Coop Sverige AB – Complaint Upheld (Sweden, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Coop Sverige AB was found to have used Google Analytics to transfer personal data to the US without getting proper consent from users. This is important because it shows that companies must be careful about how they handle user data and ensure they comply with consent requirements. Website operators should take note of this ruling to avoid similar issues.
What happened
Coop Sverige AB transferred users' personal data to the US through Google Analytics without obtaining consent.
Who was affected
Visitors to Coop's website whose personal data was collected and sent to Google in the US via tracking cookies.
What the authority found
The authority determined that Coop Sverige AB violated GDPR rules by failing to secure proper consent for transferring personal data to the US.
Why this matters
This case highlights the need for companies to ensure they have valid consent when using analytics tools that involve data transfers. It sets a precedent for stricter scrutiny of data handling practices.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
[https://www.coop.se/ Coop Sverige AB] (the controller) used Google Analytics tool provided by Google LLC (processor) on its website. For the use of this tool, the controller transferred users’ personal data to the processor, in the US. In 2020, noyb lodged a complaint against the controller with the Austrian DPA, alleging that the transfer of personal data through the use of Google Analytics tool was in violation of the provisions of Chapter V GDPR. The complaint was transferred to the Swedish DPA in its quality of lead supervisory authority pursuant to Article 56 GDPR. Following the complaint, the DPA investigated the data transfers from the controller to the US through the use of Google Analytics. In its defense, the controller explained that the transfer was based on SCC’s concluded with Google Analytics pursuant to Article 46 GDPR and that it put in place additional safeguards. Firstly, the DPA assessed whether the data processed through Google Analytics tool constituted personal data and found that it did. Indeed, generic IP address and users’ unique identifiers collected through cookies were transmitted to Google LLC. The DPA outlined that although such unique identifiers would not make the users identifiable in themselves, they could be combined with additional elements and enable to distinguish individual visitors. Secondly, the DPA held that Coop decided to implement the Google Analytics tool on its website for its own analytics purposes. By determining the means and purposes of the processing, Coop qualified as the controller. Thirdly, the DPA assessed the compatibility of the transfer with Article 44 GDPR and if it was supported by a transfer basis under Chapter V GDPR. Referring to CJEU Schrems II judgment, the DPA noted that the use of SCC’s is not in itself sufficient to achieve an acceptable level of protection in the context of data transfers to the US and that an analysis of the national provisions must be carried out. Under national US law,
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Violations (1)
Third-party tracking cookies or scripts are loaded without obtaining prior user consent.
Art. 13, 14 GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Coop Sverige AB in SE
This is the only recorded action for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
About this data
Cite as: Cookie Fines. Coop Sverige AB - Sweden (2023). Retrieved from cookiefines.eu
Last updated: