GDPR transparency obligations require data controllers to give individuals clear, complete and timely information about how their personal data is processed. The EDPB CEF 2026, the European Data Protection Board’s next coordinated enforcement action under its Coordinated Enforcement Framework, is expected to place these obligations at the centre of simultaneous investigations across EU member states. For public-sector bodies, regulated financial institutions, healthcare providers and legal organisations, the stakes are concrete: privacy notices, records of processing activities and impact assessments will all be reviewed against the full text of GDPR Articles 13 and 14.
What the EDPB CEF 2026 Will Actually Scrutinise
The CEF mechanism coordinates national supervisory authorities so that a single theme is investigated simultaneously across many jurisdictions, producing comparable findings and raising the probability that any organisation operating in multiple member states faces review. The 2023 CEF on Data Protection Officers already demonstrated that the majority of investigated organisations were found non-compliant in at least one respect (EDPB CEF 2023 Report, 2023). CEF 2026 is expected to turn that same coordinated lens on transparency.
Under GDPR Article 13, a controller collecting data directly from a data subject must provide, at the time the data are obtained: the identity and contact details of the controller and any DPO; the purposes and legal bases for processing; the legitimate interests relied upon where applicable; any recipients or categories of recipients; and details of any intended transfers to third countries together with the safeguards applied. Article 13(2) adds the retention period (or the criteria used to set it), the data subject's rights, the right to withdraw consent and to lodge a complaint, and whether providing the data is a statutory or contractual requirement. GDPR Article 14 mirrors these requirements for data obtained indirectly, with an additional obligation to disclose the source of the data, and with different timing: within a reasonable period and at the latest within one month, or at first communication with the data subject or first disclosure to another recipient, whichever comes first.
Supervisory authorities scrutinising these notices will look beyond the existence of a privacy policy to its operational accuracy. A notice that still lists Microsoft or Google as a processor after an organisation has migrated to a sovereign environment is as deficient as one that omits a processor entirely. Equally, a notice that describes transfers to the United States without identifying the mechanism used (Standard Contractual Clauses, an adequacy decision or Binding Corporate Rules) will draw enforcement attention.
“Transparency is not a formality. It is the foundation on which data subjects exercise all their other rights, and supervisory authorities will treat opaque or incomplete privacy notices as a systemic failure, not a technical deficiency.” (European Data Protection Supervisor, EDPS Guidelines on Transparency, edps.europa.eu)
Restructuring Privacy Notices After a Sovereign Migration
Migrating from Microsoft 365 or Google Workspace to a sovereign Nextcloud environment changes at least three disclosable facts simultaneously: the identity of the data processor, the location of processing, and the applicable legal framework governing that location.
A well-structured post-migration privacy notice must reflect each change explicitly. The processor section should identify the new sovereign operator by full legal name and registered address, not a generic category such as “cloud hosting provider.” If the new environment is hosted in Switzerland under the revised Federal Act on Data Protection (revFADP, in force since 1 September 2023), the notice should state that the processing constitutes a transfer to a third country covered by an EU adequacy decision (Commission Decision 2000/518/EC, confirmed by the Commission's January 2024 review of existing adequacy decisions), so no Standard Contractual Clauses are needed. Whether the data are beyond the reach of US CLOUD Act or FISA 702 compelled-access requests depends on the operator, not only on the data centre location: the CLOUD Act reaches providers subject to US jurisdiction wherever they store data, so the notice should state that the operator has no US parent or affiliate only where that is actually the case.
| Disclosure element | Microsoft 365 / Google Workspace (typical) | Sovereign Nextcloud (Swiss hosting) |
|---|---|---|
| Processor identity | Microsoft Ireland Operations Ltd / Google Ireland Ltd, with US parent access | Named sovereign operator, no US parent |
| Processing location | EU data centres, potential US replication or access | Switzerland (adequacy-covered jurisdiction) |
| International transfer safeguard | SCCs to US, with residual CLOUD Act risk | Transfer to Switzerland covered by adequacy decision (Art. 45); no SCCs required |
| Sub-processor disclosure | Extensive sub-processor list, changes notified by email | Minimal or zero sub-processors |
| AI / telemetry data use | Governed by the provider's current data-use terms; must be verified and disclosed for each product feature | No external model training; inference and logs stay on-premises |
The notice should be layered: a short, plain-language summary at the point of data collection with a link to the full notice. This satisfies the Article 12 requirement that information be provided in a concise, transparent, intelligible and easily accessible form.
Article 30 Records of Processing: From Manual Spreadsheets to Automated Infrastructure Metadata
GDPR Article 30 requires controllers and processors to maintain records of processing activities covering purposes, data categories, recipient categories, retention periods and, where applicable, international transfers and their safeguards. In practice, many organisations maintain these as manually updated spreadsheets, which drift out of date quickly and reflect aspirational rather than actual processing.
“Organisations must be able to demonstrate compliance, not merely claim it. Records of processing activities are the backbone of that demonstration.” (Andrea Jelinek, former Chair of the European Data Protection Board, EDPB Annual Report 2022, edpb.europa.eu)
Sovereign infrastructure changes this fundamentally. A self-hosted Nextcloud deployment writes file operations, user sessions, sharing events and API calls to structured, queryable JSON logs (nextcloud.log, supplemented by the admin audit log). What those logs record are identifiers: the user account, the file path, the operation, the client address and the time. Turning that into an Article 30 record requires two mappings the organisation maintains alongside its data inventory: folder or application to data category, and directory group (from the LDAP or SAML identity layer) to role or recipient category. With those mappings in place, an organisation can export the log metadata into a format that maps directly to the Article 30 record schema, producing a continuously updated record rather than a point-in-time snapshot.
Private AI deployments running on-premises on open-source models such as Mistral or Llama produce their own inference logs, which must also appear in the Article 30 record. The record should capture: the AI processing purpose, the data categories submitted as prompts or context, the retention period for inference logs, and the confirmation that no data is transmitted to external model providers.
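As an added example (not part of the original article and not Nextcloud project code), the Python script below reduces log lines in the JSON shape of Nextcloud's nextcloud.log to Article 30 record entries for both the document platform and an on-premises inference service, covering the two preceding paragraphs in one pass. The log lines are constructed, the folder-to-data-category inventory and the group mapping are assumed stand-ins for an organisation's own data inventory and directory, and the app name private_ai is hypothetical. Events whose path or user is missing from the inventory are reported as inventory gaps rather than silently dropped, because an auto-generated record that hides gaps is worse than a spreadsheet.

```python
"""Build Article 30 record fragments from structured infrastructure logs.

Added example, not Nextcloud code. Assumptions (not from the original page):
- log lines use the JSON field names of nextcloud.log ("time", "user", "app",
  "message", "remoteAddr"); the messages themselves are constructed;
- DATA_CATEGORIES, DATA_SUBJECTS, RETENTION and USER_GROUPS stand in for the
  organisation's data inventory and LDAP group membership;
- the app name "private_ai" is a hypothetical on-premises inference gateway.
"""
import ipaddress
import json
import re

# Constructed sample log lines (not captured from a live system).
SAMPLE_LOG = r'''
{"time":"2026-03-02T08:14:09+00:00","user":"anna.hr","app":"admin_audit","message":"File accessed: \"/hr/payroll/2026-02.xlsx\"","remoteAddr":"10.20.4.17"}
{"time":"2026-03-02T08:15:31+00:00","user":"anna.hr","app":"admin_audit","message":"File accessed: \"/hr/contracts/mueller.pdf\"","remoteAddr":"10.20.4.17"}
{"time":"2026-03-02T09:02:44+00:00","user":"ben.legal","app":"admin_audit","message":"File shared: \"/legal/cases/2026-017/brief.docx\" with user \"carla.legal\"","remoteAddr":"10.20.7.3"}
{"time":"2026-03-02T09:40:02+00:00","user":"ben.legal","app":"private_ai","message":"Inference request: model=mistral-7b context=\"/legal/cases/2026-017/brief.docx\"","remoteAddr":"10.20.7.3"}
{"time":"2026-03-02T10:01:10+00:00","user":"ben.legal","app":"core","message":"Login successful","remoteAddr":"10.20.7.3"}
'''

# Assumed inventory: folder prefix -> data category -> data subjects / retention.
DATA_CATEGORIES = {
    "/hr/payroll": "employee financial data",
    "/hr/contracts": "employment contract data",
    "/legal/cases": "client case files",
}
DATA_SUBJECTS = {
    "employee financial data": "employees",
    "employment contract data": "employees",
    "client case files": "clients and opposing parties",
}
RETENTION = {
    "employee financial data": "10 years after end of financial year",
    "employment contract data": "10 years after contract end",
    "client case files": "10 years after case closure",
}
USER_GROUPS = {"anna.hr": "hr-staff", "ben.legal": "legal-staff", "carla.legal": "legal-staff"}
PURPOSES = {
    "admin_audit": "document storage and collaboration",
    "private_ai": "on-premises AI-assisted document analysis",
}
PROCESSING_LOCATION = "Switzerland, named sovereign operator (adequacy decision 2000/518/EC)"

PATH_RE = re.compile(r'"(/[^"]+)"')          # first quoted absolute path in a message
SHARE_RE = re.compile(r'with user "([^"]+)"')  # recipient of a share event


def classify_path(path):
    """Map a file path to a data category; unknown prefixes are flagged, not hidden."""
    for prefix, category in DATA_CATEGORIES.items():
        if path.startswith(prefix + "/"):
            return category
    return "unclassified (inventory gap)"


def parse_events(raw):
    """Yield only events that touch a data path; logins and the like carry none."""
    for line in raw.strip().splitlines():
        rec = json.loads(line)
        path = PATH_RE.search(rec["message"])
        if not path:
            continue
        share = SHARE_RE.search(rec["message"])
        yield {
            "time": rec["time"], "user": rec["user"], "app": rec["app"],
            "path": path.group(1), "category": classify_path(path.group(1)),
            "shared_with": share.group(1) if share else None,
            "remote_addr": rec["remoteAddr"],
        }


def build_article30(raw):
    """Aggregate events per processing activity (keyed by app) into record entries."""
    records = {}
    for ev in parse_events(raw):
        rec = records.setdefault(ev["app"], {
            "purpose": PURPOSES.get(ev["app"], f"unregistered app: {ev['app']}"),
            "data_categories": set(), "data_subject_categories": set(),
            "recipient_categories": set(), "retention": set(),
            "transfers": "none; processing at " + PROCESSING_LOCATION,
            "external_access_observed": False, "events": 0, "last_event": "",
        })
        cat = ev["category"]
        rec["data_categories"].add(cat)
        rec["data_subject_categories"].add(DATA_SUBJECTS.get(cat, "unknown (inventory gap)"))
        rec["retention"].add(RETENTION.get(cat, "undefined (inventory gap)"))
        rec["recipient_categories"].add("internal: " + USER_GROUPS.get(ev["user"], "unknown group"))
        if ev["shared_with"]:
            rec["recipient_categories"].add("internal: " + USER_GROUPS.get(ev["shared_with"], "unknown group"))
        if ev["app"] == "private_ai":
            rec["recipient_categories"].add("on-premises inference service (no external model provider)")
        # A client address outside RFC 1918 space contradicts a 'no external access' claim.
        if not ipaddress.ip_address(ev["remote_addr"]).is_private:
            rec["external_access_observed"] = True
        rec["events"] += 1
        rec["last_event"] = max(rec["last_event"], ev["time"])  # ISO 8601 strings sort lexically
    for rec in records.values():  # sets -> sorted lists for a deterministic export
        for key in ("data_categories", "data_subject_categories", "recipient_categories", "retention"):
            rec[key] = sorted(rec[key])
    return records


if __name__ == "__main__":
    print(json.dumps(build_article30(SAMPLE_LOG), indent=2))
```

Run against the real nextcloud.log on a schedule and diff the output against the published privacy notice: any data category, recipient group or app that appears in the generated record but not in the notice is exactly the discrepancy a supervisory authority would find.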
DPIAs on Sovereign Infrastructure Versus US-Controlled Hyperscalers
GDPR Article 35 requires a Data Protection Impact Assessment before processing that is likely to result in a high risk to individuals, including large-scale processing of sensitive data, systematic monitoring and the use of new technologies. The trigger attaches to the processing, not to the platform: a hyperscaler deployment or a private AI system handling the data categories typical of the public sector, finance, healthcare or legal work will usually meet the EDPB's high-risk criteria (innovative use of technology, sensitive data, large scale), and where it does the DPIA is mandatory regardless of where the infrastructure sits.
A DPIA conducted for processing on a US-controlled hyperscaler must grapple with a set of residual risks that cannot be fully mitigated by contract. The CLOUD Act enables US law enforcement to compel Microsoft or Google to produce data under their control wherever it is stored. FISA Section 702 enables US intelligence agencies to compel electronic communication service providers to assist in acquiring the communications of non-US persons located abroad. Standard Contractual Clauses do not override a US court order. The Schrems II judgment of the Court of Justice of the EU (Case C-311/18, 16 July 2020) confirmed that these legal mechanisms constitute an interference with fundamental rights that is not limited to what is strictly necessary. A DPIA for such processing must therefore document these residual risks explicitly and either accept them with justification or demonstrate supplementary measures that genuinely neutralise them, which in practice is very difficult for FISA 702 where the provider needs access to the data in clear to deliver the service.
A DPIA for the same processing on sovereign, jurisdiction-isolated infrastructure has a structurally different risk profile. Where data is processed in Switzerland by an operator with no US parent or affiliate, there is no mechanism by which a foreign government can compel the operator to hand over the data; Swiss lawful-access powers exist, but they are domestic, subject to judicial control and were assessed in the adequacy decision. The DPIA can document foreign compelled access as a risk removed by design rather than mitigated by contract. The remaining risks (insider threat at the operator, physical security, availability, and the operator's own privileged access) then become the focus of the assessment and are addressable through conventional technical and organisational measures such as encryption with customer-held keys, access logging and segregation of duties.
Cumulative GDPR fines exceeded €4.5 billion by early 2024 (GDPR Enforcement Tracker, CMS Law, 2024), and several of the largest concerned processing whose risks were never properly assessed or documented. A DPIA that omits the CLOUD Act risk for a US hyperscaler deployment, or that describes it without documenting either mitigation or a reasoned acceptance, is likely to attract criticism during a CEF 2026 inspection.
Audit Evidence for Private AI Deployments
A CISO or DPO demonstrating compliance with transparency obligations when deploying private AI on on-premises infrastructure must prepare evidence across four categories.
First, model provenance: documentation showing that the model (Mistral 7B, Llama 3 or equivalent) was obtained from a known, auditable source, that no personal data was used in fine-tuning, and that the weights are stored within the controlled environment. Second, data flow confirmation: network logs showing that inference requests do not leave the on-premises perimeter, verified by firewall egress rules and absence of DNS queries to external AI provider endpoints. Third, the updated Article 30 record entry for the AI processing activity, generated from infrastructure logs rather than written by hand. Fourth, the Article 35 DPIA specific to the AI deployment, documenting the processing purpose, data categories involved, the absence of external data transfer, and the human oversight mechanism for any automated decisions informed by the AI output.
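The second evidence category, data flow confirmation, is the one most easily produced from live systems. As an added example (not from the original article or any named product), the Python script below checks two pieces of evidence together: that every upstream an inference gateway is configured to call is an RFC 1918 address or a name in an internal DNS zone, and that a resolver query log contains no lookups outside those zones and no forwarded queries. The gateway configuration, the internal zone internal.example, the vendor name api.ai-vendor.example and the dnsmasq-style log lines are all constructed. The check is allowlist-based on purpose: a denylist of known AI vendor hostnames would miss the vendor nobody thought of, whereas any lookup leaving the internal zones is itself the finding.

```python
"""Egress evidence for a private AI deployment. Added example, not product code.

Assumptions (not from the original page): the gateway config is a small dict
standing in for the real config file; INTERNAL_ZONES is the organisation's own
DNS namespace; the DNS log lines follow dnsmasq's query-log layout and are
constructed; api.ai-vendor.example is a hypothetical external AI endpoint.
"""
import ipaddress
import re
from urllib.parse import urlsplit

INTERNAL_ZONES = ("internal.example",)  # assumed internal DNS zones

# Assumed inference gateway configuration: model name -> upstream base URL.
GATEWAY_CONFIG = {
    "upstreams": {
        "mistral-7b": "http://10.30.1.20:8000/v1",
        "llama3-8b": "http://inference.internal.example:8000/v1",
    },
}

# Constructed dnsmasq-style query log (log-queries enabled).
DNS_LOG_CLEAN = """\
Mar  2 09:40:01 dnsmasq[812]: query[A] inference.internal.example from 10.20.7.3
Mar  2 09:40:01 dnsmasq[812]: reply inference.internal.example is 10.30.1.21
Mar  2 09:41:15 dnsmasq[812]: query[A] nextcloud.internal.example from 10.20.4.17
"""
# Same log with one workstation resolving an external AI endpoint (constructed).
DNS_LOG_LEAK = DNS_LOG_CLEAN + """\
Mar  2 09:42:03 dnsmasq[812]: query[A] api.ai-vendor.example from 10.20.9.44
Mar  2 09:42:03 dnsmasq[812]: forwarded api.ai-vendor.example to 192.0.2.53
"""

QUERY_RE = re.compile(r"query\[\w+\] (\S+) from (\S+)")
FORWARD_RE = re.compile(r"forwarded (\S+) to (\S+)")


def in_internal_zone(name, zones=INTERNAL_ZONES):
    """True if name is an internal zone apex or a subdomain of one (case-insensitive)."""
    name = name.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in zones)


def check_upstreams(config, zones=INTERNAL_ZONES):
    """Every configured upstream must be a private IP literal or an internal-zone name."""
    findings = []
    for model, url in config["upstreams"].items():
        host = urlsplit(url).hostname or ""
        try:
            if not ipaddress.ip_address(host).is_private:
                findings.append(f"{model}: upstream {host} is a public address")
        except ValueError:  # not an IP literal, so treat it as a hostname
            if not in_internal_zone(host, zones):
                findings.append(f"{model}: upstream {host} is outside internal zones")
    return findings


def scan_dns_log(log, zones=INTERNAL_ZONES):
    """Flag any query for a name outside the internal zones and any forwarded query.

    A 'forwarded' line is direct evidence that a name left the perimeter resolver.
    """
    findings = []
    for line in log.splitlines():
        q = QUERY_RE.search(line)
        if q and not in_internal_zone(q.group(1), zones):
            findings.append(f"external lookup {q.group(1)} from {q.group(2)}")
        f = FORWARD_RE.search(line)
        if f:
            findings.append(f"resolver forwarded {f.group(1)} to {f.group(2)}")
    return findings


def egress_evidence(config, dns_log, zones=INTERNAL_ZONES):
    """Combine both checks into one evidence record suitable for the audit file."""
    findings = check_upstreams(config, zones) + scan_dns_log(dns_log, zones)
    return {"no_external_path": not findings, "findings": findings}


if __name__ == "__main__":
    for label, log in (("clean", DNS_LOG_CLEAN), ("leak", DNS_LOG_LEAK)):
        print(label, egress_evidence(GATEWAY_CONFIG, log))
```

The DNS check only proves what the perimeter resolver saw; hosts that bypass it (DNS over HTTPS, a hard-coded resolver) would not appear, so the evidence package should pair this output with the firewall rule that blocks outbound port 53 and 853 from anything except the resolver itself.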
The global average cost of a data breach reached USD 4.45 million in 2023 (IBM Cost of a Data Breach Report, 2023), a figure that underscores why proactive audit readiness is less expensive than incident response. A DPO who can hand a supervisory authority a complete, consistent evidence package, drawn from live infrastructure rather than assembled retrospectively, is in a fundamentally stronger position during a CEF 2026 inspection than one who must reconstruct what happened from memory and stale documents.
FAQ
What exactly will the EDPB CEF 2026 investigate regarding transparency?
The EDPB CEF 2026 coordinated enforcement action is expected to focus on how organisations fulfil the layered information obligations in GDPR Articles 13 and 14, including whether privacy notices identify processors and sub-processors, state the legal basis for each processing purpose, disclose international transfers and the safeguards applied, and provide meaningful contact details for the data controller and DPO.
Does moving to a sovereign Nextcloud environment automatically satisfy GDPR transparency requirements?
No. The migration removes key legal risks, such as US CLOUD Act exposure and opaque sub-processor chains, but the organisation must still update its privacy notices, Article 30 records and DPIAs to reflect the new processing reality. Sovereignty simplifies the disclosure because there are fewer jurisdictions and sub-processors to explain, but the obligation to disclose clearly remains and must be actively maintained.
How does a DPIA for on-premises private AI differ from one covering a public cloud AI service?
A DPIA for on-premises private AI running on open-source models can demonstrate that data does not leave a controlled environment, that no training occurs on personal data without consent, and that no third-party processor has independent access. A DPIA for a public cloud AI service must address international transfers, the provider’s model-training policies, sub-processor chains and the risk that foreign intelligence law could compel access, all of which are residual risks that are difficult to fully mitigate contractually.
Can Article 30 records of processing be generated automatically rather than maintained in a spreadsheet?
Yes, provided the organisation supplies the mappings the logs cannot. A self-hosted platform such as Nextcloud records each file operation, share and session with the user account, file path, client address and time. Combined with a maintained inventory that maps folders or applications to data categories and directory groups to recipient categories, these logs can be exported or queried to populate Article 30 records continuously, so the records reflect the actual state of processing rather than a point-in-time snapshot. That actual state is precisely what a supervisory authority will compare against the privacy notice during a CEF inspection.
What happens if a supervisory authority finds that a privacy notice failed to disclose a processor change during a cloud migration?
Failure to update a privacy notice when a new processor is engaged, or when the processing location changes, is a direct infringement of GDPR Articles 13(1)(e) and (f) and 14(1)(e) and (f), which require disclosure of recipients or categories of recipients and of any intended transfers to third countries together with the safeguards applied. Supervisory authorities can issue a reprimand, an order to bring processing into compliance, or a fine. Because the information obligations are data subject rights under Articles 12 to 22, infringements fall into the higher tier of Article 83(5)(b): up to €20 million or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher.