Ms XX (Complainant) v. Douglas Italia S.p.a.

€1,400,000 in fines

Excerpt

The Italian DPA fined Douglas for providing a single button to accept the general terms and conditions, privacy policy and cookie policy. Additionally, there was no information about data processing in its privacy policy.

Our analysis

The DPA launched an investigation into the controller's data collection practices, focused on its app and privacy policy. During the investigation, the DPA tested the controller's app and found several deceptive patterns in the registration process. The user was presented with a single button to accept multiple policies: the general terms and conditions, the privacy policy and the cookie policy were bundled into one choice, so the user could not consent to them separately.
Furthermore, when creating an account on the app, the user was asked to provide an email address and date of birth, but the information given to customers about the purposes of processing and the legal basis was incomplete and inadequate. The deceptive pattern of hidden information appears here: the privacy policy informed interested parties that their data would be processed for a variety of purposes on the basis of consent, but gave no information on how data collected separately by the three companies was processed after the merger.
The DPA found that the controller violated Article 13(2)(a) GDPR by failing to provide complete information about the processing of personal data acquired through the merger. Additionally, the controller violated Article 5(2), Article 24, and Article 13 GDPR by not providing evidence of the purposes and criteria for the storage of personal data processed through the blog and for the blog's lack of privacy notice. Article 5(2) GDPR requires that personal data be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Article 24 GDPR mandates that controllers implement appropriate technical and organizational measures to ensure and demonstrate that processing is performed in accordance with the GDPR. Finally, Article 13 GDPR requires that controllers provide clear and concise information to data subjects about the processing of their personal data.

Outcome

The controller faced corrective measures from the DPA under Article 58(2) GDPR to align its processing activities with GDPR regulations. The measures included revising the privacy and cookie policy, disposing of personal data older than 10 years (excluding ongoing disputes), and deleting or making anonymous recently collected personal data. The controller was also required to implement organizational and technical measures to ensure the proper handling of customer data in line with principles of purpose, storage limitation, and data minimization. In addition to these measures, the DPA imposed a fine of €1,400,000 on the controller for breaching multiple GDPR provisions.

Parties

Ms XX (Complainant) and Douglas Italia S.p.a.

Case number

9825667

Legal enforcement database by Leiser, Santos and Doshi

The information about laws and cases on this website is brought to you by the Leiser, Santos and Doshi enforcement database.