The EDPB 2026 transparency sweep and the recipient-disclosure prong

Each year the European Data Protection Board runs a Coordinated Enforcement Framework (CEF) action: data protection authorities across Europe pick one GDPR topic and examine it together for the year, so enforcement is consistent rather than fragmented across member states. Past editions looked at the role of data protection officers and the right of access.

On 19 March 2026 the EDPB announced the 2026 action, with 25 data protection authorities taking part. The theme is transparency and the right to be informed under GDPR Articles 12, 13 and 14 - the obligations to tell people what is done with their personal data, and to do so in a concise, intelligible, and accessible way. Participating authorities will contact controllers across sectors through enforcement actions or fact-finding exercises, share and discuss their findings in the second half of 2026, and may decide on follow-up action.

Transparency is a broad topic, but one requirement inside it is directly about who touches the data. Articles 13(1)(e) and 14(1)(e) require a controller to inform people of “the recipients or categories of recipients of the personal data”. Article 4(9) then defines a recipient as any body to which personal data are disclosed - which includes the processors you engage to run your service.

In other words, the vendors that most teams think of as invisible plumbing - cloud hosting, transactional email, payments, analytics, AI APIs - are recipients in GDPR terms, and the transparency rules expect people to be able to learn about them. The processor relationship itself is governed by Article 28; the duty to tell people about those recipients comes from Articles 13 and 14, which is exactly the territory the 2026 sweep covers. For the distinction between a processor and a subprocessor, see what is a subprocessor?

The Article 29 Working Party guidelines on transparency (WP260, endorsed by the EDPB) address the choice between naming recipients and giving categories. Where a controller opts for categories, the guidance is that the information should be as specific as possible- identifying the type of recipient by reference to its activities, the industry and sector, and its location. A single line saying “we may share your data with third-party service providers” is generally treated as too vague to satisfy the obligation.

• -Be specific.Name the actual processors, or give genuinely specific categories - not “third parties”.
• -Be accessible. Put the information somewhere a data subject can actually reach without asking - a linked, public page rather than a figure available only on request.
• -Be current.The EDPB's standing position (Opinion 22/2024) is that the identity of processors and subprocessors should be “readily available at all times” - which means the list has to track reality as your providers change theirs, not an annual refresh.

The 2026 sweep does not create a new obligation; it raises the odds and the rigour of being asked to show you already meet the existing one. The practical preparation is the same work that answers an enterprise security questionnaire:

• -Check your privacy notice actually names who receives the data, or gives specific categories, rather than a generic third-party clause.
• -Publish or refresh a current public list of the processors and subprocessors you use. How to build a subprocessor page.
• -Keep it current as upstreams change. Your providers update their own recipient and subprocessor lists without telling you; your disclosure is only as accurate as your last check. Audit what your own site loads.