IMY (Sweden) - DI-2019-11737: Difference between revisions

Latest revision as of 08:44, 20 February 2025

IMY - DI-2019-11737

Authority:	IMY (Sweden)
Jurisdiction:	Sweden
Relevant Law:	Article 4(1) GDPR Article 4(2) GDPR Article 4(4) GDPR Article 4(7) GDPR Article 6 GDPR Article 6(1) GDPR Article 6(1)(f) GDPR
Type:	Investigation
Outcome:	Violation Found
Started:	07.11.2019
Decided:	26.06.2023
Published:	06.02.2025
Fine:	13000000 SEK
Parties:	Bonnier News AB
National Case Number/Name:	DI-2019-11737
European Case Law Identifier:	n/a
Appeal:	Unknown
Original Language(s):	Swedish
Original Source:	IMY (in SV)
Initial Contributor:	n/a

The DPA fined a media company SEK 13,000,000 for unlawfully profiling its users in order to target them with behavioral advertising on its website, thus violating Article 6(1) GDPR.

English Summary

Facts

Bonnier News AB (now Expressen Lifestyle), the controller, is a media company in Sweden. The Bonnier group processed their customers' data for, among other reasons, marketing purposes. They compiled profiles on their users and made these available to affiliated companies who then provided targeted advertisements for their own products and services through direct mail and telemarketing. They relied on legitimate interests under Article 6(1)(f) GDPR to do so.

At the time of the investigation,which followed a complaint from a data subject, there were 15 such affiliated companies, with the personal data being collected from users and website visitors being stored in two group-wide data bases from which it was then shared with the affiliate companies. One of these databases was a “behavioral data base”.

The personal data recorded in this database, by means of a cookie identifier, included the URL that the user visited, as well as its category and content type, information on the user’s device and their IP address, behavioral data in terms of time spent and the time the page was viewed and also whether the user logged into the website. In some instances, this data could be linked with the user’s data in the customer data base, resulting in a full behavior profile including the user’s age, gender, their car ownership and some variable based on the users’ residential area, such as their life phase, housing type and purchasing power.

During the course of the investigation, the controller argued that they are not joint controllers in respect of the personal data, and that after the affiliated companies access the data provided in the databases, that they alone are responsible for the legality of that processing.

The controller further argued that while the personal data in the customer database was personal data, the data in the behavioral database was comprised of anonymous data and as such was not personal data under Article 4(1) GDPR.

The controller stated that they rely on legitimate interest as a lawful basis for the profiling of their customers and users to provide personalised advertisements. The controller identified the legitimate interest as being the need to ensure relevant content and advertisements for their customers so that they can offer competitive services and have attractive advertising spaces. The controller also submitted that this interest outweighed the interest of their customers in the protection of their personal data. The controller claimed that such was the case as the customers could object to the profiling, that the customers already have a direct relationship with one (or more) of the affiliates, either from having purchased from their websites or having visited their website, that the processing was unlikely to adversely affect the data subject’s interests as their interaction with the affiliates was voluntary and, finally, that the processing is consistent with the reasonable expectations of the data subjects.

Holding

The IMY (Swedish DPA), after highlighting the fact that Bonnier set up the framework for the accessing of the personal data by the affiliate countries, held that Bonnier News AB was a joint controller in respect of the processing activities. This included the initial collection of the data, the storage of that data in the databases, the profiling of the data subjects and the use of the data for the purposes of customised advertisements and direct marketing.

The IMY further reasoned that as the behavioral data base distinguished users based on cookie identifiers, and the users can be individually identified from them, the behavioral data base constituted personal data.

The IMY then considered the validity of the controller’s reliance on legitimate interest as a lawful basis for the profiling of user data. It was found that the interest being pursued was legitimate, and the processing in question necessary for the pursuit of the interest.

The IMY then turned to assess the balancing of interests. In respect of the making available of completed behavior profiles, it was noted that the overall benefit of the processing was for the controller to generate revenue from advertisements. The IMY disagreed with the controller’s assertion that the processing would be consistent with the reasonable expectations of the data subject, finding that the profiling was extensive in nature and not something which could be reasonably expected without consenting. The IMY thus found that the privacy interests of the data subjects outweighed the interest being pursued by the controller and as such, the controller infringed Article 6(1) GDPR.

With respect to the processing of simple behavioral profiles, allowing for the mapping of individuals through observation and the use of cookies, the IMY again held that the data subject’s interest in privacy outweighs the interests of the controller. The IMY reasoned that the monitoring of data subject behavior to provide targeted advertisements could give the data subject’s the feeling that they are being monitored.

The IMY thus found that the controller had processed personal data for profiling based on behavioral data for the purposes of enabling targeted advertisements without a lawful basis, infringing Article 6(1) GDPR.

The IMY issued a fine of SEK 13,000,000 (€1,157,483.21).

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.

1(29)

Bonnier News AB
105 15 Stockholm

Registration number: Decision after supervision according to
DI-2019-11737

Data Protection Regulation – Bonnier

Date: News AB
2023-06-26

Contents

1. The Swedish Data Protection Authority's decision........................................................................3

2. Statement of the supervision case..................................................................................3

2.1 Description of the group-wide personal data processing..........................................................4

2.1.1 Description of the processing of personal data contained in

the behavior database..................................................................................5

2.1.2 Description of the processing of personal data stored

in the KDB..................................................................................................................6

3. Justification of the decision..................................................................................................8

3.1 IMY's competence..................................................................................................8

3.1.1 Current circumstances.................................................................................8

3.1.2 Applicable provisions etc. ......................................................8

3.1.3 IMY's assessment ................................................................................9

3.2 Bonnier News AB's personal data responsibility..................................................9

3.2.1 Current circumstances and Bonnier News AB's position.........9

3.2.2 Applicable provisions etc. ......................................................9

3.2.3 IMY's assessment ...........................................................................10

3.3 Which data constitutes personal data?..................................................................10

3.3.1 Current circumstances and Bonnier News AB's position...........10

Postal address: 3.3.2 Applicable provisions and other general starting points...10
Box 8114
104 20 Stockholm 3.3.3 IMY's assessment........................................................................12

3.4 The processing constitutes profiling..................................................................13
Website:
www.imy.se 3.4.1 Applicable provisions..................................................................13
E-mail:
imy@imy.se 3.4.2 IMY's assessment..................................................................................13

Telephone:
08-657 61 00 2

3.5 Legal basis for processing for the purpose of displaying customized advertisements based on
data in behavioral database ................................................................................13

3.5.1 Current circumstances and Bonnier News AB's position...........13

3.5.2 Applicable provisions, etc. ...................................................15

3.5.3 Basis for IMY's assessment.................................................17

3.5.4 Legitimate interest ................................................................................19

3.5.5 Is the processing necessary for the legitimate interest?................................19

3.5.6 The balance of interests for the processing of personal data in

supplemented behavioral profiles ..............................................................19

3.5.7 The balance of interests for the processing of personal data in simple

behavioral profiles ..............................................................................21

3.6 Legal basis for processing for the purpose of making contact details available for

telephone sales and direct mail marketing..................................................21

3.6.1 Applicable provisions, etc. .....................................................21

3.6.2 Current circumstances and Bonnier News AB's position...........22

3.6.3 IMY's assessment................................................................................24

3.6.4 Is Bonnier News AB's interest in profiling individuals for the purpose of
making data available to affiliated companies for use in
telephone sales and direct mail marketing justified?................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................ and other general starting points....26

3.7.2 Same or connected data processing................................................26

3.7.3 Penalty fee................................................................................................26

Appendix ......................................................................................................28

Copy to................................................................................................................28

4. How to appeal ................................................................................................29 3

1. Decision of the Data Protection Authority

The Data Protection Authority finds that Bonnier News AB (559080-0917) during the

period from 7 November 2019 to 11 June 2020 has processed personal data
without having a legal basis for it according to Article 6(1) of the Data Protection Regulation by

a) processing personal data for the purpose of profiling the data subjects based on
their behavioural data in so-called supplemented behavioural profiles and

making the profiles available to affiliated companies for the purpose of displaying customised
advertisements,
b) processing personal data for the purpose of profile the data subjects based on

their behavioral data in so-called simple behavioral profiles and make the profiles available to affiliated companies for the purpose of displaying customized advertisements,
c) to process personal data by profiling the data subjects based on

their supplemented customer database profiles for the purpose of making

contact details available to affiliated companies for telephone sales and postal

marketing.

The Swedish Data Protection Authority decides, based on Articles 58(2) and 83 of

the Data Protection Regulation, that Bonnier News AB shall pay an administrative
sanction fee of SEK 13,000,000 (thirteen million).

2. Statement of the supervisory case

The Swedish Data Protection Authority (IMY) has, in a supervision of the former Bonnier Magazine and

Brands AB, now Expressen Lifestyle (ref. DI-2019-6523), noted that
Bonnier News AB, together with other companies within the Bonnier Group, processes

personal data for, among other things, marketing purposes based on the legal basis

legitimate interest according to Article 6(1)(f) of the Data Protection Regulation. IMY has initiated supervision of
Bonnier News AB with the aim of investigating whether Bonnier News AB complies
with the requirements of the Data Protection Regulation for the processing of personal data for
marketing purposes.

Within the framework of this supervision, Bonnier News AB has been asked to comment on seven complaints
submitted to IMY regarding various marketing measures taken by companies within the
Bonnier Group. Bonnier News AB has commented on the complaints and it has then emerged
that the marketing measures taken have not been caused by withdrawals from
the group-wide databases nor have they occurred under Bonnier News AB's
personal data responsibility. Against this background, IMY does not find any reason to investigate these complaints further within the framework of
this case.

Within the framework of the supervision, IMY has examined whether Bonnier News AB has a legal basis
according to Article 6 of the Data Protection Regulation for the processing of personal data that takes place in

the group-wide databases for marketing purposes. The supervision
covers the processing of personal data that takes place by creating profiles and

making such data available for use by affiliated companies to
display customized advertisements. It also covers the processing of personal data,

1Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to
the processing of personal data and on the free movement of such data, and repealing
Directive 95/46/EC (General Data Protection Regulation).
2DI-2018-22602, DI-2019-10121, DI-2019-10513, DI-2019-11057, DI-2019-7484, DI-2019-8104 and DI-2019-9556 4

creation of profiles and making data available to affiliated companies for the purpose of
using them for telephone sales and direct mail marketing.
IMY has not taken a position on whether Bonnier News AB's personal data processing is otherwise in compliance with the Data Protection Regulation.

The supervisory case began with an inspection on 7 November 2019. In connection with IMY sending the inspection report to Bonnier News AB, IMY asked the company additional questions on 20 December 2019. Bonnier submitted comments on the inspection report and submitted responses to IMY's questions on 14 February 2020. On 15 May 2020, IMY asked further additional questions to Bonnier News AB, to which the company submitted responses on 11 June 2020. Due to Bonnier News AB having updated its personal data policy, the company submitted additional information on 21 July 2020. Bonnier News AB has commented on IMY's draft decision on 13 April 2023. Since the case concerns cross-border processing, IMY has used the mechanisms for cooperation and consistency contained in Article 56 and Chapter VII of the

Data Protection Regulation. The supervisory authorities concerned have been the authorities in
Denmark, Estonia, Finland, Norway and Germany.

2.1 Description of the group-wide
personal data processing

The following has emerged during the inspection and subsequent correspondence. Within
the Bonnier Group, there is a collaboration between Bonnier News AB and a number of affiliated
companies that are part of the group (the affiliated companies). Which companies are affiliated

changes over time. At the time of the inspection, there were 15 affiliated companies, which
drew to 8 during the spring of 2020. The processing of personal data that takes place within
the framework of the collaboration is limited to the affiliated companies' customers on the
Swedish market. The affiliated companies collect personal data from their customers

and people who visit the companies' websites. The collected data is transferred
to two group-wide databases, a customer database (KDB) and a behavior database (the behavior database). In these databases, profiles of individuals are created. The profiles are also linked to information obtained from Bisnode Sverige AB.

Bonnier News AB has stated that it stores collected data in the
group-wide databases for the following purposes:

• To establish a common customer register for affiliated companies with good
data quality, which includes compiling customer and

user data and checking that the data is correct,
updated and appropriate

• To offer the affiliated companies' customers an easy way to exercise their

rights and an opportunity to ask questions about personal data to the
joint customer service

• To make personal data available to affiliated companies for the purpose of:

• Using the contact information of other affiliated companies in order to
market the affiliated companies' own products and services

through direct mail marketing and telephone sales. 5

• Displaying customized content and customized advertisements in the affiliated
companies' digital services, based on the customers' and users'

customer profiles and behavior on the affiliated companies' websites.
• Perform analysis of customer data in order to use the customer insight obtained

to conduct customer communication, marketing of its own products,
services and service.

• Perform analysis of customer data in order to improve and develop existing
services and products.

The personal data processing that takes place for the purpose of adapting affiliated companies'
advertisements is based on data saved in the behavioral database. The

personal data processing that takes place to disclose personal data to affiliated companies
for use in telephone sales and direct mail marketing is based on data in the KDB.

2.1.1 Description of the processing of personal data contained in

the behavioral database
The investigation into the case reveals the following.

The data contained in the behavioral database is processed for the purpose of displaying customized
content and customized advertisements in the affiliated companies' digital services.

When an individual visits an affiliated company's website, the affiliated company collects information about the individual's surfing behavior. This is done by

the affiliated company having placed a script on its website that requests to save a
text file (cookie) on the visitor's computer, tablet or mobile phone. The information in the
cookie can be used to track the user's surfing on the website. The

information (behavioral data) that is collected when the individual surfs and then transferred to the
behavioral database and added to the individual's profile is:

• Information about the URL (web address) of the page visited, its category and a
content tag.

• Information about the user's device type on which the page was viewed,
the browser type and the part of the user's IP address that refers to the country,
• Information about behavior in the form of time spent and time of

the page view,
• Information about a unique randomly generated cookie value (hereinafter

referred to as the cookie identifier),
• Information about whether the page was viewed in logged-in mode.

Bonnier News AB discards the cookie identifier after 30 days and from day

31 the generated behavioral data is no longer used to adapt advertisements to individuals.

Data in the behavioral database and in the KDB can in some cases be linked together.

3A content tag is a description of the content that has been consumed in the participating companies' services. Bonnier
News AB collects two types of tags, predefined according to the IAB (The Interactive Advertising Bureau) standard and
tags produced by the affiliated companies' editorial departments. 6

When the data in the behavioral database cannot be linked with data in the KDB
the data subject's behavioral profile consists only of the data specified above, a
profile that in this decision will be referred to as a simple behavioral profile.

In cases where data in the behavioral database and data in the KDB can be linked together in the behavioral database, data from the KDB on purchase history, gender, age, household additional ownership and postal code, as well as statistical variables based on the individual's residential area such as life stage, purchasing power and housing type are added to the behavioral database. These profiles will hereinafter be referred to in this decision as supplemented behavioral profiles. The data is made available to affiliated companies through a search tool linked to the behavioral database, where the affiliated company can order a segment of customer data based on its chosen variables. An administrator checks whether the order meets certain criteria determined within the collaboration. If so, the affiliated company is given access to a code that makes it possible to target advertisements to users who are included in the segment. The affiliated companies can only retrieve data from the behavioral database based on behavioral data collected from the company's own digital services. This applies regardless of whether it is a simple or supplemented behavioral profile. However, the supplemented behavioral profile may also contain purchase history from other affiliated companies. In the KDB, data is filtered after two years, which is why data older than that cannot be linked to the behavioral database or disclosed to affiliated companies. 2.1.2 Description of the processing of personal data stored in the KDB The investigation into the case reveals the following. The data about individuals in the KDB is processed for the purpose of being used for affiliated companies' marketing of their own products and services through direct mail and telephone sales. When an individual makes a purchase or signs up for a subscription, the affiliated company that has a contractual relationship with the customer collects data from them. Some of this data is transferred to the KDB. In the KDB, information is linked to a profile. In the KDB, the customer profile is assigned a KDB ID. If the affiliated company's customer is already

registered in KDB, the existing customer profile is updated/supplemented with the new

engagement. Otherwise, a new customer profile is created with a new KDB ID. The information

stored in KDB and collected from the customer's contact with the affiliated

company is name, address, telephone number, personal identification number, email address and information

linked to the customer's purchase, such as product category, brand, type of

packaging (whether it is a digital or traditional product and whether it is a free or

paid product). The KDB also records whether the customer has objected to the use of information in

KDB for marketing purposes and information whether the customer has registered in the so-called

NIX register. There are restrictions for the following categories of information:

• Information about email addresses is not disclosed to affiliated companies in the case of

telephone sales and direct mail marketing.

• Personal identification number information is only used to check whether the customer has

registered to oppose marketing in the NIX register (NIX blocking) and

to check that the customer is not deceased.

• Personal identification number information is not made available to the affiliated companies. 7

In addition to the information collected by the affiliated companies, Bonnier News

AB collects information from Bisnode Sverige AB for the purpose of checking and supplementing

individuals' contact information, and to provide statistical data such as life stage, purchasing power

and housing. Furthermore, information on car ownership and on deceased persons is collected

as well as information on a so-called GEDI-id (which is a unique identifier in the form of a

pseudonymized ID).

Information in the KDB and the behavioral database can in some cases also be linked in the KDB.
The profile then constitutes what in this decision will be referred to below as a supplemented
customer database profile. This is done by a customer of an affiliated company visiting

the company's website and logging into their account with the company. The behavioral data that has been
collected about the customer and that is linked to a cookie identifier can then, under certain conditions, be linked with the customer's KDB ID. In cases where the customer's KDB ID and the cookie value can be linked, the KDB profile is supplemented with
information collected over the past 30 days from the behavioral database. The information
that is retrieved is information about which websites the customer has visited, which section

of the website the customer has visited (so-called content tags), and which device type
the customer has surfed from. Bonnier News AB has limited the type of content tags that companies other than the one whose website the individual surfed can base their profiling on
4
for the purposes of telephone sales and direct mail marketing.

When a person ceases to be a customer of an affiliated company, KDB is notified that

the customer's engagement has ceased and the customer is flagged as a passive customer. The customer's data is then deleted

in KDB after two years. Data obtained from the behavioral database

is filtered after 30 days. Any NIX blocking is always activated when

contact data in KDB is made available to customers of other affiliated companies and contact data to own customers when these have been passive for 12 months.

Data is made available to affiliated companies upon request through an application in KDB.

A selection file is created in KDB based on the criteria specified by the affiliated company. Within the framework of

the collaboration, something called purpose-adapted schedules are applied. These regulate what information is disclosed from KDB. When disclosed, only the data points defined as necessary for the marketing channel specified at the time of disclosure are disclosed, i.e., for example, telephone numbers in a telephone sales campaign and addresses in postal direct marketing. The data points on which the segmentation is based are not disclosed. The data is made available through an interface in KDB to the affiliated company.

The data subject has the option of requesting deletion from KDB. The data subject also has the right to object to the use of the data for telephone sales and postal direct marketing.

Bonnier News AB has stated that all affiliated companies are majority-owned by Bonnier Group AB and subject to the Bonnier Group's framework for personal data processing

and that only a small portion of the profiles in question have been able to be linked to data in the behavioral database.

4Only tags categorized with the IAB taxonomy are collected. 8

3. Justification of the decision

3.1 IMY's authority

3.1.1 Current circumstances
Some of the personal data processed within the group-wide

cooperation has been collected by affiliated companies placing a cookie on the
visitor's computer, tablet or mobile phone. Bonnier News AB has stated that

the collection is done through affiliated companies' websites. The affiliated companies then transfer
this information to the behavioral database and in some cases the information is also linked
with profile information in KDB. Bonnier News AB has stated that the obligations that followed from the provisions of the Electronic Communications Act (2003:389) and now follow from the Electronic Communications Act (2022:482) (LEK), affect affiliated companies and not Bonnier News AB since it is the companies that are responsible for the actual collection of the data.

3.1.2 Applicable provisions, etc.

It follows from Article 95 of the Data Protection Regulation that the Data Protection Regulation shall not entail any additional obligations for natural or legal persons who process personal data, for areas that are already covered by obligations in accordance with the so-called eData Protection Directive. The eData Protection Directive has been implemented in Swedish law through the LEK, which, among other things, regulates the collection of data through cookies.

According to Chapter 9 Section 28 of the LEK states that data may be stored in or retrieved from a subscriber's or user's terminal equipment only if the subscriber or user is given access to information about the purpose of the processing and consents to it. It is further stated that this does not prevent such storage or access that is necessary to transmit an electronic message via an electronic communications network or that is necessary to provide a service that the user or subscriber has expressly requested. Before 1 August 2022, when the LEK came into force, the corresponding requirements were set in accordance with Chapter 6, Section 18 of the Electronic Communications Act (2003:389). The Swedish Post and Telecom Agency (PTS) is the supervisory authority under the LEK (Chapter 1, Section 5 of the Electronic Communications Ordinance [2022:511]). The EDPB has issued an opinion on the interaction between the ePrivacy Directive and the 6th General Data Protection Regulation. The opinion states, among other things: that the national supervisory authority designated under the ePrivacy Directive is solely competent to monitor compliance with the Directive. However, the supervisory authority under the Data Protection Regulation is the competent supervisory authority for processing not specifically regulated in the ePrivacy Directive. If only part of the processing falls under the ePrivacy Directive, this does not limit the competence of the data protection authority to examine other parts of the processing under the Data Protection Regulation. 7

This means, among other things, that the supervisory authority under the Data Protection Regulation is competent to assess the lawfulness of the processing of personal data that takes place after the data has been retrieved from the individual's terminal equipment, such as the storage of retrieved

5Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).
6Opinion 5/2019 on the interaction between the Directive on privacy and electronic communications and the General Data Protection Regulation, in particular as regards the competence, tasks and powers of data protection authorities,
adopted on 12 March 2019
7See paragraphs 68 and 69 of the Opinion. 9

data and analysis of such data for the purposes of behavioural advertising
8
online.

3.1.3 IMY's assessment

The data added to the behavioural database has been collected by the affiliated companies
through cookies. The personal data processing examined in this supervisory case

is Bonnier News AB's subsequent processing of personal data in the behavioural database. That processing is not covered by the regulation in LEK or the
previously applicable regulation in the Act on (2003:389) on electronic communications.

This means that the regulations in the Data Protection Regulation apply to the processing and that IMY is the competent supervisory authority.

3.2 Bonnier News AB's personal data responsibility

3.2.1 Current circumstances and Bonnier News AB's position

It is Bonnier News AB's opinion that Bonnier News AB and the respective affiliated
company have a joint personal data responsibility for the processing that takes place in the KDB

and the behavioral database for the purposes stated above as common.

Furthermore, Bonnier News AB has stated that Bonnier News AB and affiliated companies have a
common view of purposes and means and that Bonnier News AB has entered into a so-called Joint

Data Controller Agreement with the affiliated companies in accordance with Article 26(2) of the
GDPR.

Bonnier News AB has stated that each affiliated company has its own independent

("local") personal data responsibility for its own collection of data. Bonnier News AB has further stated that it does not have a joint controller for the processing of personal data carried out after the data has been disclosed to affiliated companies from the joint databases. It is the affiliated company that has retrieved the data that is the controller for the processing carried out by this company after the retrieval.

3.2.2 Applicable provisions, etc.
According to Article 4(7) of the Data Protection Regulation, the controller is the person who alone or jointly with others determines the purposes and means of the processing of personal data. The fact that purposes and means can be determined by more than one actor means that several actors can be controllers for the same processing.

According to Article 4(2) of the Data Protection Regulation, processing is an action or combination of actions concerning personal data or sets of personal data.

In the Fashion-ID case, the CJEU held that a website operator who uses social network plug-ins on its website may become a joint controller with the social network. This applies to the collection and disclosure by transmission of personal data of website visitors that takes place using the social network plug-in. The CJEU also stated that each party is only responsible for those parts of the processing chain for which it actually determined the purposes and means. 8 See paragraph 75 of the Opinion. 9 See judgment in Fashion-ID, C-40/17, EU:C:2019:629, paragraphs 64-85 10 In the Wirtschaftsakademie case, the CJEU stated that joint responsibility for processing does not necessarily mean that the different actors involved in the processing of personal data have the same responsibility. On the contrary, these actors may be involved at different stages of the processing of personal data to varying degrees, and the level of responsibility of each must be assessed taking into account all the relevant circumstances of the individual case.

3.2.3 IMY's assessment

Bonnier News AB provides two databases, the KDB and the behavioral database, where
information from affiliated companies is combined into profiles of individuals. Under the
conditions determined by Bonnier News AB and the companies, the information is

made available to Bonnier News AB and the respective affiliated company.

IMY notes that, in addition to making the databases available to the affiliated companies,

Bonnier News AB has, together with the companies, set up the framework for the processing in
various ways.

IMY therefore assesses that Bonnier News AB is jointly
controller of personal data with the affiliated companies for the part of the
personal data processing that takes place for the common purposes of
making personal data, through profiling of individuals' data, available to affiliated companies to display customized advertisements and for use in telephone sales and
direct mail marketing. This includes the collection of data for the databases, the storage in the databases and the profiling, the collection of additional data from Bisnode Sverige AB, the connection between the behavioral database and KDB, and the transfer of data between the databases. Furthermore, Bonnier News AB is jointly responsible for personal data with the affiliated companies for the actions taken prior to and in the event of disclosure to an affiliated company. 3.3 What data constitutes personal data? 3.3.1 Current circumstances and Bonnier News AB's position The section "Description of the group-wide personal data processing" states that a large amount of data collected from individuals is processed in the KDB and the joint behavioral database. Bonnier News AB believes that what is referred to in this decision as a supplemented behavioral profile constitutes personal data. However, data in the behavioral database - which cannot be linked with data in the KDB - constitutes anonymous behavioral data according to Bonnier News AB. This is because they cannot be linked to a person either via KDB-ID, customer ID, IP address or any other identifier for a person. Bonnier News AB therefore believes that the behavioral profiles referred to in this decision as simple behavioral profiles do not constitute personal data. According to Bonnier News AB, the segmentation made on these simple profiles is only based on the affiliated company's own collected information in the behavioral database (a company can, for example, choose to adapt sports-related content and advertisements to the information registered via a cookie over the last 30 days). 3.3.2 Applicable provisions and other general starting points According to Article 4(1) of the General Data Protection Regulation, personal data is any information relating to an identified or identifiable natural person (i.e. the data subject). The same provision states that an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or online identifiers or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. According to recital 26 of the GDPR, the principles of data protection should apply to any information relating to an identified or identifiable natural person. Personal data which have been pseudonymised and which could be attributed to a natural person by the use of supplementary information should be considered as data relating to an identifiable natural person. In order to determine whether a natural person is identifiable, account should be taken of all the means, such as screening, which, either by the controller or by another person, can reasonably be used to directly or indirectly identify the natural person. In order to determine whether means can reasonably be used to identify the natural person, all objective factors, such as the cost and time required for identification, should be taken into account, taking into account both the technology available at the time of the processing and the state of the art. According to recital 26, the principles of data protection should not apply to anonymous information which does not relate to an identified or identifiable natural person, or to personal data which has been rendered anonymous in such a way that the data subject is no longer identifiable. The Regulation therefore does not concern the processing of such anonymous information, which includes information for statistical or research purposes. According to recital 30 of the Data Protection Regulation, natural persons may be linked to online identifiers provided by their equipment, applications, tools and protocols, e.g. IP addresses, cookies or other identifiers, such as radio frequency tags. This may leave traces which, in particular in combination with unique identifiers and other data received by the servers, can be used to create profiles of natural persons and identify them. 11 An opinion of the Article 29 Working Party, which contains an analysis of the concept of personal data, states that a natural person in a group is considered to be “identified” when he or she can be “distinguished” from other individuals in some way. The European Data Protection Board (EDPB), in its guidelines on targeted advertising in social media, has stated that even individuals who use a social media service without having created an account or profile with the social media service may constitute data subjects within the meaning of Article 4(1) of the GDPR if the person is directly or indirectly identified or identifiable. The EDPB has referred to the concept of “thinning” in recital 26 of the GDPR and to the above-mentioned opinion of the Article 29 Working Party.

The Article 29 Working Party’s opinion on online behavioural advertising further elaborates on what it means to be identifiable:

The Article 29 Working Party notes that behavioural advertising often leads to the processing of personal data. Behavioural advertising typically involves the collection of IP addresses and the processing of unique identifiers (through the cookie). The use of such functions with a unique identifier makes it

11The so-called Article 29 Working Party was an advisory and independent working party consisting of representatives of the supervisory authorities in the EU and the EEA. , The working party was tasked with contributing to the uniform application of the Data Protection Directive through, among other things, recommendations. On 25 May 2018, the working party was replaced by the European Data Protection Board, the EDPB.
12See WP 136. Article 29 Working Party Opinion 4/2007 on the concept of personal data, adopted on 20 June 2007, p. 12 f
13See EDPB Guidelines 8/2020 on targeted advertising in social media Version 2.0, adopted on 13 April 2021, p. 19 12

allow users of a particular computer to be tracked even if dynamic IP addresses

are used. In other words, such features make it possible to “point out” individual
data subjects, even if their names are not known. Moreover, the information

collected in the context of behavioural advertising relates to (i.e. concerns) the characteristics or behaviour of a
person and is used to influence that specific
person. This view is further strengthened if one considers the possibility that

profiles can be linked at any time to directly identifiable information provided by the data subject, such as information provided when
registering on a website. Other scenarios that can lead to identifiability are

mergers, data losses and the growing availability on the Internet of

personal data linked to IP addresses. 14

3.3.3 IMY's assessment
IMY initially notes that the supplemented behavioural profiles (i.e.

behavioural profiles linked to KDB) contain data relating to identified

or identifiable natural persons. The supplemented behavioural profiles are thus

personal data.

With regard to the simple behavioural profiles (i.e. behavioural profiles without a link to

KDB), IMY makes the following assessment.

In order for a piece of data to qualify as personal data, it is first required that

the data relates to a natural person. This requirement is met with regard to simple

behavioural profiles since the data describes how the individual surfed with a number

of different parameters.

Furthermore, it is required that the natural person is identified or identifiable. Article 4(1) of the GDPR states that it is sufficient that a person can be identified indirectly. The provision further states that identification can be made by reference to an online identifier. Recital 30 of the GDPR lists cookies (in the English version) as an example of online identifiers. Identification within the meaning of Article 4(1) can thus be made by means of such unique cookie values used in the behavioural database. IMY further notes that recital 26 of the GDPR states that 

selection is a way of identifying a person. This means that a person can be 

identified by being distinguished from other persons. It is therefore not required that the person be identified by name or personal identification number. Such 

selection or selection occurs when the information processed makes it possible to 

identify, draw conclusions about or take specific measures in relation to a user. In the behavioral database, the information is linked to a unique identifier, a unique cookie value, which is linked to a specific browser or app, which in turn is linked to a device such as a computer or phone. One of the purposes of the processing of the data is to target marketing to a user based on the user's behavior based on that user's previous behavior in an identified browser or app. The purpose of the processing is thus to draw conclusions about the individual by creating a profile and based on this to influence the individual. IMY thus states that even the simple behavioral profiles that are not linked to the KDB mean that individuals are identifiable.

14See WP 171, Article 29 Working Party Opinion 2/2010 on online behavioural advertising, adopted on 22 June
2010, p. 9 f
15See WP 136. f Article 29 Working Party Opinion 4/2007 on the concept of personal data, adopted on 20 June 2007, p. 12 13

In this context, IMY assesses that simple behavioural profiles constitute
personal data.

3.4 Processing constitutes profiling

3.4.1 Applicable provisions
Profiling is defined in Article 4(4) of the GDPR as any form of
automatic processing of personal data consisting of the use of personal data to
assess certain personal aspects relating to a natural person, in particular to
analyse or predict that natural person's performance at work, economic

situation, health, personal preferences, interests, reliability, behaviour, whereabouts
or movements.

3.4.2 IMY's assessment

IMY notes that both the processing of personal data based on simple behavioral profiles and supplemented behavioral profiles for the purpose of making the data available to affiliated companies for the purpose of displaying tailored advertisements

includes profiling of data subjects as defined in Article 4(4) of the
GDPR. This is because it involves the automated processing of personal data aimed at categorizing data subjects based on their previous behavioral patterns, which in turn makes it possible to assess certain of their personal characteristics.

IMY further notes that the processing of personal data for the purpose of making contact details available for telemarketing and direct mail marketing
includes profiling of data subjects as defined in Article 4(4) of the
GDPR. This is because it involves the automated processing of personal data aimed at categorizing data subjects based on their purchase history and, in some cases, behavioral patterns.

3.5 Legal basis for processing for the purpose of displaying customized advertisements based on data in the behavioral database

3.5.1 Current circumstances and Bonnier News AB's position
Bonnier News AB has stated that it has coordinated its activities within the group to
achieve a better data basis and make it possible to process customers' and

users' personal data for specified purposes in a cost-effective and privacy-friendly manner. Bonnier News AB uses its profiling of individuals to
make information available to affiliated companies for the purpose of displaying customized advertisements, partly on
collected behavioral data that cannot be linked to the KDB, partly on behavioral data where such a

connection can be made and where additional personal data has been added to the data subject's
profile. Bonnier News AB supports its processing of information to make information available to affiliated companies for the purpose of displaying customized advertisements on the legal basis of Article 6(1)(f) of

the General Data Protection Regulation.

Legitimate interest
Bonnier News AB has stated the following.

The company has a legitimate interest consisting of a need to understand the wishes and needs of its customers and users in order to be able to achieve relevance in content and advertising aimed at customers and users and thereby be able to offer competitive products/services and attractive advertising space. Many of the affiliated companies are also engaged in journalistic activities. The operating model of 14 publishers today consists of revenue streams from reader and advertising revenue. The group-wide processing of personal data is important for the financing of the companies' journalistic activities. Bonnier News AB has also pointed to the protection of media freedom and diversity in Article 11 of the EU Charter of Fundamental Rights. Necessary processing Bonnier News AB has stated that the processing of personal data is necessary to achieve the purposes of making individuals' profiles available to affiliated companies in order to display tailored advertisements. The company, together with the other companies, has taken measures

to minimize the amount of data collected and limited how long this data is

processed, and ensured that the databases are kept separate and that only certain data

is transferred between them.

Balancing of interests

Bonnier News AB has stated the following.

Bonnier News AB's interest outweighs the individual's interest in protecting their

personal data.

Processing personal data to display customized advertisements based on the individual's profile is a basic requirement for journalists and publishers to be able to receive

revenue and, in the long run, to be able to conduct journalism.

It is possible to object to profiling based on behavioral data. According to the

information that individuals receive in Bonnier News AB's personal data policy, the individual can object to information about their online behavior being processed in the

16 common customer database. This means that the connection between the individual's

customer data and their surfing behavior is removed.

The data subjects have a direct relationship with one or more affiliated companies.

The users/customers have either visited the website of an affiliated company, purchased

products from an affiliated company or an active digital subscription. Many of

the customers are subscribers who have a long-term relationship with the company that

provides the service or product and can therefore be considered to have a greater expectation that

their data will be processed. Many readers have a strong commitment linked to their

preference for news media. To some extent, customer profiles in KDB belong to piece purchases such as

literature, newspaper and goods purchases. In these cases, the relationship between customer and supplier

can be considered to be somewhat less unique. Furthermore, the interaction is voluntary, clear information is provided

and there are alternative products such as physical newspapers that can be viewed completely

anonymously.

The processing is unlikely to have any negative impact on the data subject's interest.

Individuals' interaction with affiliated companies is voluntary and it is in their interest that the companies' services are as relevant as possible. Furthermore, Bonnier News AB has referred to the fact that the Article 29 Working Party has found that targeted marketing based on simple customer profiles, such as gender, age, place of residence and broad interests (e.g. "fashion") typically does not have a significant impact on individuals. Bonnier News AB has also taken measures to ensure that a minimum of data is processed in relation to the purposes and to reduce privacy risks in general. Among other things, personal data is not shared with companies other than the affiliated companies within the group and 16The version of Bonnier News AB's personal data policy that was submitted on July 21, 2020, see under the heading "How you can access and control your personal data", attachment 20.1. 15

All of these companies are subject to the Bonnier Group's framework for

personal data processing.

The current processing is within the reasonable expectations of the data subjects because

the individuals who come into contact with the companies do so of their own free will in order to

participate in content on websites, purchase services and/or products and that they always have a

customer/user relationship with one or more companies in the group. The companies'

personal data policies contain clear information about how customers' and users'

personal data is processed and shared within the group. The processing carried out

within the framework of the KDB and the behavioral database is closely linked to the companies' services

and products, which is likely to have an impact on the consumer's expectations. The fact that many of the companies' products and services are online and in many cases free or

financed by advertising is likely to entail a particular expectation and acceptance of certain

personal data processing for, among other things, adaptation of content and advertising. Today,
many digital products consumed by a very large portion of
consumers in society are also tailored to the individual, and it is Bonnier News AB's
opinion that today's consumers expect that the digital products and services
that they consume will to some extent be tailored to the individual.

3.5.2 Applicable provisions, etc.

Personal data shall be processed lawfully, fairly and transparently in relation to the data subject, in accordance with Article 5(1)(a) of the GDPR. The fact that the data shall be
processed lawfully means, among other things, that at least one of the conditions set out in Article 6(1) is

met.

Consent is, according to Article 6(1)(a), one of the legal bases on which a

data controller can base its processing of personal data. Another
legal basis is legitimate interest according to Article 6(1)(f), which requires that three

cumulative conditions are met. There must be (i) a legitimate interest of the controller or of a third party to whom the data are disclosed, (ii) the processing of personal data must be necessary for the legitimate interest pursued, and (iii) the data subject's interest in the protection of his or her personal data must not be overridden. 18

Recital 47 of the GDPR states that a legitimate interest may, for example, exist where there is a relevant and appropriate relationship between the data subject and the controller, for example if the data subject is a customer of the controller. It states that the processing of personal data for direct marketing purposes may be considered a legitimate interest. It further states that a legitimate interest requires a careful assessment, which includes whether the data subject can reasonably expect, at the time and in connection with the collection of the personal data, that processing for the specified purpose may take place. In particular, the interests and fundamental rights of the data subject could be overridden if personal data are processed in circumstances where the data subject cannot reasonably expect any further processing.

According to Chapter 9, Section 28 of the LEK, which implements Article 5(3) of the eData Protection Directive into Swedish law,

data may be stored in or retrieved from the terminal equipment of users or subscribers

only if the subscriber or user is given access to information about the purpose of the
processing and consents to it. This does not prevent such storage or access

that is necessary for the transmission of an electronic message via an electronic

communications network or that is necessary for the provision of a service that

the user or subscriber has expressly requested. The corresponding requirement previously applied

according to Chapter 6, Section 18 of the Electronic Communications Act (2003:389).

The EDPB Guidelines on Connected Vehicles state that data collected on the basis of consent in accordance with Article 5(3) of the ePrivacy Directive or subject to the exceptions in Article 5(3) of that Directive may only be further processed for another purpose if the controller requests further consent or is supported by Union or Member State law. The EDPB further states that such further processing cannot rely on a compatibility test under Article 6(4) of the GDPR as it would undermine the protection of the ePrivacy Directive. Furthermore, the EDPB states that consent, where required by the ePrivacy Directive, must be specific and informed, meaning that data subjects must be aware of each purpose of the processing and have the right to object for specific purposes. If further processing on the basis of a compatibility test under Article 6(4) of the GDPR were possible, the very principle of the consent requirements in the current Directive would be circumvented. 20

The EDPB Guidelines on targeted advertising in social media divide personal data into the following categories: data that the data subject has actively and knowingly provided to the controller, data observed by the data subject through the use of the service or device, and inferred and derived data created on the basis of data provided by the data subject. According to the EDPB, there are two legal bases for processing such data that the data subject has actively and knowingly provided, namely consent under Article 6(1)(a) and legitimate interest under Article 6(1)(f) of the GDPR. In the case of data

collected through observed data provided by the data subject through the use of a service or device, including that collected through

cookies, the EDPB states that Article 6(1)(f) cannot constitute a legal basis for such targeted advertising where individuals are tracked across multiple websites and locations. 22
The EDPB further states that for such processing, consent is likely to be the most appropriate

legal basis under Article 6 of the GDPR. The assessment should also take into account that the processing includes activities for which the EU legislator has sought to provide

additional protection. 23

The EDPB has stated in its guidelines on consent that if controllers choose to rely on consent for any part of the processing, they must be prepared to

respect this choice and stop that part of the processing if an individual withdraws their consent. It would be fundamentally unfair to data subjects to give the message that data will be processed based on consent while actually referring to a different legal basis. In other words, the controller may not switch the legal basis from consent to other legal grounds. The EDPB further states that, for example, it is not permissible to retroactively use legitimate interest as a ground to justify processing if there have been problems in obtaining valid consent. Due to the requirement that data controllers must

19See Guidelines 01/2020 on the processing of personal data in the context of connected vehicles and

20relevant applications, Version 2.0, Adopted on 9 March 2021, paragraph 53
21See previous note
22See EDPB Guidelines 8/2020 on targeted advertising in social media Version 2.0, adopted on 13 April 2021, paragraph 40
See previous note, paragraph 77
23See previous note, paragraph 78 17

state the legal basis when collecting personal data, they must have determined the legal basis before collecting the data. 24

An opinion from the Article 29 Working Party on the concept of legitimate interest in Directive

95/46/EC states that when carrying out the balancing of interests, the type of interest invoked, the harm that would be suffered by the controller if the data were not processed, the nature of the data, how the personal data are processed, the position of the data subjects and the position of the controller, the reasonable expectations of the data subjects as to what will happen to their data and the consequences for the data subjects should be taken into account.

If, after analysing the above factors, it is still unclear how this balancing will turn out, the design of so-called additional safeguards may be decisive for the outcome of the balancing of interests. 25

The Article 29 Working Party Guidelines on Automated Individual Decision-Making and Profiling provide guidance on when profiling can be based on legitimate interests under

6.1 f. According to the guidelines, the following factors are relevant:

• The level of detail of the profile.

• The extent of the profile.

• The consequences of the profiling.

• The safeguards intended to ensure a fair, non-

discriminatory and accurate profiling process.

The Article 29 Working Party has reiterated in several opinions its position that it is difficult

to rely on Article 6(1)(f) of the GDPR for such profiling that takes place
for marketing or advertising purposes when individuals are tracked across several
26 different websites, locations, devices, services or for data brokering activities.

3.5.3 Basis for IMY's assessment
Bonnier News AB supports its processing of personal data for the purpose of
making individuals' profiles available to affiliated companies for the purpose of displaying tailored advertisements

on the legal basis of legitimate interest under Article 6(1)(f) of the GDPR. Before IMY examines whether the legal basis can constitute a basis

for Bonnier News AB's processing, IMY finds it necessary to address how the processing

relates to certain statements made in the EDPB guidelines.

The EDPB guidelines on targeted advertising in social media state that, when it comes to

data that the data subject has actively and knowingly provided, both

consent and legitimate interest can constitute a legal basis for the processing. The

guidelines state, however, that for data collected through observation

(for example, through cookies), legitimate interest cannot serve as an appropriate legal basis when the targeted advertising is based on individuals being tracked across multiple

websites and locations.

24
See EDPB Guidelines 05/2020 on consent under Regulation (EU) 2016/679, Version 1.1, adopted on 4 May 2020,
25points 122-123
See Article 29 Working Party Opinion 6/2014 on the notion of legitimate interests of the controller in Article 7 of
Directive 95/46/EC
26See Article 29 Working Party Opinion Guidelines on automated individual decision-making and profiling under
Regulation (EU) 2016/679, adopted on 3 October 2017, p.15 and Article 29 Working Party Opinion 6/2014 on the notion of legitimate interests of the controller in Article 7 of
Directive 95/46/EC, adopted on 9 April 2014, p. 47, and
the examples on pp. 59–60 and EDPB Guidelines 8/2020 on targeted advertising in social media Version 2.0, adopted 13
April 2021 p. 77 18

IMY notes that Bonnier News AB collects data for its behavioral database from several
different websites, but an affiliated company can only retrieve data based on
behavioral data collected from the company's own digital services. This applies regardless
of whether it is a simple or supplemented behavioral profile.

The EDPB Guidelines on connected vehicles state that data collected on the basis of
consent pursuant to 5.3 of the ePrivacy Directive can only be further processed

for another purpose if the data controller requests additional consent or
the processing is supported by EU law or national regulation. The section on the interaction between consent and other legal bases in Article 6 of the EDPB Guidelines on consent also addresses the issue of when the data subject has been informed that they have obtained the rights conferred by consent and the unfairness of not respecting these by referring to another legal basis.

IMY notes that the situation in the case differs to some extent from that described in these guidelines. In the case in point, it is the affiliated companies that collect the data pursuant to

5.3 of the ePrivacy Directive and are thus subject to the requirement for consent in that provision. The affiliated companies must ensure that they have legal grounds for their processing pursuant to

5.3 of the ePrivacy Directive and the GDPR. The affiliated companies’ processing of personal data is not covered by this supervision.

It is therefore not Bonnier News AB that collects the data on the basis of

consent pursuant to the national provisions implementing Article 5.3 of the ePrivacy Directive. It is only when the affiliated companies enter the personal data into the behavioral database and KDB that Bonnier News AB's processing begins. Bonnier News AB therefore does not change the legal basis from consent to legitimate interest.

IMY also notes that Bonnier News AB is part of the same group as the affiliated companies and that Bonnier News AB is jointly responsible for personal data with the affiliated companies for the processing of personal data in the databases. The fact that group-wide databases have been established should not mean that the data subjects receive less protection than if the processing had taken place at the group company that collected the personal data. In other words, Bonnier

News AB should not have greater opportunities to process personal data on the basis of the legal basis of legitimate interest than the affiliated companies have. According to IMY, the guidelines presented above should therefore be of importance for the assessment of the possibility of using legitimate interest as a legal basis in the case.

From the above, it can be concluded that the scope, based on Article 6(1)(f) of the Data Protection Regulation, to further process data collected on the basis of consent according to LEK is very limited. At the same time, it can be stated that the GDPR does not prohibit the use of Article 6(1)(f) as a legal basis for the current form of processing. IMY therefore proceeds to examine whether the processing is supported by Article 6(1)(f) of the GDPR. IMY's examination of whether Bonnier News AB is supported by Article 6(1)(f) of the GDPR is based on the three conditions that must be met according to the provision: (i) Is there a legitimate interest of the controller or a third party to whom the data is disclosed? (ii) Is the processing of personal data necessary for the legitimate interest pursued? 19 (iii) Does the data subject's interest in the protection of his or her personal data outweigh the interests of the data subject? IMY treats the first two steps in the balancing of interests jointly for the
supplemented and simple behavioral profiles (sections 3.5.3 and 3.5.4). Then, the
third and final step is treated separately for the supplemented behavioral profiles

(section 3.5.5) and the simple behavioral profiles (section 3.5.6).

3.5.4 Legitimate interest
Bonnier News AB's interest in creating profiles to make data available to
affiliated companies to display tailored advertisements is of a commercial nature. The fact that an

interest is commercial does not exclude that the interest is legitimate, but the decisive factor for
this assessment is whether the interest is legitimate, specific and constitutes a real and
actual interest.7

Bonnier News AB's and affiliated companies' interest is legitimate, real and actual. IMY

therefore finds that Bonnier News AB's interest in creating profiles for
making available and the interest of the affiliated companies in processing personal data to
display customized advertisements based on customers' and users' customer profiles and

behavioral profiles is justified.

3.5.5 Is the processing necessary for the legitimate interest?

The requirement of necessity in Article 6(1)(f) of the Data Protection Regulation shall be examined together

with the principle of data minimization in Article 5(1)(c). The purpose of the processing is to

make data available to affiliated companies to display customized advertisements based on

individuals' profiles. In the case, it has emerged that Bonnier News AB together with the
affiliated companies have taken measures to minimize the amount of data collected and

limit how long this data is processed and ensured that the databases in which the data is processed are kept separate and that only certain data is transferred

between them. Against this background, IMY finds that the processing described in this
decision is necessary for the stated purpose.

3.5.6 The balance of interests for the processing of personal data in supplemented
behavioral profiles

Bonnier News AB's interest in creating profiles to make data available to affiliated companies to display customized advertisements can, according to the company, benefit the individual
either by higher revenues enabling free or cheaper services or by the individual being met with offers that they are interested in. Bonnier News AB has further
emphasised that many of the affiliated companies are engaged in journalistic activities and
that the current operating model of publishers consists of revenue streams from reader and
advertisement revenues and that the group-wide processing of personal data is
important for the financing of the companies' journalistic activities. Against this

background, the company has assessed that its interest weighs particularly heavily.

As IMY has already stated, the interest in displaying tailored advertisements is legitimate within the meaning of Article 6(1)(f) of the GDPR. As regards the question of how much weight this interest carries, IMY states that the interest is not journalistic in itself, but rather commercial in nature. Profiling creates knowledge about customers and potential customers that enables revenue from tailored advertising. IMY considers that Bonnier

27See Opinion 6/2014 of the Article 29 Working Party on the concept of legitimate interests of the controller in Article 7 of Directive 95/46/EC
28See judgment in Asociaţia de Proprietari bloc M5A-ScaraA, C-708/18, EU:C:2019:1064, paragraph 48 20

News AB and its affiliated companies do not carry as much weight as Bonnier News AB claims.

When assessing the interests of the data subjects, IMY takes the following into account.

As stated above, Bonnier News AB collects personal data in the behavioral database that was originally collected by the affiliated companies through
29 cookies. The consent requirement that applies under Chapter 9, Section 28 of the LEK for that
collection provides strong privacy protection and an opportunity for the data subjects to
control the use of the collected data. This protection risks, as the

EDPB has stated in several of its guidelines, being undermined if the collected
personal data is processed on the basis of other legal grounds, such as
legitimate interest pursuant to Article 6(1)(f) of the GDPR. As IMY has already

stated, Bonnier News AB should not have a greater opportunity than the affiliated companies to
invite the legal basis of legitimate interest for the processing of the
personal data that the affiliated companies have collected using cookies. IMY therefore believes that the nature of the data means that the interests of the data subjects should be given great weight in the balancing of interests.

Furthermore, IMY considers that the scope for using Article 6(1)(f) of the GDPR as a legal basis for profiling based on observed data is limited (cf. EDPB Guidelines 8/2020 on targeted advertising in social media, p. 77–

78). IMY therefore notes that the nature of the processing also means that the privacy interests of the data subjects weigh heavily.

Bonnier News AB has emphasized that profiling and customized advertisements can benefit the data subject by enabling higher revenues for the affiliated companies, which in turn enables them to offer free or cheaper services. It can also benefit the data subject by presenting them with offers that they are interested in. IMY
does not dispute that the processing may to some extent benefit the data subjects, but considers that

the overall interest of profiling is to create advertising that is as accurate as possible in order to get customers and potential customers to purchase goods or services and to generate revenue from such advertising.

In cases where behavioral data can be linked to KDB for the purpose of displaying customized advertisements (the so-called
supplemented behavioral profiles), IMY considers the following in its assessment.

Although data for profiling is not collected from different websites, which according to
the EDPB guidelines would make Article 6(1)(f) of the Data Protection Regulation not an appropriate legal basis, the profiling instead includes data collected

from other contexts such as previous purchases, demographic data collected
and statistical data. IMY considers that profiling is extensive in nature and

that such profiling is not something a data subject can expect without having
consented to such personal data processing.

IMY considers, on a balanced assessment, that the privacy interests of the data subject outweigh the interests of Bonnier News AB and the affiliated companies.

Against this background, IMY finds that Bonnier News AB has processed personal data in violation of Article 6(1) of the Data Protection Regulation for the purpose of profiling the

29At the time of the case, the same requirements applied according to Chapter 6, Section 18 of the Electronic Communications Act (2003:389). 21

registered persons based on their behavioral data in a so-called supplemented behavioral profile
and making the profiles available to affiliated companies for the purpose of displaying customized advertisements.

3.5.7 Balancing of interests for the processing of personal data in simple behavioral profiles
As IMY stated above in section 3.5.4, Bonnier News AB's interest in creating profiles to make data available to affiliated companies to display customized advertisements is a commercial interest that does not weigh as heavily as Bonnier News AB claims.

When assessing the interests of the data subjects, IMY considers the following.

Bonnier News AB has taken measures to minimize the amount of data collected,
introduced privacy-enhancing rules for segmentation, introduced filtering rules and ensured that

data collected from an affiliated company can only be used by that company.

Profiling thus only takes place on a company's "own visitors". Furthermore, Bonnier News AB informs about the current processing through its personal data policy.

This should be weighed against the fact that the collection and profiling of simple behavioral profiles enables the mapping of individuals through observed data, which entails a greater invasion of privacy than when the data is collected through the active participation of the data subject. IMY believes that the data subject's privacy interest is strong due to the nature of the data (that the collection of the data is given special protection in the LEK). As IMY has already stated, Bonnier News AB should not have a greater opportunity than the affiliated companies to invoke the legal basis of legitimate interest for the processing of the personal data that the affiliated companies have collected using cookies. Furthermore, IMY believes that when individuals' surfing behavior is monitored to display tailored advertising, this can give the data subject the feeling of losing control over their data and the feeling of being monitored. This can result in individuals being influenced in their choice of what they see on a website.

IMY considers, on a balanced assessment, that the privacy interests of the data subject outweigh the interests of Bonnier News AB and affiliated companies even when processing personal data in simple behavioral profiles because this enables profiling of individuals.

Against this background, IMY states that Bonnier News AB has processed personal data without having a legal basis for it according to Article 6(1) of the

GDPR for the purpose of profiling the data subjects based on their behavioral data in so-called simple behavioral profiles and making the profiles available to affiliated companies for the purpose of displaying customized advertisements.

3.6 Legal basis for processing for the purpose of making contact details available for telephone sales and direct mail

marketing

3.6.1 Applicable provisions, etc.

In order to be able to rely on Article 6(1)(f) of the GDPR, the three conditions stated in the article must, as stated above, be met. There must be a legitimate interest of the controller or of the third party to whom the data are disclosed, the processing of personal data must be necessary for the 22 legitimate interest pursued and the data subject's interest in the protection of his or her personal data must not outweigh it. 30

The Article 29 Working Party and the EDPB's guidelines on profiling and the application of

Article 6 have been described in section 3.5.

3.6.2 Current circumstances and Bonnier News AB's position

Bonnier News AB has stated that the group has coordinated its activities to
achieve a better data basis and enable the processing of customers' and
users' personal data for the specified purposes in a cost-effective and

privacy-friendly manner. Bonnier News AB profiles data subjects with the aim of making the data available for telephone sales and direct mail marketing. The profiling that this entails is based partly on data in KDB collected from affiliated companies in connection with purchases and subscriptions (so-called customer engagement), partly on data obtained from Bisnode Sverige AB and, for a small part of the profiles, data from the behavioral database. Bonnier News AB bases its processing on Article 6(1)(f) of the GDPR.

Legitimate interest

Bonnier News AB has stated that the affiliated companies have a legitimate interest in marketing their products and services in an efficient and privacy-friendly manner.

Necessary processing

Bonnier News AB has stated that, together with the affiliated companies, they have taken measures to minimize the amount of data collected, how long this data is processed and, in order to comply with the data minimization principle, have kept the databases separate and only transferred certain data. Furthermore, Bonnier News AB has taken measures so that no more information than is necessary is disclosed to the affiliated companies. When disclosing, only the data points that are defined as necessary for the marketing channel specified at the time of disclosure are disclosed, i.e. for example, telephone numbers in a telephone sales campaign and addresses in postal direct marketing. The data points on which the segmentation is based are not disclosed. The balance of interests Bonnier News AB has stated the following. Bonnier News AB's interest in making information available to affiliated companies based on the data subject's profile for use in telephone sales and postal direct marketing outweighs the data subject's privacy interest. By utilizing the Group's existing resources for telephone sales and postal direct marketing, instead of purchasing the same information/resource from an external party, a cost saving occurs while enabling a more controlled degree of utilization of addresses and telephone numbers than would otherwise have been possible.
The processing is also intended to save purchasing costs.

Bonnier News AB, together with the affiliated companies, has taken measures to
minimize the amount of data collected, limit how long this data is processed
and, in order to comply with the data minimization principle, keep the databases separate.

For the purposes of telephone sales and direct mail marketing, Bonnier News

30EU Court of Justice judgment Fashion ID, C-40/17, EU:C:2019:629, paragraph 95. 23

AB has limited the type of content tags generated by the data subject's
surfing of other companies' websites. Furthermore, a connection between the databases has only been

made for a small percentage of users.

Furthermore, something called purpose-adapted
schemes is applied within the framework of the collaboration. These regulate what information is disclosed from the KDB. When disclosing, only the data points defined as necessary for the marketing channel specified at the time of disclosure are disclosed, for example, telephone numbers in the case of a telephone sales campaign and addresses in the case of postal direct marketing. The data points on which the segmentation is based are not disclosed.

There is a specific possibility for the data subject to request deletion from the common database. The data subject also has the right to object to the data being used for telephone sales and postal direct marketing.

The data subjects have a direct relationship with one or more affiliated companies.

The users/customers have either visited the website of an affiliated company, purchased products from an affiliated company or have an active digital subscription. Many of the customers are subscribers who have a long-term relationship with the company that provides the service or product, and can therefore be considered to have a greater expectation that their data will be processed. Many readers have a strong commitment tied to their preference for news media. To some extent, customer profiles in KDB belong to piece purchases such as literature, newspaper and goods purchases, where the relationship between customer and supplier can be considered somewhat less unique. Furthermore, the interaction is voluntary, clear information is provided and there are alternative products such as physical newspapers that can be viewed completely anonymously.

According to Bonnier News AB, the processing does not likely have a negative impact on the interests of the data subject.

The processing that takes place is within the reasonable expectations of the data subjects because the individuals who come into contact with the companies do so of their own free will in order to access content on websites, purchase services and/or products and that they always have a customer/user relationship with one or more group companies. Furthermore, the companies' personal data policies contain clear information about how customers' and users' personal data is processed and shared within the group. The processing carried out within the framework of the KDB/behavioral database is closely linked to the companies' services and products, which should be of importance for the consumer's expectations. The fact that a group coordinates systems and central functions and shares certain data for efficiency reasons should not be unexpected for the data subjects. Customers who have not registered with the NIX register have a reasonable expectation that their contact details may be used for direct mail marketing or telephone sales. Consumers are used to this type of marketing. The group-wide policy provides information on direct marketing and telephone sales. It states that addresses and telephone numbers can be used by the Bonnier companies for direct mail marketing and telephone sales. It also states that the Bonnier companies can select segments that they believe are relevant for the current campaign, e.g. "men in the age range of 40-45 living in Stockholm". It also appears that the Bonnier companies always respect NIX restrictions and whether anyone has objected to the marketing.

31Only tags categorized with the IAB taxonomy are collected. 24

3.6.3 IMY's assessment

IMY treats the first two steps in the balancing of interests jointly for the supplemented and simple behavioral profiles (sections 3.6.4 and 3.6.5). The third and final step is then treated separately for the supplemented behavioral profiles

(section 3.6.6) and the simple behavioral profiles (section 3.6.7).

3.6.4 Is Bonnier News AB's interest in profiling individuals for the purpose of

making data available to affiliated companies for use in telephone sales

and direct mail marketing justified?

Bonnier News AB's interest in creating profiles to make the data available to affiliated companies for use in telephone sales and postal direct marketing is of a commercial nature. IMY assesses that the companies' interest is legitimate, real and actual with Bonnier News AB and the affiliated companies to which the data is disclosed. Against this background, IMY assesses that the company's interest in creating profiles to make data available to affiliated companies for use in telephone sales and postal direct marketing is justified. 3.6.5 Is the processing necessary for the interest in profiling individuals for the purpose of making data available to companies for use in telephone sales and postal direct marketing? The requirement of necessity in Article 6(1)(f) of the Data Protection Regulation shall be examined together with the principle of data minimization in Article 5. The purpose of the processing is to make data available to companies for use in telephone sales and direct mail marketing. In the case, it has emerged that Bonnier News AB, together with the other companies, has taken measures to minimize the amount of data collected and to limit the period for which this data is processed, and has ensured that the databases in which the data is processed are kept separate and that only certain data is transferred between them. Furthermore, the company has ensured that no more data than is necessary is disclosed to the affiliated companies for use in telephone sales and direct mail marketing. Against this background, IMY finds that the processing is necessary for the legitimate purpose.

3.6.6 Balancing of interests for the processing of personal data in supplemented
customer database profiles

Bonnier News AB has emphasized that the affiliated companies have an interest in marketing
their products and services in an efficient and privacy-friendly manner. IMY notes, however, that the interest in making data available for use in telephone sales and

direct mail marketing is a commercial interest that does not weigh particularly heavily.

When assessing the interests of the data subjects, IMY considers the following.

The profiling carried out on the supplemented customer database profiles includes
data collected from affiliated companies when purchasing and subscribing (so-called

customer engagement), data obtained from Bisnode Sverige AB and data from the
behavioral database (including data collected by the affiliated companies through

cookies). IMY has already stated above that Bonnier News AB should not have a greater

opportunity than the affiliated companies to invoke the legal basis of legitimate interest

when processing personal data that the affiliated companies have collected using

cookies. The behavioural data retrieved from the behavioural database of a data subject to

KDB is also collected from the websites of various companies. IMY considers that data subjects

cannot be expected to have their behavioural data collected for marketing purposes

32See judgment Asociaţia de Proprietari bloc M5A-ScaraA, C-708/18, EU:C:2019:1064, paragraph 48 25

just because they visit a website. Nor can they be expected to have their

behavioural data combined with data from another purchasing situation or data collected

from other registers for the purpose of contacting them for telephone sales or direct mail

marketing. This is not changed by the privacy-enhancing measure that the affiliated companies that carry out the marketing measure do not have access to the collected behavioral data, but only contact information.

The EDPB guidelines state that the scope for using legitimate interest as a legal basis for profiling depends on how detailed the profile is, how extensive the profile is, the consequences of the profiling and the safeguards intended to ensure a fair, non-discriminatory and correct profiling process.

IMY believes that the privacy interest of the data subjects is strong due to the nature of the data, since the data enables the mapping of individual behavior and the collection of the data is given special protection in the LEK.

IMY further notes that this is profiling as referred to in Article 4(4) of the GDPR and that the profiling is extensive as it provides an in-depth picture of the data subject. It is also a matter of data collected from various websites combined with data obtained from customer engagement and statistical data from Bisnode Sverige AB. Against this background, IMY notes that the nature of the processing means that the privacy interests of the data subjects outweigh the interests of Bonnier News AB and its affiliated companies in the processing of personal data based on a so-called supplemented customer database profile and which is carried out for the purpose of making contact details available to affiliated companies for telephone sales and postal marketing. Against this background, IMY notes that Bonnier News AB has processed personal data without having a legal basis for it according to Article 6(1) of the GDPR by profiling the data subjects based on their supplemented customer database profiles for the purpose of making contact details available to affiliated companies for telephone sales and postal marketing. 3.6.7 Balancing of interests for personal data not linked to the behavioral database As IMY stated above in section 3.6.6, Bonnier News AB's interest is primarily a commercial interest that does not weigh particularly heavily. When assessing the interests of the data subjects for such processing that is not linked to the behavioral database, IMY considers the following. Bonnier News AB has taken measures to minimize the number of data points both in relation to the principles of data minimization and storage minimization by not sharing data at the item level, but only at the product category, brand and type of packaging. The profiling also does not include data collected through cookies. The investigation has further shown that the individual has had the opportunity to object before the processing and that Bonnier News AB respects the data subjects' wishes to avoid marketing that has been noted in national blocking lists or with the data controller. Against this background, IMY believes that the processing is within the scope of what individuals can reasonably expect based on the information provided and that data is only disclosed to affiliated companies within the group. 26

IMY believes that, on a balanced assessment, the interests or fundamental rights of the data subjects do not outweigh the interests of Bonnier News AB and the affiliated companies in the current processing.

Against this background, IMY notes that Bonnier News AB has been supported for its processing in Article 6(1)(f) of the Data Protection Regulation.

3.7 Choice of intervention

3.7.1 Applicable provisions and other general starting points

IMY has a number of corrective powers in the event of violations of the Data Protection Regulation, including reprimands, injunctions and penalty fees. This follows from

Article 58(2)(a)–(j) of the Data Protection Regulation. The IMY shall impose administrative fines in addition to or in place of other corrective measures referred to in Article 58(2), depending on the circumstances of each case. Where a controller or a processor, in relation to the same or connected processing operations, intentionally or negligently infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount set for the most serious infringement. This is stated in Article 83(3) of the GDPR. Each supervisory authority shall ensure that the imposition of administrative fines in each case is effective, proportionate and dissuasive. This is stated in Article 83(1) of the GDPR. Article 83(2) sets out the factors to be taken into account in determining whether an administrative fine should be imposed and in assessing the amount of the fine.

The EDPB has adopted guidelines on the calculation of administrative fines under the GDPR, which aim to create a harmonised method and principles for calculating fines. 33

In the case of a minor infringement, the IMY may, in accordance with recital 148 of the GDPR, issue a reprimand in accordance with Article 58(2)(b) instead of imposing a fine.

3.7.2 Same or connected data processing operations

The IMY has assessed in three cases above that Bonnier News AB lacked support in Article 6(1) of the GDPR for its processing of personal data. IMY assesses that these
processing operations, which all take place in the company's databases through profiling for
marketing purposes, are interconnected in the manner referred to in
Article 83(3) of the Data Protection Regulation.

3.7.3 Penalty fee
IMY has assessed that Bonnier News AB has violated Article 6(1) of the Data Protection Regulation

in its processing of personal data for the purpose of displaying tailored advertisements
and making contact details available to affiliated companies for telephone sales and
direct postal marketing. IMY does not consider that these are minor infringements.

33EDPB Guidelines 8/2020 Guidelines 04/2022 on the calculation of administrative fines under the GDPR (adopted for
public consultation on 12 May 2022). 27

Bonnier News AB shall therefore be imposed an administrative penalty fee for these
infringements.

IMY notes that infringements of Article 6(1) of the GDPR are covered by

Article 83(5) which means that a fine of up to EUR 20 million or four
percent of the global annual turnover in the preceding financial year, whichever is higher, may be imposed.

In determining the maximum amount of a fine to be imposed on an undertaking,

the definition of the concept of undertaking used by the Court of Justice of the European Union in

the application of Articles 101 and 102 TFEU (see recital 150 of the

GDPR) shall be used. The Court's case law shows that this covers any entity that carries out economic activity, regardless of the legal form of the entity and the way in which it is financed, and even if the entity in legal terms consists of several natural or legal persons.34

IMY assesses that the turnover of the company that should be used as a basis for calculating the administrative penalty that can be imposed on Bonnier News AB is Bonnier News AB's parent company Albert Bonnier AB. From the information obtained, it appears that Albert Bonnier AB's annual turnover in 2021 was SEK 23,299,000,000. The maximum sanction amount that can be determined in the case is four percent of this amount, i.e. approximately SEK 931,960,000.

IMY assesses that the following factors are relevant to the assessment of the seriousness of the infringement.

This has been a matter of profiling of individuals for profit both when the profiling has been carried out to display tailored advertisements and when it has been carried out to disclose contact details for telephone sales and postal marketing. The profiling carried out to display tailored advertisements has, in cases where data in the behavioural database about individuals' surfing behaviour has been linked to the KDB, included surfing history, purchase history and demographic and statistical data. It has been a matter of a violation that has been ongoing for a long time and concerned a large number of data subjects and included a large amount of personal data. However, the data processed, as far as has been established, do not constitute special categories of personal data as specified in Article 9 of the Data Protection Regulation. In this decision, IMY has assessed that the profiling through supplementary behavioural profiles was extensive in nature.

Even for the profiling of personal data in KDB where there was a connection to data in the behavioral database, so-called supplemented customer database profiles, IMY has made the assessment that the profiling was extensive in nature, since it contained data collected about the individual's surfing behavior obtained from several websites combined with data from purchases made (customer engagement) and data obtained from Bisnode Sverige AB. However, IMY makes the assessment that the current personal data processing does not entail major consequences for the data subjects. It concerns an impact that is assessed to be moderate.

In both of these cases, IMY considers that the profiling that took place where data could be linked together in the two databases, supplementary behavioral profiles and the supplementary customer database profiles, has a higher degree of seriousness compared to the

34See Judgment in Akzo Nobel, C-516/15, EU:C:2017:314, paragraph. 48 28

violation concerning the profiling that takes place in the so-called simple behavioral profiles
to display customized advertisements. IMY believes that the profiling that takes place in the so-called simple behavioral profiles
to display customized advertisements is in itself
grounding for sanctions, but that it has a lower degree of seriousness than the violations
where a connection could be made between the different databases. The reason for this is that it concerns
less information about the data subjects and indirect personal data. IMY, however, considers
that this violation also includes systematic processing that has been going on
for a long time and has affected a large number of data subjects.

The measures that Bonnier has taken to limit the infringement of the data subjects'
personal integrity, in the form of set storage periods, that data is not recorded at the product level, that no more data than necessary is disclosed to affiliated companies, according to IMY, result in a significant reduction in the seriousness of the violations.

The personal data has also not been disclosed outside the group. IMY has noted that Bonnier News AB has consistently taken measures to reduce the privacy breach for the data subjects in its group-wide cooperation.

This situation is also taken into account when assessing the seriousness of the violations.

In light of the above circumstances, IMY assesses that these are violations of low severity overall. The starting point for calculating the

sanction fee should therefore be low in relation to the current maximum amount.

In addition to assessing the seriousness of the violation, IMY shall assess whether there are

any aggravating or mitigating circumstances that are significant for the amount of the sanction fee. IMY assesses that there are no further aggravating or mitigating circumstances, in addition to those taken into account when assessing the

severity above, that affect the amount of the sanction fee.

In light of the seriousness of the violation, aggravating and mitigating circumstances

and the high turnover in relation to the violations found

, IMY sets the administrative sanction fee for Bonnier News AB at

13,000,000 SEK. IMY assesses that this amount is effective, proportionate and

dissuasive.

__________________________________________

This decision has been made by Director General Lena Lindgren Schelin after a presentation
by lawyer Ulrika Bergström. The Head of Legal Affairs

David Törngren and the Head of Unit Catharina Fernquist have also participated in the final processing.

Lena Lindgren Schelin, 2023-06-26 (This is an electronic signature)

Appendix

Information on payment of sanction fee

Copy to

DSO 29

4. How to appeal

If you wish to appeal the decision, you should write to IMY. Indicate in the letter which decision you are appealing and the change you are requesting. The appeal must be received by IMY no later than three weeks from the date you received the decision. If the appeal has been received in good time, IMY will forward it to the Administrative Court in Stockholm for review. You can e-mail the appeal to IMY if it does not contain any privacy-sensitive personal information or information that may be subject to confidentiality. The authority's contact information is provided on the first page of the decision.

@@ Line 10: / Line 10: @@
 |ECLI=
-|Original_Source_Name_1=IMY (Sweden)
+|Original_Source_Name_1=IMY
 |Original_Source_Link_1=https://www.imy.se/globalassets/dokument/beslut/2023/beslut-tillsyn-bonnier-news.pdf
 |Original_Source_Language_1=Swedish
@@ Line 21: / Line 21: @@
 |Type=Investigation
 |Outcome=Violation Found
-|Date_Started=
+|Date_Started=07.11.2019
 |Date_Decided=26.06.2023
-|Date_Published=
+|Date_Published=06.02.2025
 |Year=2023
 |Fine=13000000
 |Currency=SEK
-|GDPR_Article_1=Article 4(4) GDPR
+|GDPR_Article_1=Article 4(1) GDPR
-|GDPR_Article_Link_1=Article 4 GDPR#4
+|GDPR_Article_Link_1=Article 4 GDPR#1
-|GDPR_Article_2=Article 6(1)(f) GDPR
+|GDPR_Article_2=Article 4(2) GDPR
-|GDPR_Article_Link_2=Article 6 GDPR#1f
+|GDPR_Article_Link_2=Article 4 GDPR#2
-|GDPR_Article_3=Article 60 GDPR
+|GDPR_Article_3=Article 4(4) GDPR
-|GDPR_Article_Link_3=Article 60 GDPR
+|GDPR_Article_Link_3=Article 4 GDPR#4
-|GDPR_Article_4=
+|GDPR_Article_4=Article 4(7) GDPR
-|GDPR_Article_Link_4=
+|GDPR_Article_Link_4=Article 4 GDPR#7
-|GDPR_Article_5=
+|GDPR_Article_5=Article 6 GDPR
-|GDPR_Article_Link_5=
+|GDPR_Article_Link_5=Article 6 GDPR
+|GDPR_Article_6=Article 6(1) GDPR
+|GDPR_Article_Link_6=Article 6 GDPR#1
+|GDPR_Article_7=Article 6(1)(f) GDPR
+|GDPR_Article_Link_7=Article 6 GDPR#1f
+|GDPR_Article_8=
+|GDPR_Article_Link_8=
+|GDPR_Article_9=
+|GDPR_Article_Link_9=
 |EU_Law_Name_1=
@@ Line 49: / Line 57: @@
 |National_Law_Link_2=
-|Party_Name_1=Bonier News AB
+|Party_Name_1=Bonnier News AB
-|Party_Link_1=
+|Party_Link_1=https://www.bonniernews.se/
 |Party_Name_2=
 |Party_Link_2=
@@ Line 65: / Line 73: @@
 }}
-The Swedish DPA found that the group-wide processing of personal data within the Bonnier group for various marketing purposes did not have a legal basis under [[Article 6 GDPR|Article 6(1) GDPR]]. Bonnier News AB was fined 13 000 000 SEK (approx. € 1 090 000 EUR) for the found violations.
+The DPA fined a media company SEK 13,000,000 for unlawfully profiling its users in order to target them with behavioral advertising on its website, thus violating Article 6(1) GDPR.
 == English Summary ==
 === Facts ===
-Bonnier News AB (Bonnier) processed personal data together with a number of affiliated companies belonging to the Bonnier group for various marketing purposes.
+Bonnier News AB (now Expressen Lifestyle), the controller, is a media company in Sweden. The Bonnier group processed their customers' data for, among other reasons, marketing purposes. They compiled profiles on their users and made these available to affiliated companies who then provided targeted advertisements for their own products and services through direct mail and telemarketing. They relied on legitimate interests under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] to do so.
-The affiliated companies collected information on their customers as well as browsing behavior of their website visitors through cookies. That data was transmitted to two Bonnier group-wide databases: (1) the customer database and (2) the behavioral database to create profiles of individuals (the data subjects).
+At the time of the investigation,which followed a complaint from a data subject, there were 15 such affiliated companies, with the personal data being collected from users and website visitors being stored in two group-wide data bases from which it was then shared with the affiliate companies. One of these databases was a “behavioral data base”.
-In some cases, information relating to a data subject in those two databases were linked which allowed the customer data, including contact information of an individual data subject, to be linked with behavioral data collected about them. Furthermore, in some cases, information obtained from Bisnode Sverige AB – a company offering business, marketing and credit information – was also linked to individual data subjects within the customer database.
+The personal data recorded in this database, by means of a cookie identifier, included the URL that the user visited, as well as its category and content type, information on the user’s device and their IP address, behavioral data in terms of time spent and the time the page was viewed and also whether the user logged into the website. In some instances, this data could be linked with the user’s data in the customer data base, resulting in a full behavior profile including the user’s age, gender, their car ownership and some variable based on the users’ residential area, such as their life phase, housing type and purchasing power.
-Bonnier made the behavioral data available to the affiliated companies for the purpose of displaying personalised ads, and the customer information for telemarkting and postal marketing purposes. This allowed Bonnier to collect data from several different websites through the affiliated companies. However, an affiliated company could only retrieve information based on behavioral data collected from that company's own services.
+During the course of the investigation, the controller argued that they are not joint controllers in respect of the personal data, and that after the affiliated companies access the data provided in the databases, that they alone are responsible for the legality of that processing.
-Bonnier claimed to have a legitimate under [[Article 6 GDPR|Article 6(1)(f) GDPR]] for the collection and processing of personal data in question.
+The controller further argued that while the personal data in the customer database was personal data, the data in the behavioral database was comprised of anonymous data and as such was not personal data under [[Article 4 GDPR#1|Article 4(1) GDPR]].
-Following various complaints lodged with the Swedish DPA against companies of the Bonnier group, the DPA initiated an investigation on whether Bonnier had a legal basis under [[Article 6 GDPR|Article 6(1) GDPR]] for its processing of the personal data included in the group-wide databases.
+The controller stated that they rely on legitimate interest as a lawful basis for the profiling of their customers and users to provide personalised advertisements. The controller identified the legitimate interest as being the need to ensure relevant content and advertisements for their customers so that they can offer competitive services and have attractive advertising spaces. The controller also submitted that this interest outweighed the interest of their customers in the protection of their personal data. The controller claimed that such was the case as the customers could object to the profiling, that the customers already have a direct relationship with one (or more) of the affiliates, either from having purchased from their websites or having visited their website, that the processing was unlikely to adversely affect the data subject’s interests as their interaction with the affiliates was voluntary and, finally, that the processing is consistent with the reasonable expectations of the data subjects.
 === Holding ===
-The DPA assessed the question whether Bonnier had a separate legal basis under the GDPR for processing personal data for 1) the purpose of displaying personalised ads based on the behavioral data, and 2) the purpose of making the customer data available for telemarketing and postal marketing purposes.
+The IMY (Swedish DPA), after highlighting the fact that Bonnier set up the framework for the accessing of the personal data by the affiliate countries, held that Bonnier News AB was a joint controller in respect of the processing activities. This included the initial collection of the data, the storage of that data in the databases, the profiling of the data subjects and the use of the data for the purposes of customised advertisements and direct marketing.
+The IMY further reasoned that as the behavioral data base distinguished users based on cookie identifiers, and the users can be individually identified from them, the behavioral data base constituted personal data.
-''1) Purpose of displaying personalised ads based on behavioral data''
+The IMY then considered the validity of the controller’s reliance on legitimate interest as a lawful basis for the profiling of user data. It was found that the interest being pursued was legitimate, and the processing in question necessary for the pursuit of the interest.
-Essentially, the DPA found that the interests of the data subjects outweighed the interests of Bonnier when it processed the behavioral because such processing enables profiling of individual data subjects as defined in [[Article 4 GDPR#4|Article 4(4) GDPR]].
+The IMY then turned to assess the balancing of interests. In respect of the making available of completed behavior profiles, it was noted that the overall benefit of the processing was for the controller to generate revenue from advertisements. The IMY disagreed with the controller’s assertion that the processing would be consistent with the reasonable expectations of the data subject, finding that the profiling was extensive in nature and not something which could be reasonably expected without consenting. The IMY thus found that the privacy interests of the data subjects outweighed the interest being pursued by the controller and as such, the controller infringed [[Article 6 GDPR#1|Article 6(1) GDPR]].
-Furthermore, the fact that in some cases the behavioral data of an individual data subject was linked with their customer data in the customer database, was considered to be profiling that is extensive in nature and that a data subject could not expect such profiling without having consented to it.
+With respect to the processing of simple behavioral profiles, allowing for the mapping of individuals through observation and the use of cookies, the IMY again held that the data subject’s interest in privacy outweighs the interests of the controller. The IMY reasoned that the monitoring of data subject behavior to provide targeted advertisements could give the data subject’s the feeling that they are being monitored.
-''2) Purpose of making customer data available for telemarketing and postal direct marketing''
+The IMY thus found that the controller had processed personal data for profiling based on behavioral data for the purposes of enabling targeted advertisements without a lawful basis, infringing [[Article 6 GDPR|Article 6(1) GDPR]].
-In cases where the customer information of an individual data subject was linked with behavioral data collected about them, the DPA held that the interests of the data subjects outweighed the interests of Bonnier. This was because such processing also constituted profiling pursuant to [[Article 4 GDPR#4|Article 4(4) GDPR]], and the DPA considered the profiling to be extensive in nature, since it provides an in-depth picture of the data subject. Further, because the data was collected from various websites and combined with additional data collected from Bisnode Sverige AB.
+The IMY issued a fine of SEK 13,000,000 (€1,157,483.21).
-On the other hand, when the customer information of an individual data subject was not linked with behavioral data collected about them, the DPA held that the interests of the data subjects do not override the interests of Bonnier. In this case, the DPA considered that the individuals could reasonably expect such processing and took into consideration that the data was only disclosed to affiliated companies within the Bonnier group, and that the data did not include information collected through cookies (behavioral data).
-Consequently, the DPA found that Bonnier had processed personal data in breach of [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] when the interests of data subjects were found to outweigh the interests of Bonnier, and imposed a fine of 13 000 000 (thirteen million) SEK (approx. € 1 094 000) on Bonnier.
 == Comment ==
-''This case concerned cross-border processing, and thus, the DPA applied the cooperation and consistency mechanisms provided for in the GDPR. The supervisory authorities concerned were the authorities of Denmark, Estonia, Finland, Norway and Germany.''
+''Share your comments here!''
 == Further Resources ==
@@ Line 111: / Line 117: @@
 (29)
+Bonnier News AB
+15 Stockholm
+Registration number: Decision after supervision according to
-                                                                         Bonnier News AB
-15 Stockholm
-Diary number: Decision after supervision according to
 DI-2019-11737
-                                 data protection regulation – Bonnier
+Data Protection Regulation – Bonnier
 Date: News AB
 -06-26
+Contents
+. The Swedish Data Protection Authority's decision........................................................................3
+. Statement of the supervision case..................................................................................3
+.1 Description of the group-wide personal data processing..........................................................4
+.1.1 Description of the processing of personal data contained in
-                                 Content
+the behavior database..................................................................................5
+.1.2 Description of the processing of personal data stored
-. The Privacy Protection Authority's decision............................................... ..........................3
+in the KDB..................................................................................................................6
-. Statement of the supervisory matter ............................................... .....................................3
+. Justification of the decision..................................................................................................8
-.1 Description of the group-wide personal data processing......4
+.1 IMY's competence..................................................................................................8
-.1.1 Description of the processing of personal data contained in
-                                                the behavior database ................................................... ................................5
+.1.1 Current circumstances.................................................................................8
-.1.2 Description of the processing of stored personal data
-                                                in KDB................................................ ................................................... .......6
+.1.2 Applicable provisions etc. ......................................................8
-. Justification of the decision................................... ................................................ ..8
-.1 IMY's authority................................................ ..............................................8
+.1.3 IMY's assessment ................................................................................9
-.1.1 Current circumstances................................................ ......................8
+.2 Bonnier News AB's personal data responsibility..................................................9
-.1.2 Applicable regulations, etc. ................................................ .....8
+.2.1 Current circumstances and Bonnier News AB's position.........9
-.1.3 IMY's assessment ........................................... ...................................9
-.2 Bonnier News AB's responsibility for personal data............................................ ..........9
+.2.2 Applicable provisions etc. ......................................................9
-.2.1 Current circumstances and Bonnier News AB's approach.........9
+.2.3 IMY's assessment ...........................................................................10
-.2.2 Applicable regulations, etc. ................................................... .....9
+.3 Which data constitutes personal data?..................................................................10
-.2.3 IMY's assessment ........................................... ................................10
+.3.1 Current circumstances and Bonnier News AB's position...........10
-.3 What information constitutes personal data?............................................. .............10
-.3.1 Current circumstances and Bonnier News AB's approach.......10
+Postal address: 3.3.2 Applicable provisions and other general starting points...10
+Box 8114
+20 Stockholm 3.3.3 IMY's assessment........................................................................12
-Postal address: 3.3.2 Applicable regulations and other general starting points....10
+.4 The processing constitutes profiling..................................................................13
-Box 8114
-20 Stockholm 3.3.3 IMY's assessment............................................ ................................12
-.4 The processing constitutes profiling............................................... .......................13
 Website:
-www.imy.se 3.4.1 Applicable regulations ......................................... ......................13
+www.imy.se 3.4.1 Applicable provisions..................................................................13
 E-mail:
-imy@imy.se 3.4.2 IMY's assessment ....................................... .....................................13
+imy@imy.se 3.4.2 IMY's assessment..................................................................................13
-Phone:
+Telephone:
 -657 61 00 2
+.5 Legal basis for processing for the purpose of displaying customized advertisements based on
+data in behavioral database ................................................................................13
+.5.1 Current circumstances and Bonnier News AB's position...........13
+.5.2 Applicable provisions, etc. ...................................................15
+.5.3 Basis for IMY's assessment.................................................17
+.5.4 Legitimate interest ................................................................................19
+.5.5 Is the processing necessary for the legitimate interest?................................19
-.5 Legal basis for processing for the purpose of displaying customized advertisements from outside
+.5.6 The balance of interests for the processing of personal data in
-        data in the behavior database .............................................. ..........................13
-.5.1 Current circumstances and Bonnier News AB's approach.......13
+supplemented behavioral profiles ..............................................................19
-.5.2 Applicable regulations, etc. ................................................... ...15
+.5.7 The balance of interests for the processing of personal data in simple
-.5.3 Starting points for IMY's assessment............................................ ...17
+behavioral profiles ..............................................................................21
-.5.4 Legitimate interest ............................................. ............................19
+.6 Legal basis for processing for the purpose of making contact details available for
-.5.5 Is the processing necessary for the legitimate interest?.............19
-.5.6 The balancing of interests for the processing of personal data i
+telephone sales and direct mail marketing..................................................21
-               supplemented behavioral profiles ................................................ ..............19
+.6.1 Applicable provisions, etc. .....................................................21
-.5.7 Balance of interests for the processing of personal data in simple
-               behavioral profiles ................................................... .....................................21
+.6.2 Current circumstances and Bonnier News AB's position...........22
-.6 Legal basis for processing for the purpose of making available contact information for
+.6.3 IMY's assessment................................................................................24
-        telephone sales and postal direct marketing............................................21
-.6.1 Applicable regulations, etc. ................................................... ...21
+.6.4 Is Bonnier News AB's interest in profiling individuals for the purpose of
+making data available to affiliated companies for use in
+telephone sales and direct mail marketing justified?................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................ and other general starting points....26
-.6.2 Current circumstances and Bonnier News AB's approach.......22
+.7.2 Same or connected data processing................................................26
-.6.3 IMY's assessment ........................................... ................................24
-.6.4 Is Bonnier News AB's interest in profiling individuals for the purpose of
+.7.3 Penalty fee................................................................................................26
-               make data available to affiliated companies for use in
+Appendix ......................................................................................................28
-               telephone sales and postal direct marketing eligible?...............24
-.6.5 Is the processing necessary for the purpose of profiling individuals
+Copy to................................................................................................................28
-               to make information available to companies for use in
-               telephone sales and postal direct marketing?................................24
-.6.6 Balance of interests for processing personal data i
+. How to appeal ................................................................................................29 3
-               completed customer database profiles................................................... .........24
+. Decision of the Data Protection Authority
-.6.7 Balance of interests for personal data without connection to
-               the behavior database ................................................... ..............................25
+The Data Protection Authority finds that Bonnier News AB (559080-0917) during the
-.7 Choice of intervention............................................... ..........................................26
+period from 7 November 2019 to 11 June 2020 has processed personal data
-.7.1 Applicable regulations and other general starting points....26
+without having a legal basis for it according to Article 6(1) of the Data Protection Regulation by
-.7.2 Same or connected data processing...................26
+a) processing personal data for the purpose of profiling the data subjects based on
+their behavioural data in so-called supplemented behavioural profiles and
-.7.3 Penalty fee............................................... ................................26
+making the profiles available to affiliated companies for the purpose of displaying customised
+advertisements,
+b) processing personal data for the purpose of profile the data subjects based on
-               Appendix ................................................ ................................................... ...28
+their behavioral data in so-called simple behavioral profiles and make the profiles available to affiliated companies for the purpose of displaying customized advertisements,
+c) to process personal data by profiling the data subjects based on
-               Copy to................................................ ................................................... .28
+their supplemented customer database profiles for the purpose of making
-. How to appeal ............................................ ................................................ ...29 3
+contact details available to affiliated companies for telephone sales and postal
+marketing.
+The Swedish Data Protection Authority decides, based on Articles 58(2) and 83 of
+the Data Protection Regulation, that Bonnier News AB shall pay an administrative
+sanction fee of SEK 13,000,000 (thirteen million).
+. Statement of the supervisory case
+The Swedish Data Protection Authority (IMY) has, in a supervision of the former Bonnier Magazine and
+Brands AB, now Expressen Lifestyle (ref. DI-2019-6523), noted that
+Bonnier News AB, together with other companies within the Bonnier Group, processes
+personal data for, among other things, marketing purposes based on the legal basis
-. The Data Protection Authority's decision
+legitimate interest according to Article 6(1)(f) of the Data Protection Regulation. IMY has initiated supervision of
+Bonnier News AB with the aim of investigating whether Bonnier News AB complies
-The Privacy Protection Authority notes that Bonnier News AB (559080-0917) under
+with the requirements of the Data Protection Regulation for the processing of personal data for
-the period from 7 November 2019 to 11 June 2020 has processed personal data
-without having a legal basis for it according to article 6.1 of the data protection regulation through
-    a) to process personal data for the purpose of profiling the registered based on
-         their behavioral data in so-called supplemented behavioral profiles and
-         make the profiles available to affiliated companies in order to show customized
-         Adverts,
-    b) to process personal data for the purpose of profiling the registered based on
-         their behavioral data in so-called simple behavioral profiles and make available
-         the profiles of affiliated companies for the purpose of displaying customized advertisements,
-    c) to process personal data by profiling the registered based on
-         their completed customer database profiles for the purpose of making available
-         contact details for affiliated companies for telephone and postal sales
-         marketing.
-The Privacy Protection Authority decides with the support of articles 58.2 and 83 i
-the data protection regulation that Bonnier News AB must pay an administrative
-penalty fee of 13,000,000 (thirteen million) kroner.
-. Statement of the supervisory matter
-The Swedish Privacy Protection Agency (IMY) has in a supervision against former Bonnier Magazine and
-Brands AB, now Expressen Lifestyle (dnr DI-2019- 6523) noted that
-Bonnier News AB together with other companies within the Bonnier Group processes
-personal data for e.g. marketing purposes supported by the legal basis
-legitimate interest according to Article 6.1 f of the data protection regulation. IMY has initiated supervision of
-Bonnier News AB for the purpose of investigating whether Bonnier News AB complies
-the data protection regulation's requirements for the processing of personal data that takes place for
 marketing purposes.
-Within the framework of this supervision, Bonnier News AB has had to comment on seven complaints
+Within the framework of this supervision, Bonnier News AB has been asked to comment on seven complaints
+submitted to IMY regarding various marketing measures taken by companies within the
-submitted to IMY regarding various marketing measures taken by companies within
+Bonnier Group. Bonnier News AB has commented on the complaints and it has then emerged
-The Bonnier Group. Bonnier News AB has commented on the complaints and it has then
+that the marketing measures taken have not been caused by withdrawals from
-revealed that the marketing measures taken have not been caused by withdrawals from
+the group-wide databases nor have they occurred under Bonnier News AB's
+personal data responsibility. Against this background, IMY does not find any reason to investigate these complaints further within the framework of
-the group-wide databases and also did not happen under Bonnier News AB's
+this case.
-personal data responsibility. Against this background, IMY finds no reason to within the framework of
-this matter investigate these complaints further.
-IMY has, within the scope of supervision, examined whether Bonnier News AB has a legal basis
-according to article 6 of the data protection regulation for the personal data processing that takes place in
-the group-wide databases for marketing purposes. Supervision
+Within the framework of the supervision, IMY has examined whether Bonnier News AB has a legal basis
-includes the processing of personal data that takes place by creating profiles and
+according to Article 6 of the Data Protection Regulation for the processing of personal data that takes place in
-making such data available for use by affiliated companies for
+the group-wide databases for marketing purposes. The supervision
-to display personalized ads. It also covers the processing of personal data,
+covers the processing of personal data that takes place by creating profiles and
+making such data available for use by affiliated companies to
+display customized advertisements. It also covers the processing of personal data,
-Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with
+Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to
-regarding the processing of personal data and on the free flow of such data and on the cancellation of
+the processing of personal data and on the free movement of such data, and repealing
-directive 95/46/EC (General Data Protection Regulation).
+Directive 95/46/EC (General Data Protection Regulation).
 DI-2018-22602, DI-2019-10121, DI-2019-10513, DI-2019-11057, DI-2019-7484, DI-2019-8104 and DI-2019-9556 4
+creation of profiles and making data available to affiliated companies for the purpose of
+using them for telephone sales and direct mail marketing.
+IMY has not taken a position on whether Bonnier News AB's personal data processing is otherwise in compliance with the Data Protection Regulation.
+The supervisory case began with an inspection on 7 November 2019. In connection with IMY sending the inspection report to Bonnier News AB, IMY asked the company additional questions on 20 December 2019. Bonnier submitted comments on the inspection report and submitted responses to IMY's questions on 14 February 2020. On 15 May 2020, IMY asked further additional questions to Bonnier News AB, to which the company submitted responses on 11 June 2020. Due to Bonnier News AB having updated its personal data policy, the company submitted additional information on 21 July 2020. Bonnier News AB has commented on IMY's draft decision on 13 April 2023. Since the case concerns cross-border processing, IMY has used the mechanisms for cooperation and consistency contained in Article 56 and Chapter VII of the
+Data Protection Regulation. The supervisory authorities concerned have been the authorities in
-creation of profiles and making information available to affiliated companies for the purpose of
-used by affiliated companies for telephone sales and postal direct marketing.
-IMY has not taken a position on Bonnier News AB's processing of personal data in general
-complies with the data protection regulation.
-The supervisory case began with an inspection on November 7, 2019. In connection with
-IMY sent the inspection report to Bonnier News AB, IMY provided additional information
-questions to the company on 20 December 2019. Bonnier provided comments on
-the inspection protocol and submitted with answers to IMY's questions on 14 February 2020. IMY
-asked additional supplementary questions to Bonnier News AB on 15 May 2020, which
-the company submitted a response on June 11, 2020. Due to the fact that Bonnier News AB
-updated its personal data policy, the company came in with supplementary information
-on July 21, 2020.
-Bonnier News AB has commented on IMY's draft decision on April 13, 2023.
-Since the case concerns cross-border treatment, IMY has used them
-cooperation and consistency mechanisms found in Article 56 and Chapter VII i
-data protection regulation. The supervisory authorities concerned have been the authorities in
 Denmark, Estonia, Finland, Norway and Germany.
+.1 Description of the group-wide
+personal data processing
-.1 Description of the group common
+The following has emerged during the inspection and subsequent correspondence. Within
-the processing of personal data
+the Bonnier Group, there is a collaboration between Bonnier News AB and a number of affiliated
+companies that are part of the group (the affiliated companies). Which companies are affiliated
-The following has emerged during the inspection and subsequent exchange of letters. Within
-The Bonnier Group is a collaboration between Bonnier News AB and a number of affiliates
-companies that are part of the group (the affiliated companies). Which companies are connected
-changes over time. At the time of the inspection, there were 15 affiliated companies which
+changes over time. At the time of the inspection, there were 15 affiliated companies, which
-in the spring of 2020 fell to 8. The processing of personal data that takes place within
+drew to 8 during the spring of 2020. The processing of personal data that takes place within
-the scope of the collaboration is limited to refer to the affiliated companies' customers on it
+the framework of the collaboration is limited to the affiliated companies' customers on the
 Swedish market. The affiliated companies collect personal data from their customers
 and people who visit the companies' websites. The collected data is transferred
-to two group-wide databases, a customer database (KDB) and a
+to two group-wide databases, a customer database (KDB) and a behavior database (the behavior database). In these databases, profiles of individuals are created. The profiles are also linked to information obtained from Bisnode Sverige AB.
-behavior database (the behavior database). In these databases, profiles are created about individuals
-people. The profiles are also linked to information taken from Bisnode Sverige AB.
-Bonnier News AB has stated that it stores collected data in them
-the group-wide databases to use for the following purposes:
-     • To establish a common customer register for affiliated companies with approval
-               data quality, which includes compiling customer and
-               user data and to check that the data is correct,
-               updated and appropriate
-     • To offer the affiliated companies' customers a simple way to redeem theirs
-               rights and an opportunity to ask questions about personal data to it
-               joint customer service
-     • To make personal data available to affiliated companies in order to:
-           • Use other affiliated companies' contact details to be able to
-                market the affiliated companies' own products and services
-                through direct mail marketing and telephone sales. 5
+Bonnier News AB has stated that it stores collected data in the
+group-wide databases for the following purposes:
+• To establish a common customer register for affiliated companies with good
+data quality, which includes compiling customer and
+user data and checking that the data is correct,
+updated and appropriate
+• To offer the affiliated companies' customers an easy way to exercise their
+rights and an opportunity to ask questions about personal data to the
+joint customer service
+• To make personal data available to affiliated companies for the purpose of:
+• Using the contact information of other affiliated companies in order to
+market the affiliated companies' own products and services
-           • Show custom content and custom ads in the affiliates
+through direct mail marketing and telephone sales. 5
-                the companies' digital services, based on customers' and users'
-                customer profile and behavior on the affiliated companies' sites.
+• Displaying customized content and customized advertisements in the affiliated
-           • Perform analysis of customer data in order to, using obtained customer insight
+companies' digital services, based on the customers' and users'
-                carry out customer communication, marketing of their own products,
+customer profiles and behavior on the affiliated companies' websites.
-                services and service.
+• Perform analysis of customer data in order to use the customer insight obtained
-           • Perform analysis of customer data in order to improve and develop existing ones
+to conduct customer communication, marketing of its own products,
-                services and products.
+services and service.
+• Perform analysis of customer data in order to improve and develop existing
+services and products.
-The personal data processing that takes place for the purpose of adaptation of affiliated companies
+The personal data processing that takes place for the purpose of adapting affiliated companies'
-ads are based on data stored in the behavioral database. The
+advertisements is based on data saved in the behavioral database. The
 personal data processing that takes place to disclose personal data to affiliated companies
-for use in telephone sales and direct mail marketing is based on
+for use in telephone sales and direct mail marketing is based on data in the KDB.
-data in KDB.
 .1.1 Description of the processing of personal data contained in
-the behavior database
+the behavioral database
-The investigation into the matter shows the following.
+The investigation into the case reveals the following.
-The information contained in the behavioral database is processed for the purpose of displaying customized information
-content and customized advertisements in the connected companies' digital services.
-In connection with an individual visiting an affiliated company's website, it collects
-the affiliated company enters information about the individual's surfing behavior. This is done by
-the affiliated company has placed a script on its web page requesting to save one
-text file (web cookie) on the visitor's computer, tablet or mobile phone. The information in
-the web cookie can be used to track the user's browsing on the website. The
-information (behavioral data) that is collected when the individual surfs and then transferred to
-the behavior database and added to the individual's profile is:
-         • Details of the visited page's URL (web address), its category and a
-             content tag .
-         • Details of the user's device type in which the page was viewed,
-             browser type and the part of the user's IP address that refers to country,
-         • Data on behavior in the form of time spent and time of
-             the page view,
-         • Statement of a unique randomly generated web cookie value (below
-             called cookie identifier),
-         • Information on whether the page was viewed in logged-in mode.
-Bonnier News AB deletes the cookie identifier after 30 days and from today
-, the generated behavioral data is no longer used for the adaptation of advertisements to
-individuals.
-Data in the behavior database and in the KDB can in some cases be linked together.
-A content tag is a description of the content that has been consumed in the participating companies' services. Bonnie
-News AB collects two types of tags, predefined according to the IAB's (The Interactive Advertising Bureau) standard and
-tags produced by the affiliated companies' editorial offices. 6
+The data contained in the behavioral database is processed for the purpose of displaying customized
+content and customized advertisements in the affiliated companies' digital services.
+When an individual visits an affiliated company's website, the affiliated company collects information about the individual's surfing behavior. This is done by
-When the data in the behavior database cannot be linked with data in the KDB
+the affiliated company having placed a script on its website that requests to save a
-the data subject's behavioral profile consists only of the data listed above, a
+text file (cookie) on the visitor's computer, tablet or mobile phone. The information in the
-profile which in this decision will be called simple behavior profile.
+cookie can be used to track the user's surfing on the website. The
+information (behavioral data) that is collected when the individual surfs and then transferred to the
+behavioral database and added to the individual's profile is:
-In cases where data in the behavior database and data in the KDB can be linked in
+• Information about the URL (web address) of the page visited, its category and a
-the behavior database is supplied with data from KDB on purchase history gender, age, household's
+content tag.
-car ownership and zip code, as well as statistical variables based on the individual
-residential area such as life phase, purchasing power and form of living to the behavioral database.
+• Information about the user's device type on which the page was viewed,
-These profiles will henceforth in this decision be referred to as supplemented
+the browser type and the part of the user's IP address that refers to the country,
-behavioral profile.
+• Information about behavior in the form of time spent and time of
+the page view,
+• Information about a unique randomly generated cookie value (hereinafter
-The availability to affiliated companies takes place through a search tool linked to
+referred to as the cookie identifier),
-the behavioral database where the affiliated company can order a segment of
+• Information about whether the page was viewed in logged-in mode.
-customer data based on their chosen variables. An administrator reviews the order
+Bonnier News AB discards the cookie identifier after 30 days and from day
-fulfills certain criteria determined within the collaboration. If so, it gets connected
-the company access to a code that makes it possible to target ads to users who
-included in the segment.
+the generated behavioral data is no longer used to adapt advertisements to individuals.
-The affiliated companies can only retrieve information from the behavioral database based on
+Data in the behavioral database and in the KDB can in some cases be linked together.
-on behavioral data collected from the company's own digital services. It applies regardless
-whether it is a simple or supplemented behavioral profile. As for it
+A content tag is a description of the content that has been consumed in the participating companies' services. Bonnier
-supplemented the behavioral profile, however, it may also contain purchase history from others
+News AB collects two types of tags, predefined according to the IAB (The Interactive Advertising Bureau) standard and
-affiliated companies. In KDB, information is thinned out after two years, which is why older information cannot
+tags produced by the affiliated companies' editorial departments. 6
-linked to the behavioral database or disclosed to affiliated companies.
+When the data in the behavioral database cannot be linked with data in the KDB
+the data subject's behavioral profile consists only of the data specified above, a
+profile that in this decision will be referred to as a simple behavioral profile.
-.1.2 Description of the processing of personal data stored in KDB
+In cases where data in the behavioral database and data in the KDB can be linked together in the behavioral database, data from the KDB on purchase history, gender, age, household additional ownership and postal code, as well as statistical variables based on the individual's residential area such as life stage, purchasing power and housing type are added to the behavioral database. These profiles will hereinafter be referred to in this decision as supplemented behavioral profiles. The data is made available to affiliated companies through a search tool linked to the behavioral database, where the affiliated company can order a segment of customer data based on its chosen variables. An administrator checks whether the order meets certain criteria determined within the collaboration. If so, the affiliated company is given access to a code that makes it possible to target advertisements to users who are included in the segment. The affiliated companies can only retrieve data from the behavioral database based on behavioral data collected from the company's own digital services. This applies regardless of whether it is a simple or supplemented behavioral profile. However, the supplemented behavioral profile may also contain purchase history from other affiliated companies. In the KDB, data is filtered after two years, which is why data older than that cannot be linked to the behavioral database or disclosed to affiliated companies. 2.1.2 Description of the processing of personal data stored in the KDB The investigation into the case reveals the following. The data about individuals in the KDB is processed for the purpose of being used for affiliated companies' marketing of their own products and services through direct mail and telephone sales. When an individual makes a purchase or signs up for a subscription, the affiliated company that has a contractual relationship with the customer collects data from them. Some of this data is transferred to the KDB. In the KDB, information is linked to a profile. In the KDB, the customer profile is assigned a KDB ID. If the affiliated company's customer is already
-The investigation into the matter shows the following.
+registered in KDB, the existing customer profile is updated/supplemented with the new
-The information about individuals that is in KDB is processed for the purpose of being used for affiliates
+engagement. Otherwise, a new customer profile is created with a new KDB ID. The information
-the company's marketing of its own products and services by postal mail
+stored in KDB and collected from the customer's contact with the affiliated
-direct marketing and telephone sales.
+company is name, address, telephone number, personal identification number, email address and information
-In connection with an individual making a purchase or signing a subscription, it collects
+linked to the customer's purchase, such as product category, brand, type of
-affiliated companies that have a contractual relationship with the customer enter information from him. Some of
-this data is transferred to KDB. In KDB, information is linked to a profile. In KDB
-the customer profile is assigned a KDB ID. If the connected company's customer already exists
-registered in KDB, the existing customer profile is updated/supplemented with the new one
+packaging (whether it is a digital or traditional product and whether it is a free or
-the commitment. Otherwise, a new customer profile is created with a new KDB ID. The data
-which are stored in KDB and which are collected from the customer's contact with the connected
-the company's name, address, telephone number, social security number, e-mail address and information
+paid product). The KDB also records whether the customer has objected to the use of information in
-which are linked to the customer's purchase, such as product category, brand, type of
-packaging (if it is a digital or traditional item and if it is a free or
-paid product). In KDB, it is also registered if the customer has objected to data in
+KDB for marketing purposes and information whether the customer has registered in the so-called
-KDB is used for marketing as well as information on whether the customer has registered in it
-called the NIX registry. For the following categories of data there are restrictions:
+NIX register. There are restrictions for the following categories of information:
-    • Information about e-mail address is not disclosed to affiliated companies at
+• Information about email addresses is not disclosed to affiliated companies in the case of
-         telephone sales and postal direct marketing.
-    • Information about social security number is only used to check whether the customer has
-         registered to oppose marketing in the NIX registry (NIX block) as well
+telephone sales and direct mail marketing.
-         to check that the customer is not deceased.
-    • Information on social security numbers is not made available to the affiliated companies. 7
+• Personal identification number information is only used to check whether the customer has
+registered to oppose marketing in the NIX register (NIX blocking) and
+to check that the customer is not deceased.
+• Personal identification number information is not made available to the affiliated companies. 7
+In addition to the information collected by the affiliated companies, Bonnier News
+AB collects information from Bisnode Sverige AB for the purpose of checking and supplementing
-In addition to the data collected by the affiliated companies, Bonnier News collects
+individuals' contact information, and to provide statistical data such as life stage, purchasing power
-AB enters information from Bisnode Sverige AB for the purpose of checking and supplementing
-individuals' contact details, as well as to add statistical data such as life phase, purchasing power
+and housing. Furthermore, information on car ownership and on deceased persons is collected
-and form of accommodation. Furthermore, information is collected on car ownership and on deceased persons
-as well as information about a so-called GEDI ID (which is a unique identifier in the form of a
+as well as information on a so-called GEDI-id (which is a unique identifier in the form of a
-pseudonymised ID).
+pseudonymized ID).
-Data in the KDB and the behavior database can in some cases be linked together in the KDB as well.
+Information in the KDB and the behavioral database can in some cases also be linked in the KDB.
-The profile then constitutes what in this decision below will be called supplemented
+The profile then constitutes what in this decision will be referred to below as a supplemented
 customer database profile. This is done by a customer of an affiliated company visiting
-the company's website and logs into their account with the company. The behavioral data that has
+the company's website and logging into their account with the company. The behavioral data that has been
-collected about the customer and which is linked to a cookie identifier can then under
+collected about the customer and that is linked to a cookie identifier can then, under certain conditions, be linked with the customer's KDB ID. In cases where the customer's KDB ID and the cookie value can be linked, the KDB profile is supplemented with
-certain prerequisites are linked with the customer's KDB–ID. In cases where the customer's KDB
+information collected over the past 30 days from the behavioral database. The information
-The ID and the cookie value can be linked together if the KDB profile is supplemented with
-data collected in the last 30 days from the behavioral database. The data
 that is retrieved is information about which websites the customer has visited, which section
-on the website the customer visited (so-called content tags), as well as which device type
+of the website the customer has visited (so-called content tags), and which device type
-the customer surfed from. Bonnier News AB has limited the type of content tags that
+the customer has surfed from. Bonnier News AB has limited the type of content tags that companies other than the one whose website the individual surfed can base their profiling on
-companies other than the one whose website the individual surfed on can base their profiling on
+for the purposes of telephone sales and direct mail marketing.
-for the purposes of telephone sales and postal direct marketing.
 When a person ceases to be a customer of an affiliated company, KDB is notified that
-the customer's commitment has ended and the customer is flagged as a passive customer. Then deleted
+the customer's engagement has ceased and the customer is flagged as a passive customer. The customer's data is then deleted
-the customer's data in KDB after two years. Data obtained from the behavioral database
-thinned after 30 days. Any NIX block is always activated when making available
-contact details in KDB for customers of other affiliated companies and contact details for own
-customers when these have been inactive for 12 months.
-Information is made available to affiliated companies upon request through an application in KDB. IN
-KDB creates a selection file based on the criteria specified by the affiliated company. Within the scope of
-the collaboration applies something called purpose-adapted schedules. These regulate
-what information is disclosed from KDB. In the case of disclosure, only those are left
-data points defined as necessary for the marketing channel that
-specified at the time of disclosure, i.e. for example telephone numbers in the case of telephone sales
-campaign and address for postal direct marketing. The data points that
-the segmentation is based on, is not disclosed. The data is made available through a
-interface in KDB to the connected company.
-It is possible for the registered person to request deletion from KDB. It registered
-also has the right to object to the data being used for telephone and postal sales
-direct marketing.
-Bonnier News AB has stated that all affiliated companies are majority owned by Bonnier
-Group AB and subordinate Bonnier Group's framework for personal data processing
-and that only a small part of the profiles in question have been able to be made one
-connection to data in the behavior database.
+in KDB after two years. Data obtained from the behavioral database
+is filtered after 30 days. Any NIX blocking is always activated when
-Only tags categorized with the IAB's taxonomy are collected. 8
+contact data in KDB is made available to customers of other affiliated companies and contact data to own customers when these have been passive for 12 months.
+Data is made available to affiliated companies upon request through an application in KDB.
+A selection file is created in KDB based on the criteria specified by the affiliated company. Within the framework of
+the collaboration, something called purpose-adapted schedules are applied. These regulate what information is disclosed from KDB. When disclosed, only the data points defined as necessary for the marketing channel specified at the time of disclosure are disclosed, i.e., for example, telephone numbers in a telephone sales campaign and addresses in postal direct marketing. The data points on which the segmentation is based are not disclosed. The data is made available through an interface in KDB to the affiliated company.
+The data subject has the option of requesting deletion from KDB. The data subject also has the right to object to the use of the data for telephone sales and postal direct marketing.
+Bonnier News AB has stated that all affiliated companies are majority-owned by Bonnier Group AB and subject to the Bonnier Group's framework for personal data processing
+and that only a small portion of the profiles in question have been able to be linked to data in the behavioral database.
+Only tags categorized with the IAB taxonomy are collected. 8
 . Justification of the decision
 .1 IMY's authority
 .1.1 Current circumstances
-Part of the personal data that is processed within the group
+Some of the personal data processed within the group-wide
-the collaboration has been collected by affiliated companies placing a cookie on
-the visitor's computer, tablet or mobile phone. Bonnier News AB has stated that
-the collection is done through affiliated companies' websites. The affiliated companies transfer
-then this data to the behavior database and in some cases the data is linked
-also together with profile information in KDB. Bonnier News AB has stated that they
-obligations that resulted from the provisions of the Act (2003:389) on electronic
-communication and now follows from the Act (2022:482) on electronic communication
-(LEK), meets affiliated companies and not Bonnier News AB because it is those companies
-who is responsible for the actual collection of the data.
-.1.2 Applicable regulations, etc.
-It follows from Article 95 of the Data Protection Regulation that the Data Protection Regulation shall not
-entail any additional obligations for natural or legal persons who
-processes personal data, for such areas that are already covered by obligations
-according to the so-called eData protection directive. The eData Protection Directive has been implemented in
-Swedish law through LEK, where, among other things, collection of information through web cookies
-regulated.
-According to ch. 9 Section 28 LEK may store data in or retrieve from a subscriber's or
-user's terminal equipment only if the subscriber or user gets access to
-information about the purpose of the treatment and consent to it. Furthermore, it appears
-that this does not prevent such storage or access as is necessary to transfer one
-electronic message via an electronic communication network or which is necessary
-to provide a service that the user or subscriber expressly has
-requested. Before August 1, 2022, when LEK entered into force, corresponding requirements were made
-according to ch. 6 Section 18 of the Act on (2003:389) on electronic communications. It's Post-
-and the Swedish Telecom Agency (PTS), which is the supervisory authority according to LEK (chapter 1 § 5 of the regulation
-[2022:511] on electronic communication).
-The EDPB has commented on the interaction between the eData Protection Directive and
-the data protection regulation. From the opinion, i.a. follows that the national regulatory authority
-appointed under the eData Protection Directive is solely authorized to monitor compliance
-of the directive. However, according to the data protection regulation, the supervisory authority is competent
+cooperation has been collected by affiliated companies placing a cookie on the
-supervisory authority for the processing that is not specifically regulated in the eData Protection Directive.
+visitor's computer, tablet or mobile phone. Bonnier News AB has stated that
-If only part of the processing falls under the eData Protection Directive, does not limit
-this the authority of the data protection authority to test other parts of the processing
+the collection is done through affiliated companies' websites. The affiliated companies then transfer
-according to the data protection regulation. 7
+this information to the behavioral database and in some cases the information is also linked
+with profile information in KDB. Bonnier News AB has stated that the obligations that followed from the provisions of the Electronic Communications Act (2003:389) and now follow from the Electronic Communications Act (2022:482) (LEK), affect affiliated companies and not Bonnier News AB since it is the companies that are responsible for the actual collection of the data.
+.1.2 Applicable provisions, etc.
-This means, among other things, that the supervisory authority according to the data protection regulation is
+It follows from Article 95 of the Data Protection Regulation that the Data Protection Regulation shall not entail any additional obligations for natural or legal persons who process personal data, for areas that are already covered by obligations in accordance with the so-called eData Protection Directive. The eData Protection Directive has been implemented in Swedish law through the LEK, which, among other things, regulates the collection of data through cookies.
-authorized to assess the legality of the personal data processing that takes place after
-the information is retrieved from the individual's terminal equipment, e.g. storage of collected
+According to Chapter 9 Section 28 of the LEK states that data may be stored in or retrieved from a subscriber's or user's terminal equipment only if the subscriber or user is given access to information about the purpose of the processing and consents to it. It is further stated that this does not prevent such storage or access that is necessary to transmit an electronic message via an electronic communications network or that is necessary to provide a service that the user or subscriber has expressly requested. Before 1 August 2022, when the LEK came into force, the corresponding requirements were set in accordance with Chapter 6, Section 18 of the Electronic Communications Act (2003:389). The Swedish Post and Telecom Agency (PTS) is the supervisory authority under the LEK (Chapter 1, Section 5 of the Electronic Communications Ordinance [2022:511]). The EDPB has issued an opinion on the interaction between the ePrivacy Directive and the 6th General Data Protection Regulation. The opinion states, among other things: that the national supervisory authority designated under the ePrivacy Directive is solely competent to monitor compliance with the Directive. However, the supervisory authority under the Data Protection Regulation is the competent supervisory authority for processing not specifically regulated in the ePrivacy Directive. If only part of the processing falls under the ePrivacy Directive, this does not limit the competence of the data protection authority to examine other parts of the processing under the Data Protection Regulation. 7
+This means, among other things, that the supervisory authority under the Data Protection Regulation is competent to assess the lawfulness of the processing of personal data that takes place after the data has been retrieved from the individual's terminal equipment, such as the storage of retrieved
-Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 on the processing of personal data and
+Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).
-privacy protection in the electronic communications sector (Directive on Privacy and Electronic Communications).
+Opinion 5/2019 on the interaction between the Directive on privacy and electronic communications and the General Data Protection Regulation, in particular as regards the competence, tasks and powers of data protection authorities,
-Opinion 5/2019 on the interaction between the directive on privacy and electronic communications and the general
-the data protection regulation, especially with regard to the competence, tasks and powers of the data protection authorities,
 adopted on 12 March 2019
-See points 68 and 69 of the opinion. 9
+See paragraphs 68 and 69 of the Opinion. 9
+data and analysis of such data for the purposes of behavioural advertising
-data and analysis of such data for purposes related to behavioral advertising
 online.
 .1.3 IMY's assessment
-The information added to the behavioral database has been collected by the affiliated companies
+The data added to the behavioural database has been collected by the affiliated companies
-through cookies. The personal data processing that is reviewed in this supervisory matter
+through cookies. The personal data processing examined in this supervisory case
-is Bonnier News AB's subsequent processing of personal data i
+is Bonnier News AB's subsequent processing of personal data in the behavioural database. That processing is not covered by the regulation in LEK or the
-the behavior database. That processing is not covered by the regulation in LEK or the
+previously applicable regulation in the Act on (2003:389) on electronic communications.
-previously applicable regulations in the Act on (2003:389) on electronic communications.
-This means that the regulation in the data protection regulation is applicable to the processing and
+This means that the regulations in the Data Protection Regulation apply to the processing and that IMY is the competent supervisory authority.
-that IMY is the competent supervisory authority.
+.2 Bonnier News AB's personal data responsibility
-.2 Bonnier News AB's responsibility for personal data
+.2.1 Current circumstances and Bonnier News AB's position
+It is Bonnier News AB's opinion that Bonnier News AB and the respective affiliated
+company have a joint personal data responsibility for the processing that takes place in the KDB
-.2.1 Current circumstances and Bonnier News AB's attitude
+and the behavioral database for the purposes stated above as common.
-It is Bonnier News AB's opinion that Bonnier News AB and the respective affiliate
-companies have joint personal data responsibility for the processing that takes place in KDB
-and the behavioral database for the purposes listed above as common.
 Furthermore, Bonnier News AB has stated that Bonnier News AB and affiliated companies have a
-common view of goals and means and that Bonnier News AB has entered into so-called Joint
+common view of purposes and means and that Bonnier News AB has entered into a so-called Joint
-Data Controller Agreement with the affiliated companies in accordance with Article 26.2 i
-data protection regulation.
+Data Controller Agreement with the affiliated companies in accordance with Article 26(2) of the
+GDPR.
 Bonnier News AB has stated that each affiliated company has its own independent
-("local") personal data responsibility for its own collection of data. Bonnier News AB has
-further stated that it has no joint personal data responsibility for them
-personal data processing that is carried out after the data has been disclosed to
-affiliated companies from the common databases. It is the affiliated company which
-retrieved the data who is responsible for personal data for the treatments like this
-company carries out after collection.
-.2.2 Applicable regulations, etc.
-According to Article 4.7 of the data protection regulation, the person responsible for personal data is the person alone
-or together with others determine the purposes and means of the processing of
-personal data. That means and ends can be determined by more than one actor means
-that several actors can be responsible for personal data for the same processing.
-According to Article 4.2 of the Data Protection Regulation, processing is an action or
-combination of measures concerning personal data or sets of
-personal data.
-In the Fashion-ID case, the European Court of Justice has found that a website owner who
-using plug-ins from social networks on their website can become common
-personal data controller with the social network. This applies to the collection as well
-the disclosure by transmission of the website visitors' personal data which
-takes place with the help of the social network plug-in. The court also stated that
-each party is only responsible for the parts of the processing chain that it actually
-definite end and means for.
-See point 75 of the opinion.
-See judgment Fashion-ID, C-40/17, EU:C:2019:629, paragraphs 64-85 10
+("local") personal data responsibility for its own collection of data. Bonnier News AB has further stated that it does not have a joint controller for the processing of personal data carried out after the data has been disclosed to affiliated companies from the joint databases. It is the affiliated company that has retrieved the data that is the controller for the processing carried out by this company after the retrieval.
+.2.2 Applicable provisions, etc.
+According to Article 4(7) of the Data Protection Regulation, the controller is the person who alone or jointly with others determines the purposes and means of the processing of personal data. The fact that purposes and means can be determined by more than one actor means that several actors can be controllers for the same processing.
-In the Wirtschaftsakademie case, the European Court of Justice stated that a joint responsibility for a
+According to Article 4(2) of the Data Protection Regulation, processing is an action or combination of actions concerning personal data or sets of personal data.
-treatment does not necessarily mean that the various actors involved in
-the processing of personal data has the same responsibility. These actors can do the opposite
-involved in different stages of the processing of personal data to varying degrees, and where and
-one's level of responsibility must be assessed taking into account all the relevant circumstances therein
-individual case.
+In the Fashion-ID case, the CJEU held that a website operator who uses social network plug-ins on its website may become a joint controller with the social network. This applies to the collection and disclosure by transmission of personal data of website visitors that takes place using the social network plug-in. The CJEU also stated that each party is only responsible for those parts of the processing chain for which it actually determined the purposes and means. 8 See paragraph 75 of the Opinion. 9 See judgment in Fashion-ID, C-40/17, EU:C:2019:629, paragraphs 64-85 10 In the Wirtschaftsakademie case, the CJEU stated that joint responsibility for processing does not necessarily mean that the different actors involved in the processing of personal data have the same responsibility. On the contrary, these actors may be involved at different stages of the processing of personal data to varying degrees, and the level of responsibility of each must be assessed taking into account all the relevant circumstances of the individual case.
 .2.3 IMY's assessment
-Bonnier News AB provides two databases, KDB and the behavior database, there
+Bonnier News AB provides two databases, the KDB and the behavioral database, where
-information from affiliated companies is combined into profiles of individuals. Under them
+information from affiliated companies is combined into profiles of individuals. Under the
-prerequisites that Bonnier News AB and the companies determined, the information is made
+conditions determined by Bonnier News AB and the companies, the information is
-available to Bonnier News AB and respective affiliated companies.
+made available to Bonnier News AB and the respective affiliated company.
 IMY notes that, in addition to making the databases available to the affiliated companies,
-Bonnier News AB, together with the companies, has set up the framework for the processing of
+Bonnier News AB has, together with the companies, set up the framework for the processing in
-different ways.
+various ways.
+IMY therefore assesses that Bonnier News AB is jointly
+controller of personal data with the affiliated companies for the part of the
+personal data processing that takes place for the common purposes of
+making personal data, through profiling of individuals' data, available to affiliated companies to display customized advertisements and for use in telephone sales and
+direct mail marketing. This includes the collection of data for the databases, the storage in the databases and the profiling, the collection of additional data from Bisnode Sverige AB, the connection between the behavioral database and KDB, and the transfer of data between the databases. Furthermore, Bonnier News AB is jointly responsible for personal data with the affiliated companies for the actions taken prior to and in the event of disclosure to an affiliated company. 3.3 What data constitutes personal data? 3.3.1 Current circumstances and Bonnier News AB's position The section "Description of the group-wide personal data processing" states that a large amount of data collected from individuals is processed in the KDB and the joint behavioral database. Bonnier News AB believes that what is referred to in this decision as a supplemented behavioral profile constitutes personal data. However, data in the behavioral database - which cannot be linked with data in the KDB - constitutes anonymous behavioral data according to Bonnier News AB. This is because they cannot be linked to a person either via KDB-ID, customer ID, IP address or any other identifier for a person. Bonnier News AB therefore believes that the behavioral profiles referred to in this decision as simple behavioral profiles do not constitute personal data. According to Bonnier News AB, the segmentation made on these simple profiles is only based on the affiliated company's own collected information in the behavioral database (a company can, for example, choose to adapt sports-related content and advertisements to the information registered via a cookie over the last 30 days). 3.3.2 Applicable provisions and other general starting points According to Article 4(1) of the General Data Protection Regulation, personal data is any information relating to an identified or identifiable natural person (i.e. the data subject). The same provision states that an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or online identifiers or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. According to recital 26 of the GDPR, the principles of data protection should apply to any information relating to an identified or identifiable natural person. Personal data which have been pseudonymised and which could be attributed to a natural person by the use of supplementary information should be considered as data relating to an identifiable natural person. In order to determine whether a natural person is identifiable, account should be taken of all the means, such as screening, which, either by the controller or by another person, can reasonably be used to directly or indirectly identify the natural person. In order to determine whether means can reasonably be used to identify the natural person, all objective factors, such as the cost and time required for identification, should be taken into account, taking into account both the technology available at the time of the processing and the state of the art. According to recital 26, the principles of data protection should not apply to anonymous information which does not relate to an identified or identifiable natural person, or to personal data which has been rendered anonymous in such a way that the data subject is no longer identifiable. The Regulation therefore does not concern the processing of such anonymous information, which includes information for statistical or research purposes. According to recital 30 of the Data Protection Regulation, natural persons may be linked to online identifiers provided by their equipment, applications, tools and protocols, e.g. IP addresses, cookies or other identifiers, such as radio frequency tags. This may leave traces which, in particular in combination with unique identifiers and other data received by the servers, can be used to create profiles of natural persons and identify them. 11 An opinion of the Article 29 Working Party, which contains an analysis of the concept of personal data, states that a natural person in a group is considered to be “identified” when he or she can be “distinguished” from other individuals in some way. The European Data Protection Board (EDPB), in its guidelines on targeted advertising in social media, has stated that even individuals who use a social media service without having created an account or profile with the social media service may constitute data subjects within the meaning of Article 4(1) of the GDPR if the person is directly or indirectly identified or identifiable. The EDPB has referred to the concept of “thinning” in recital 26 of the GDPR and to the above-mentioned opinion of the Article 29 Working Party.
-IMY therefore makes the assessment that Bonnier News AB is joint
+The Article 29 Working Party’s opinion on online behavioural advertising further elaborates on what it means to be identifiable:
-personal data controller with the affiliated companies for that part of
-the personal data processing that takes place for the common purposes of
-make personal data available, through profiling of individual data, to connected
+The Article 29 Working Party notes that behavioural advertising often leads to the processing of personal data. Behavioural advertising typically involves the collection of IP addresses and the processing of unique identifiers (through the cookie). The use of such functions with a unique identifier makes it
-company to display customized ads and for use in telemarketing and
-postal direct marketing. This includes collecting data for the databases,
-the storage in the databases and the profiling, obtaining additional data from
+The so-called Article 29 Working Party was an advisory and independent working party consisting of representatives of the supervisory authorities in the EU and the EEA. , The working party was tasked with contributing to the uniform application of the Data Protection Directive through, among other things, recommendations. On 25 May 2018, the working party was replaced by the European Data Protection Board, the EDPB.
-Bisnode Sverige AB, the connection between the behavior database and KDB
+See WP 136. Article 29 Working Party Opinion 4/2007 on the concept of personal data, adopted on 20 June 2007, p. 12 f
-as well as the transfer of data between the databases. Further is Bonnier
+See EDPB Guidelines 8/2020 on targeted advertising in social media Version 2.0, adopted on 13 April 2021, p. 19 12
-News AB jointly responsible for personal data with the affiliated companies for them
+allow users of a particular computer to be tracked even if dynamic IP addresses
-measures that take place before and during a disclosure to an affiliated company.
+are used. In other words, such features make it possible to “point out” individual
+data subjects, even if their names are not known. Moreover, the information
-.3 What information constitutes personal data?
+collected in the context of behavioural advertising relates to (i.e. concerns) the characteristics or behaviour of a
+person and is used to influence that specific
+person. This view is further strengthened if one considers the possibility that
+profiles can be linked at any time to directly identifiable information provided by the data subject, such as information provided when
+registering on a website. Other scenarios that can lead to identifiability are
-.3.1 Current circumstances and Bonnier News AB's attitude
+mergers, data losses and the growing availability on the Internet of
-Under the section “Description of the group common
-the processing of personal data" it is clear that a lot of data collected from
-individuals are processed in the KDB and the common behavior database. Bonnier News
+personal data linked to IP addresses. 14
-AB considers that what is referred to in this decision as a completed behavioral profile constitutes
-personal data. In contrast, data in the behavior database - which cannot be linked
-together with data in KDB - according to Bonnier News AB anonymous behavioral data. This
-because they cannot be linked to a person either via KDB ID, customer ID, IP address or
-any other identifier for a person. Bonnier News AB thus believes that they
-behavioral profiles which in this decision are referred to as simple behavioral profiles do not constitute
-personal data. The segmentation that is done on these simple profiles is, according to Bonnier
-News AB, based only on the affiliated company's own collected information i
-the behavior database (a company can, for example, choose to sports-related content and advertisements
-must be adapted to the data registered via a web cookie during the last
-the 30 days).
-.3.2 Applicable regulations and other general starting points
-According to Article 4.1 of the Data Protection Regulation, personal data is any information which
-refers to an identified or identifiable natural person (ie the data subject). Of the same
-provision states that an identifiable natural person is a person who directly or
-See judgment Wirtschaftsakademie, C-210/16, EU:C:2018:388, paragraph 43 11
-indirect can be identified especially by reference to an identifier such as a name, one
-identification number, a location data or online identifiers or a or
-several factors specific to the natural person's physical, physiological,
-genetic, psychological, economic, cultural or social identity.
-According to recital 26 of the data protection regulation, the principles of data protection should apply to everyone
-information relating to an identified or identifiable natural person. Personal data
-which has been pseudonymised and which could be attributed to a natural person through
-that supplementary information is used should be considered as information about an identifiable person
-physical person. To determine whether a natural person is identifiable, all should be considered
-aids, such as thinning out, which, either by the data controller or
-by another person, may reasonably be used to directly or indirectly
-identify the natural person. To determine whether aids with reasonable
-probability may be used to identify the physical person should one
-take into account all objective factors, such as costs and time required for identification,
-taking into account the technology available at the time of the treatment as well as the
-technological development. According to reason 26, the principles for data protection should not apply to
-anonymous information that does not relate to an identified or identifiable physical
-person, or for personal data that has been anonymized in such a way that it
-registered is no longer identifiable. The regulation therefore does not affect the treatment of
-such anonymous information, which includes information for statistical purposes or
-research purposes.
-According to recital 30 of the data protection regulation, natural persons can be linked to
-network identifiers provided by their equipment, applications, tools and protocols;
-for example IP addresses, cookies or other identifiers, such as radio frequency tags. This can
-leave traces that, especially in combination with unique identifiers and other data
-received by the servers, can be used to create profiles of natural persons
-and identify them.
-From an opinion of the Article 29 Working Party, which contains an analysis of
-the concept of personal data, it appears that a natural person in a group is considered "identified"
-when he or she can in some way be "distinguished" from other persons. European
-The Danish Data Protection Agency (EDPB) has in its guidelines on targeted advertising in social media
-found that even people who use a social media service without having created
-an account or profile with the social media service may constitute registrants therein
-meaning referred to in Article 4.1 of the Data Protection Regulation if the person is directly or
-indirectly identified or identifiable. The EDPB has referred to the concept
-"thinning" in recital 26 to the data protection regulation and to the above-mentioned opinion from
-Article 29 Group.
-In the Article 29 group's opinion regarding behavioral advertising on the Internet is developed
-further what it means to be identifiable:
-    The Article 29 Group notes that behavioral advertising often leads to
-    Processing of personal data. Behavioral advertising normally includes
-    collection of IP addresses and processing of unique identifiers (by
-    the cookie). The use of such functions with a unique identifier does so
+.3.3 IMY's assessment
+IMY initially notes that the supplemented behavioural profiles (i.e.
-The so-called the Article 29 Group was an advisory and independent working group consisting of representatives of
+behavioural profiles linked to KDB) contain data relating to identified
-the supervisory authorities in the EU and EEA. , The group had the task of, among other things, recommendations contribute to a
-uniform application of the data protection directive. On 25 May 2018, the working group was replaced by European
-Data Protection Board, EDPB.
-See WP 136. Article 29 Group Opinion 4/2007 on the concept of personal data, adopted on 20 June 2007, p 12 f
-See EDPB guidelines 8/2020 on targeted advertising in social media Version 2.0, adopted 13 April 2021, p 19 12
+or identifiable natural persons. The supplemented behavioural profiles are thus
-    possible to track users of a particular computer even if dynamic IP addresses
-    is used. In other words, such functions make it possible to "point out" individuals
-    registered, even if their names are not known. Furthermore, the information relates
-    which is collected in behavioral advertising to (that is, about) a
-    person's characteristics or behavior and is used to influence this specific
-    person. This point of view is further strengthened if one considers the possibility that
-    profiles at any time can be linked to directly identifiable information such as
-    provided by the data subject, for example information specified at
-    registration on a website. Other scenarios that can lead to identifiability are
-    mergers, data loss and the growing accessibility of the Internet to
-    personal data linked to IP addresses. 14
-.3.3 IMY's assessment
-IMY initially states that the completed behavioral profiles (i.e.
-behavioral profiles linked to KDB) contain information relating to identified persons
-or identifiable natural persons. The complementary behavioral profiles are thus
 personal data.
-In the case of the simple behavioral profiles (ie behavioral profiles without connection to
+With regard to the simple behavioural profiles (i.e. behavioural profiles without a link to
-KDB) IMY makes the following assessment.
-In order for a piece of data to be qualified as personal data, it is first required that
-the information relates to a natural person. This requirement is met with respect to simple
-behavioral profiles because the data describes how the individual surfed with a number
-different parameters.
-Furthermore, it is required that the natural person is identified or identifiable. Of Article 4.1 i
-the data protection regulation states that it is sufficient that a person can be identified indirectly. IN
-the provision further states that identification can be made by reference to a
-online identifier. Recital 30 of the regulation states cookies ("cookie identifiers" in it
-the English language version) as an example of a network identifier. Identification in it
-meaning referred to in Article 4.1 can thus take place with the help of such unique
-cookie values used in the behavior database.
+KDB), IMY makes the following assessment.
-IMY further notes that it appears from recital 26 to the data protection regulation that
+In order for a piece of data to qualify as personal data, it is first required that
-thinning is a way of identifying a person. This means that a person can
+the data relates to a natural person. This requirement is met with regard to simple
-identified by being distinguished from other persons. It is therefore not required to
-the person is identified by name or social security number. Such a distinctive or
+behavioural profiles since the data describes how the individual surfed with a number
-thinning occurs when the information being processed makes it possible to point out, draw
-conclusions about or take specific actions in relation to a user.
-In the behavioral database, the information is linked with a unique identifier, a unique
+of different parameters.
-cookie value, which is linked to a specific browser or app, which in turn is
-connected to a device such as a computer or telephone. One of the purposes of the treatment of
-the data is to, on the basis of the user's behavior, target marketing to a
+Furthermore, it is required that the natural person is identified or identifiable. Article 4(1) of the GDPR states that it is sufficient that a person can be identified indirectly. The provision further states that identification can be made by reference to an online identifier. Recital 30 of the GDPR lists cookies (in the English version) as an example of online identifiers. Identification within the meaning of Article 4(1) can thus be made by means of such unique cookie values used in the behavioural database. IMY further notes that recital 26 of the GDPR states that
-user based on that particular user's past behavior in an identified
-browser or app. The purpose of the treatment is thus to draw conclusions about it
+selection is a way of identifying a person. This means that a person can be
-individual by creating a profile and based on this influence the individual. IMY
-thus states that even the simple behavioral profiles that are not connected with
-KDB means that individuals are identifiable.
+identified by being distinguished from other persons. It is therefore not required that the person be identified by name or personal identification number. Such
+selection or selection occurs when the information processed makes it possible to
+identify, draw conclusions about or take specific measures in relation to a user. In the behavioral database, the information is linked to a unique identifier, a unique cookie value, which is linked to a specific browser or app, which in turn is linked to a device such as a computer or phone. One of the purposes of the processing of the data is to target marketing to a user based on the user's behavior based on that user's previous behavior in an identified browser or app. The purpose of the processing is thus to draw conclusions about the individual by creating a profile and based on this to influence the individual. IMY thus states that even the simple behavioral profiles that are not linked to the KDB mean that individuals are identifiable.
-See WP 171, Article 29 Working Party Opinion 2/2010 on Behavioral Advertising on the Internet, adopted on 22 June
+See WP 171, Article 29 Working Party Opinion 2/2010 on online behavioural advertising, adopted on 22 June
 , p. 9 f
-See WP 136. f Article 29 Group opinion 4/2007 on the concept of personal data, adopted on 20 June 2007 p. 12 13
+See WP 136. f Article 29 Working Party Opinion 4/2007 on the concept of personal data, adopted on 20 June 2007, p. 12 13
-Against this background, IMY makes the assessment that the simple behavior profiles constitute
+In this context, IMY assesses that simple behavioural profiles constitute
 personal data.
-.4 The processing constitutes profiling
+.4 Processing constitutes profiling
-.4.1 Applicable regulations
-Profiling is defined in Article 4.4 of the Data Protection Regulation as any form of
-automatic processing of personal data which consists of personal data being used for
-to assess certain personal characteristics of a natural person, in particular to
-analyze or predict this natural person's work performance, financial
-situation, health, personal preferences, interests, reliability, behavior, whereabouts
+.4.1 Applicable provisions
-or transfers.
+Profiling is defined in Article 4(4) of the GDPR as any form of
+automatic processing of personal data consisting of the use of personal data to
+assess certain personal aspects relating to a natural person, in particular to
+analyse or predict that natural person's performance at work, economic
+situation, health, personal preferences, interests, reliability, behaviour, whereabouts
+or movements.
 .4.2 IMY's assessment
-IMY notes that both the processing of personal data based on simple
-behavioral profiles and supplemented behavioral profiles that take place for the purpose of
-make the data available to affiliated companies in order to display customized advertisements
-includes profiling of data subjects as defined in Article 4.4 i
-data protection regulation. This is because it is a question of automatic processing of
-personal data aimed at categorizing the registrants based on their past
-behavior pattern which in turn makes it possible to assess some of their personal
-characteristics.
-IMY further notes that the processing of personal data that takes place for the purpose of
+IMY notes that both the processing of personal data based on simple behavioral profiles and supplemented behavioral profiles for the purpose of making the data available to affiliated companies for the purpose of displaying tailored advertisements
-make available contact details for telephone sales and postal direct marketing
+includes profiling of data subjects as defined in Article 4(4) of the
-includes profiling of data subjects as defined in Article 4.4 i
+GDPR. This is because it involves the automated processing of personal data aimed at categorizing data subjects based on their previous behavioral patterns, which in turn makes it possible to assess certain of their personal characteristics.
-data protection regulation. This is because it is a question of automatic processing of
-personal data for the purpose of categorizing the registrants based on their purchase history and i
+IMY further notes that the processing of personal data for the purpose of making contact details available for telemarketing and direct mail marketing
-in some cases also behavioral patterns.
+includes profiling of data subjects as defined in Article 4(4) of the
+GDPR. This is because it involves the automated processing of personal data aimed at categorizing data subjects based on their purchase history and, in some cases, behavioral patterns.
+.5 Legal basis for processing for the purpose of displaying customized advertisements based on data in the behavioral database
-.5 Legal basis for processing for the purpose of displaying customized
+.5.1 Current circumstances and Bonnier News AB's position
-advertisements based on information in the behavioral database
+Bonnier News AB has stated that it has coordinated its activities within the group to
+achieve a better data basis and make it possible to process customers' and
+users' personal data for specified purposes in a cost-effective and privacy-friendly manner. Bonnier News AB uses its profiling of individuals to
+make information available to affiliated companies for the purpose of displaying customized advertisements, partly on
+collected behavioral data that cannot be linked to the KDB, partly on behavioral data where such a
-.5.1 Current circumstances and Bonnier News AB's attitude
+connection can be made and where additional personal data has been added to the data subject's
-Bonnier News AB has stated that within the group it has coordinated its activities for
+profile. Bonnier News AB supports its processing of information to make information available to affiliated companies for the purpose of displaying customized advertisements on the legal basis of Article 6(1)(f) of
-to achieve a better data basis and make it possible to process the customers' and
-users' personal data for specified purposes in a cost-effective and
+the General Data Protection Regulation.
-privacy-friendly way. Bonnier News AB uses its profiling of individuals to
-make information available to affiliated companies for the purpose of displaying customized advertisements on
-collected behavioral data that cannot be linked to KDB, partly on behavioral data where a
-such connection can be made and where additional personal data is added it is registered
-profile. Bonnier News AB supports its processing to make information available to connected users
-company for the purpose of displaying customized advertisements on the legal basis in Article 6.1 f i
-data protection regulation.
 Legitimate interest
 Bonnier News AB has stated the following.
+The company has a legitimate interest consisting of a need to understand the wishes and needs of its customers and users in order to be able to achieve relevance in content and advertising aimed at customers and users and thereby be able to offer competitive products/services and attractive advertising space. Many of the affiliated companies are also engaged in journalistic activities. The operating model of 14 publishers today consists of revenue streams from reader and advertising revenue. The group-wide processing of personal data is important for the financing of the companies' journalistic activities. Bonnier News AB has also pointed to the protection of media freedom and diversity in Article 11 of the EU Charter of Fundamental Rights. Necessary processing Bonnier News AB has stated that the processing of personal data is necessary to achieve the purposes of making individuals' profiles available to affiliated companies in order to display tailored advertisements. The company, together with the other companies, has taken measures
-The company has a legitimate interest that consists in a need to understand its customers and
+to minimize the amount of data collected and limited how long this data is
-users' wishes and needs in order to achieve relevance in content and
-advertising that is aimed at customers and users and thereby be able to offer
-competitive products/services and attractive advertising space. Many of the connected
-the companies also engage in journalistic activities. Publicists' business model of 14
-today consists of revenue streams from readership and advertising revenue. The
-Group-wide personal data processing is important for the financing of
-the companies' journalistic activities. Bonnier News AB has also pointed to the protection for
-freedom and diversity of the media in Article 11 of the EU Charter on the fundamentals
-the rights.
-Necessary treatment
-Bonnier News AB has stated that the processing of personal data is necessary to
+processed, and ensured that the databases are kept separate and that only certain data
-achieve the purposes of making individuals' profiles available to affiliated companies for viewing
-customized ads. The company, together with the other companies, has taken measures
-to minimize the number of collected data and limit the duration of this data
+is transferred between them.
-processed and ensured that the databases are kept separate and that only certain data
-transferred in between.
+Balancing of interests
-Balance of interests
 Bonnier News AB has stated the following.
+Bonnier News AB's interest outweighs the individual's interest in protecting their
-Bonnier News AB's interest outweighs the individual's interest in protection for their own
 personal data.
+Processing personal data to display customized advertisements based on the individual's profile is a basic requirement for journalists and publishers to be able to receive
-Processing of personal data to display customized advertisements based on it
+revenue and, in the long run, to be able to conduct journalism.
-an individual's profile is a basic prerequisite for journalists and publicists to be able to obtain
-income and, by extension, be able to conduct journalism.
+It is possible to object to profiling based on behavioral data. According to the
+information that individuals receive in Bonnier News AB's personal data policy, the individual can object to information about their online behavior being processed in the
-It is possible to object to profiling based on behavioral data. According to it
+common customer database. This means that the connection between the individual's
-information that individuals receive in Bonnier News AB's personal data policy it can
-individuals object to information about their online behavior being processed in it
-common customer database. This means that the connection between the individual
-customer data and their surfing behavior are deleted.
+customer data and their surfing behavior is removed.
-Those registered have a direct relationship with one or more affiliated companies.
+The data subjects have a direct relationship with one or more affiliated companies.
-The users/customers have either visited an affiliated company's website, purchased
-products of an affiliated company or an active digital subscription. Many of
-the customers are subscribers who have a long-term relationship with the company that
+The users/customers have either visited the website of an affiliated company, purchased
-provides the service or product and can therefore be considered to have a greater expectation of
-that their data is processed. Many readers have a strong commitment to theirs
-preference for news media. To a certain extent, customer profiles in KDB belong to piece purchases such as
+products from an affiliated company or an active digital subscription. Many of
-literature, newspaper and merchandise purchases. In these cases, the relationship between customer and supplier gets
-considered somewhat less unique. Furthermore, the interaction is voluntary, clear information is provided
-and there are alternative products such as physical newspapers that one can partake of completely
+the customers are subscribers who have a long-term relationship with the company that
-anonymously.
+provides the service or product and can therefore be considered to have a greater expectation that
-The processing is unlikely to have any negative impact on the data subject's interests.
+their data will be processed. Many readers have a strong commitment linked to their
-Individuals interacting with affiliated companies is voluntary and it is in their interest to
-the companies' services are as relevant as possible. Furthermore, Bonnier News AB has referred to
+preference for news media. To some extent, customer profiles in KDB belong to piece purchases such as
-that the Article 29 Group found that targeted marketing based on simple
-customer profiles, such as gender, age, place of residence and broad interests (eg "fashion") typically
-seen not to have any significant impact on the individuals. Bonnier News AB has further
+literature, newspaper and goods purchases. In these cases, the relationship between customer and supplier
-taken measures to ensure that a minimum of data is processed in relation
-for the purposes and to reduce integrity risks in general. Among other things shared
-the personal data not with companies other than the affiliated companies within the group and
+can be considered to be somewhat less unique. Furthermore, the interaction is voluntary, clear information is provided
-The version of Bonnier News AB's personal data policy that was submitted on 21 July 2020, see under the heading "How you
+and there are alternative products such as physical newspapers that can be viewed completely
-accesses and controls your personal data", file attachment 20.1. 15
+anonymously.
+The processing is unlikely to have any negative impact on the data subject's interest.
+Individuals' interaction with affiliated companies is voluntary and it is in their interest that the companies' services are as relevant as possible. Furthermore, Bonnier News AB has referred to the fact that the Article 29 Working Party has found that targeted marketing based on simple customer profiles, such as gender, age, place of residence and broad interests (e.g. "fashion") typically does not have a significant impact on individuals. Bonnier News AB has also taken measures to ensure that a minimum of data is processed in relation to the purposes and to reduce privacy risks in general. Among other things, personal data is not shared with companies other than the affiliated companies within the group and 16The version of Bonnier News AB's personal data policy that was submitted on July 21, 2020, see under the heading "How you can access and control your personal data", attachment 20.1. 15
+All of these companies are subject to the Bonnier Group's framework for
-all of these companies are subject to the Bonnier Group's framework for
 personal data processing.
-The current processing is within the data subject's reasonable expectations
+The current processing is within the reasonable expectations of the data subjects because
-of the fact that the individuals who come into contact with the companies do so of their own free will in order to take
-part of content on websites, buy services and/or products and that they always have one
-customer/user relationship with one or more companies in the group. The company's
-personal data policies contain clear information about how customers and users
-personal data is processed and shared within the group. The treatment that is carried out
-within the framework of KDB and the behavioral database is closely associated with the companies' services
-and products, which is likely to have an impact on consumer expectations. That many of
-the companies' products and services are online and in many cases free or
-ad-financed should entail a special expectation and acceptance for certain
-personal data processing for e.g. customization of content and advertising. Today is
-also many digital products that are consumed by a very large part of
-consumers in society adapted to the individual and that is Bonnier News AB's
-perception that today's consumers expect the digital products and services
-which they consume to some extent will be tailored to the individual.
+the individuals who come into contact with the companies do so of their own free will in order to
-.5.2 Applicable regulations, etc.
+participate in content on websites, purchase services and/or products and that they always have a
-Personal data must be processed in a legal, correct and transparent manner in relation to
+customer/user relationship with one or more companies in the group. The companies'
-the data subject, according to Article 5.1 a of the data protection regulation. That the data should
-processed legally means i.a. that at least one of the conditions stated in Article 6.1 is
-fulfilled.
+personal data policies contain clear information about how customers' and users'
-Consent is, according to Article 6.1 a, one of the legal grounds that a
+personal data is processed and shared within the group. The processing carried out
-The personal data controller can support its processing of personal data at Another
+within the framework of the KDB and the behavioral database is closely linked to the companies' services
-legal basis is legitimate interest according to Article 6.1 f , which requires that three
-cumulative conditions are met. It must (i) have a legitimate interest
+and products, which is likely to have an impact on the consumer's expectations. The fact that many of the companies' products and services are online and in many cases free or
-personal data controller or with a third party to whom the data is disclosed, (ii)
-the processing of personal data must be necessary for the legitimate interest which
-is pursued and (iii) the data subject's interest in the protection of his personal data may
+financed by advertising is likely to entail a particular expectation and acceptance of certain
-not weigh heavier. 18
+personal data processing for, among other things, adaptation of content and advertising. Today,
+many digital products consumed by a very large portion of
+consumers in society are also tailored to the individual, and it is Bonnier News AB's
+opinion that today's consumers expect that the digital products and services
+that they consume will to some extent be tailored to the individual.
-Recital 47 of the data protection regulation states that a legitimate interest can, for example
+.5.2 Applicable provisions, etc.
-exist when there is a relevant and appropriate relationship between the data subject
-and the personal data controller, for example if the data subject is a customer of it
+Personal data shall be processed lawfully, fairly and transparently in relation to the data subject, in accordance with Article 5(1)(a) of the GDPR. The fact that the data shall be
-personal data controller. It is stated that the processing of personal data for
+processed lawfully means, among other things, that at least one of the conditions set out in Article 6(1) is
-direct marketing can be considered a legitimate interest. Furthermore, it is stated that a
-legitimate interest requires a careful assessment, which includes whether it
+met.
-registered at the time and in connection with the collection of personal data
-can reasonably expect that processing for the stated purpose may take place. The
-data subject's interests and fundamental rights could weigh in particular
+Consent is, according to Article 6(1)(a), one of the legal bases on which a
-heavier if personal data is processed in circumstances where the data subject is not
-can reasonably expect some further treatment.
+data controller can base its processing of personal data. Another
+legal basis is legitimate interest according to Article 6(1)(f), which requires that three
-According to ch. 9 § 28 LEK, which implements Article 5.3 of the eData Protection Directive in Swedish law,
+cumulative conditions are met. There must be (i) a legitimate interest of the controller or of a third party to whom the data are disclosed, (ii) the processing of personal data must be necessary for the legitimate interest pursued, and (iii) the data subject's interest in the protection of his or her personal data must not be overridden. 18
-may data be stored in or retrieved from users' or subscribers' terminal equipment
+Recital 47 of the GDPR states that a legitimate interest may, for example, exist where there is a relevant and appropriate relationship between the data subject and the controller, for example if the data subject is a customer of the controller. It states that the processing of personal data for direct marketing purposes may be considered a legitimate interest. It further states that a legitimate interest requires a careful assessment, which includes whether the data subject can reasonably expect, at the time and in connection with the collection of the personal data, that processing for the specified purpose may take place. In particular, the interests and fundamental rights of the data subject could be overridden if personal data are processed in circumstances where the data subject cannot reasonably expect any further processing.
-only if the subscriber or user gets access to information about the purpose of
-the treatment and consent to it. This does not prevent such storage or access
-which is needed to transmit an electronic message via an electronic
+According to Chapter 9, Section 28 of the LEK, which implements Article 5(3) of the eData Protection Directive into Swedish law,
-Further measures taken can be seen from the opinion filed on February 14, 2020, file appendix 13, in appendix O
+data may be stored in or retrieved from the terminal equipment of users or subscribers
-See, Judgment in Fashion ID, C-40/17, EU:C:2019:629, point. 95. 16
+only if the subscriber or user is given access to information about the purpose of the
+processing and consents to it. This does not prevent such storage or access
+that is necessary for the transmission of an electronic message via an electronic
+communications network or that is necessary for the provision of a service that
+the user or subscriber has expressly requested. The corresponding requirement previously applied
+according to Chapter 6, Section 18 of the Electronic Communications Act (2003:389).
+The EDPB Guidelines on Connected Vehicles state that data collected on the basis of consent in accordance with Article 5(3) of the ePrivacy Directive or subject to the exceptions in Article 5(3) of that Directive may only be further processed for another purpose if the controller requests further consent or is supported by Union or Member State law. The EDPB further states that such further processing cannot rely on a compatibility test under Article 6(4) of the GDPR as it would undermine the protection of the ePrivacy Directive. Furthermore, the EDPB states that consent, where required by the ePrivacy Directive, must be specific and informed, meaning that data subjects must be aware of each purpose of the processing and have the right to object for specific purposes. If further processing on the basis of a compatibility test under Article 6(4) of the GDPR were possible, the very principle of the consent requirements in the current Directive would be circumvented. 20
-communication network or which is necessary to provide a service which
+The EDPB Guidelines on targeted advertising in social media divide personal data into the following categories: data that the data subject has actively and knowingly provided to the controller, data observed by the data subject through the use of the service or device, and inferred and derived data created on the basis of data provided by the data subject. According to the EDPB, there are two legal bases for processing such data that the data subject has actively and knowingly provided, namely consent under Article 6(1)(a) and legitimate interest under Article 6(1)(f) of the GDPR. In the case of data
-the user or subscriber has expressly requested. Corresponding requirements previously applied
+collected through observed data provided by the data subject through the use of a service or device, including that collected through
-according to ch. 6 § 18 of the Act (2003:389) on electronic communications.
+cookies, the EDPB states that Article 6(1)(f) cannot constitute a legal basis for such targeted advertising where individuals are tracked across multiple websites and locations. 22
+The EDPB further states that for such processing, consent is likely to be the most appropriate
-It appears from the EDPB's guidelines on connected vehicles that data collected on
+legal basis under Article 6 of the GDPR. The assessment should also take into account that the processing includes activities for which the EU legislator has sought to provide
-basis of consent in accordance with Article 5.3 of the eData Protection Directive or covered
+additional protection. 23
-of the exceptions in Article 5.3 of that directive can only be further processed for another
-purposes, if the person in charge of personal data requests further consent or has support in
+The EDPB has stated in its guidelines on consent that if controllers choose to rely on consent for any part of the processing, they must be prepared to
-Union law or the legislation of a Member State. The EDPB further states that such
-further processing cannot rely on a compatibility test according to Article 6.4 i
+respect this choice and stop that part of the processing if an individual withdraws their consent. It would be fundamentally unfair to data subjects to give the message that data will be processed based on consent while actually referring to a different legal basis. In other words, the controller may not switch the legal basis from consent to other legal grounds. The EDPB further states that, for example, it is not permissible to retroactively use legitimate interest as a ground to justify processing if there have been problems in obtaining valid consent. Due to the requirement that data controllers must
-the data protection regulation because it would undermine the protection in
-eData Protection Directive. Furthermore, the EDPB states that a consent must, when required by
+See Guidelines 01/2020 on the processing of personal data in the context of connected vehicles and
-eData Protection Directive, be specific and informed, which means that the registered
-must be aware of each processing purpose and have the right to refuse specific purposes.
-If further processing on the basis of a compatibility test according to Article 6.4 i
+relevant applications, Version 2.0, Adopted on 9 March 2021, paragraph 53
-the data protection regulation would be possible would the very principle of consent requirements
+See previous note
+See EDPB Guidelines 8/2020 on targeted advertising in social media Version 2.0, adopted on 13 April 2021, paragraph 40
+See previous note, paragraph 77
+See previous note, paragraph 78 17
-in the current directive is circumvented. 20
+state the legal basis when collecting personal data, they must have determined the legal basis before collecting the data. 24
+An opinion from the Article 29 Working Party on the concept of legitimate interest in Directive
-In the EDPB's guidelines on targeted advertising in social media, personal data is divided into
+/46/EC states that when carrying out the balancing of interests, the type of interest invoked, the harm that would be suffered by the controller if the data were not processed, the nature of the data, how the personal data are processed, the position of the data subjects and the position of the controller, the reasonable expectations of the data subjects as to what will happen to their data and the consequences for the data subjects should be taken into account.
-the categories of data that it actively recorded and knowingly provided to it
-personal data controller, observed data provided by the data subject
+If, after analysing the above factors, it is still unclear how this balancing will turn out, the design of so-called additional safeguards may be decisive for the outcome of the balancing of interests. 25
-through use of the Service or Device and derivative and derived data that
-created on the basis of the data provided by the data subject. According to the EDPB
-there are two legal bases that may come into question for processing such data
-which the data subject actively and knowingly provided, namely consent according to 6.1
+The Article 29 Working Party Guidelines on Automated Individual Decision-Making and Profiling provide guidance on when profiling can be based on legitimate interests under
-a and legitimate interest according to 6.1 f of the data protection regulation. When it comes to data
-which was collected through observed data provided by the data subject
-through use of a Service or Device, including that collected through
-cookies, the EDPB states that Article 6.1 f cannot constitute a legal basis for such directed
-advertising where individuals are tracked across multiple websites and locations. 22
-Furthermore, the EDPB states that for such processing, consent is probably the most appropriate
-the legal basis in Article 6 of the Data Protection Regulation. In the assessment, one must move on
-take into account that the processing includes activities that the legislator in the EU has wanted to provide
-additional protection.23
-The EDPB has stated in its guidelines on consent that if the data controller chooses
-to invoke consent for any part of the processing they must be prepared to
-respect this choice and stop this part of the processing about an individual
-revokes his consent. It would be fundamentally unfair to the data subjects to give
-the message that the data will be processed based on consent while
-one actually refers to another legal basis. In other words, don't get it
-personal data controller change the legal basis from consent to other legal grounds.
-The EDPB further states that, for example, retroactive fair use is not permitted
-interest as a basis for justifying the treatment, if there have been problems with
-obtain valid consent. Due to the requirement that the data controllers must
-See Guidelines 01/2020 on the processing of personal data in connection with connected vehicles and
-Safety-related applications, Version 2.0, Adopted on 9 March 2021, paragraph 53
-See previous note
-See EDPB guidelines 8/2020 on targeted advertising in social media Version 2.0, adopted 13 April 2021, point 40
-  See previous note, point 77
-See previous note point 78 17
-specify a legal basis when the personal data is collected, they must have determined which one
-the legal basis is before they collect the data. 24
-In an opinion of the Article 29 Working Party on the concept of legitimate interest in directives
-/46/EG it appears that when carrying out the balancing of interests should be taken into account
-what type of interest is stated, what damage the personal data controller would
-hit by whether the data was not processed, the nature of the data, how
-the personal data is processed, the position of the data subjects and the
-the position of the data controller, the data subject's reasonable expectations of what
-will happen to their data and the consequences for the data subjects. If
-that, after the above factors are analyzed, it is still unclear how this
-trade-off occurs, the design of the so-called additional protective measures are essential
-for the outcome in the balancing of interests. 25
-In the Article 29 Working Party Guidelines on Automated Individual Decision-Making and
-profiling is given guidance when profiling can be based on legitimate interests according to
 .1 f. According to the guidelines, the following factors are relevant:
+• The level of detail of the profile.
-            • How detailed the profile is.
+• The extent of the profile.
-            • How extensive the profile is.
-            • The consequences of profiling.
+• The consequences of the profiling.
-            • The safeguards intended to ensure a fair, non-
-                discriminatory and accurate profiling process.
+• The safeguards intended to ensure a fair, non-
+discriminatory and accurate profiling process.
-In several opinions, the Article 29 group has repeated its position that it is difficult
+The Article 29 Working Party has reiterated in several opinions its position that it is difficult
-to rely on Article 6.1 f of the data protection regulation for such profiling that takes place
+to rely on Article 6(1)(f) of the GDPR for such profiling that takes place
-for marketing or advertising purposes when individuals are tracked on several different
+for marketing or advertising purposes when individuals are tracked across several
+different websites, locations, devices, services or for data brokering activities.
-websites, locations, devices, services or for data brokerage operations.
+.5.3 Basis for IMY's assessment
+Bonnier News AB supports its processing of personal data for the purpose of
+making individuals' profiles available to affiliated companies for the purpose of displaying tailored advertisements
-.5.3 Starting points for IMY's assessment
+on the legal basis of legitimate interest under Article 6(1)(f) of the GDPR. Before IMY examines whether the legal basis can constitute a basis
-Bonnier News AB supports its processing of personal data for the purpose of
-make individuals' profiles available to affiliated companies for the purpose of displaying customized advertisements
-on the legal basis legitimate interest according to Article 6.1 f i
+for Bonnier News AB's processing, IMY finds it necessary to address how the processing
-data protection regulation. Before IMY examines whether the legal basis can constitute a basis
-for Bonnier News AB's processing, IMY finds reason to go into how the processing
 relates to certain statements made in the EDPB guidelines.
+The EDPB guidelines on targeted advertising in social media state that, when it comes to
+data that the data subject has actively and knowingly provided, both
-From the EDPB's guidelines on targeted advertising in social media, it appears that when applicable
+consent and legitimate interest can constitute a legal basis for the processing. The
-data that the registrant actively and knowingly provided so can both
+guidelines state, however, that for data collected through observation
-consent and legitimate interest constitute a legal basis for the processing. Of
-however, the guidelines state that for such data collected through observation
-(e.g. through cookies) legitimate interest cannot serve as an appropriate legal
+(for example, through cookies), legitimate interest cannot serve as an appropriate legal basis when the targeted advertising is based on individuals being tracked across multiple
-basis when the targeted advertising is based on individuals being tracked over several
 websites and locations.
-  See EDPB Guidelines 05/2020 on consent under Regulation (EU) 2016/679, Version 1.1, adopted on 4 May 2020,
+See EDPB Guidelines 05/2020 on consent under Regulation (EU) 2016/679, Version 1.1, adopted on 4 May 2020,
-Chapters 122-123
+points 122-123
-  See Article 29 Working Party Opinion 6/2014 on the concept of the controller's legitimate interests in Article 7 of
+See Article 29 Working Party Opinion 6/2014 on the notion of legitimate interests of the controller in Article 7 of
-directive 95/46/EC
+Directive 95/46/EC
-See the opinion of the Article 29 group Guidelines on automated individual decision-making and profiling according to
+See Article 29 Working Party Opinion Guidelines on automated individual decision-making and profiling under
-Regulation (EU) 2016/679, adopted on 3 October 2017, p.15 and Article 29 Working Party Opinion 6/2014 on the concept
+Regulation (EU) 2016/679, adopted on 3 October 2017, p.15 and Article 29 Working Party Opinion 6/2014 on the notion of legitimate interests of the controller in Article 7 of
-the controller's legitimate interest in Article 7 of Directive 95/46/EC, adopted on 9 April 2014, p. 47, and
+Directive 95/46/EC, adopted on 9 April 2014, p. 47, and
-the examples on pp. 59–60 as well as the EDPB's guidelines 8/2020 on targeted advertising in social media Version 2.0, adopted 13
+the examples on pp. 59–60 and EDPB Guidelines 8/2020 on targeted advertising in social media Version 2.0, adopted 13
 April 2021 p. 77 18
+IMY notes that Bonnier News AB collects data for its behavioral database from several
+different websites, but an affiliated company can only retrieve data based on
+behavioral data collected from the company's own digital services. This applies regardless
+of whether it is a simple or supplemented behavioral profile.
+The EDPB Guidelines on connected vehicles state that data collected on the basis of
+consent pursuant to 5.3 of the ePrivacy Directive can only be further processed
+for another purpose if the data controller requests additional consent or
+the processing is supported by EU law or national regulation. The section on the interaction between consent and other legal bases in Article 6 of the EDPB Guidelines on consent also addresses the issue of when the data subject has been informed that they have obtained the rights conferred by consent and the unfairness of not respecting these by referring to another legal basis.
+IMY notes that the situation in the case differs to some extent from that described in these guidelines. In the case in point, it is the affiliated companies that collect the data pursuant to
+.3 of the ePrivacy Directive and are thus subject to the requirement for consent in that provision. The affiliated companies must ensure that they have legal grounds for their processing pursuant to
+.3 of the ePrivacy Directive and the GDPR. The affiliated companies’ processing of personal data is not covered by this supervision.
-IMY states that Bonnier News AB collects data for its behavioral database from several sources
+It is therefore not Bonnier News AB that collects the data on the basis of
-different websites but an affiliated company can only extract data based on
-behavioral data collected from the company's own digital services. It applies regardless
-whether it is a simple or supplemented behavioral profile.
-The EDPB's guidelines on connected vehicles state that data collected on
-basis of consent according to 5.3 of the eData Protection Directive can only be further processed
-for another purpose if the controller requests further consent or
-the processing is supported by EU law or national regulation. Also the section on interaction
-between consent and other legal grounds in Article 6 of the EDPB guidelines on consent
-takes aim when the data subject is given the message that they have obtained the rights as one
-consent entails and the unfairness of not respecting these by referring to a
-other legal basis.
-IMY states that the situation in the case differs to some extent from that described in
-these guidelines. In the matter, it is the affiliated companies that collect the data according to
-.3 of the eData Protection Directive and which is thus covered by the requirement for consent therein
-the provision. The affiliated companies have to ensure that they have legal support for their
-processing according to the eData Protection Directive and the Data Protection Regulation. The connected
-the companies' processing of personal data is not covered by this supervision.
-It is thus not Bonnier News AB that collects the data with the support of
-consent according to the national provisions implementing Article 5.3 i
-eData Protection Directive. It is only when the affiliated companies enter the personal data in
-the behavior database and KDB as Bonnier News AB's treatment begins. Bonnie
-News AB thus does not change the legal basis from consent to legitimate interest.
-IMY notes at the same time that Bonnier News AB is part of the same group as them
-affiliated companies and that Bonnier News AB is jointly responsible for personal data
-with the affiliated companies for the processing of personal data in the databases. The
-the fact that group-wide databases have been established should not mean that they
-data subjects receive less protection compared to if the processing took place with them
-group company that collected the personal data. In other words, Bonnier should not
-News AB have greater opportunities to process the personal data with the support of it
-legal basis justified interest than the affiliated companies have. According to IMY should
-therefore the guidelines reported above have significance for the assessment of the possibility to
-use legitimate interest as a legal basis in the matter.
-From the above, it can be concluded that the space with the support of Article 6.1 f i
-the data protection regulation, to further process data collected with the support of
-consent according to LEK is very limited. At the same time, it can be stated that in
-data protection regulation there is no prohibition against using article 6.1 f as
-legal basis for the current form of treatment. IMY therefore goes ahead and tries
-if the processing is supported by Article 6.1 f of the data protection regulation. IMY's examination of
-if Bonnier News AB has support for its processing in Article 6.1 f i
-the data protection regulation is based on the three conditions that must be met according to
-the provision:
-    (i) Is there a legitimate interest of the personal data controller or
-             with third parties to whom the data is disclosed?
-    (ii) Is the processing of personal data necessary for the legitimate purpose
-             interest pursued? 19
-    (iii) Weighs the data subject's interest in protection of his personal data
+consent pursuant to the national provisions implementing Article 5.3 of the ePrivacy Directive. It is only when the affiliated companies enter the personal data into the behavioral database and KDB that Bonnier News AB's processing begins. Bonnier News AB therefore does not change the legal basis from consent to legitimate interest.
-             heavier?
+IMY also notes that Bonnier News AB is part of the same group as the affiliated companies and that Bonnier News AB is jointly responsible for personal data with the affiliated companies for the processing of personal data in the databases. The fact that group-wide databases have been established should not mean that the data subjects receive less protection than if the processing had taken place at the group company that collected the personal data. In other words, Bonnier
+News AB should not have greater opportunities to process personal data on the basis of the legal basis of legitimate interest than the affiliated companies have. According to IMY, the guidelines presented above should therefore be of importance for the assessment of the possibility of using legitimate interest as a legal basis in the case.
-IMY treats the first two steps in the balancing of interests jointly for them
+From the above, it can be concluded that the scope, based on Article 6(1)(f) of the Data Protection Regulation, to further process data collected on the basis of consent according to LEK is very limited. At the same time, it can be stated that the GDPR does not prohibit the use of Article 6(1)(f) as a legal basis for the current form of processing. IMY therefore proceeds to examine whether the processing is supported by Article 6(1)(f) of the GDPR. IMY's examination of whether Bonnier News AB is supported by Article 6(1)(f) of the GDPR is based on the three conditions that must be met according to the provision: (i) Is there a legitimate interest of the controller or a third party to whom the data is disclosed? (ii) Is the processing of personal data necessary for the legitimate interest pursued? 19 (iii) Does the data subject's interest in the protection of his or her personal data outweigh the interests of the data subject? IMY treats the first two steps in the balancing of interests jointly for the
-supplemented and simple behavioral profiles (sections 3.5.3 and 3.5.4). Then
+supplemented and simple behavioral profiles (sections 3.5.3 and 3.5.4). Then, the
-the third and final step is treated separately for the completed behavioral profiles
+third and final step is treated separately for the supplemented behavioral profiles
 (section 3.5.5) and the simple behavioral profiles (section 3.5.6).
 .5.4 Legitimate interest
-Bonnier News AB's interest in creating profiles to make information available for
+Bonnier News AB's interest in creating profiles to make data available to
-affiliates to display customized ads are of a commercial nature. That one
+affiliated companies to display tailored advertisements is of a commercial nature. The fact that an
-interest is commercial does not exclude that the interest is justified but decisive for
+interest is commercial does not exclude that the interest is legitimate, but the decisive factor for
-this assessment is whether the interest is legal, specific and constitutes a real and
+this assessment is whether the interest is legitimate, specific and constitutes a real and
 actual interest.7
+Bonnier News AB's and affiliated companies' interest is legitimate, real and actual. IMY
-The interest of Bonnier News AB and affiliated companies is legal, real and factual. IMY
+therefore finds that Bonnier News AB's interest in creating profiles for
+making available and the interest of the affiliated companies in processing personal data to
-therefore states that Bonnier News AB's interest in creating profiles for
+display customized advertisements based on customers' and users' customer profiles and
-making available and the affiliated companies' interest in processing personal data for
-to display customized ads based on customers' and users' customer profiles and
 behavioral profiles is justified.
 .5.5 Is the processing necessary for the legitimate interest?
-The requirement of necessity in Article 6.1 f of the data protection regulation must be tested together
-with the principle of data minimization in Article 5.1 c. The purpose of the processing is to
-make data available to affiliates to display customized ads based on
+The requirement of necessity in Article 6(1)(f) of the Data Protection Regulation shall be examined together
-individual profiles. In the case it has emerged that Bonnier News AB together with them
-affiliated companies have taken measures to minimize the number of data collected and
-limit how long these data are processed and ensure that the databases in which
+with the principle of data minimization in Article 5(1)(c). The purpose of the processing is to
-the data processed is kept separate and that only certain data is transferred
-in between. Against this background, IMY finds that the treatment described herein
+make data available to affiliated companies to display customized advertisements based on
-decision is necessary for the stated purpose.
+individuals' profiles. In the case, it has emerged that Bonnier News AB together with the
+affiliated companies have taken measures to minimize the amount of data collected and
-.5.6 The balancing of interests for the processing of personal data in supplemented
+limit how long this data is processed and ensured that the databases in which the data is processed are kept separate and that only certain data is transferred
-behavioral profiles
-Bonnier News AB's interest, to create profiles to make data available for
+between them. Against this background, IMY finds that the processing described in this
-affiliated companies to show customized ads can, according to the company, benefit the individual
+decision is necessary for the stated purpose.
-either by higher income enabling free or cheaper services or that it
-individuals are met with offers that they are interested in. Bonnier News AB has further
+.5.6 The balance of interests for the processing of personal data in supplemented
-emphasized that many of the affiliated companies engage in journalistic activities and
+behavioral profiles
-that publishers' business model today consists of revenue streams from readers and
+Bonnier News AB's interest in creating profiles to make data available to affiliated companies to display customized advertisements can, according to the company, benefit the individual
-advertising revenue and that the group-wide personal data processing is
+either by higher revenues enabling free or cheaper services or by the individual being met with offers that they are interested in. Bonnier News AB has further
-important for the financing of the companies' journalistic activities. The company has against it
+emphasised that many of the affiliated companies are engaged in journalistic activities and
+that the current operating model of publishers consists of revenue streams from reader and
+advertisement revenues and that the group-wide processing of personal data is
+important for the financing of the companies' journalistic activities. Against this
-background assessed that its interest weighs particularly heavily.
+background, the company has assessed that its interest weighs particularly heavily.
-As IMY has already stated, the interest in displaying customized ads is justified in it
+As IMY has already stated, the interest in displaying tailored advertisements is legitimate within the meaning of Article 6(1)(f) of the GDPR. As regards the question of how much weight this interest carries, IMY states that the interest is not journalistic in itself, but rather commercial in nature. Profiling creates knowledge about customers and potential customers that enables revenue from tailored advertising. IMY considers that Bonnier
-meaning referred to in article 6.1 f of the data protection regulation. As for the question how
+See Opinion 6/2014 of the Article 29 Working Party on the concept of legitimate interests of the controller in Article 7 of Directive 95/46/EC
-heavy this interest weighs, IMY states that the interest is not journalistic in itself, but
+See judgment in Asociaţia de Proprietari bloc M5A-ScaraA, C-708/18, EU:C:2019:1064, paragraph 48 20
-of a commercial nature. Through profiling, knowledge is created about customers and potential customers
+News AB and its affiliated companies do not carry as much weight as Bonnier News AB claims.
-customers that enable revenue from customized advertising. IMY assesses that Bonnier
+When assessing the interests of the data subjects, IMY takes the following into account.
+As stated above, Bonnier News AB collects personal data in the behavioral database that was originally collected by the affiliated companies through
+cookies. The consent requirement that applies under Chapter 9, Section 28 of the LEK for that
+collection provides strong privacy protection and an opportunity for the data subjects to
+control the use of the collected data. This protection risks, as the
-See the Article 29 Group's opinion 6/2014 on the concept of the controller's legitimate interests in Article 7 of
+EDPB has stated in several of its guidelines, being undermined if the collected
-directive 95/46/EC
+personal data is processed on the basis of other legal grounds, such as
-See judgment Asociaţia de Proprietari bloc M5A-ScaraA, C-708/18, EU:C:2019:1064, paragraph 48 20
+legitimate interest pursuant to Article 6(1)(f) of the GDPR. As IMY has already
+stated, Bonnier News AB should not have a greater opportunity than the affiliated companies to
+invite the legal basis of legitimate interest for the processing of the
+personal data that the affiliated companies have collected using cookies. IMY therefore believes that the nature of the data means that the interests of the data subjects should be given great weight in the balancing of interests.
+Furthermore, IMY considers that the scope for using Article 6(1)(f) of the GDPR as a legal basis for profiling based on observed data is limited (cf. EDPB Guidelines 8/2020 on targeted advertising in social media, p. 77–
+). IMY therefore notes that the nature of the processing also means that the privacy interests of the data subjects weigh heavily.
+Bonnier News AB has emphasized that profiling and customized advertisements can benefit the data subject by enabling higher revenues for the affiliated companies, which in turn enables them to offer free or cheaper services. It can also benefit the data subject by presenting them with offers that they are interested in. IMY
+does not dispute that the processing may to some extent benefit the data subjects, but considers that
+the overall interest of profiling is to create advertising that is as accurate as possible in order to get customers and potential customers to purchase goods or services and to generate revenue from such advertising.
+In cases where behavioral data can be linked to KDB for the purpose of displaying customized advertisements (the so-called
+supplemented behavioral profiles), IMY considers the following in its assessment.
-The commercial interest of News AB and the affiliated companies does not weigh as much as
+Although data for profiling is not collected from different websites, which according to
-Bonnier News AB claims.
+the EDPB guidelines would make Article 6(1)(f) of the Data Protection Regulation not an appropriate legal basis, the profiling instead includes data collected
+from other contexts such as previous purchases, demographic data collected
-With regard to the assessment of the interests of the data subjects, IMY considers the following.
+and statistical data. IMY considers that profiling is extensive in nature and
-As stated above, Bonnier News AB collects personal data in
-the behavioral database originally collected by the affiliated companies through
-web cookies. The consent requirement that applies according to ch. 9 § 28 PLAY for it
-the collection provides a strong privacy protection and an opportunity for the registered to
-control the use of the collected data. This protection risks, as
-EDPB found in several of its guidelines, to be undermined if the collected
-the personal data is processed with the support of other legal bases, such as, for example
-legitimate interest according to Article 6.1 f of the data protection regulation. Like IMY already
-established, Bonnier News AB should not have more opportunity than the affiliated companies to
-invoke the legal basis legitimate interest for the processing of them
-personal data collected by the affiliated companies using cookies. IMY believes
-because the nature of the data means that the interest of the data subjects should be considered high
-weight in the balancing of interests.
-Furthermore, IMY assesses that the scope for using Article 6.1 f i
-the data protection regulation as the legal basis for profiling based on observed data
-is limited (cf. EDPB guidelines 8/2020 on targeted advertising in social media p. 77–
-). IMY therefore notes that the nature of the treatment also means that they
-data subject's privacy interest weighs heavily.
-Bonnier News AB has emphasized that profiling and customized advertisements can benefit it
-registered in that it enables higher revenues for the affiliated companies which in its
-luck enables them to offer free or cheaper services. It can also be beneficial
-the registrant by being met with offers in which he is interested. IMY
-does not question that the processing can to some extent benefit the data subjects, but considers that
-the overall interest of the profiling is to create as accurate advertising as
-possible to get customers and potential customers to buy goods or services and to get
-revenue from such advertising.
-In cases where behavioral data can be linked to KDB for the purpose of displaying customized advertisements (the so
-called the supplemented behavioral profiles) IMY considers the following in its assessment.
-Data for the profiling is admittedly not collected from different websites, which according to
-The EDPB's guidelines would make Article 6.1 f of the Data Protection Regulation not work as
-an appropriate legal basis, but profiling instead includes data collected
-from other contexts such as previously made purchases, collected demographic data
-as well as statistical data. IMY considers that the profiling is extensive in nature and
 that such profiling is not something a data subject can expect without having
 consented to such personal data processing.
+IMY considers, on a balanced assessment, that the privacy interests of the data subject outweigh the interests of Bonnier News AB and the affiliated companies.
-In a balanced assessment, IMY considers that the data subject's privacy interest
+Against this background, IMY finds that Bonnier News AB has processed personal data in violation of Article 6(1) of the Data Protection Regulation for the purpose of profiling the
-outweighs the interests of Bonnier News AB and the affiliated companies.
-Against this background, IMY notes that Bonnier News AB has treated
-personal data in violation of Article 6.1 of the data protection regulation for the purpose of profiling them
-At the time in question in the case, the same requirement according to ch. 6 applied. Section 18 of the Act (2003:389) on electronic
-communication. 21
-registered based on their behavioral data in a so-called supplemented behavioral profile
-and make the profiles available to affiliated companies for the purpose of displaying customized advertisements.
-.5.7 Balance of interests for the processing of personal data in simple
-behavioral profiles
+At the time of the case, the same requirements applied according to Chapter 6, Section 18 of the Electronic Communications Act (2003:389). 21
-As IMY stated above in section 3.5.4, Bonnier News AB's interest is to create
-profiles to make available information for affiliated companies to display custom
-advertisements are a commercial interest that does not carry as much weight as Bonnier News AB
+registered persons based on their behavioral data in a so-called supplemented behavioral profile
-claims.
+and making the profiles available to affiliated companies for the purpose of displaying customized advertisements.
+.5.7 Balancing of interests for the processing of personal data in simple behavioral profiles
+As IMY stated above in section 3.5.4, Bonnier News AB's interest in creating profiles to make data available to affiliated companies to display customized advertisements is a commercial interest that does not weigh as heavily as Bonnier News AB claims.
-With regard to the assessment of the interests of the data subjects, IMY considers the following.
+When assessing the interests of the data subjects, IMY considers the following.
-Bonnier News AB has taken measures to minimize the number of data collected,
+Bonnier News AB has taken measures to minimize the amount of data collected,
-introduced integrity-enhancing rules for the segmentation, introduced thinning rules and ensured that
+introduced privacy-enhancing rules for segmentation, introduced filtering rules and ensured that
-information collected from an affiliated company can only be used by that company.
+data collected from an affiliated company can only be used by that company.
-The profiling thus only takes place on a company's "own visitors". Further informs
-Bonnier News AB through its personal data policy on the current processing.
+Profiling thus only takes place on a company's "own visitors". Furthermore, Bonnier News AB informs about the current processing through its personal data policy.
-Against this must be weighed the collection and profiling of simple behavioral profiles
+This should be weighed against the fact that the collection and profiling of simple behavioral profiles enables the mapping of individuals through observed data, which entails a greater invasion of privacy than when the data is collected through the active participation of the data subject. IMY believes that the data subject's privacy interest is strong due to the nature of the data (that the collection of the data is given special protection in the LEK). As IMY has already stated, Bonnier News AB should not have a greater opportunity than the affiliated companies to invoke the legal basis of legitimate interest for the processing of the personal data that the affiliated companies have collected using cookies. Furthermore, IMY believes that when individuals' surfing behavior is monitored to display tailored advertising, this can give the data subject the feeling of losing control over their data and the feeling of being monitored. This can result in individuals being influenced in their choice of what they see on a website.
-enables a mapping of individuals through observed data which implies a larger
-breach of privacy than when the data is collected through the data subject's active
-participation. IMY considers that the data subjects' privacy interest is strong due to
+IMY considers, on a balanced assessment, that the privacy interests of the data subject outweigh the interests of Bonnier News AB and affiliated companies even when processing personal data in simple behavioral profiles because this enables profiling of individuals.
-the nature of the data (that the collection of the data is given special protection in LEK). As
-As IMY has already stated, Bonnier News AB should not have a greater opportunity than the affiliates
-the companies to invoke the legal basis of legitimate interest for the processing of them
+Against this background, IMY states that Bonnier News AB has processed personal data without having a legal basis for it according to Article 6(1) of the
-personal data collected by the affiliated companies using cookies. Furthermore consider
-IMY that when the surfing behavior of individuals is monitored to show customized advertising this can
-give the data subject the feeling of losing control over his data and the feeling of
-to be monitored. This can result in individuals being influenced in the choice of what they take part in
+GDPR for the purpose of profiling the data subjects based on their behavioral data in so-called simple behavioral profiles and making the profiles available to affiliated companies for the purpose of displaying customized advertisements.
-on a website.
+.6 Legal basis for processing for the purpose of making contact details available for telephone sales and direct mail
-In a balanced assessment, IMY considers that the data subject's privacy interest
+marketing
-weighs more heavily than the interests of Bonnier News AB and affiliated companies even at
-processing of personal data in simple behavioral profiles because this enables
-profiling of individuals.
+.6.1 Applicable provisions, etc.
-Against this background, IMY notes that Bonnier News AB has treated
+In order to be able to rely on Article 6(1)(f) of the GDPR, the three conditions stated in the article must, as stated above, be met. There must be a legitimate interest of the controller or of the third party to whom the data are disclosed, the processing of personal data must be necessary for the 22 legitimate interest pursued and the data subject's interest in the protection of his or her personal data must not outweigh it. 30
-personal data without having a legal basis for it according to Article 6.1 i
-the data protection regulation in order to profile the data subjects based on their
+The Article 29 Working Party and the EDPB's guidelines on profiling and the application of
-behavioral data in so-called simple behavioral profiles and make the profiles available to
-affiliated companies for the purpose of displaying customized advertisements.
+Article 6 have been described in section 3.5.
-.6 Legal basis for processing for the purpose of making available
+.6.2 Current circumstances and Bonnier News AB's position
-contact details for telephone and postal sales
-direct marketing
+Bonnier News AB has stated that the group has coordinated its activities to
+achieve a better data basis and enable the processing of customers' and
+users' personal data for the specified purposes in a cost-effective and
-.6.1 Applicable regulations, etc.
+privacy-friendly manner. Bonnier News AB profiles data subjects with the aim of making the data available for telephone sales and direct mail marketing. The profiling that this entails is based partly on data in KDB collected from affiliated companies in connection with purchases and subscriptions (so-called customer engagement), partly on data obtained from Bisnode Sverige AB and, for a small part of the profiles, data from the behavioral database. Bonnier News AB bases its processing on Article 6(1)(f) of the GDPR.
-To be able to rely on Article 6.1 f of the data protection regulation must, as
-reported above, the three conditions stated in the article are met. There have to be
-a legitimate interest of the personal data controller or of a third party to which
-the information is disclosed, the processing of personal data must be necessary for the 22
-legitimate interest pursued and the data subject's interest in protection for their
-personal data must not weigh more heavily. 30
-The Article 29 Group and EDPB guidelines on profiling and the application of
-Article 6 has been explained in section 3.5.
-.6.2 Current circumstances and Bonnier News AB's approach
-Bonnier News AB has stated that the group has coordinated its activities for
-to achieve a better data base and make it possible to process the customers' and
-users' personal data for specified purposes in a cost-effective and
-privacy-friendly way. Bonnier News AB profiles registered users in order to make it available
-the data for telephone sales and direct mail marketing. The profiling that
-this means is partly based on data in KDB collected from affiliated companies at
-purchases and subscriptions (so-called customer engagement), partly on information obtained from
-Bisnode Sverige AB and, for a small part of the profiles, information from
-the behavior database. Bonnier News AB supports its treatment on Article 6.1 f i
-data protection regulation.
 Legitimate interest
-Bonnier News AB has stated that the affiliated companies have a legitimate interest to
+Bonnier News AB has stated that the affiliated companies have a legitimate interest in marketing their products and services in an efficient and privacy-friendly manner.
-market their products and services in an efficient and privacy-friendly way.
-Necessary treatment
-Bonnier News AB has stated that they, together with the affiliated companies, have taken
-measures to minimize the number of collected data, how long these data
-processed and, in order to live up to the data minimization principle, kept the databases
-separated and only transferred certain data. Furthermore, Bonnier News AB has taken
-measures so that no more information than is necessary is disclosed to those connected
-the companies. When disclosing, only the data points defined as
-necessary for the marketing channel specified at the time of disclosure, i.e. to
-for example, telephone number in the case of a telephone sales campaign and address in the case of postal mail
-direct marketing. The data points on which the segmentation is based are not provided
-out.
-The balancing of interests
+Necessary processing
-Bonnier News AB has stated the following.
-Bonnier News AB's interest in making information available for affiliated companies is based on
-the registrant's profile to be used for telephone and postal sales
-direct marketing outweighs the data subject's privacy interest.
-By using the group's existing resources for telephone and postal sales
-direct marketing, instead of buying the same information/resource from an external
-party, a cost saving occurs at the same time as it enables a more controlled
-degree of utilization of addresses and telephone numbers than would have been possible otherwise.
-The treatment also aims to save on purchasing costs.
+Bonnier News AB has stated that, together with the affiliated companies, they have taken measures to minimize the amount of data collected, how long this data is processed and, in order to comply with the data minimization principle, have kept the databases separate and only transferred certain data. Furthermore, Bonnier News AB has taken measures so that no more information than is necessary is disclosed to the affiliated companies. When disclosing, only the data points that are defined as necessary for the marketing channel specified at the time of disclosure are disclosed, i.e. for example, telephone numbers in a telephone sales campaign and addresses in postal direct marketing. The data points on which the segmentation is based are not disclosed. The balance of interests Bonnier News AB has stated the following. Bonnier News AB's interest in making information available to affiliated companies based on the data subject's profile for use in telephone sales and postal direct marketing outweighs the data subject's privacy interest. By utilizing the Group's existing resources for telephone sales and postal direct marketing, instead of purchasing the same information/resource from an external party, a cost saving occurs while enabling a more controlled degree of utilization of addresses and telephone numbers than would otherwise have been possible.
+The processing is also intended to save purchasing costs.
 Bonnier News AB, together with the affiliated companies, has taken measures to
-minimize the number of collected data, limited how long this data is processed
+minimize the amount of data collected, limit how long this data is processed
-and in order to live up to the data minimization principle, kept the databases separated.
+and, in order to comply with the data minimization principle, keep the databases separate.
-For the purposes of telephone sales and postal direct marketing, Bonnier News has
-CJEU judgment Fashion ID, C-40/17, EU:C:2019:629, para. 95. 23
-AB limited the type of content tags generated by the registrant
-surfed other companies' websites. A connection between the databases has also been possible
-is only done in a small percentage of users.
-Furthermore, within the framework of the collaboration, something called fit-for-purpose is applied
-schedules. These regulate which information is released from KDB. At the time of disclosure
-only the data points defined as necessary for it are left
-marketing channel specified at the time of disclosure, for example telephone number at a
-telephone sales campaign and address for postal direct marketing. The data points
-on which the segmentation is based, is not disclosed.
-There is a special possibility for the data subject to request deletion from it
-common database. The registered person also has the right to object to
-the information is used for telephone sales and postal direct marketing.
-Those registered have a direct relationship with one or more affiliated companies.
-The users/customers have either visited an affiliated company's website, purchased
-products of an affiliated company or have an active digital subscription. Many of
-the customers are subscribers who have a long-term relationship with the company that
-provides the service or product, and can therefore be considered to have a greater expectation of
-that their data is processed. Many readers have a strong commitment to theirs
-preference for news media. To a certain extent, customer profiles in KDB belong to piece purchases such as
-literature, newspaper and merchandise purchases, where the relationship between customer and supplier may be considered
-somewhat less unique. Furthermore, the interaction is voluntary, clear information is provided and that
-there are alternative products such as physical newspapers that you can read completely anonymously.
-According to Bonnier News AB, the treatment probably does not have a negative effect on it
-data subject's interest.
-The processing that takes place is within the data subjects' reasonable expectations
-of the fact that the individuals who come into contact with the companies do so of their own free will in order to take
-part of content on websites, buy services and/or products and that they always have one
-customer/user relationship with one or more group companies. Furthermore, the company's
-personal data policy's clear information about how customers and users
-personal data is processed and shared within the group. The treatment that is carried out
-within the framework of the KDB/behavioral database is closely associated with the companies' services and
-products, which is likely to have an impact on consumer expectations. That a group of
-efficiency reasons coordinate systems and central functions and share certain data torde
-nor be unexpected for those registered. Customers who have not signed up to the NIX register
-have a reasonable expectation that their contact details may be used for postal purposes
-direct marketing or telephone sales. Consumers are used to this type of
-marketing.
-The group-wide policy provides information on direct marketing and
-telephone sales. It states that addresses and telephone numbers can be used by
-Bonnierbolagen for direct marketing via mail and telephone sales. It appears
-furthermore, that the Bonnier companies can choose segments that they believe are relevant for the current one
-the campaign, e.g. "men in the 40-45 age range who live in Stockholm". It appears
+For the purposes of telephone sales and direct mail marketing, Bonnier News
-also that the Bonnier companies always respect NIX blocks and if anyone has objected
-the marketing.
+EU Court of Justice judgment Fashion ID, C-40/17, EU:C:2019:629, paragraph 95. 23
+AB has limited the type of content tags generated by the data subject's
+surfing of other companies' websites. Furthermore, a connection between the databases has only been
+made for a small percentage of users.
-Only tags categorized with the IAB's taxonomy are collected. 24
+Furthermore, something called purpose-adapted
+schemes is applied within the framework of the collaboration. These regulate what information is disclosed from the KDB. When disclosing, only the data points defined as necessary for the marketing channel specified at the time of disclosure are disclosed, for example, telephone numbers in the case of a telephone sales campaign and addresses in the case of postal direct marketing. The data points on which the segmentation is based are not disclosed.
+There is a specific possibility for the data subject to request deletion from the common database. The data subject also has the right to object to the data being used for telephone sales and postal direct marketing.
+The data subjects have a direct relationship with one or more affiliated companies.
+The users/customers have either visited the website of an affiliated company, purchased products from an affiliated company or have an active digital subscription. Many of the customers are subscribers who have a long-term relationship with the company that provides the service or product, and can therefore be considered to have a greater expectation that their data will be processed. Many readers have a strong commitment tied to their preference for news media. To some extent, customer profiles in KDB belong to piece purchases such as literature, newspaper and goods purchases, where the relationship between customer and supplier can be considered somewhat less unique. Furthermore, the interaction is voluntary, clear information is provided and there are alternative products such as physical newspapers that can be viewed completely anonymously.
+According to Bonnier News AB, the processing does not likely have a negative impact on the interests of the data subject.
+The processing that takes place is within the reasonable expectations of the data subjects because the individuals who come into contact with the companies do so of their own free will in order to access content on websites, purchase services and/or products and that they always have a customer/user relationship with one or more group companies. Furthermore, the companies' personal data policies contain clear information about how customers' and users' personal data is processed and shared within the group. The processing carried out within the framework of the KDB/behavioral database is closely linked to the companies' services and products, which should be of importance for the consumer's expectations. The fact that a group coordinates systems and central functions and shares certain data for efficiency reasons should not be unexpected for the data subjects. Customers who have not registered with the NIX register have a reasonable expectation that their contact details may be used for direct mail marketing or telephone sales. Consumers are used to this type of marketing. The group-wide policy provides information on direct marketing and telephone sales. It states that addresses and telephone numbers can be used by the Bonnier companies for direct mail marketing and telephone sales. It also states that the Bonnier companies can select segments that they believe are relevant for the current campaign, e.g. "men in the age range of 40-45 living in Stockholm". It also appears that the Bonnier companies always respect NIX restrictions and whether anyone has objected to the marketing.
+Only tags categorized with the IAB taxonomy are collected. 24
 .6.3 IMY's assessment
-IMY treats the first two steps in the balancing of interests jointly for them
+IMY treats the first two steps in the balancing of interests jointly for the supplemented and simple behavioral profiles (sections 3.6.4 and 3.6.5). The third and final step is then treated separately for the supplemented behavioral profiles
-supplemented and simple behavioral profiles (sections 3.6.4 and 3.6.5). Then
-the third and final step is treated separately for the completed behavioral profiles
 (section 3.6.6) and the simple behavioral profiles (section 3.6.7).
@@ Line 1,921: / Line 1,076: @@
 .6.4 Is Bonnier News AB's interest in profiling individuals for the purpose of
-make data available to affiliated companies for use in telephone sales
+making data available to affiliated companies for use in telephone sales
-and direct mail marketing eligible?
-Bonnier News AB's interest in creating profiles to make the data available for
-affiliated companies for use in telephone sales and postal direct marketing
-is commercial in nature. IMY assesses that the companies' interest is legal, real and
-actually with Bonnier News AB and the affiliated companies to which the information is disclosed.
-Against this background, IMY assesses that the company's interest in creating profiles to
-make data available to affiliated companies for the purpose of being used in telephone sales
-and direct mail marketing is eligible.
-.6.5 Is the processing necessary for the interest of profiling individuals for the purpose of
-make information available to companies for use in telephone sales and
-direct mail marketing?
-The requirement of necessity in Article 6.1 f of the data protection regulation must be tested together
-with the principle of data minimization in Article 5. The purpose of the processing is to
-make information available to companies for use in telephone and postal sales
-direct marketing. In the case, it has emerged that Bonnier News AB together with
-the other companies have taken steps to minimize the amount of data collected and
-limit how long these data are processed and ensure that the databases in which
-the data processed is kept separate and that only certain data is transferred
-in between. Furthermore, the company has ensured that no more information than is necessary is provided
-out to the affiliated companies for use in telephone and postal sales
-direct marketing. Against this background, IMY finds that the treatment is necessary
+and direct mail marketing justified?
-for the legitimate purpose.
+Bonnier News AB's interest in creating profiles to make the data available to affiliated companies for use in telephone sales and postal direct marketing is of a commercial nature. IMY assesses that the companies' interest is legitimate, real and actual with Bonnier News AB and the affiliated companies to which the data is disclosed. Against this background, IMY assesses that the company's interest in creating profiles to make data available to affiliated companies for use in telephone sales and postal direct marketing is justified. 3.6.5 Is the processing necessary for the interest in profiling individuals for the purpose of making data available to companies for use in telephone sales and postal direct marketing? The requirement of necessity in Article 6(1)(f) of the Data Protection Regulation shall be examined together with the principle of data minimization in Article 5. The purpose of the processing is to make data available to companies for use in telephone sales and direct mail marketing. In the case, it has emerged that Bonnier News AB, together with the other companies, has taken measures to minimize the amount of data collected and to limit the period for which this data is processed, and has ensured that the databases in which the data is processed are kept separate and that only certain data is transferred between them. Furthermore, the company has ensured that no more data than is necessary is disclosed to the affiliated companies for use in telephone sales and direct mail marketing. Against this background, IMY finds that the processing is necessary for the legitimate purpose.
-.6.6 Balance of interests for the processing of personal data in supplemented
+.6.6 Balancing of interests for the processing of personal data in supplemented
 customer database profiles
 Bonnier News AB has emphasized that the affiliated companies have an interest in marketing
-its products and services in an efficient and privacy-friendly manner. IMY states
+their products and services in an efficient and privacy-friendly manner. IMY notes, however, that the interest in making data available for use in telephone sales and
-however, that the interest in making information available for use in telephone sales and
-postal direct marketing is a commercial interest that does not weigh particularly heavily.
+direct mail marketing is a commercial interest that does not weigh particularly heavily.
-With regard to the assessment of the interests of the data subjects, IMY considers the following.
+When assessing the interests of the data subjects, IMY considers the following.
+The profiling carried out on the supplemented customer database profiles includes
+data collected from affiliated companies when purchasing and subscribing (so-called
-The profiling that is done on the completed customer database profiles includes
+customer engagement), data obtained from Bisnode Sverige AB and data from the
-information collected from affiliated companies during purchases and subscriptions (so-called
+behavioral database (including data collected by the affiliated companies through
-customer engagement), information obtained from Bisnode Sverige AB as well as information from
+cookies). IMY has already stated above that Bonnier News AB should not have a greater
-the behavioral database (including data collected by the affiliated companies through
-cookies). IMY has already stated above that Bonnier News AB should not have larger
 opportunity than the affiliated companies to invoke the legal basis of legitimate interest
-when processing personal data that the affiliated companies have collected with the help of
-cookies. The behavioral data retrieved from the behavioral database if a registered to
-KDB is also collected from various companies' websites. IMY considers that they registered
-cannot be considered to expect their behavioral data to be collected for marketing purposes
-See judgment Asociaţia de Proprietari bloc M5A-ScaraA, C-708/18, EU:C:2019:1064, paragraph 48 25
-just because they visit a web page. Nor can they be considered to expect that their
-behavioral data is combined with data from another purchase situation or obtained
-data from other registers for the purpose of being contacted for telephone or postal sales
-direct marketing. This is not changed by the privacy-enhancing measure that they
-the affiliated companies that carry out the marketing action do not get access to it
-collected the behavioral data but only contact details.
-From the EDPB's guidelines it appears that the scope to use legitimate interest as legal
-basis for profiling depends on how detailed the profile is, how extensive the profile is
-are, the consequences of the profiling and the protective measures that are intended to ensure
-a fair, non-discriminatory and accurate profiling process.
-IMY considers that data subjects' privacy interest is strong due to the nature of
-the data because the data enables the mapping of individuals' behavior and
-the collection of the data is given special protection in LEK.
-IMY further notes that this is the kind of profiling referred to in Article 4.4 i
-data protection regulation and that the profiling is extensive as it provides an in-depth
-image of the registrant. It is also a question of data collected from different
-web pages combined with data retrieved from customer engagement and
-statistical data from Bisnode Sweden AB. IMY notes against this background that
-the nature of the processing means that the privacy interest of the data subjects weighs heavily.
-In a balanced assessment, IMY considers that the data subject's privacy interest
-outweighs Bonnier News AB's and affiliated companies' interest in that treatment
-of personal data which is based on so-called supplemented customer database profile and
-which takes place with the aim of making contact information available to affiliated companies for
-telephone sales and postal marketing.
+when processing personal data that the affiliated companies have collected using
-Against this background, IMY notes that Bonnier News AB has treated
+cookies. The behavioural data retrieved from the behavioural database of a data subject to
-personal data without having a legal basis for it according to Article 6.1 i
-the data protection regulation by profiling the data subjects based on their
-supplemented customer database profiles in order to make contact information available to
-affiliated companies for telephone sales and postal marketing.
+KDB is also collected from the websites of various companies. IMY considers that data subjects
-.6.7 Balance of interests for personal data without connection to
+cannot be expected to have their behavioural data collected for marketing purposes
-the behavior database
+See judgment Asociaţia de Proprietari bloc M5A-ScaraA, C-708/18, EU:C:2019:1064, paragraph 48 25
-As IMY stated above in section 3.6.6, Bonnier News AB's interest is primarily one
-commercial interest that does not weigh particularly heavily.
+just because they visit a website. Nor can they be expected to have their
-Regarding the assessment of data subjects' interests in such processing as
+behavioural data combined with data from another purchasing situation or data collected
-lacks a connection to the behavior database, IMY considers the following. Bonnier News AB has
-taken measures to minimize the number of data points both in relation to the principles
+from other registers for the purpose of contacting them for telephone sales or direct mail
-about data minimization and storage minimization by not sharing data on
-item level, but only on product category, brand and type of packaging.
-Profiling also does not include data collected through cookies. Of
+marketing. This is not changed by the privacy-enhancing measure that the affiliated companies that carry out the marketing measure do not have access to the collected behavioral data, but only contact information.
-the investigation has further revealed that the individual has had the opportunity to object before
-the processing and that Bonnier News AB respects the wishes of the data subjects to
-avoid marketing that has been noted on national blacklists or with it
-personal data controller. Against this background, IMY considers that the treatment is within
+The EDPB guidelines state that the scope for using legitimate interest as a legal basis for profiling depends on how detailed the profile is, how extensive the profile is, the consequences of the profiling and the safeguards intended to ensure a fair, non-discriminatory and correct profiling process.
-the framework of what individuals can reasonably expect because of the information that
-is provided and that information is only disclosed to affiliated companies within the group. 26
+IMY believes that the privacy interest of the data subjects is strong due to the nature of the data, since the data enables the mapping of individual behavior and the collection of the data is given special protection in the LEK.
+IMY further notes that this is profiling as referred to in Article 4(4) of the GDPR and that the profiling is extensive as it provides an in-depth picture of the data subject. It is also a matter of data collected from various websites combined with data obtained from customer engagement and statistical data from Bisnode Sverige AB. Against this background, IMY notes that the nature of the processing means that the privacy interests of the data subjects outweigh the interests of Bonnier News AB and its affiliated companies in the processing of personal data based on a so-called supplemented customer database profile and which is carried out for the purpose of making contact details available to affiliated companies for telephone sales and postal marketing. Against this background, IMY notes that Bonnier News AB has processed personal data without having a legal basis for it according to Article 6(1) of the GDPR by profiling the data subjects based on their supplemented customer database profiles for the purpose of making contact details available to affiliated companies for telephone sales and postal marketing. 3.6.7 Balancing of interests for personal data not linked to the behavioral database As IMY stated above in section 3.6.6, Bonnier News AB's interest is primarily a commercial interest that does not weigh particularly heavily. When assessing the interests of the data subjects for such processing that is not linked to the behavioral database, IMY considers the following. Bonnier News AB has taken measures to minimize the number of data points both in relation to the principles of data minimization and storage minimization by not sharing data at the item level, but only at the product category, brand and type of packaging. The profiling also does not include data collected through cookies. The investigation has further shown that the individual has had the opportunity to object before the processing and that Bonnier News AB respects the data subjects' wishes to avoid marketing that has been noted in national blocking lists or with the data controller. Against this background, IMY believes that the processing is within the scope of what individuals can reasonably expect based on the information provided and that data is only disclosed to affiliated companies within the group. 26
+IMY believes that, on a balanced assessment, the interests or fundamental rights of the data subjects do not outweigh the interests of Bonnier News AB and the affiliated companies in the current processing.
+Against this background, IMY notes that Bonnier News AB has been supported for its processing in Article 6(1)(f) of the Data Protection Regulation.
-In a balanced assessment, IMY considers that the interests of the data subjects or
-fundamental rights do not outweigh those of Bonnier News AB and the affiliates
-the companies' interests for the current treatment.
-Against this background, IMY notes that Bonnier News AB has had support for its
-processing in Article 6.1 f of the data protection regulation.
 .7 Choice of intervention
-.7.1 Applicable regulations and other general starting points
+.7.1 Applicable provisions and other general starting points
-In the event of violations of the data protection regulation, IMY has a number of corrective measures
-powers, including reprimands, injunctions and penalty charges. It follows from
-article 58.2 a–j of the data protection regulation. IMY shall impose penalty fees in addition to or
-instead of other corrective measures referred to in Article 58(2), depending
-the circumstances of each individual case.
-If a personal data controller or a personal data assistant, with respect to a
-and the same or connected data processing, intentionally or by
-negligence violates several of the provisions of this regulation, it may
-the total amount of the administrative penalty fee does not exceed the amount determined
-for the most serious violation. It appears from Article 83.3 i
-data protection regulation.
-Each supervisory authority must ensure that the imposition of administrative
-penalty charges in each individual case are effective, proportionate and dissuasive. The
-stated in Article 83.1 of the Data Protection Regulation. Article 83.2 specifies the factors that must
-taken into account in determining whether an administrative penalty fee should be imposed and at
-the assessment of the size of the penalty fee.
-The EDPB has adopted guidelines on the calculation of administrative penalty fees according to
-the data protection regulation which aims to create a harmonized method and principles
-for calculation of penalty fees. 33
-If it is a question of a minor violation, IMY receives according to reason 148 more
+IMY has a number of corrective powers in the event of violations of the Data Protection Regulation, including reprimands, injunctions and penalty fees. This follows from
-the data protection regulation instead of imposing a penalty charge issue a reprimand
-according to Article 58.2 b.
+Article 58(2)(a)–(j) of the Data Protection Regulation. The IMY shall impose administrative fines in addition to or in place of other corrective measures referred to in Article 58(2), depending on the circumstances of each case. Where a controller or a processor, in relation to the same or connected processing operations, intentionally or negligently infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount set for the most serious infringement. This is stated in Article 83(3) of the GDPR. Each supervisory authority shall ensure that the imposition of administrative fines in each case is effective, proportionate and dissuasive. This is stated in Article 83(1) of the GDPR. Article 83(2) sets out the factors to be taken into account in determining whether an administrative fine should be imposed and in assessing the amount of the fine.
-.7.2 Same or connected data processing
+The EDPB has adopted guidelines on the calculation of administrative fines under the GDPR, which aim to create a harmonised method and principles for calculating fines. 33
-IMY has assessed in three cases above that Bonnier News AB lacked support in Article 6.1 i
+In the case of a minor infringement, the IMY may, in accordance with recital 148 of the GDPR, issue a reprimand in accordance with Article 58(2)(b) instead of imposing a fine.
-data protection regulation for its processing of personal data. IMY assesses that these
-treatments, all of which take place in the company's databases through profiling i
-marketing purposes, are connected to each other in the manner referred to in
+.7.2 Same or connected data processing operations
-article 83.3 of the data protection regulation.
+The IMY has assessed in three cases above that Bonnier News AB lacked support in Article 6(1) of the GDPR for its processing of personal data. IMY assesses that these
+processing operations, which all take place in the company's databases through profiling for
+marketing purposes, are interconnected in the manner referred to in
+Article 83(3) of the Data Protection Regulation.
 .7.3 Penalty fee
-IMY has assessed that Bonnier News AB has violated Article 6.1 of the data protection regulation
+IMY has assessed that Bonnier News AB has violated Article 6(1) of the Data Protection Regulation
-in its processing of personal data that takes place for the purpose of displaying customized advertisements
-and to make contact information available to affiliated companies for telephone sales and
-postal direct marketing. IMY does not consider these to be minor violations.
+in its processing of personal data for the purpose of displaying tailored advertisements
+and making contact details available to affiliated companies for telephone sales and
+direct postal marketing. IMY does not consider that these are minor infringements.
-EDPB's guidelines 8/2020 Guidelines 04/2022 on the calculation of administrative fines under the GDPR (adopted for
+EDPB Guidelines 8/2020 Guidelines 04/2022 on the calculation of administrative fines under the GDPR (adopted for
 public consultation on 12 May 2022). 27
+Bonnier News AB shall therefore be imposed an administrative penalty fee for these
+infringements.
+IMY notes that infringements of Article 6(1) of the GDPR are covered by
+Article 83(5) which means that a fine of up to EUR 20 million or four
+percent of the global annual turnover in the preceding financial year, whichever is higher, may be imposed.
+In determining the maximum amount of a fine to be imposed on an undertaking,
+the definition of the concept of undertaking used by the Court of Justice of the European Union in
+the application of Articles 101 and 102 TFEU (see recital 150 of the
-Bonnier News AB must therefore be charged an administrative sanction fee for these
+GDPR) shall be used. The Court's case law shows that this covers any entity that carries out economic activity, regardless of the legal form of the entity and the way in which it is financed, and even if the entity in legal terms consists of several natural or legal persons.34
-violations.
-IMY notes that violations of Article 6.1 of the data protection regulation are covered by
-article 83.5 which means that a penalty fee of up to twenty million EUR or four
-percentage of the global annual turnover in the previous fiscal year, depending
-whichever is higher, may be imposed.
-When determining the maximum amount of a penalty charge to be imposed on a company
-shall the definition of the concept of company be used as used by the EU Court of Justice
-application of Articles 101 and 102 of the TFEU (see recital 150 i
-data protection regulation). It appears from the court's practice that this includes every entity
-that carries out economic activities, regardless of the legal form of the entity and the way of doing so
-financing as well as even if the unit in the legal sense consists of several physical or
-legal entities.34
-IMY assesses that the company's turnover to be used as a basis for calculation of
-the administrative sanction fee that Bonnier News AB can be imposed is Bonnier
-News AB's parent company Albert Bonnier AB. From information obtained it appears that Albert
-Bonnier AB's annual turnover in 2021 was SEK 23,299,000,000. The highest
-penalty amount that can be determined in the case is four percent of this amount, that is
-say approximately SEK 931,960,000.
+IMY assesses that the turnover of the company that should be used as a basis for calculating the administrative penalty that can be imposed on Bonnier News AB is Bonnier News AB's parent company Albert Bonnier AB. From the information obtained, it appears that Albert Bonnier AB's annual turnover in 2021 was SEK 23,299,000,000. The maximum sanction amount that can be determined in the case is four percent of this amount, i.e. approximately SEK 931,960,000.
-IMY assesses that the following factors are important for the assessment of the infringement
+IMY assesses that the following factors are relevant to the assessment of the seriousness of the infringement.
-seriousness.
+This has been a matter of profiling of individuals for profit both when the profiling has been carried out to display tailored advertisements and when it has been carried out to disclose contact details for telephone sales and postal marketing. The profiling carried out to display tailored advertisements has, in cases where data in the behavioural database about individuals' surfing behaviour has been linked to the KDB, included surfing history, purchase history and demographic and statistical data. It has been a matter of a violation that has been ongoing for a long time and concerned a large number of data subjects and included a large amount of personal data. However, the data processed, as far as has been established, do not constitute special categories of personal data as specified in Article 9 of the Data Protection Regulation. In this decision, IMY has assessed that the profiling through supplementary behavioural profiles was extensive in nature.
-There has been a question of profiling of individuals that took place for profit both when
+Even for the profiling of personal data in KDB where there was a connection to data in the behavioral database, so-called supplemented customer database profiles, IMY has made the assessment that the profiling was extensive in nature, since it contained data collected about the individual's surfing behavior obtained from several websites combined with data from purchases made (customer engagement) and data obtained from Bisnode Sverige AB. However, IMY makes the assessment that the current personal data processing does not entail major consequences for the data subjects. It concerns an impact that is assessed to be moderate.
-the profiling took place to show customized ads and when it took place to disclose
+In both of these cases, IMY considers that the profiling that took place where data could be linked together in the two databases, supplementary behavioral profiles and the supplementary customer database profiles, has a higher degree of seriousness compared to the
-contact details for telephone sales and postal marketing.
+See Judgment in Akzo Nobel, C-516/15, EU:C:2017:314, paragraph. 48 28
-In those cases, the profiling that took place to display customized ads has data in
+violation concerning the profiling that takes place in the so-called simple behavioral profiles
-the behavioral database on individuals' surfing behavior has been able to be connected to KDB included
+to display customized advertisements. IMY believes that the profiling that takes place in the so-called simple behavioral profiles
-browsing history, purchase history and demographic and statistical data. It has been a question
+to display customized advertisements is in itself
+grounding for sanctions, but that it has a lower degree of seriousness than the violations
+where a connection could be made between the different databases. The reason for this is that it concerns
+less information about the data subjects and indirect personal data. IMY, however, considers
+that this violation also includes systematic processing that has been going on
+for a long time and has affected a large number of data subjects.
-about a violation that has been going on for a long time and affected a large number of registered users
+The measures that Bonnier has taken to limit the infringement of the data subjects'
-and included a large amount of personal data. However, the data processed constitutes,
+personal integrity, in the form of set storage periods, that data is not recorded at the product level, that no more data than necessary is disclosed to affiliated companies, according to IMY, result in a significant reduction in the seriousness of the violations.
-as far as has been ascertained, not such special categories of personal data as are set out in
-Article 9 of the Data Protection Regulation. In this decision, IMY has assessed that the profiling
+The personal data has also not been disclosed outside the group. IMY has noted that Bonnier News AB has consistently taken measures to reduce the privacy breach for the data subjects in its group-wide cooperation.
-through complementary behavioral profiles, has been comprehensive in nature.
+This situation is also taken into account when assessing the seriousness of the violations.
-Also for the profiling of personal data in KDB where there was a connection to data in
+In light of the above circumstances, IMY assesses that these are violations of low severity overall. The starting point for calculating the
-the behavior database, so-called supplemented customer database profiles, IMY has made
-the assessment that the profiling was extensive in nature, because it contained
+sanction fee should therefore be low in relation to the current maximum amount.
-data collected about the individual's surfing behavior obtained from several
-websites combined with data from purchases made (customer engagement) as well as
-information obtained from Bisnode Sverige AB. However, IMY makes the assessment that current
+In addition to assessing the seriousness of the violation, IMY shall assess whether there are
-personal data processing does not entail major consequences for the data subjects. It touches
-about the impact which is judged to be moderate.
+any aggravating or mitigating circumstances that are significant for the amount of the sanction fee. IMY assesses that there are no further aggravating or mitigating circumstances, in addition to those taken into account when assessing the
-In both of these cases, IMY considers that the profiling that took place where data could be linked
+severity above, that affect the amount of the sanction fee.
-together in the two databases, complementary behavioral profiles and those
-supplementary customer database profiles, has a higher severity level compared to it
-See Judgment in Akzo Nobel, C-516/15, EU:C:2017:314, paragraph. 48 28
-violation relating to the profiling that takes place in the so-called simple behavioral profiles
-to display personalized ads. IMY believes that the profiling that takes place in the so-called
-simple behavioral profiles to display personalized ads in and of themselves are
-grounds for sanctions, but that it has a lower degree of seriousness than the violations
-where a connection could be made between the different databases. The reason for that is that it touches
-less information about the registered and about indirect personal data. IMY weighs
-however, that this violation also includes systematic treatment that has been ongoing
-for a long time and affected a large number of registered users.
-The measures taken by Bonnier to limit the intrusion were recorded
-personal integrity, in the form of set storage deadlines, that information is not registered on
-product level, that no more information than necessary is disclosed to affiliated companies, entails
-according to IMY that the seriousness of the violations is reduced to a significant extent.
-The personal data has also not been disclosed outside the group. IMY has
-pointed out that Bonnier News AB has consistently taken measures to
-reduce the breach of privacy for those registered in their group-wide cooperation.
-This relationship is also taken into account when assessing the seriousness of the violations.
-In the light of the above circumstances, IMY assesses that, in total, it concerns
-for violations of a low level of seriousness. The starting point for the calculation of
-the penalty fee should therefore be low in relation to the current maximum amount.
-In addition to assessing the seriousness of the violation, IMY must assess whether it exists
-any aggravating or mitigating circumstances that become relevant
-the amount of the penalty fee. IMY assesses that there is no further aggravating factor or
-mitigating circumstances, in addition to those considered in the assessment of
-the degree of seriousness above, which affects the size of the penalty fee.
 In light of the seriousness of the violation, aggravating and mitigating circumstances
 and the high turnover in relation to the violations found
-IMY determines the administrative sanction fee for Bonnier News AB to
-SEK 13,000,000. IMY considers this amount to be effective, proportionate and
-deterrent.
-________________________________________
+, IMY sets the administrative sanction fee for Bonnier News AB at
-This decision has been taken by the general manager Lena Lindgren Schelin after a presentation
+,000,000 SEK. IMY assesses that this amount is effective, proportionate and
-by lawyer Ulrika Bergström. In the final proceedings, the chief justice also has
-David Törngren and unit manager Catharina Fernquist participated.
+dissuasive.
+__________________________________________
+This decision has been made by Director General Lena Lindgren Schelin after a presentation
+by lawyer Ulrika Bergström. The Head of Legal Affairs
+David Törngren and the Head of Unit Catharina Fernquist have also participated in the final processing.
 Lena Lindgren Schelin, 2023-06-26 (This is an electronic signature)
@@ Line 2,281: / Line 1,234: @@
 Appendix
-Information on payment of penalty fee
+Information on payment of sanction fee
 Copy to
 DSO 29
 . How to appeal
+If you wish to appeal the decision, you should write to IMY. Indicate in the letter which decision you are appealing and the change you are requesting. The appeal must be received by IMY no later than three weeks from the date you received the decision. If the appeal has been received in good time, IMY will forward it to the Administrative Court in Stockholm for review. You can e-mail the appeal to IMY if it does not contain any privacy-sensitive personal information or information that may be subject to confidentiality. The authority's contact information is provided on the first page of the decision.
-If you want to appeal the decision, you must write to IMY. State in the letter which decision you made
-appeals and the change you request. The appeal must have been received by IMY
-no later than three weeks from the day you were informed of the decision. If the appeal has been received
-In due course, IMY forwards it to the Administrative Court in Stockholm for examination. You can e-
-mail the appeal to IMY if it does not contain any privacy sensitive items
-personal data or information that may be subject to confidentiality. The authority's
-contact details appear on the first page of the decision.
 </pre>