Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Sweden: IMY fines Bonnier News SEK 13M for processing on incorrect legal basis

On June 27, 2023, the Swedish Authority for Privacy Protection (IMY) published its Decision No. DI-2019-11737, as issued on June 26, 2023, in which it imposed a fine of SEK 13 million (approx. $1.21 million) on Bonnier News AB, for violation of the General Data Protection Regulation (GDPR).

Background to the decision

In particular, IMY highlighted that it initiated its investigation into Bonnier in June 2019, aiming to review the legal basis of consent for processing personal data. Further, IMY noted that Bonnier was dissolved by a merger on June 1, 2022, into Expressen Lifestyle AB.

Findings of the IMY

Following its investigation, IMY highlighted that Bonnier collected personal data from group-wide databases for purposes including establishing a common customer register, checking data is correct and up to date, and making personal data available to affiliate companies to market affiliate companies' own products and services. More specifically, IMY clarified that the information transferred to behavioral databases was collected by Bonnier affiliate companies through cookies placed on user terminals.

Accordingly, IMY found that Bonnier processed personal data to profile data subjects and made such profiles available to affiliate companies to show customers advertisements, and made the contact details of customers available to affiliate companies for telephone marketing and direct marketing purposes. Therefore, IMY determined that Bonnier was in violation of Article 6(1) of the GDPR.


In conclusion, IMY imposed a fine of SEK 13 million (approx. $1,21 million) for the above-mentioned violation of the GDPR.

You can read the press release here and the decision here, both only available in Swedish.