The DPA found that the controller violated Article 13(2)(a) GDPR by failing to provide complete information about the processing of personal data acquired through the merger. Additionally, the controller violated Article 5(2), Article 24, and Article 13 GDPR by not providing evidence of the purposes and criteria for the storage of personal data processed through the blog, and because the blog had no privacy notice. Article 5(2) GDPR requires that personal data be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Article 24 GDPR mandates that controllers implement appropriate technical and organizational measures to ensure and demonstrate that processing is performed in accordance with the GDPR. Finally, Article 13 GDPR requires that controllers provide clear and concise information to data subjects about the processing of their personal data.
Ms XX (Complainant) and Douglas Italia S.p.a.
Related deceptive patterns
Sneaking involves intentionally withholding or obscuring information that is relevant to the user (e.g. additional costs or unwanted consequences), often in order to manipulate them into taking an action they would not otherwise choose.
Forced action involves a provider offering users something they want - but requiring them to do something in return. It may be combined with other deceptive patterns like sneaking (so users don't notice it happening) or trick wording (to make the action seem more desirable than it is). Sometimes an optional action is presented as a forced action, through the use of visual interference or trick wording. In cookie consent interfaces, forced action is sometimes carried out through "bundled consent". This involves combining multiple agreements into a single action, and making it hard or impossible for a user to selectively grant consent.
The legal bases for processing personal data are performance of a contract, compliance with legal obligations, protection of vital interests, the controller's legitimate interests, and the data subject's consent.
Conditions for valid consent include that it is freely given, specific, informed, and unambiguous, and that the data subject is able to withdraw it at any time.
Ensures transparent information and easy access for individuals to their personal data processing, with the right to obtain a copy in a clear and common format.
Controllers must provide identity, contact details, processing purposes and legal basis, recipient information, retention period, and data subject rights when collecting personal data.
Requires data controllers to implement appropriate measures to ensure data protection and to demonstrate compliance with GDPR.
Mandates that data protection must be incorporated into the design of systems, and that privacy must be a default setting for all data processing activities.