Enforcement cooperation format
- This format has been adopted by the G7 Data Protection and Privacy Authorities Roundtable on December 9th, 2025.
- This format itself can be used to share enforcement cases that have been completed and publicized in the context of “Enforcement Dialogue” among DPAs other than G7 as well since the format has versatility.
- This format is designed to provide the necessary and sufficient structure for sharing any layer of information related to enforcement cases – from highly confidential data to open-source information – according to the decisions made by the information-sharing DPA.
- Although security consideration must be addressed separately, this format can be used across different security levels adopted by the information-sharing DPA.
- Sharing enforcement cases via this format aims:
- To make it easy to compare, analyze many cases throughout different jurisdictions by standardizing items of the cases and order of them to be shared among DPAs,
- To derive trends and know-how for effective enforcement among your jurisdictions from the result of analysis,
- To grasp international trends for enforcement across different forums in future by spreading this format to multiple regions.
Help for filling this form
1. Company name
Obligation: Mandatory
Validation: This field must not be empty
Format: Free text
2. Status of the case
Obligation: Mandatory
Occurrence: Single
Validation: This field must not be empty
Format: Controlled list
Options:
- in progress
- concluded
- under appeal
3. Confidential information
Obligation: Mandatory
Occurrence: Single
Validation: This field must not be empty
Format: Controlled list
Options:
- Included
- Not included
4. Theme of the case
Obligation: Mandatory
Occurrence: Select up to three options
Validation: This field must not be empty
Format: Controlled list
Options:
- Adtech
- AI
- Big Tech
- Biometrics
- Children
- Cyber
- Dark Patterns
- Invisible Processing
- Online Tracking
- Scraping
- Surveillance
- Vulnerability
- Connected Home Devices
- Data Broker
5. Other relevant jurisdictions affected
Obligation: Optional
Occurrence: Select up to three options
Validation: None
Format: Controlled list
Options:
- Canada
- EU
- France
- Germany
- Italy
- Japan
- UK
- USA
6. Legal basis for sharing information
Obligation: Mandatory
Occurrence: Select up to three options
Validation: This field must not be empty
Format: Controlled list
Options:
- Global CAPE
- MoC/MoU
- GPEN
- 15 United States Code §46(j)(1)-(3)
- UK GDPR Art. 50
- PIPEDA Section 23.1
- GDPR Art.50
- GDPR Art.51
- French Data Protection Law Art. 29
- Italian Data Protection Code (Codice in materia di protezione dei dati personali – D.Lgs. 196/2003)
- Act on the Protection of Personal Information Art.172
7. Summary of case and enforcement
Obligation: Mandatory
Validation: This field must not be empty
Format: Free text
8. Data subject
Obligation: Mandatory
Occurrence: Select up to three options
Validation: This field must not be empty
Format: Controlled list
Options:
- Consumer
- Employee
- Child
- Student
- Patient
- Ongoing/Unknown
9. Type of relevant data
Obligation: Mandatory
Occurrence: Select all applicable options
Validation: This field must not be empty
Format: Controlled list
Options:
- Name
- Date of Birth
- Phone Number
- Address
- Email Address
- Account ID
- Password
- IP Address
- Social Security Number
- Biometrics
- Credit Card Number
- Ongoing/Unknown
- Financial Information
- Genetic Information
- Health Information
- Other Sensitive Personal Information
10. Description of the entity processing the data
Obligation: Mandatory
Validation: This field must not be empty
Format: Free text
11. Controller
Obligation: Mandatory
Occurrence: Single
Validation: This field must not be empty
Format: Controlled list
Options:
- B to B Business
- B to C Business
- IT Tech
- Employer
- School
- Academia
- Hospital
- Local Government
- Ongoing/Unknown
12. Processor
Obligation: Mandatory
Occurrence: Single
Validation: This field must not be empty
Format: Controlled list
Options:
- B to B Business
- B to C Business
- IT Tech
- Employer
- School
- Academia
- Hospital
- Local Government
- Ongoing/Unknown
13. Relevant data protection rules
Obligation: Mandatory
Occurrence: Select up all applicable options
Validation: This field must not be empty
Format: Controlled list
Options:
- Accountability
- Accuracy
- Breach Notification
- Data Minimisation
- Data Protection by Design
- Data Protection by Default
- Data Subject Rights
- Fairness
- Lawful Basis
- Purpose Limitation
- Security
- Storage Limitation
- Transfers
- Transparency
- Ongoing/Unknown
14. Enforcement measures taken or envisaged
Obligation: Mandatory
Occurrence: Select all applicable options
Validation: This field must not be empty
Format: Controlled list
Options:
- Administrative Fines
- Penalties
- Ban on Processing
- suspension of Data Flows
- Judicial Remedy
- Administrative Guidance
- Algorithmic Deletion
- Under Consideration
15. Joint or coordinated enforcement / Parallel investigation
Obligation: Optional
Occurrence: Select all applicable options
Validation: None
Format: Controlled list requiring adding free text
Options:
- Joint Investigation with
- Service Abroad of Relevant documents by
- Under Consideration
- Parallel Investigation with
16. Relevant other DPAs to consult with
Obligation: Optional
Validation: None
Format: Free text
17. Relevant URLs
Obligation: Optional
Validation: None
Format: Free text
- Date modified: