Tools / News / Europe's 25 Data Protection Authorities Just Launched a Coordinated Audit of Online Services

Press

Europe's 25 Data Protection Authorities Just Launched a Coordinated Audit of Online Services

March 20, 2026 · VaultTools

The EDPB formally launched its 2026 enforcement action on March 19, targeting GDPR transparency obligations. Online file tools that collect user data are directly in scope.

VaultTools · March 20, 2026

A physical padlock resting on a laptop keyboard, representing digital security and data protection compliance. Photo by Philipp Katzenberger on Unsplash

What launched yesterday
What GDPR Articles 12 to 14 actually require
Why online file tools are in scope
How browser-based processing changes the equation
What operators should do now
Sources

What Launched Yesterday

On March 19, 2026, the European Data Protection Board (EDPB) formally launched its 2026 Coordinated Enforcement Framework (CEF) action. Twenty-five national data protection authorities (DPAs) across the EU are now running a synchronized audit campaign focused on a single area: GDPR transparency and information obligations under Articles 12, 13, and 14.

The topic was announced in October 2025. The active enforcement phase began yesterday.

Participating DPAs will contact organizations across multiple sectors, using standardized questionnaires to assess compliance. Results will be aggregated at the EU level, with targeted follow-up actions at both national and European scale. Past CEF campaigns have led directly to fines and corrective measures.

Articles 12, 13, and 14 of the GDPR define what organizations must tell people when they process their personal data. The rules cover four core questions that any privacy notice must answer clearly:

What personal data is being collected
Why it is being collected (the legal basis and purpose)
How long it will be retained
Who it will be shared with or transferred to

The disclosure must be provided at the point of collection (Article 13) or within one month when data is obtained indirectly (Article 14). Article 12 sets the standard for how that information must be presented: concise, transparent, intelligible, and in plain language.

Regulators are not looking for fine print. They are looking for clear, accessible notices that an ordinary person can understand.

Why Online File Tools Are in Scope

An online PDF converter, image compressor, or document editor that receives files on a server is processing personal data. Most documents users convert or compress contain personal information: names, addresses, signatures, financial figures, medical details. Under GDPR, personal data is any information relating to an identified or identifiable natural person.

When a cloud-based file tool receives a document, it becomes a data controller or processor for that processing activity. It must tell users what data it collects from or about the file, how long the file is retained on its servers, and whether the file or extracted metadata is shared with third parties.

Many tools bury these disclosures in multi-page privacy policies written in legal language. That approach is now a primary enforcement target. The EDPB’s 2026 campaign will assess whether notices are genuinely accessible, not just technically present.

How Browser-Based Processing Changes the Equation

A tool that processes files entirely inside the user’s browser using WebAssembly never receives the file on any server. The file does not leave the user’s device. No document content is processed by the tool’s infrastructure.

When no personal data is collected from the file processing itself, Articles 13 and 14 transparency obligations do not apply to that processing activity. There is no data collection event to disclose, no retention period to declare, and no third-party transfer to describe.

This is not a compliance shortcut. It is a structural consequence of where the processing happens. Browser-based file tools eliminate a category of GDPR exposure by design. They can still be subject to transparency obligations for other data they collect (analytics, contact forms, account creation), but the file processing itself is outside scope.

What Operators Should Do Now

For operators of cloud-based file tools with European users, the 2026 CEF action is a signal to audit privacy notices immediately. The EDPB has published guidance under Articles 12 to 14. The specific questions to check:

Is the privacy notice visible at the point where users upload files?
Does it state in plain language what happens to uploaded files and for how long?
Does it identify any processors or subprocessors that handle file data?
Is there a clear contact point for data subject requests?

DPAs may reach out proactively with questionnaires or open formal investigations based on complaints. Both paths can lead to corrective orders and fines.

For browser-based tools: document and communicate the fact that files are processed locally. “Files never leave your device” is not just a marketing claim. In the context of the 2026 enforcement wave, it is a substantive compliance statement.

Sources

CEF 2026: EDPB Launches Coordinated Enforcement Action on Transparency (EDPB)
Coordinated Enforcement Framework: EDPB Selects Topic for 2026 (EDPB)
What the EDPB’s 2026 Focus on Transparency Means for Online Businesses (iubenda)
EDPB to Focus on Transparency in 2026 Enforcement (Inside Privacy)
EDPB Selects Topic for 2026 Coordinated Enforcement Action (Hunton Andrews Kurth)
GDPR Audit Priorities for 2026: Transparency and Information Obligations (Ailance)
GDPR Transparency Duties: Information Obligations under Articles 12 to 14 (CMS Law Now)
Europe Fines Big Tech Over EUR 1.2 Billion under GDPR in 2025 (Bitdefender)

← Back to all news