Will the eu look at individuals data in its investigation

1. What the EDPB has actually announced and what it means

The EDPB selected transparency as the 2026 Coordinated Enforcement Action subject and said the action will be launched over the course of 2026 with participating DPAs joining voluntarily; the results of national actions will be aggregated to generate pan‑EEA insights and targeted follow‑up where needed ^[1]. Several legal and industry summaries make clear the practical elements: regulators will issue questionnaires to controllers asking for details about privacy notices, communications to data subjects and how organizations disclose transfers and third‑party recipients ^{[2] [3]}.

2. The staged, proportional approach regulators describe

Public guidance and commentary frame the CEA as starting with fact‑finding rather than immediate intrusive searches — DPAs may run questionnaires or "fact‑finding exercises" and only some will escalate to formal investigations based on the aggregated findings ^{[4] [2]}. Legal observers expect follow‑up enforcement (administrative fines and corrective orders) where non‑compliance is identified, which implies that the initial stage is documentary and procedural before any deeper operational or data access occurs ^[5].

3. When individual‑level data is likely to be examined

While the EDPB and allied reporting emphasize questionnaires about how organisations inform individuals, national DPAs retain investigative powers under the GDPR and the Commission’s enforcement framework, meaning they can require documentation and, in formal investigations, examine records of processing that may include logs or samples tied to individuals if necessary for proving non‑compliance ^{[6] [7]}. Sources do not provide a blanket statement that DPAs will routinely pull individual data for the CEA; rather, deeper access appears contingent on risk signals emerging from the initial exercises and on national authorities’ discretion ^{[4] [5]}.

4. Where national variation and procedural safeguards matter

Participation is voluntary and DPAs will act under their national procedures, which means practice will vary across member states: some authorities may confine activity to questionnaires and public‑facing notice reviews, while others may open formal probes with powers to inspect systems and request records ^{[1] [4]}. The GDPR and EU enforcement rules set procedural protections and timeframes for multi‑country cases, and these rules shape what DPAs can request and how complainants and controllers are involved ^{[7] [8]}.

5. Bottom line and reporting limits

The EDPB’s published material and contemporaneous reporting make clear regulators will seek information about individual‑facing disclosures and may request documentary evidence via questionnaires, and that national DPAs can escalate to formal investigations with the powers to inspect processing ^{[2] [3] [5]}; however, the sources do not assert that the coordinated action will automatically or routinely involve bulk access to individual‑level personal data in every participating country — whether investigators look at individuals’ data will depend on national choices, the findings of preliminary fact‑finding, and any formal investigations that follow ^{[1] [4]}. This account is limited to what the EDPB and reporting have publicly disclosed; the sources do not provide a single, definitive protocol describing the exact scope of data access in every DPA’s potential investigation ^{[1] [2]}.