The DPA found that the controller violated Article 13(2)(a) GDPR by failing to provide complete information about the processing of personal data acquired through the merger. Additionally, the controller violated Article 5(2), Article 24, and Article 13 GDPR by failing to provide evidence of the purposes and storage criteria for personal data processed through the blog, and because the blog lacked a privacy notice. Article 5(2) GDPR requires that personal data be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Article 24 GDPR mandates that controllers implement appropriate technical and organizational measures to ensure and demonstrate that processing is performed in accordance with the GDPR. Finally, Article 13 GDPR requires that controllers provide clear and concise information to data subjects about the processing of their personal data.