Transparency under the GDPR: not a mere formality, but a strict obligation

April 23, 2026

Last month, the European Data Protection Board (EDPB) announced that a coordinated enforcement action (CEF) will take place this year, focusing on transparency and the provision of information to individuals whose personal data is being processed. This means that national data protection authorities will actively monitor whether organisations are complying with their transparency obligations.

The EDPB is the European Data Protection Board, in which all national data protection authorities from the EU collaborate. Although the announcement itself is brief, the message is clear: transparency is not a side issue, but a core obligation under the GDPR.

Transparency as a starting point

Transparency is one of the fundamental principles of the GDPR. People have the right to know what an organisation intends to do with their personal data and for what purpose. Without this information, people cannot exercise their rights under the GDPR or challenge the processing of their personal data. Transparency is therefore an important prerequisite forachieving one of the GDPR’s objectives, namely giving citizens greater control over their personal data.

Failure to comply has concrete consequences

Enforcement practice and case law demonstrate that shortcomings in transparency can indeed have consequences.

For instance, in 2024, the Dutch Data Protection Authority imposed a fine of 4.75 million euros on streaming service Netflix, because Netflix did not provide its customers withsufficient information about what it did with their personal data. The information that Netflix did provide was unclear in some respects.

In 2025, the privacy watchdog also imposed a fine on credit reference agency Experian. This fine amounted to 2.7 million euros. Experian used personal data improperly and, in somecases, failed to inform people about this.

These examples demonstrate that transparency is not merely a formal requirement, but an obligation with real consequences in the event of non-compliance.

From document to practice

In practice, transparency is often translated into privacy and cookie statements. These documents are important, but they are only part of the obligation.

The information must also be provided at the moment personal data is collected, for example via forms or when seeking consent. It is precisely here that shortcomings regularly arise, for example because information is incomplete or does not correspond to the content of the privacy statement. Furthermore, the information must be concise and comprehensible, andpresented in clear and simple language.

Time to review

The announced enforcement action provides a good opportunity to critically assess your own information provision:

Does your privacy statement contain all the mandatory elements?

Is the information understandable to the target audience?

Does the information provided when collecting data align with the documentation?

Do you provide sufficient information when requesting consent?

By checking this now, you reduce the risk of a fine or other measures, for example following complaints from data subjects or intervention by the supervisory authority.

How we can help

Meeting transparency obligations requires more than just drafting documents. It requires an understanding of how personal data is processed within your organisation and how youcommunicate this.

We can support you in evaluating and, where necessary, improving your privacy and cookie policies, as well as reviewing consent mechanisms. We can also carry out a broader Privacy scan to assess how well your organisation complies with privacy regulations.

The message from regulators is clear: transparency remains a priority. Organisations that get this in order now will be better prepared for the increasing focus from regulators andenforcement bodies.

View the announcement here.

Download

—

Patrick

Consultant