Requires data controllers to implement appropriate measures to ensure data protection and to demonstrate compliance with GDPR.
Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.
Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.
Adherence to approved codes of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article 42 may be used as an element by which to demonstrate compliance with the obligations of the controller.
Wind Tre was fined by the Garante for not allowing customers to withdraw consent or object to marketing data processing, lacking transparency in data information, using a single button for multiple consents, using small prints, bundled consents, and conducting unlawful data collection and unauthorised marketing.
The EDPB fined Meta for the providing lack of processing contact information on children’s business accounts and using ‘public by default’-settings for child users.
The Belgian DPA issues a reprimand to a government agency for failing to provide website visitors with clear information and a means to refuse non-strictly necessary cookies.