GDPR Transparency Obligations: 3 Critical Articles

Last week the European Data Protection Board launched its 2026 Coordinated Enforcement Framework action; the target is GDPR transparency obligations under Articles 12, 13 and 14. Twenty-five data protection authorities across Europe will now audit how controllers inform individuals about the processing of their personal data. If you are studying for the CIPP/E, this should sharpen your focus; transparency sits at the centre of Domain III and the exam tests it harder than most candidates expect.

Why the EDPB Picked GDPR Transparency Obligations for 2026

The Coordinated Enforcement Framework follows a pattern. In previous years the EDPB examined cloud services in the public sector, the role of data protection officers, the right of access and the right to erasure. Each action selected a single GDPR topic and asked national regulators to investigate it in parallel.

This year the Board chose GDPR transparency obligations. Participating authorities will contact controllers through enforcement actions or fact-finding exercises, review their privacy notices and assess compliance with Articles 12 through 14. Where responses raise concerns, formal investigations may follow.

The choice is not accidental. Transparency has always been a first-principles requirement of the GDPR; Article 5(1)(a) lists it alongside lawfulness and fairness as a processing principle. Regulators have also signalled that they expect more specificity in privacy notices than many organisations currently provide.

Article 13 vs Article 14: The Distinction That Catches Candidates

This is where exam preparation meets enforcement reality. The CIPP/E Body of Knowledge (the document the IAPP publishes to define every topic candidates are tested on; you can find it on iapp.org) places information provision obligations squarely inside Domain III, section III.C. That section carries between 4 and 6 questions on its own, within a domain worth 13 to 21 questions total.

The exam expects you to know two separate information regimes and when each applies.

Article 13 governs the situation where personal data is collected directly from the data subject. The controller must provide its identity, the purposes and legal basis of processing, any recipients, details of international transfers and the data subject’s rights. The information must be provided at the time the data is collected.

Article 14 applies when personal data has not been obtained from the data subject; it was sourced from a third party, a public register or some other indirect channel. The content requirements overlap with Article 13, but Article 14 adds two obligations: the controller must disclose the categories of personal data concerned and the source from which the data originates. The timing also shifts; information must be provided within a reasonable period and no later than one month after obtaining the data.

Scenario questions on the exam often present a data collection situation and ask which article applies. The trap is straightforward: candidates who memorise one list of notice contents and assume it covers both articles will pick the wrong answer when the scenario involves indirect collection.

The Article 12 Layer Most Candidates Underestimate

Article 12 is not a standalone information obligation; it sets the modality rules for how Articles 13 and 14 must be delivered. Information must be concise, transparent, intelligible and easily accessible, using clear and plain language.

Article 12 also establishes the layered notice concept. A controller can use a short first-layer notice linking to a full privacy policy rather than presenting everything in one block. The exam tests whether candidates understand that layered notices are a practical tool for meeting GDPR transparency obligations, not a separate legal requirement.

What Regulators Now Expect: Specificity on Transfers

Recent enforcement decisions have raised the bar on what counts as adequate transparency. Some authorities now expect organisations to identify each third country to which personal data is transferred by name, rather than referencing transfer mechanisms in general terms. If your privacy notice says “data may be transferred outside the EEA using standard contractual clauses” without naming the destination countries, that may no longer satisfy Article 13(1)(f) or Article 14(1)(f).

This matters for the exam because it tests whether candidates can distinguish between the minimum legal text of the GDPR and the evolving regulatory interpretation of that text. The exam does not operate in a vacuum; EDPB guidance and enforcement trends inform how questions are framed.

How to Study GDPR Transparency Obligations for the CIPP/E

Start with the actual text of Articles 12, 13 and 14. Read them side by side and note the differences rather than the overlaps. Build a comparison table; Article 14’s additional requirements (categories of data and source) are the details examiners target.

Then review the IAPP training material for Module 6 (Information Provision Obligations), which maps directly to BoK section III.C. Pay attention to the performance indicators: understand the transparency principle, know the components of privacy notices and understand the purpose of layered notices.

Finally, practise scenario questions. If a question describes a controller receiving personal data from a credit reference agency, you need Article 14. If a question describes a user filling in an online form, you need Article 13. The enforcement priority for 2026 tells you regulators consider this a weak spot; there is a good chance the exam agrees.

If you want structured CIPP/E preparation material that maps each topic to the Body of Knowledge, the free resources at 22academy.com/study are a solid starting point.