Dagens Industri Aktiebolag – Complaint Upheld (Sweden, 2023)
Dagens Industri was found to have improperly used Google Analytics by transferring user data without consent. This matters because it emphasizes the need for businesses to obtain user permission before using tracking tools. Companies should review their cookie policies to ensure compliance with data protection laws.
What happened
Dagens Industri used Google Analytics, transferring personal data without proper consent.
Who was affected
Website visitors whose data was collected and transferred to Google were affected.
What the authority found
The Swedish DPA upheld a complaint against Dagens Industri for violating GDPR by not obtaining consent for data transfers.
Why this matters
This case serves as a reminder that businesses must be transparent and obtain consent when using tracking technologies. Companies should prioritize user privacy in their data practices.
GDPR Articles Cited
Dagens Industri Aktiebolag (the controller) used Google Analytics tool provided by Google LLC (processor) on its website. For the use of this tool, the controller transferred users’ personal data to the processor which stored it on servers in different countries, including in the US. In 2020, noyb lodged a complaint against the controller with the Austrian DPA, alleging that the transfer of personal data through the use of Google Analytics tool was in violation of the provisions of Chapter V GDPR. The complaint was transferred to the Swedish DPA in its quality of lead supervisory authority pursuant to Article 56 GDPR. Following the complaint, the DPA investigated the data transfers from the controller to the US through the use of Google Analytics. In its defense, the controller stated that according to its internal assessments, individuals were not identifiable on the basis of the transferred data. It added that the transfer was based on SCC’s concluded with Google Analytics pursuant to Article 46 GDPR and that it put in place additional safeguards. Firstly, the DPA assessed whether the data processed through Google Analytics tool constituted personal data and found that it did. Indeed, generic IP address and users’ unique identifiers collected through cookies were transmitted to Google LLC. The DPA outlined that although such unique identifiers would not make the users identifiable in themselves, they could be combined with additional elements and enable to distinguish individual visitors. Secondly, the DPA held that Dagens decided to implement the Google Analytics tool on its website for its own analytics purposes. By determining the means and purposes of the processing, Dagens qualified as the controller. Thirdly, the DPA assessed the compatibility of the transfer with Article 44 GDPR and if it was supported by a transfer basis under Chapter V GDPR. Referring to CJEU Schrems II judgment, the DPA noted that the use of SCC’s is not in itself sufficient to achiev
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Violations (1)
Third-party tracking cookies or scripts are loaded without obtaining prior user consent.
Art. 13, 14 GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Dagens Industri Aktiebolag in SE
This is the only recorded action for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
About this data
Cite as: Cookie Fines. Dagens Industri Aktiebolag - Sweden (2023). Retrieved from cookiefines.eu
Last updated: