Sweden: IMY fines Bonnier News SEK 13M for processing on incorrect legal basis
On June 27, 2023, the Swedish Authority for Privacy Protection (IMY) published its Decision No. DI-2019-11737, as issued on June 26, 2023, in which it imposed a fine of SEK 13 million (approx. $1.21 million) on Bonnier News AB, for violation of the General Data Protection Regulation (GDPR).
Background to the decision
In particular, IMY highlighted that it initiated its investigation into Bonnier in June 2019, aiming to review the legal basis of consent for processing personal data. Further, IMY noted that Bonnier was dissolved by a merger on June 1, 2022, into Expressen Lifestyle AB.
Findings of the IMY
Following its investigation, IMY highlighted that Bonnier collected personal data from group-wide databases for purposes including establishing a common customer register, checking data is correct and up to date, and making personal data available to affiliate companies to market affiliate companies' own products and services. More specifically, IMY clarified that the information transferred to behavioral databases was collected by Bonnier affiliate companies through cookies placed on user terminals.
Accordingly, IMY found that Bonnier processed personal data to profile data subjects and made such profiles available to affiliate companies to show customers advertisements, and made the contact details of customers available to affiliate companies for telephone marketing and direct marketing purposes. Therefore, IMY determined that Bonnier was in violation of Article 6(1) of the GDPR.
In conclusion, IMY imposed a fine of SEK 13 million (approx. $1,21 million) for the above-mentioned violation of the GDPR.