Laws ›

GDPR - Article 24

Definition

Requires data controllers to implement appropriate measures to ensure data protection and to demonstrate compliance with GDPR.

Excerpt

Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.
Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller. 
Adherence to approved codes of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article 42 may be used as an element by which to demonstrate compliance with the obligations of the controller.

View full legislation ›

Related cases

Executive-committee of the Belgian DPA (GBA) v. Roularta Media Group

The Belgian DPA fined Roularta, for several violations regarding the use of cookies such as placing unnecessary cookies, placing statistical cookies without obtaining consent, using pre-ticked boxes to grant consent for cookies from partners, providing false and inadequate information in their privacy policy, and making it impossible to revoke consent.

D.A.A.A. (Complainant) v. Wind Tre SpA

Wind Tre was fined by the Garante for not allowing customers to withdraw consent or object to marketing data processing, lacking transparency in data information, using a single button for multiple consents, using small prints, bundled consents, and conducting unlawful data collection and unauthorised marketing.

Ms XX (Complainant) v. Douglas Italia S.p.a.

The Italian DPA fined Douglas for providing a single button to accept the general terms and conditions, privacy policy and cookie policy. Additionally, there was no information about data processing in its privacy policy.

Meta Platforms Ireland Limited, and Instagram Social Media Network's Investigation by DPC

The EDPB fined Meta for the providing lack of processing contact information on children’s business accounts and using ‘public by default’-settings for child users.

Belgian DPA's Investigation against Toerisme Vlaanderen

The Belgian DPA issues a reprimand to a government agency for failing to provide website visitors with clear information and a means to refuse non-strictly necessary cookies.

Related deceptive patterns

Preselection
The user is presented with a default option that has already been selected for them, in order to influence their decision-making.
Forced action
The user wants to do something, but they are required to do something else undesirable in return.
Hard to cancel
The user finds it easy to sign up or subscribe, but when they want to cancel they find it very hard.
Sneaking
The user is drawn into a transaction on false pretences, because pertinent information is hidden or delayed from being presented to them.
Trick wording
The user is misled into taking an action, due to the presentation of confusing or misleading language.
Legal enforcement database by Leiser, Santos and Doshi

The information about laws and cases on this website is brought to you by the Leiser, Santos and Doshi enforcement database.

About us