The Coordinated Action by data protection authorities in 2026 addresses transparency and information obligations. Let's take a look at Articles 12 to 14 GDPR.

After the right to erasure and "being forgotten" in accordance with Article 17 GDPR was the theme of the Coordinated Action of European data protection authorities last year, this year's focus is on compliance with the transparency and information obligations under Articles 12 to 14 GDPR.

In accordance with the Coordinated Enforcement Framework (CEF), the data protection authorities select a topic of particular practical relevance for their Coordinated Action for the respective year in order to optimise enforcement of the European General Data Protection Regulation (GDPR) and cooperation between data protection authorities in the EU and gain insight into implementation of the GDPR. The individual national authorities can join the Coordinated Action on a voluntary basis. The results of the action are summarised and analysed in the following year. The European Data Protection Board (EDPB) has chosen Articles 12 to 14 GDPR as the topic for 2026, which we will discuss in more detail below.

The right to information is a core element of the controller's transparency obligation. This right is intended to ensure that data subjects have control over their data by providing them with specific information on a regular basis when their data is collected by the controller, in particular about the controller and the purposes of processing.

Transparency obligations pursuant to Article 12 GDPR

Article 12 (1) GDPR implements the principle of transparency for the information to be provided by the controller and defines the standard for comprehensible communication. The information should be provided "in a concise, transparent, intelligible and easily accessible form, using clear and plain language". At the same time, Article 13 and Article 14 GDPR require that the controller provides specific information on the handling of personal data. At first glance, this seems contradictory. In practice, it is indeed difficult to reconcile the different requirements - clear and plain language on the one hand and concise and transparent information on the other. The supervisory authorities have repeatedly emphasised that the solution to this apparent contradiction lies in presenting the information in a graduated manner based on the target group, and not in reducing the content of the information to be provided.

In practice, a two-stage approach (layered privacy notice) is recommended for extensive data processing: In the first layer, a short, clearly structured summary of the key information should be provided in plain language. This includes the identity of the controller, the main purpose of processing, the relevant legal basis in summarised form, the most important recipients or categories of recipients, information on transfers to third countries with a brief reference to safeguards, the main points on the storage period and rights of data subjects, including the right to lodge a complaint.

All detailed information to be provided in accordance with Article 13 or Article 14 GDPR should be presented completely and precisely in the next layers. This includes the differentiation by purpose with specific legal basis for each purpose, the description of legitimate interests, differentiated storage periods or criteria to determine them, specific recipients or categories of recipients, information on third country transfers including the relevant safeguards, categories of origin and sources for data not collected directly from the data subject, information on the requirement to provide data and the consequences of failure to do so, and information on automated decision-making, including profiling.

Obligation to provide information pursuant to Article 13 GDPR

Article 13 GDPR specifies which information the controller must provide if personal data are collected directly from the data subject. Article 13 GDPR therefore defines the minimum standard for the content of the initial information at the time data are collected from the data subject. This information includes, in particular, the identity and contact details of the controller (and, where applicable, of the data protection officer, if one has been appointed), the purposes of the processing with the respective legal basis, the recipients or categories of recipients, information on third country transfers and safeguards, the storage period or criteria, the rights of data subjects including revocation of consent and the right to lodge a complaint, the requirement to provide the data and the consequences of not doing so, as well as information on automated decision-making including profiling, where relevant. If controllers process data on the basis of Article 6 (1) (f) GDPR (legitimate interest), the CJEU has already emphasised in several decisions that pursuant to Article 13 (1) (d) GDPR the controller is required to explicitly inform the data subject of the legitimate interests pursued (CJEU, judgment of 9 January 2025 - C-394/23; CJEU, judgment of 4 October 2024 - C‑621/22; CJEU, judgment of 4 July 2023 - C‑252/21).

In terms of timing, the information must be provided at the latest when the data are collected, i.e. directly in connection with the first contact or the first collection of data from data subjects.

Follow-up information in the event of a change of purpose

If the purposes or the legal basis for collecting data change during the course of data processing by the controller, so-called "follow-up information" must be provided. Article 13 (3) GDPR is very relevant in practice. This includes, for example, data collected in the context of an employment relationship that are later processed in internal investigations for the purposes of corporate compliance. It is therefore advisable for controllers to consider future processing scenarios when drafting their data protection policy and to include them in it, so that data subjects do not have to be informed subsequently.

Obligation to provide information pursuant to Article 14 GDPR

The distinction from the information obligations under Article 14 GDPR is based on the origin of the data: Article 13 GDPR is applicable if the controller collects the data from the data subject. Article 14 GDPR applies if the controller does not collect the data directly from the data subject.

In addition to the information to be provided in accordance with Article 13 GDPR, in this situation the controller must provide information on the categories of personal data (e.g. contact data, contract data, usage data) and the origin of the data (i.e. the data source, e.g. from publicly accessible sources). This information is therefore in addition to the (largely identical) mandatory information that the controller must provide under Article 13 GDPR.

In practice, the information obligations under Article 13 and Article 14 GDPR are often combined in standardised data protection notices. This is advisable from a practical point of view. In "mixed scenarios", the information required under Article 13 and the information required under Article 14 GDPR must both be provided. Often, the controller does not make a clear distinction between data collected from the data subject and data that are not collected from the data subject, i.e. from other sources. The employment relationship is mentioned here again as an example. Providing the (complete) information in accordance with Article 13 and Article 14 GDPR avoids duplication, inconsistencies between different data protection policies and, last but not least, errors when "updating" the corresponding data protection policies due to changes in processing operations.

Legal consequences of infringements

According to rulings of German courts, controllers face measures imposed by data protection authorities for infringements of Articles 12 to 14 GDPR as well as claims for compensation from the data subjects in accordance with Article 82 GDPR. The compensation awarded to date tends to be in the lower range (e.g. EUR 250: Düsseldorf Local Court, judgment of 19 August 2025 - 42 C 61/25; Hanover Labour Court, judgment of 23 January 2024 - 1 Ca 121/23; Nürnberg-Fürth Regional Court, judgment of 20 October 2023 - 10 O 1510/22; EUR 1,000: German Federal Labour Court, judgment of 5 June 2025 - 8 AZR 117/24; Düsseldorf Regional Labour Court, judgment of 10 April 2024 - 12 Sa 1007/23). However, the risk of claims for compensation can accumulate for the controller if several or perhaps a significant number of data subjects make such claims (e.g. customers of an online shop or employees of a company).

Coordinated Action by data protection authorities: Status quo and outlook

Since the EU Digital Omnibus proposes changes to Articles 12 to 15 of the GDPR, the Data Protection Conference has submitted reform proposals for the GDPR in general and with regard to the rights of data subjects in connection with the use of artificial intelligence (AI) in particular. The changes remain to be seen, but will not have a concrete impact on the Coordinated Action this year. Data protection authorities will examine how Articles 12 to 14 GDPR are implemented in companies. The aim is to assess the implementation of these GDPR regulations in practice and identify any difficulties. The final report on this Coordinated Action is expected in 2027.