Deceptive Patterns
‹ All laws EU & UK

GDPR - Article 24

Jurisdiction
EU & UK
Law category
GDPR (EU)
Date
14 May 2018

Requires data controllers to implement appropriate measures to ensure data protection and to demonstrate compliance with GDPR.

Excerpt from regulation

Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.

Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller. 

Adherence to approved codes of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article 42 may be used as an element by which to demonstrate compliance with the obligations of the controller.

View full legislation

Related deceptive patterns

PreselectionThe user is presented with a default option that has already been selected for them, in order to influence their decision-making. Forced actionThe user wants to do something, but they are required to do something else undesirable in return.Hard to cancelThe user finds it easy to sign up or subscribe, but when they want to cancel they find it very hard. SneakingThe user is drawn into a transaction on false pretences, because pertinent information is hidden or delayed from being presented to them. Trick wordingThe user is misled into taking an action, due to the presentation of confusing or misleading language.

Related enforcement

Belgian DPA (APD/GBA) 2
Belgian DPA's Investigation against Toerisme VlaanderenReprimand issuedExecutive-committee of the Belgian DPA (GBA) v. Roularta Media Group€50.000 in fines
Italian DPA (GPDP) 2
D.A.A.A. (Complainant) v. Wind Tre SpA€ 16,729,600 in finesMs XX (Complainant) v. Douglas Italia S.p.a.€1,400,000 in fines
Meta Platforms Ireland Limited, and Instagram Social Media Network's Investigation by DPC€405,000,000 in fines