Expressen Lifestyle AB – Violation Found (Sweden, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Expressen Lifestyle AB was investigated for not getting proper consent for processing personal data. They had an outdated subscription form that still asked for consent instead of clearly stating the legal basis for data processing. This case highlights the importance of keeping consent forms updated to comply with data protection rules.
What happened
Expressen Lifestyle AB failed to update their subscription form to reflect the correct legal basis for processing personal data.
Who was affected
Visitors who subscribed to Expressen Lifestyle AB's magazine through their webshop were affected.
What the authority found
The Swedish authority found that Expressen Lifestyle AB did not provide clear information about the legal basis for processing personal data, violating GDPR requirements.
Why this matters
This case shows that companies must regularly review and update their consent forms and privacy policies. Website operators should ensure their data collection practices are transparent and compliant with data protection rules.
GDPR Articles Cited
The Swedish DPA ("IMY") initiated an investigation against Expressen Lifestyle AB ("the controller") in 2019 to check whether consent was obtained in compliance with Article 6(1) GDPR. Following the implementation of the GDPR in 2018, the controller reassessed its legal basis for processing personal data and started relying mainly on contractual necessity under Article 6(1)(b) GDPR or legitimate interest under Article 6(1)(f) GDPR, instead of consent, when data subjects subscribed to the controller's magazine.
However, the controller accidentally missed updating the registration form of one of the company's webshops, Magasinshoppen. The webshop had a checkbox on its webpage along with the text "I accept the subscription terms. By doing so, I consent to the processing of personal data within the Bonnier Group." The controller also did not update the subscription terms, which stated: "When ordering, you agree that your personal data, including email address, mobile phone number for calls and text messages and any other digital addresses, may be stored and used within Bonnier for digital services, marketing, and for statistical and analytical purposes." Furthermore, information was provided on the right to withdraw consent.
After the DPA's inspection began, the controller took immediate action to correct the information provided in its webshop's registration process. Now, instead of being presented with either a consent request or consent information text, the data subject is asked to agree to the subscription terms (i.e. the terms of purchase) and to confirm having read the controller's data protection policy.
When collecting personal data from a data subject, the controller is obliged under Article 13(1)(c) GDPR to provide information regarding the legal bases of the processing. Article 12(1) GDPR requires the controller to take steps to provide this information to the data subject in a concise, clear, intelligible and easily accessible form, using clear and plain languag
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Related Enforcement Actions (0)
No other enforcement actions found for Expressen Lifestyle AB in SE
This is the only recorded action for this entity in this jurisdiction.
Cite as: Cookie Fines. Expressen Lifestyle AB - Sweden (2023). Retrieved from cookiefines.eu