IMY (Sweden) - DI-2019-11737
IMY - DI-2019-11737 | |
---|---|
Authority: | IMY (Sweden) |
Jurisdiction: | Sweden |
Relevant Law: | Article 4(4) GDPR, Article 6(1)(f) GDPR, Article 60 GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 26.06.2023 |
Published: | |
Fine: | 13000000 SEK |
Parties: | Bonnier News AB |
National Case Number/Name: | DI-2019-11737 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Swedish |
Original Source: | IMY (Sweden) (in SV) |
Initial Contributor: | n/a |
The Swedish DPA found that the group-wide processing of personal data within the Bonnier group for various marketing purposes did not have a legal basis under Article 6(1) GDPR. Bonnier News AB was fined 13 000 000 SEK (approx. € 1 090 000).
English Summary
Facts
Bonnier News AB (Bonnier) processed personal data together with a number of affiliated companies belonging to the Bonnier group for various marketing purposes.
The affiliated companies collected information on their customers as well as browsing behavior of their website visitors through cookies. That data was transmitted to two Bonnier group-wide databases: (1) the customer database and (2) the behavioral database to create profiles of individuals (the data subjects).
In some cases, information relating to a data subject in those two databases was linked, which allowed the customer data, including contact information of an individual data subject, to be combined with behavioral data collected about them. Furthermore, in some cases, information obtained from Bisnode Sverige AB – a company offering business, marketing and credit information – was also linked to individual data subjects within the customer database.
Bonnier made the behavioral data available to the affiliated companies for the purpose of displaying personalised ads, and the customer information for telemarketing and postal marketing purposes. This allowed Bonnier to collect data from several different websites through the affiliated companies. However, an affiliated company could only retrieve information based on behavioral data collected from that company's own services.
Bonnier claimed to have a legitimate interest under Article 6(1)(f) GDPR for the collection and processing of the personal data in question.
Following various complaints lodged with the Swedish DPA against companies of the Bonnier group, the DPA initiated an investigation on whether Bonnier had a legal basis under Article 6(1) GDPR for its processing of the personal data included in the group-wide databases.
Holding
The DPA assessed the question whether Bonnier had a separate legal basis under the GDPR for processing personal data for 1) the purpose of displaying personalised ads based on the behavioral data, and 2) the purpose of making the customer data available for telemarketing and postal marketing purposes.
1) Purpose of displaying personalised ads based on behavioral data
Essentially, the DPA found that the interests of the data subjects outweighed the interests of Bonnier when it processed the behavioral data, because such processing enables profiling of individual data subjects as defined in Article 4(4) GDPR.
Furthermore, where the behavioral data of an individual data subject was linked with their customer data in the customer database, the DPA considered the profiling to be extensive in nature and found that a data subject could not expect such profiling without having consented to it.
2) Purpose of making customer data available for telemarketing and postal direct marketing
In cases where the customer information of an individual data subject was linked with behavioral data collected about them, the DPA held that the interests of the data subjects outweighed the interests of Bonnier. This was because such processing also constituted profiling pursuant to Article 4(4) GDPR, and the DPA considered the profiling to be extensive in nature, since it provides an in-depth picture of the data subject and because the data was collected from various websites and combined with additional data collected from Bisnode Sverige AB.
On the other hand, when the customer information of an individual data subject was not linked with behavioral data collected about them, the DPA held that the interests of the data subjects do not override the interests of Bonnier. In this case, the DPA considered that the individuals could reasonably expect such processing and took into consideration that the data was only disclosed to affiliated companies within the Bonnier group, and that the data did not include information collected through cookies (behavioral data).
Consequently, the DPA found that Bonnier had processed personal data in breach of Article 6(1)(f) GDPR when the interests of data subjects were found to outweigh the interests of Bonnier, and imposed a fine of 13 000 000 (thirteen million) SEK (approx. € 1 094 000) on Bonnier.
Comment
This case concerned cross-border processing, and thus, the DPA applied the cooperation and consistency mechanisms provided for in the GDPR. The supervisory authorities concerned were the authorities of Denmark, Estonia, Finland, Norway and Germany.
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.
Bonnier News AB, 105 15 Stockholm
Diary number: DI-2019-11737
Date: 2023-06-26
Decision after supervision according to data protection regulation – Bonnier News AB
IMY contact details: Postal address: Box 8114, 104 20 Stockholm. Website: www.imy.se. E-mail: imy@imy.se. Phone: 08-657 61 00
Content
1. The Privacy Protection Authority's decision
2. Statement of the supervisory matter
2.1 Description of the group-wide personal data processing
2.1.1 Description of the processing of personal data contained in the behavior database
2.1.2 Description of the processing of stored personal data in KDB
3. Justification of the decision
3.1 IMY's authority
3.1.1 Current circumstances
3.1.2 Applicable regulations, etc.
3.1.3 IMY's assessment
3.2 Bonnier News AB's responsibility for personal data
3.2.1 Current circumstances and Bonnier News AB's approach
3.2.2 Applicable regulations, etc.
3.2.3 IMY's assessment
3.3 What information constitutes personal data?
3.3.1 Current circumstances and Bonnier News AB's approach
3.3.2 Applicable regulations and other general starting points
3.3.3 IMY's assessment
3.4 The processing constitutes profiling
3.4.1 Applicable regulations
3.4.2 IMY's assessment
3.5 Legal basis for processing for the purpose of displaying customized advertisements from outside data in the behavior database
3.5.1 Current circumstances and Bonnier News AB's approach
3.5.2 Applicable regulations, etc.
3.5.3 Starting points for IMY's assessment
3.5.4 Legitimate interest
3.5.5 Is the processing necessary for the legitimate interest?
3.5.6 The balancing of interests for the processing of personal data in supplemented behavioral profiles
3.5.7 Balance of interests for the processing of personal data in simple behavioral profiles
3.6 Legal basis for processing for the purpose of making available contact information for telephone sales and postal direct marketing
3.6.1 Applicable regulations, etc.
3.6.2 Current circumstances and Bonnier News AB's approach
3.6.3 IMY's assessment
3.6.4 Is Bonnier News AB's interest in profiling individuals for the purpose of making data available to affiliated companies for use in telephone sales and postal direct marketing eligible?
3.6.5 Is the processing necessary for the purpose of profiling individuals to make information available to companies for use in telephone sales and postal direct marketing?
3.6.6 Balance of interests for processing personal data in completed customer database profiles
3.6.7 Balance of interests for personal data without connection to the behavior database
3.7 Choice of intervention
3.7.1 Applicable regulations and other general starting points
3.7.2 Same or connected data processing
3.7.3 Penalty fee
Appendix
Copy to
4. How to appeal
1.
The Data Protection Authority's decision
The Privacy Protection Authority notes that Bonnier News AB (559080-0917) during the period from 7 November 2019 to 11 June 2020 has processed personal data without having a legal basis for it according to article 6.1 of the data protection regulation by
a) processing personal data for the purpose of profiling the registered based on their behavioral data in so-called supplemented behavioral profiles and making the profiles available to affiliated companies in order to show customized adverts,
b) processing personal data for the purpose of profiling the registered based on their behavioral data in so-called simple behavioral profiles and making the profiles available to affiliated companies for the purpose of displaying customized advertisements,
c) processing personal data by profiling the registered based on their completed customer database profiles for the purpose of making contact details available to affiliated companies for telephone sales and postal direct marketing.
The Privacy Protection Authority decides with the support of articles 58.2 and 83 of the data protection regulation that Bonnier News AB must pay an administrative penalty fee of 13,000,000 (thirteen million) kronor.
2. Statement of the supervisory matter
The Swedish Privacy Protection Agency (IMY) has, in a supervision against former Bonnier Magazine and Brands AB, now Expressen Lifestyle (dnr DI-2019-6523), noted that Bonnier News AB together with other companies within the Bonnier Group processes personal data for e.g. marketing purposes supported by the legal basis legitimate interest according to Article 6.1 f of the data protection regulation. IMY has initiated supervision of Bonnier News AB for the purpose of investigating whether Bonnier News AB complies with the data protection regulation's requirements for the processing of personal data that takes place for marketing purposes.
Within the framework of this supervision, Bonnier News AB has had to comment on seven complaints submitted to IMY regarding various marketing measures taken by companies within the Bonnier Group. Bonnier News AB has commented on the complaints and it has then emerged that the marketing measures taken were not caused by withdrawals from the group-wide databases and also did not happen under Bonnier News AB's personal data responsibility. Against this background, IMY finds no reason to investigate these complaints further within the framework of this matter.
IMY has, within the scope of supervision, examined whether Bonnier News AB has a legal basis according to article 6 of the data protection regulation for the personal data processing that takes place in the group-wide databases for marketing purposes. Supervision includes the processing of personal data that takes place by creating profiles and making such data available for use by affiliated companies in order to display personalized ads. It also covers the processing of personal data, creation of profiles and making information available to affiliated companies for the purpose of being used by affiliated companies for telephone sales and postal direct marketing. IMY has not taken a position on whether Bonnier News AB's processing of personal data in general complies with the data protection regulation.
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
[2] DI-2018-22602, DI-2019-10121, DI-2019-10513, DI-2019-11057, DI-2019-7484, DI-2019-8104 and DI-2019-9556
The supervisory case began with an inspection on November 7, 2019. When IMY sent the inspection report to Bonnier News AB, IMY put additional questions to the company on 20 December 2019.
Bonnier provided comments on the inspection protocol and submitted answers to IMY's questions on 14 February 2020. IMY asked additional supplementary questions to Bonnier News AB on 15 May 2020, to which the company submitted a response on June 11, 2020. Because Bonnier News AB updated its personal data policy, the company submitted supplementary information on July 21, 2020. Bonnier News AB commented on IMY's draft decision on April 13, 2023.
Since the case concerns cross-border treatment, IMY has used the cooperation and consistency mechanisms found in Article 56 and Chapter VII of the data protection regulation. The supervisory authorities concerned have been the authorities in Denmark, Estonia, Finland, Norway and Germany.
2.1 Description of the group-wide processing of personal data
The following has emerged during the inspection and subsequent exchange of letters. Within the Bonnier Group there is a collaboration between Bonnier News AB and a number of affiliated companies that are part of the group (the affiliated companies). Which companies are connected changes over time. At the time of the inspection, there were 15 affiliated companies, which in the spring of 2020 fell to 8. The processing of personal data that takes place within the scope of the collaboration is limited to the affiliated companies' customers on the Swedish market.
The affiliated companies collect personal data from their customers and people who visit the companies' websites. The collected data is transferred to two group-wide databases, a customer database (KDB) and a behavior database (the behavior database). In these databases, profiles are created about individual people. The profiles are also linked to information taken from Bisnode Sverige AB.
Bonnier News AB has stated that it stores collected data in the group-wide databases to use for the following purposes:
• To establish a common customer register for affiliated companies with approved data quality, which includes compiling customer and user data and checking that the data is correct, updated and appropriate
• To offer the affiliated companies' customers a simple way to exercise their rights and an opportunity to ask questions about personal data to the joint customer service
• To make personal data available to affiliated companies in order to:
  • Use other affiliated companies' contact details to be able to market the affiliated companies' own products and services through direct mail marketing and telephone sales.
  • Show custom content and custom ads in the affiliated companies' digital services, based on customers' and users' customer profile and behavior on the affiliated companies' sites.
  • Perform analysis of customer data in order to, using the customer insight obtained, carry out customer communication and marketing of their own products, services and service.
  • Perform analysis of customer data in order to improve and develop existing services and products.
The personal data processing that takes place for the purpose of adapting affiliated companies' ads is based on data stored in the behavioral database. The personal data processing that takes place to disclose personal data to affiliated companies for use in telephone sales and direct mail marketing is based on data in KDB.
2.1.1 Description of the processing of personal data contained in the behavior database
The investigation into the matter shows the following. The information contained in the behavioral database is processed for the purpose of displaying customized content and customized advertisements in the affiliated companies' digital services.
In connection with an individual visiting an affiliated company's website, the affiliated company collects information about the individual's surfing behavior. This is done by the affiliated company having placed a script on its web page that requests to save a text file (web cookie) on the visitor's computer, tablet or mobile phone. The information in the web cookie can be used to track the user's browsing on the website. The information (behavioral data) that is collected when the individual surfs and then transferred to the behavior database and added to the individual's profile is:
• Details of the visited page's URL (web address), its category and a content tag,
• Details of the user's device type in which the page was viewed, browser type and the part of the user's IP address that refers to country,
• Data on behavior in the form of time spent and time of the page view,
• A unique randomly generated web cookie value (below called cookie identifier),
• Information on whether the page was viewed in logged-in mode.
Bonnier News AB deletes the cookie identifier after 30 days and from day 31, the generated behavioral data is no longer used for the adaptation of advertisements to individuals.
Data in the behavior database and in the KDB can in some cases be linked together.
[3] A content tag is a description of the content that has been consumed in the participating companies' services. Bonnier News AB collects two types of tags: tags predefined according to the IAB's (The Interactive Advertising Bureau) standard and tags produced by the affiliated companies' editorial offices.
When the data in the behavior database cannot be linked with data in the KDB, the data subject's behavioral profile consists only of the data listed above, a profile which in this decision will be called a simple behavior profile.
In cases where data in the behavior database and data in the KDB can be linked, the behavior database is supplied with data from KDB on purchase history, gender, age, the household's car ownership and zip code, as well as statistical variables based on the individual's residential area such as life phase, purchasing power and form of living. These profiles will henceforth in this decision be referred to as supplemented behavioral profiles.
The data is made available to affiliated companies through a search tool linked to the behavioral database, where the affiliated company can order a segment of customer data based on its chosen variables. An administrator reviews whether the order fulfills certain criteria determined within the collaboration. If so, the affiliated company gets access to a code that makes it possible to target ads to users who are included in the segment.
The affiliated companies can only retrieve information from the behavioral database based on behavioral data collected from the company's own digital services. This applies regardless of whether it is a simple or supplemented behavioral profile. The supplemented behavioral profile, however, may also contain purchase history from other affiliated companies.
In KDB, information is thinned out after two years, which is why older information cannot be linked to the behavioral database or disclosed to affiliated companies.
2.1.2 Description of the processing of personal data stored in KDB
The investigation into the matter shows the following. The information about individuals that is in KDB is processed for the purpose of being used for the affiliated companies' marketing of their own products and services by postal direct marketing and telephone sales.
In connection with an individual making a purchase or signing a subscription, the affiliated company that has a contractual relationship with the customer collects information from the customer.
Some of this data is transferred to KDB. In KDB, information is linked to a profile. In KDB the customer profile is assigned a KDB ID. If the affiliated company's customer is already registered in KDB, the existing customer profile is updated/supplemented with the new commitment. Otherwise, a new customer profile is created with a new KDB ID. The data stored in KDB and collected from the customer's contact with the affiliated company are name, address, telephone number, social security number, e-mail address and information linked to the customer's purchase, such as product category, brand, type of packaging (whether it is a digital or traditional item and whether it is a free or paid product). In KDB, it is also registered whether the customer has objected to data in KDB being used for marketing, as well as information on whether the customer has registered in the so-called NIX registry.
For the following categories of data there are restrictions:
• Information about e-mail address is not disclosed to affiliated companies for telephone sales and postal direct marketing.
• Information about social security number is only used to check whether the customer has registered to oppose marketing in the NIX registry (NIX block) as well as to check that the customer is not deceased.
• Information on social security numbers is not made available to the affiliated companies.
In addition to the data collected by the affiliated companies, Bonnier News AB collects information from Bisnode Sverige AB for the purpose of checking and supplementing individuals' contact details, as well as to add statistical data such as life phase, purchasing power and form of accommodation. Furthermore, information is collected on car ownership and on deceased persons, as well as information about a so-called GEDI ID (which is a unique identifier in the form of a pseudonymised ID).
Data in the KDB and the behavior database can in some cases be linked together in the KDB as well. The profile then constitutes what in this decision below will be called a supplemented customer database profile. This happens when a customer of an affiliated company visits the company's website and logs into their account with the company. The behavioral data that has been collected about the customer and which is linked to a cookie identifier can then under certain conditions be linked with the customer's KDB ID. In cases where the customer's KDB ID and the cookie value can be linked together, the KDB profile is supplemented with data collected in the last 30 days from the behavioral database. The data that is retrieved is information about which websites the customer has visited, which section of the website the customer visited (so-called content tags), as well as which device type the customer surfed from. Bonnier News AB has limited the type of content tags that companies other than the one whose website the individual surfed on can base their profiling on [4] for the purposes of telephone sales and postal direct marketing.
When a person ceases to be a customer of an affiliated company, KDB is notified that the customer's commitment has ended and the customer is flagged as a passive customer. The customer's data in KDB is then deleted after two years. Data obtained from the behavioral database is thinned out after 30 days. Any NIX block is always activated when making available contact details in KDB for customers of other affiliated companies, and contact details for own customers when these have been inactive for 12 months.
Information is made available to affiliated companies upon request through an application in KDB. KDB creates a selection file based on the criteria specified by the affiliated company. Within the scope of the collaboration, something called purpose-adapted schedules applies. These regulate what information is disclosed from KDB.
In the case of disclosure, only those data points are disclosed that are defined as necessary for the marketing channel specified at the time of disclosure, i.e. for example telephone numbers in the case of a telephone sales campaign and address for postal direct marketing. The data points that the segmentation is based on are not disclosed. The data is made available to the affiliated company through an interface in KDB.
It is possible for the registered person to request deletion from KDB. The registered person also has the right to object to the data being used for telephone sales and postal direct marketing.
Bonnier News AB has stated that all affiliated companies are majority owned by Bonnier Group AB and subject to Bonnier Group's framework for personal data processing, and that only for a small part of the profiles in question has it been possible to make a connection to data in the behavior database.
[4] Only tags categorized with the IAB's taxonomy are collected.
3. Justification of the decision
3.1 IMY's authority
3.1.1 Current circumstances
Part of the personal data that is processed within the group-wide collaboration has been collected by affiliated companies placing a cookie on the visitor's computer, tablet or mobile phone. Bonnier News AB has stated that the collection is done through affiliated companies' websites. The affiliated companies then transfer this data to the behavior database, and in some cases the data is also linked together with profile information in KDB. Bonnier News AB has stated that the obligations that resulted from the provisions of the Act (2003:389) on electronic communication and now follow from the Act (2022:482) on electronic communication (LEK) fall on the affiliated companies and not Bonnier News AB, because it is those companies that are responsible for the actual collection of the data.
3.1.2 Applicable regulations, etc.
It follows from Article 95 of the Data Protection Regulation that the Data Protection Regulation shall not entail any additional obligations for natural or legal persons who process personal data, for such areas that are already covered by obligations according to the so-called eData protection directive.
The eData Protection Directive has been implemented in Swedish law through LEK, where, among other things, the collection of information through web cookies is regulated. According to ch. 9 Section 28 LEK, data may be stored in or retrieved from a subscriber's or user's terminal equipment only if the subscriber or user gets access to information about the purpose of the treatment and consents to it. Furthermore, it appears that this does not prevent such storage or access as is necessary to transfer an electronic message via an electronic communication network or which is necessary to provide a service that the user or subscriber has expressly requested. Before August 1, 2022, when LEK entered into force, corresponding requirements applied according to ch. 6 Section 18 of the Act (2003:389) on electronic communications. It is the Swedish Post and Telecom Authority (PTS) that is the supervisory authority according to LEK (chapter 1 § 5 of the regulation [2022:511] on electronic communication).
The EDPB has commented on the interaction between the eData Protection Directive and the data protection regulation. [6] From the opinion it follows, among other things, that the national regulatory authority appointed under the eData Protection Directive is solely authorized to monitor compliance with the directive. However, the supervisory authority under the data protection regulation is the competent supervisory authority for the processing that is not specifically regulated in the eData Protection Directive.
If only part of the processing falls under the eData Protection Directive, this does not limit the authority of the data protection authority to examine other parts of the processing according to the data protection regulation. [7] This means, among other things, that the supervisory authority according to the data protection regulation is authorized to assess the legality of the personal data processing that takes place after the information is retrieved from the individual's terminal equipment, e.g. storage of collected data and analysis of such data for purposes related to behavioral advertising online. [8]
[5] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).
[6] Opinion 5/2019 on the interaction between the directive on privacy and electronic communications and the general data protection regulation, especially with regard to the competence, tasks and powers of the data protection authorities, adopted on 12 March 2019.
[7] See points 68 and 69 of the opinion.
3.1.3 IMY's assessment
The information added to the behavioral database has been collected by the affiliated companies through cookies. The personal data processing that is reviewed in this supervisory matter is Bonnier News AB's subsequent processing of personal data in the behavior database. That processing is not covered by the regulation in LEK or the previously applicable regulations in the Act (2003:389) on electronic communications. This means that the data protection regulation is applicable to the processing and that IMY is the competent supervisory authority.
3.2 Bonnier News AB's responsibility for personal data
3.2.1 Current circumstances and Bonnier News AB's approach
It is Bonnier News AB's opinion that Bonnier News AB and the respective affiliated companies have joint personal data responsibility for the processing that takes place in KDB and the behavioral database for the purposes listed above as common. Furthermore, Bonnier News AB has stated that Bonnier News AB and the affiliated companies have a common view of purposes and means and that Bonnier News AB has entered into a so-called Joint Data Controller Agreement with the affiliated companies in accordance with Article 26.2 of the data protection regulation.
Bonnier News AB has stated that each affiliated company has its own independent ("local") personal data responsibility for its own collection of data. Bonnier News AB has further stated that it has no joint personal data responsibility for the personal data processing that is carried out after the data has been disclosed to affiliated companies from the common databases. It is the affiliated company that retrieved the data that is responsible for personal data for the processing this company carries out after collection.
3.2.2 Applicable regulations, etc.
According to Article 4.7 of the data protection regulation, the person responsible for personal data is the person who alone or together with others determines the purposes and means of the processing of personal data. That purposes and means can be determined by more than one actor means that several actors can be responsible for personal data for the same processing.
According to Article 4.2 of the Data Protection Regulation, processing is an action or combination of measures concerning personal data or sets of personal data.
In the Fashion-ID case, the European Court of Justice found that a website owner who uses plug-ins from social networks on their website can become joint personal data controller with the social network.
This applies to the collection as well as the disclosure by transmission of the website visitors' personal data that takes place with the help of the social network plug-in. The court also stated that each party is only responsible for the parts of the processing chain for which it actually determines the purposes and means.[9]

In the Wirtschaftsakademie case, the European Court of Justice stated that joint responsibility for processing does not necessarily mean that the various actors involved in the processing of personal data have the same responsibility.[10] On the contrary, these actors can be involved in different stages of the processing of personal data and to varying degrees, and each actor's level of responsibility must be assessed taking into account all the relevant circumstances of the individual case.

[8] See point 75 of the opinion.
[9] See judgment Fashion-ID, C-40/17, EU:C:2019:629, paragraphs 64-85.

3.2.3 IMY's assessment

Bonnier News AB provides two databases, KDB and the behavioral database, where information from affiliated companies is combined into profiles of individuals. Under the conditions that Bonnier News AB and the companies have determined, the information is made available to Bonnier News AB and the respective affiliated companies. IMY notes that, in addition to making the databases available to the affiliated companies, Bonnier News AB, together with the companies, has set the framework for the processing in different ways. IMY therefore makes the assessment that Bonnier News AB is joint personal data controller with the affiliated companies for the part of the personal data processing that takes place for the common purposes of making personal data available, through profiling of individuals' data, to affiliated companies for displaying customized ads and for use in telemarketing and postal direct marketing.
This includes collecting data for the databases, the storage in the databases and the profiling, obtaining additional data from Bisnode Sverige AB, the link between the behavioral database and KDB, as well as the transfer of data between the databases. Furthermore, Bonnier News AB is joint personal data controller with the affiliated companies for the measures that take place before and during a disclosure to an affiliated company.

3.3 What information constitutes personal data?

3.3.1 Current circumstances and Bonnier News AB's position

Under the section "Description of the group-wide processing of personal data" it is clear that a large amount of data collected from individuals is processed in KDB and the common behavioral database. Bonnier News AB considers that what is referred to in this decision as a supplemented behavioral profile constitutes personal data. In contrast, data in the behavioral database that cannot be linked with data in KDB is, according to Bonnier News AB, anonymous behavioral data. This is because it cannot be linked to a person via KDB ID, customer ID, IP address or any other identifier for a person. Bonnier News AB thus believes that the behavioral profiles referred to in this decision as simple behavioral profiles do not constitute personal data. The segmentation that is done on these simple profiles is, according to Bonnier News AB, based only on the affiliated company's own collected information in the behavioral database (a company can, for example, choose that sports-related content and advertisements are to be adapted to the data registered via a web cookie during the last 30 days).

3.3.2 Applicable regulations and other general starting points

According to Article 4.1 of the Data Protection Regulation, personal data is any information relating to an identified or identifiable natural person (i.e. the data subject).
The same provision states that an identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or online identifiers, or to one or more factors specific to the natural person's physical, physiological, genetic, psychological, economic, cultural or social identity.

[10] See judgment Wirtschaftsakademie, C-210/16, EU:C:2018:388, paragraph 43.

According to recital 26 of the Data Protection Regulation, the principles of data protection should apply to all information relating to an identified or identifiable natural person. Personal data which has been pseudonymised and which could be attributed to a natural person through the use of supplementary information should be considered as information about an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all means, such as singling out, which may reasonably be used, either by the personal data controller or by another person, to directly or indirectly identify the natural person. To determine whether means are reasonably likely to be used to identify the natural person, one should take into account all objective factors, such as the costs and time required for identification, taking into account the technology available at the time of the processing as well as technological development. According to recital 26, the principles of data protection should not apply to anonymous information that does not relate to an identified or identifiable natural person, or to personal data that has been anonymized in such a way that the data subject is no longer identifiable. The regulation therefore does not affect the processing of such anonymous information, which includes information for statistical purposes or research purposes.
According to recital 30 of the Data Protection Regulation, natural persons can be linked to online identifiers provided by their equipment, applications, tools and protocols, for example IP addresses, cookies or other identifiers, such as radio frequency tags. This can leave traces that, especially in combination with unique identifiers and other data received by the servers, can be used to create profiles of natural persons and identify them.

From an opinion of the Article 29 Working Party,[11] which contains an analysis of the concept of personal data, it appears that a natural person in a group is considered "identified" when he or she can in some way be "distinguished" from other persons.[12] The European Data Protection Board (EDPB) has in its guidelines on targeted advertising in social media found that even people who use a social media service without having created an account or profile with the social media service may constitute data subjects within the meaning of Article 4.1 of the Data Protection Regulation if the person is directly or indirectly identified or identifiable.[13] The EDPB has referred to the concept of "singling out" in recital 26 of the Data Protection Regulation and to the above-mentioned opinion from the Article 29 Group.

The Article 29 Group's opinion regarding behavioral advertising on the Internet develops further what it means to be identifiable:

"The Article 29 Group notes that behavioral advertising often leads to processing of personal data. Behavioral advertising normally includes collection of IP addresses and processing of unique identifiers (by the cookie). The use of such functions with a unique identifier makes it possible to track users of a particular computer even if dynamic IP addresses are used. In other words, such functions make it possible to "point out" data subjects, even if their names are not known. Furthermore, the information which is collected in behavioral advertising relates to (that is, is about) a person's characteristics or behavior and is used to influence this specific person. This point of view is further strengthened if one considers the possibility that profiles can at any time be linked to directly identifiable information provided by the data subject, for example information specified at registration on a website. Other scenarios that can lead to identifiability are mergers, data loss and the growing availability on the Internet of personal data linked to IP addresses."[14]

[11] The so-called Article 29 Group was an advisory and independent working group consisting of representatives of the supervisory authorities in the EU and EEA. The group's task was, among other things, to contribute through recommendations to a uniform application of the Data Protection Directive. On 25 May 2018, the working group was replaced by the European Data Protection Board, EDPB.
[12] See WP 136, Article 29 Group Opinion 4/2007 on the concept of personal data, adopted on 20 June 2007, p. 12 f.
[13] See EDPB guidelines 8/2020 on targeted advertising in social media, Version 2.0, adopted 13 April 2021, p. 19.

3.3.3 IMY's assessment

IMY initially states that the supplemented behavioral profiles (i.e. behavioral profiles linked to KDB) contain information relating to identified or identifiable natural persons. The supplemented behavioral profiles are thus personal data.

In the case of the simple behavioral profiles (i.e. behavioral profiles without a link to KDB), IMY makes the following assessment. In order for a piece of data to qualify as personal data, it is first required that the information relates to a natural person. This requirement is met with respect to simple behavioral profiles because the data describes how the individual has browsed, using a number of different parameters. Furthermore, it is required that the natural person is identified or identifiable.
Article 4.1 of the Data Protection Regulation states that it is sufficient that a person can be identified indirectly. The provision further states that identification can be made by reference to an online identifier. Recital 30 of the regulation mentions cookies ("cookie identifiers" in the English language version) as an example of an online identifier. Identification within the meaning of Article 4.1 can thus take place with the help of unique cookie values such as those used in the behavioral database.

IMY further notes that it appears from recital 26 of the Data Protection Regulation that singling out is a way of identifying a person. This means that a person can be identified by being distinguished from other persons. It is therefore not required that the person is identified by name or social security number. Such distinguishing or singling out occurs when the information being processed makes it possible to point out, draw conclusions about or take specific actions in relation to a user.

In the behavioral database, the information is linked with a unique identifier, a unique cookie value, which is linked to a specific browser or app, which in turn is connected to a device such as a computer or telephone. One of the purposes of the processing of the data is to target marketing to a user based on that particular user's past behavior in an identified browser or app. The purpose of the processing is thus to draw conclusions about the individual by creating a profile and, based on this, to influence the individual. IMY thus states that even the simple behavioral profiles that are not linked with KDB mean that individuals are identifiable.

[14] See WP 171, Article 29 Working Party Opinion 2/2010 on Behavioral Advertising on the Internet, adopted on 22 June 2010, p. 9 f.
[15] See WP 136, Article 29 Group Opinion 4/2007 on the concept of personal data, adopted on 20 June 2007, p. 12.

Against this background, IMY makes the assessment that the simple behavioral profiles constitute personal data.

3.4 The processing constitutes profiling

3.4.1 Applicable regulations

Profiling is defined in Article 4.4 of the Data Protection Regulation as any form of automated processing of personal data which consists of personal data being used to assess certain personal characteristics of a natural person, in particular to analyze or predict this natural person's work performance, financial situation, health, personal preferences, interests, reliability, behavior, whereabouts or movements.

3.4.2 IMY's assessment

IMY notes that the processing of personal data based on both simple behavioral profiles and supplemented behavioral profiles that takes place for the purpose of making the data available to affiliated companies in order to display customized advertisements includes profiling of data subjects as defined in Article 4.4 of the Data Protection Regulation. This is because it is a question of automated processing of personal data aimed at categorizing the data subjects based on their past behavior patterns, which in turn makes it possible to assess some of their personal characteristics.

IMY further notes that the processing of personal data that takes place for the purpose of making contact details available for telephone sales and postal direct marketing includes profiling of data subjects as defined in Article 4.4 of the Data Protection Regulation. This is because it is a question of automated processing of personal data for the purpose of categorizing the data subjects based on their purchase history and in some cases also behavioral patterns.
3.5 Legal basis for processing for the purpose of displaying customized advertisements based on information in the behavioral database

3.5.1 Current circumstances and Bonnier News AB's position

Bonnier News AB has stated that within the group it has coordinated its activities in order to achieve a better data basis and make it possible to process the customers' and users' personal data for specified purposes in a cost-effective and privacy-friendly way.

Bonnier News AB bases its profiling of individuals, carried out to make information available to affiliated companies for the purpose of displaying customized advertisements, partly on collected behavioral data that cannot be linked to KDB and partly on behavioral data where such a link can be made and where additional personal data is added to the data subject's profile.

Bonnier News AB bases its processing for making information available to affiliated companies for the purpose of displaying customized advertisements on the legal basis in Article 6.1 f of the Data Protection Regulation.

Legitimate interest

Bonnier News AB has stated the following. The company has a legitimate interest that consists in a need to understand its customers' and users' wishes and needs in order to achieve relevance in content and advertising aimed at customers and users, and thereby be able to offer competitive products/services and attractive advertising space. Many of the affiliated companies also engage in journalistic activities. Publishers' business model of today consists of revenue streams from readership and advertising revenue. The group-wide personal data processing is important for the financing of the companies' journalistic activities. Bonnier News AB has also pointed to the protection for freedom and diversity of the media in Article 11 of the EU Charter of Fundamental Rights.
Necessary processing

Bonnier News AB has stated that the processing of personal data is necessary to achieve the purposes of making individuals' profiles available to affiliated companies for displaying customized ads. The company, together with the other companies, has taken measures to minimize the amount of data collected and limit how long this data is processed, and has ensured that the databases are kept separate and that only certain data is transferred between them.

Balance of interests

Bonnier News AB has stated the following. Bonnier News AB's interest outweighs the individual's interest in protection of their own personal data. Processing of personal data to display customized advertisements based on an individual's profile is a basic prerequisite for journalists and publishers to be able to obtain income and, by extension, be able to conduct journalism.

It is possible to object to profiling based on behavioral data. According to the information that individuals receive in Bonnier News AB's personal data policy, individuals can object to information about their online behavior being processed in the common customer database.[16] This means that the link between the individual's customer data and their browsing behavior is deleted.

The data subjects have a direct relationship with one or more affiliated companies. The users/customers have either visited an affiliated company's website, purchased products from an affiliated company or have an active digital subscription. Many of the customers are subscribers who have a long-term relationship with the company that provides the service or product and can therefore be considered to have a greater expectation that their data is processed. Many readers have a strong commitment to the news media they prefer. To a certain extent, customer profiles in KDB relate to one-off purchases such as literature, newspaper and merchandise purchases.
In these cases, the relationship between customer and supplier can be considered somewhat less unique. Furthermore, the interaction is voluntary, clear information is provided and there are alternative products, such as physical newspapers, that one can consume completely anonymously.

The processing is unlikely to have any negative impact on the data subject's interests. Individuals' interaction with affiliated companies is voluntary and it is in their interest that the companies' services are as relevant as possible. Furthermore, Bonnier News AB has referred to the fact that the Article 29 Group found that targeted marketing based on simple customer profiles, such as gender, age, place of residence and broad interests (e.g. "fashion"), is typically seen as not having any significant impact on individuals. Bonnier News AB has further taken measures to ensure that a minimum of data is processed in relation to the purposes and to reduce privacy risks in general. Among other things, the personal data is not shared with companies other than the affiliated companies within the group, and all of these companies are subject to the Bonnier Group's framework for personal data processing.[17]

[16] The version of Bonnier News AB's personal data policy that was submitted on 21 July 2020, see under the heading "How you access and control your personal data", file attachment 20.1.

The current processing is within the data subject's reasonable expectations in view of the fact that the individuals who come into contact with the companies do so of their own free will in order to take part of content on websites, buy services and/or products, and that they always have a customer/user relationship with one or more companies in the group. The company's personal data policies contain clear information about how customers' and users' personal data is processed and shared within the group.
The processing that is carried out within the framework of KDB and the behavioral database is closely associated with the companies' services and products, which is likely to have an impact on consumer expectations. That many of the companies' products and services are online and in many cases free or ad-financed should entail a special expectation and acceptance of certain personal data processing, e.g. for customization of content and advertising. Today, many digital products that are consumed by a very large part of consumers in society are also adapted to the individual, and it is Bonnier News AB's perception that today's consumers expect the digital products and services they consume to be tailored to the individual to some extent.

3.5.2 Applicable regulations, etc.

Personal data must be processed in a legal, correct and transparent manner in relation to the data subject, according to Article 5.1 a of the Data Protection Regulation. That the data should be processed legally means, among other things, that at least one of the conditions stated in Article 6.1 is fulfilled.

Consent is, according to Article 6.1 a, one of the legal bases on which a personal data controller can base its processing of personal data. Another legal basis is legitimate interest according to Article 6.1 f, which requires that three cumulative conditions are met: (i) there must be a legitimate interest of the personal data controller or of a third party to whom the data is disclosed, (ii) the processing of personal data must be necessary for the legitimate interest pursued, and (iii) the data subject's interest in the protection of his or her personal data must not weigh heavier.[18]

Recital 47 of the Data Protection Regulation states that a legitimate interest can, for example, exist when there is a relevant and appropriate relationship between the data subject and the personal data controller, for example if the data subject is a customer of the personal data controller.
It is stated that the processing of personal data for direct marketing can be considered a legitimate interest. Furthermore, it is stated that a legitimate interest requires a careful assessment, which includes whether the data subject, at the time and in connection with the collection of personal data, can reasonably expect that processing for the stated purpose may take place. The data subject's interests and fundamental rights could in particular weigh heavier if personal data is processed in circumstances where the data subject cannot reasonably expect any further processing.

According to ch. 9 § 28 LEK, which implements Article 5.3 of the eData Protection Directive in Swedish law, data may be stored in or retrieved from users' or subscribers' terminal equipment only if the subscriber or user gets access to information about the purpose of the processing and consents to it. This does not prevent such storage or access as is needed to transmit an electronic message via an electronic communication network or as is necessary to provide a service which the user or subscriber has expressly requested. Corresponding requirements previously applied according to ch. 6 § 18 of the Act (2003:389) on electronic communications.

[17] Further measures taken can be seen from the opinion filed on February 14, 2020, file appendix 13, in appendix O.
[18] See judgment in Fashion ID, C-40/17, EU:C:2019:629, point 95.

It appears from the EDPB's guidelines on connected vehicles that data collected on the basis of consent in accordance with Article 5.3 of the eData Protection Directive, or covered by the exceptions in Article 5.3 of that directive, can only be further processed for another purpose if the personal data controller requests further consent or has support in Union law or the legislation of a Member State.
The EDPB further states that such further processing cannot rely on a compatibility test according to Article 6.4 of the Data Protection Regulation because it would undermine the protection in the eData Protection Directive. Furthermore, the EDPB states that a consent must, when required by the eData Protection Directive, be specific and informed, which means that the data subject must be aware of each processing purpose and have the right to refuse specific purposes. If further processing on the basis of a compatibility test according to Article 6.4 of the Data Protection Regulation were possible, the very principle of the consent requirements in the directive in question would be circumvented.[20]

In the EDPB's guidelines on targeted advertising in social media, personal data is divided into the categories of data that the data subject has actively and knowingly provided to the personal data controller, observed data provided by the data subject through use of the service or device, and inferred and derived data created on the basis of the data provided by the data subject.[21] According to the EDPB, there are two legal bases that may come into question for processing data which the data subject actively and knowingly provided, namely consent according to Article 6.1 a and legitimate interest according to Article 6.1 f of the Data Protection Regulation. When it comes to observed data provided by the data subject through use of a service or device, including data collected through cookies, the EDPB states that Article 6.1 f cannot constitute a legal basis for targeted advertising where individuals are tracked across multiple websites and locations.[22] Furthermore, the EDPB states that for such processing, consent is probably the most appropriate legal basis in Article 6 of the Data Protection Regulation.
In the assessment, one must further take into account that the processing involves activities for which the EU legislator has wanted to provide additional protection.[23]

The EDPB has stated in its guidelines on consent that if the personal data controller chooses to rely on consent for any part of the processing, it must be prepared to respect this choice and stop this part of the processing if an individual withdraws consent. It would be fundamentally unfair to the data subjects to give the message that the data will be processed based on consent while actually relying on another legal basis. In other words, the personal data controller may not change the legal basis from consent to other legal bases. The EDPB further states that it is not permitted, for example, to retroactively use legitimate interest as a basis for justifying the processing if there have been problems with obtaining valid consent. Due to the requirement that personal data controllers must specify a legal basis when the personal data is collected, they must have determined which legal basis applies before they collect the data.[24]

[19] See Guidelines 01/2020 on the processing of personal data in connection with connected vehicles and safety-related applications, Version 2.0, adopted on 9 March 2021, paragraph 53.
[20] See previous note.
[21] See EDPB guidelines 8/2020 on targeted advertising in social media, Version 2.0, adopted 13 April 2021, point 40.
[22] See previous note, point 77.
[23] See previous note, point 78.

An opinion of the Article 29 Working Party on the concept of legitimate interest in Directive 95/46/EC shows that, when carrying out the balancing of interests, account should be taken of what type of interest is stated, what harm the personal data controller would suffer if the data were not processed, the nature of the data, how the personal data is processed, the position of the data subjects and the position of the personal data controller, the data subjects' reasonable expectations of what will happen to their data, and the consequences for the data subjects. If, after the above factors have been analyzed, it is still unclear how the balance falls, the design of the so-called additional safeguards is essential for the outcome of the balancing of interests.[25]

The Article 29 Working Party Guidelines on automated individual decision-making and profiling give guidance on when profiling can be based on legitimate interest according to Article 6.1 f. According to the guidelines, the following factors are relevant:

• How detailed the profile is.
• How extensive the profile is.
• The consequences of profiling.
• The safeguards intended to ensure a fair, non-discriminatory and accurate profiling process.

In several opinions, the Article 29 Group has repeated its position that it is difficult to rely on Article 6.1 f of the Data Protection Regulation for profiling that takes place for marketing or advertising purposes when individuals are tracked on several different websites, locations, devices or services, or for data brokerage operations.[26]

3.5.3 Starting points for IMY's assessment

Bonnier News AB bases its processing of personal data for the purpose of making individuals' profiles available to affiliated companies for displaying customized advertisements on the legal basis of legitimate interest according to Article 6.1 f of the Data Protection Regulation.
Before IMY examines whether this legal basis can constitute a basis for Bonnier News AB's processing, IMY finds reason to go into how the processing relates to certain statements made in the EDPB guidelines.

From the EDPB's guidelines on targeted advertising in social media, it appears that, as regards data that the data subject has actively and knowingly provided, both consent and legitimate interest can constitute a legal basis for the processing. However, the guidelines state that for data collected through observation (e.g. through cookies), legitimate interest cannot serve as an appropriate legal basis when the targeted advertising is based on individuals being tracked across several websites and locations.

[24] See EDPB Guidelines 05/2020 on consent under Regulation (EU) 2016/679, Version 1.1, adopted on 4 May 2020, Chapters 122-123.
[25] See Article 29 Working Party Opinion 6/2014 on the concept of the controller's legitimate interests in Article 7 of Directive 95/46/EC.
[26] See the Article 29 Group's Guidelines on automated individual decision-making and profiling according to Regulation (EU) 2016/679, adopted on 3 October 2017, p. 15, and Article 29 Working Party Opinion 6/2014 on the concept of the controller's legitimate interest in Article 7 of Directive 95/46/EC, adopted on 9 April 2014, p. 47, and the examples on pp. 59–60, as well as the EDPB's guidelines 8/2020 on targeted advertising in social media, Version 2.0, adopted 13 April 2021, p. 77.

IMY states that Bonnier News AB collects data for its behavioral database from several different websites, but an affiliated company can only extract data based on behavioral data collected from the company's own digital services. This applies regardless of whether it is a simple or a supplemented behavioral profile.
The EDPB's guidelines on connected vehicles state that data collected on the basis of consent according to Article 5.3 of the eData Protection Directive can only be further processed for another purpose if the personal data controller requests further consent or the processing is supported by EU law or national regulation. The section of the EDPB guidelines on consent dealing with the interaction between consent and other legal bases in Article 6 likewise addresses the situation where the data subject is given the message that they have the rights that a consent entails, and the unfairness of not respecting these by relying on another legal basis.

IMY states that the situation in this case differs to some extent from that described in these guidelines. In this case, it is the affiliated companies that collect the data according to Article 5.3 of the eData Protection Directive and that are thus covered by the requirement for consent in that provision. The affiliated companies have to ensure that they have legal support for their processing according to the eData Protection Directive and the Data Protection Regulation. The affiliated companies' processing of personal data is not covered by this supervision. It is thus not Bonnier News AB that collects the data on the basis of consent according to the national provisions implementing Article 5.3 of the eData Protection Directive. It is only when the affiliated companies enter the personal data in the behavioral database and KDB that Bonnier News AB's processing begins. Bonnier News AB thus does not change the legal basis from consent to legitimate interest.

IMY notes at the same time that Bonnier News AB is part of the same group as the affiliated companies and that Bonnier News AB is joint personal data controller with the affiliated companies for the processing of personal data in the databases.
The fact that group-wide databases have been established should not mean that the data subjects receive less protection compared to if the processing took place with the group company that collected the personal data. In other words, Bonnier News AB should not have greater opportunities to process the personal data on the legal basis of legitimate interest than the affiliated companies have. According to IMY, the guidelines reported above should therefore have significance for the assessment of the possibility of using legitimate interest as a legal basis in this case.

From the above, it can be concluded that the scope for further processing, on the basis of Article 6.1 f of the Data Protection Regulation, data collected on the basis of consent according to LEK is very limited. At the same time, it can be stated that the Data Protection Regulation contains no prohibition against using Article 6.1 f as legal basis for the current form of processing. IMY therefore proceeds to examine whether the processing is supported by Article 6.1 f of the Data Protection Regulation.

IMY's examination of whether Bonnier News AB has support for its processing in Article 6.1 f of the Data Protection Regulation is based on the three conditions that must be met according to the provision:

(i) Is there a legitimate interest of the personal data controller or of third parties to whom the data is disclosed?
(ii) Is the processing of personal data necessary for the legitimate interest pursued?
(iii) Does the data subject's interest in the protection of his or her personal data weigh heavier?

IMY treats the first two steps in the balancing of interests jointly for the supplemented and simple behavioral profiles (sections 3.5.3 and 3.5.4). Then the third and final step is treated separately for the supplemented behavioral profiles (section 3.5.5) and the simple behavioral profiles (section 3.5.6).
3.5.4 Legitimate interest
Bonnier News AB's interest in creating profiles in order to make information available to affiliated companies for displaying customized ads is of a commercial nature. That an interest is commercial does not exclude it from being legitimate; what is decisive for this assessment is whether the interest is legal, specific and constitutes a real and actual interest.7 The interest of Bonnier News AB and the affiliated companies is legal, real and actual. IMY therefore states that Bonnier News AB's interest in creating profiles for making available, and the affiliated companies' interest in processing personal data in order to display customized ads based on customers' and users' customer profiles and behavioral profiles, is legitimate.
3.5.5 Is the processing necessary for the legitimate interest?
The requirement of necessity in Article 6.1 f of the Data Protection Regulation must be tested together with the principle of data minimization in Article 5.1 c. The purpose of the processing is to make data available to affiliated companies so that they can display customized ads based on individual profiles. In the case it has emerged that Bonnier News AB, together with the affiliated companies, has taken measures to minimize the amount of data collected, to limit how long the data is processed, and to ensure that the databases in which the data is processed are kept separate and that only certain data is transferred between them. Against this background, IMY finds that the processing described in this decision is necessary for the stated purpose.
3.5.6 The balancing of interests for the processing of personal data in supplemented behavioral profiles
According to the company, Bonnier News AB's interest in creating profiles to make data available to affiliated companies for displaying customized ads can benefit the individual, either through higher income that enables free or cheaper services or because individuals are met with offers that they are interested in.
Bonnier News AB has further emphasized that many of the affiliated companies engage in journalistic activities, that publishers' business model today consists of revenue streams from readers and advertising revenue, and that the group-wide personal data processing is important for the financing of the companies' journalistic activities. Against that background, the company has assessed that its interest weighs particularly heavily.
As IMY has already stated, the interest in displaying customized ads is legitimate in the sense referred to in Article 6.1 f of the Data Protection Regulation. As for the question of how heavily this interest weighs, IMY states that the interest is not journalistic in itself, but of a commercial nature. Through profiling, knowledge is created about customers and potential customers that enables revenue from customized advertising. IMY assesses that the commercial interest of Bonnier News AB and the affiliated companies does not weigh as heavily as Bonnier News AB claims.
[27] See the Article 29 Working Party's opinion 6/2014 on the concept of the controller's legitimate interests in Article 7 of Directive 95/46/EC.
[28] See judgment Asociaţia de Proprietari bloc M5A-ScaraA, C-708/18, EU:C:2019:1064, paragraph 48.
With regard to the assessment of the interests of the data subjects, IMY considers the following. As stated above, Bonnier News AB collects personal data in the behavioral database that was originally collected by the affiliated companies through web cookies. The consent requirement that applies under ch. 9 § 28 LEK[29] for that collection provides strong privacy protection and an opportunity for the data subjects to control the use of the collected data. As the EDPB has found in several of its guidelines, this protection risks being undermined if the collected personal data is processed on the basis of other legal bases, such as legitimate interest under Article 6.1 f of the Data Protection Regulation.
As IMY has already established, Bonnier News AB should not have greater opportunity than the affiliated companies to invoke the legal basis of legitimate interest for the processing of the personal data collected by the affiliated companies using cookies. IMY considers that the nature of the data means that the interest of the data subjects should be given high weight in the balancing of interests.
Furthermore, IMY assesses that the scope for using Article 6.1 f of the Data Protection Regulation as the legal basis for profiling based on observed data is limited (cf. EDPB guidelines 8/2020 on targeted advertising in social media p. 77–78). IMY therefore notes that the nature of the processing also means that the data subject's privacy interest weighs heavily.
Bonnier News AB has emphasized that profiling and customized advertisements can benefit the data subject in that they enable higher revenues for the affiliated companies, which in turn enables them to offer free or cheaper services. It can also benefit the data subject by meeting them with offers in which they are interested. IMY does not question that the processing can to some extent benefit the data subjects, but considers that the overall interest of the profiling is to create advertising that is as accurate as possible in order to get customers and potential customers to buy goods or services and to obtain revenue from such advertising.
In cases where behavioral data can be linked to KDB for the purpose of displaying customized advertisements (the so-called supplemented behavioral profiles), IMY considers the following in its assessment. The data for the profiling is admittedly not collected from different websites, which according to the EDPB's guidelines would make Article 6.1 f of the Data Protection Regulation unsuitable as a legal basis, but the profiling instead includes data collected from other contexts, such as previously made purchases, collected demographic data and statistical data.
IMY considers that the profiling is extensive in nature and that such profiling is not something a data subject can expect without having consented to such personal data processing.
In a balanced assessment, IMY considers that the data subject's privacy interest outweighs the interests of Bonnier News AB and the affiliated companies. Against this background, IMY notes that Bonnier News AB has processed personal data in violation of Article 6.1 of the Data Protection Regulation for the purpose of profiling the data subjects based on their behavioral data in a so-called supplemented behavioral profile and making the profiles available to affiliated companies for the purpose of displaying customized advertisements.
[29] At the time in question in the case, the same requirement applied under ch. 6 § 18 of the Act (2003:389) on electronic communication.
3.5.7 Balance of interests for the processing of personal data in simple behavioral profiles
As IMY stated above in section 3.5.4, Bonnier News AB's interest in creating profiles to make information available to affiliated companies for displaying customized advertisements is a commercial interest that does not carry as much weight as Bonnier News AB claims.
With regard to the assessment of the interests of the data subjects, IMY considers the following. Bonnier News AB has taken measures to minimize the amount of data collected, introduced privacy-enhancing rules for the segmentation, introduced thinning rules, and ensured that information collected from an affiliated company can only be used by that company. The profiling thus only takes place on a company's "own visitors". Bonnier News AB further provides information about the processing at issue through its personal data policy.
Against this must be weighed that the collection and profiling in simple behavioral profiles enables a mapping of individuals through observed data, which implies a greater intrusion into privacy than when the data is collected through the data subject's active participation. IMY considers that the data subjects' privacy interest is strong due to the nature of the data (the collection of the data is given special protection in LEK). As IMY has already stated, Bonnier News AB should not have a greater opportunity than the affiliated companies to invoke the legal basis of legitimate interest for the processing of the personal data collected by the affiliated companies using cookies. Furthermore, IMY considers that when the browsing behavior of individuals is monitored in order to show customized advertising, this can give the data subject the feeling of losing control over their data and the feeling of being monitored. This can result in individuals being influenced in their choice of what they take part in on a website.
In a balanced assessment, IMY considers that the data subject's privacy interest weighs more heavily than the interests of Bonnier News AB and the affiliated companies also in the processing of personal data in simple behavioral profiles, because this enables profiling of individuals. Against this background, IMY notes that Bonnier News AB has processed personal data without having a legal basis for it under Article 6.1 of the Data Protection Regulation in order to profile the data subjects based on their behavioral data in so-called simple behavioral profiles and make the profiles available to affiliated companies for the purpose of displaying customized advertisements.
3.6 Legal basis for processing for the purpose of making contact details available for telephone sales and postal direct marketing
3.6.1 Applicable regulations, etc.
To be able to rely on Article 6.1 f of the Data Protection Regulation, the three conditions stated in the article must, as described above, be met. There has to be a legitimate interest of the controller or of a third party to which the information is disclosed, the processing of personal data must be necessary for the legitimate interest pursued, and the data subject's interest in the protection of their personal data must not weigh more heavily.[30]
The Article 29 Working Party's and the EDPB's guidelines on profiling and the application of Article 6 have been explained in section 3.5.
3.6.2 Current circumstances and Bonnier News AB's approach
Bonnier News AB has stated that the group has coordinated its activities in order to achieve a better data basis and make it possible to process customers' and users' personal data for specified purposes in a cost-effective and privacy-friendly way.
Bonnier News AB profiles registered users in order to make the data available for telephone sales and direct mail marketing. This profiling is based partly on data in KDB collected from affiliated companies at purchases and subscriptions (so-called customer engagement), partly on information obtained from Bisnode Sverige AB and, for a small part of the profiles, on information from the behavioral database. Bonnier News AB bases its processing on Article 6.1 f of the Data Protection Regulation.
Legitimate interest
Bonnier News AB has stated that the affiliated companies have a legitimate interest in marketing their products and services in an efficient and privacy-friendly way.
Necessary processing
Bonnier News AB has stated that it, together with the affiliated companies, has taken measures to minimize the amount of data collected and how long the data is processed and, in order to live up to the data minimization principle, has kept the databases separated and only transferred certain data.
Furthermore, Bonnier News AB has taken measures so that no more information than is necessary is disclosed to the affiliated companies. At disclosure, only the data points defined as necessary for the marketing channel specified at the time of disclosure are released, for example telephone number in the case of a telephone sales campaign and address in the case of postal direct marketing. The data points on which the segmentation is based are not disclosed.
The balancing of interests
Bonnier News AB has stated the following. Bonnier News AB's interest in making information based on the data subject's profile available to affiliated companies for use in telephone sales and postal direct marketing outweighs the data subject's privacy interest. By using the group's existing resources for telephone sales and postal direct marketing, instead of buying the same information/resource from an external party, a cost saving occurs at the same time as it enables a more controlled degree of utilization of addresses and telephone numbers than would otherwise have been possible. The processing also aims to save on purchasing costs.
Bonnier News AB, together with the affiliated companies, has taken measures to minimize the amount of data collected, limited how long this data is processed and, in order to live up to the data minimization principle, kept the databases separated. For the purposes of telephone sales and postal direct marketing, Bonnier News AB has limited the type of content tags generated when the data subject has browsed other companies' websites. It has also only been possible to make a connection between the databases for a small percentage of users. Furthermore, within the framework of the collaboration, so-called fit-for-purpose schedules are applied. These regulate which information is released from KDB.
[30] CJEU judgment Fashion ID, C-40/17, EU:C:2019:629, para. 95.
At the time of disclosure, only the data points defined as necessary for the marketing channel specified at the time of disclosure are released, for example telephone number for a telephone sales campaign and address for postal direct marketing. The data points on which the segmentation is based are not disclosed. There is a special possibility for the data subject to request deletion from the common database. The data subject also has the right to object to the information being used for telephone sales and postal direct marketing.
The data subjects have a direct relationship with one or more affiliated companies. The users/customers have either visited an affiliated company's website, purchased products from an affiliated company or have an active digital subscription. Many of the customers are subscribers who have a long-term relationship with the company that provides the service or product, and can therefore be considered to have a greater expectation that their data is processed. Many readers have a strong commitment to the news media they prefer. To a certain extent, customer profiles in KDB relate to one-off purchases such as literature, newspaper and merchandise purchases, where the relationship between customer and supplier may be considered somewhat less unique. Furthermore, the interaction is voluntary, clear information is provided, and there are alternative products, such as physical newspapers, that can be read completely anonymously.
According to Bonnier News AB, the processing probably does not have a negative effect on the data subject's interest. The processing that takes place is within the data subjects' reasonable expectations, given that the individuals who come into contact with the companies do so of their own free will in order to take part of content on websites or buy services and/or products, and that they always have a customer/user relationship with one or more group companies.
Furthermore, the company's personal data policy provides clear information about how customers' and users' personal data is processed and shared within the group. The processing that is carried out within the framework of the KDB/behavioral database is closely associated with the companies' services and products, which is likely to have an impact on consumer expectations. That a group, for reasons of efficiency, coordinates systems and central functions and shares certain data should also not be unexpected for the data subjects.
Customers who have not signed up to the NIX register have a reasonable expectation that their contact details may be used for postal direct marketing or telephone sales. Consumers are used to this type of marketing. The group-wide policy provides information on direct marketing and telephone sales. It states that addresses and telephone numbers can be used by the Bonnier companies for direct marketing via mail and for telephone sales. It also appears that the Bonnier companies can choose segments that they believe are relevant for the campaign in question, e.g. "men in the 40-45 age range who live in Stockholm". It also appears that the Bonnier companies always respect NIX blocks and whether anyone has objected to the marketing.
[31] Only tags categorized with the IAB's taxonomy are collected.
3.6.3 IMY's assessment
IMY treats the first two steps in the balancing of interests jointly for the supplemented and simple behavioral profiles (sections 3.6.4 and 3.6.5). The third and final step is then treated separately for the supplemented behavioral profiles (section 3.6.6) and the simple behavioral profiles (section 3.6.7).
3.6.4 Is Bonnier News AB's interest in profiling individuals for the purpose of making data available to affiliated companies for use in telephone sales and direct mail marketing legitimate?
Bonnier News AB's interest in creating profiles to make the data available to affiliated companies for use in telephone sales and postal direct marketing is commercial in nature. IMY assesses that the companies' interest is legal, real and actual, both for Bonnier News AB and for the affiliated companies to which the information is disclosed. Against this background, IMY assesses that the company's interest in creating profiles to make data available to affiliated companies for use in telephone sales and direct mail marketing is legitimate.
3.6.5 Is the processing necessary for the interest of profiling individuals for the purpose of making information available to companies for use in telephone sales and direct mail marketing?
The requirement of necessity in Article 6.1 f of the Data Protection Regulation must be tested together with the principle of data minimization in Article 5. The purpose of the processing is to make information available to companies for use in telephone sales and postal direct marketing. In the case, it has emerged that Bonnier News AB, together with the other companies, has taken steps to minimize the amount of data collected, to limit how long the data is processed, and to ensure that the databases in which the data is processed are kept separate and that only certain data is transferred between them. Furthermore, the company has ensured that no more information than is necessary is disclosed to the affiliated companies for use in telephone sales and postal direct marketing. Against this background, IMY finds that the processing is necessary for the legitimate purpose.
3.6.6 Balance of interests for the processing of personal data in supplemented customer database profiles
Bonnier News AB has emphasized that the affiliated companies have an interest in marketing their products and services in an efficient and privacy-friendly manner.
IMY states, however, that the interest in making information available for use in telephone sales and postal direct marketing is a commercial interest that does not weigh particularly heavily.
With regard to the assessment of the interests of the data subjects, IMY considers the following. The profiling that is done on the supplemented customer database profiles includes information collected from affiliated companies during purchases and subscriptions (so-called customer engagement), information obtained from Bisnode Sverige AB and information from the behavioral database (including data collected by the affiliated companies through cookies). IMY has already stated above that Bonnier News AB should not have greater opportunity than the affiliated companies to invoke the legal basis of legitimate interest when processing personal data that the affiliated companies have collected with the help of cookies. The behavioral data about a data subject that is retrieved from the behavioral database to KDB is also collected from various companies' websites. IMY considers that the data subjects cannot be considered to expect their behavioral data to be collected for marketing purposes just because they visit a web page. Nor can they be considered to expect that their behavioral data is combined with data from another purchase situation or with data obtained from other registers for the purpose of being contacted for telephone sales or postal direct marketing. This is not changed by the privacy-enhancing measure that the affiliated companies that carry out the marketing action do not get access to the collected behavioral data but only to contact details.
[32] See judgment Asociaţia de Proprietari bloc M5A-ScaraA, C-708/18, EU:C:2019:1064, paragraph 48.
From the EDPB's guidelines it appears that the scope for using legitimate interest as a legal basis for profiling depends on how detailed the profile is, how extensive the profile is, the consequences of the profiling and the protective measures intended to ensure a fair, non-discriminatory and accurate profiling process.
IMY considers that data subjects' privacy interest is strong due to the nature of the data, because the data enables the mapping of individuals' behavior and the collection of the data is given special protection in LEK. IMY further notes that this is the kind of profiling referred to in Article 4.4 of the Data Protection Regulation and that the profiling is extensive as it provides an in-depth picture of the data subject. It also concerns data collected from different web pages combined with data retrieved from customer engagement and statistical data from Bisnode Sverige AB. IMY notes against this background that the nature of the processing means that the privacy interest of the data subjects weighs heavily.
In a balanced assessment, IMY considers that the data subject's privacy interest outweighs Bonnier News AB's and the affiliated companies' interest in the processing of personal data that is based on so-called supplemented customer database profiles and that takes place with the aim of making contact information available to affiliated companies for telephone sales and postal marketing. Against this background, IMY notes that Bonnier News AB has processed personal data without having a legal basis for it under Article 6.1 of the Data Protection Regulation by profiling the data subjects based on their supplemented customer database profiles in order to make contact information available to affiliated companies for telephone sales and postal marketing.
3.6.7 Balance of interests for personal data without connection to the behavioral database
As IMY stated above in section 3.6.6, Bonnier News AB's interest is primarily a commercial interest that does not weigh particularly heavily.
Regarding the assessment of the data subjects' interests in such processing as lacks a connection to the behavioral database, IMY considers the following. Bonnier News AB has taken measures to minimize the number of data points, in relation to both the principle of data minimization and the principle of storage minimization, by not sharing data at item level, but only at the level of product category, brand and type of packaging. The profiling also does not include data collected through cookies. The investigation has further shown that the individual has had the opportunity to object before the processing and that Bonnier News AB respects data subjects' wishes to avoid marketing that have been recorded on national blacklists or with the controller. Against this background, IMY considers that the processing is within the framework of what individuals can reasonably expect, given the information that is provided and that information is only disclosed to affiliated companies within the group.
In a balanced assessment, IMY considers that the data subjects' interests or fundamental rights do not outweigh the interests of Bonnier News AB and the affiliated companies in the processing at issue. Against this background, IMY notes that Bonnier News AB has had support for its processing in Article 6.1 f of the Data Protection Regulation.
3.7 Choice of intervention
3.7.1 Applicable regulations and other general starting points
In the event of violations of the Data Protection Regulation, IMY has a number of corrective powers, including reprimands, injunctions and penalty fees. This follows from Article 58.2 a–j of the Data Protection Regulation.
IMY shall impose penalty fees in addition to or instead of other corrective measures referred to in Article 58(2), depending on the circumstances of each individual case.
If a controller or a processor, with respect to one and the same or connected data processing, intentionally or by negligence violates several of the provisions of the regulation, the total amount of the administrative penalty fee may not exceed the amount determined for the most serious violation. This follows from Article 83.3 of the Data Protection Regulation.
Each supervisory authority must ensure that the imposition of administrative penalty fees in each individual case is effective, proportionate and dissuasive. This is stated in Article 83.1 of the Data Protection Regulation.
Article 83.2 specifies the factors that must be taken into account in determining whether an administrative penalty fee should be imposed and in assessing the size of the penalty fee. The EDPB has adopted guidelines on the calculation of administrative penalty fees under the Data Protection Regulation, which aim to create a harmonized method and principles for the calculation of penalty fees.[33]
If it is a question of a minor violation, IMY may, according to recital 148 of the Data Protection Regulation, instead of imposing a penalty fee issue a reprimand under Article 58.2 b.
3.7.2 Same or connected data processing
IMY has assessed in three cases above that Bonnier News AB lacked support in Article 6.1 of the Data Protection Regulation for its processing of personal data. IMY assesses that these processing operations, all of which take place in the company's databases through profiling for marketing purposes, are connected to each other in the manner referred to in Article 83.3 of the Data Protection Regulation.
3.7.3 Penalty fee
IMY has assessed that Bonnier News AB has violated Article 6.1 of the Data Protection Regulation in its processing of personal data that takes place for the purpose of displaying customized advertisements and to make contact information available to affiliated companies for telephone sales and postal direct marketing. IMY does not consider these to be minor violations. Bonnier News AB must therefore be charged an administrative penalty fee for these violations.
[33] EDPB's guidelines 8/2020 Guidelines 04/2022 on the calculation of administrative fines under the GDPR (adopted for public consultation on 12 May 2022).
IMY notes that violations of Article 6.1 of the Data Protection Regulation are covered by Article 83.5, which means that a penalty fee of up to twenty million EUR or four percent of the global annual turnover in the previous fiscal year, whichever is higher, may be imposed.
When determining the maximum amount of a penalty fee to be imposed on a company, the definition of the concept of company used by the EU Court of Justice in its application of Articles 101 and 102 of the TFEU shall be used (see recital 150 of the Data Protection Regulation). It appears from the court's case law that this includes every entity that carries out economic activities, regardless of the entity's legal form and the way it is financed, and even if the entity in the legal sense consists of several natural or legal persons.[34]
IMY assesses that the turnover to be used as the basis for calculating the administrative penalty fee that can be imposed on Bonnier News AB is that of Bonnier News AB's parent company Albert Bonnier AB. From information obtained it appears that Albert Bonnier AB's annual turnover in 2021 was SEK 23,299,000,000. The highest penalty amount that can be determined in the case is four percent of this amount, that is to say approximately SEK 931,960,000.
IMY assesses that the following factors are important for the assessment of the seriousness of the infringement. It has been a question of profiling of individuals that took place for profit, both when the profiling took place to show customized ads and when it took place to disclose contact details for telephone sales and postal marketing. In those cases where the profiling took place to display customized ads and data in the behavioral database on individuals' browsing behavior could be connected to KDB, the profiling included browsing history, purchase history and demographic and statistical data. It has been a question of a violation that has been going on for a long time, affected a large number of registered users and included a large amount of personal data. However, the data processed does not, as far as has been ascertained, constitute such special categories of personal data as are set out in Article 9 of the Data Protection Regulation.
In this decision, IMY has assessed that the profiling through supplemented behavioral profiles has been comprehensive in nature. Also for the profiling of personal data in KDB where there was a connection to data in the behavioral database, the so-called supplemented customer database profiles, IMY has made the assessment that the profiling was extensive in nature, because it contained data collected about the individual's browsing behavior obtained from several websites combined with data from purchases made (customer engagement) and information obtained from Bisnode Sverige AB. However, IMY makes the assessment that the personal data processing at issue does not entail major consequences for the data subjects. It concerns an impact that is judged to be moderate.
In both of these cases, IMY considers that the profiling that took place where data could be linked together in the two databases, the supplemented behavioral profiles and the supplemented customer database profiles, has a higher level of seriousness than the violation relating to the profiling that takes place in the so-called simple behavioral profiles to display personalized ads.
[34] See judgment in Akzo Nobel, C-516/15, EU:C:2017:314, paragraph 48.
IMY considers that the profiling that takes place in the so-called simple behavioral profiles to display personalized ads is in and of itself grounds for sanctions, but that it has a lower degree of seriousness than the violations where a connection could be made between the different databases. The reason is that it concerns less information about the data subjects and indirect personal data. IMY takes into account, however, that this violation also involves systematic processing that has been ongoing for a long time and affected a large number of registered users.
The measures taken by Bonnier to limit the intrusion into the data subjects' personal privacy, in the form of set storage deadlines, that information is not registered at product level, and that no more information than necessary is disclosed to affiliated companies, mean according to IMY that the seriousness of the violations is reduced to a significant extent. The personal data has also not been disclosed outside the group. IMY has pointed out that Bonnier News AB has consistently taken measures to reduce the intrusion into privacy for the data subjects in its group-wide cooperation. This circumstance is also taken into account when assessing the seriousness of the violations.
In the light of the above circumstances, IMY assesses that, in total, it is a matter of violations of a low level of seriousness. The starting point for the calculation of the penalty fee should therefore be low in relation to the applicable maximum amount.
In addition to assessing the seriousness of the violation, IMY must assess whether there are any aggravating or mitigating circumstances that are relevant to the amount of the penalty fee. IMY assesses that there are no further aggravating or mitigating circumstances, in addition to those considered in the assessment of the degree of seriousness above, that affect the size of the penalty fee.
In light of the seriousness of the violation, aggravating and mitigating circumstances and the high turnover in relation to the violations found, IMY sets the administrative penalty fee for Bonnier News AB at SEK 13,000,000. IMY considers this amount to be effective, proportionate and deterrent.
________________________________________
This decision has been taken by the general manager Lena Lindgren Schelin after a presentation by lawyer Ulrika Bergström. In the final proceedings, the chief justice David Törngren and unit manager Catharina Fernquist also participated.
Lena Lindgren Schelin, 2023-06-26 (This is an electronic signature)
Appendix
Information on payment of penalty fee
Copy to
DSO
4. How to appeal
If you want to appeal the decision, you must write to IMY. State in the letter which decision you are appealing and the change you request. The appeal must have been received by IMY no later than three weeks from the day you were informed of the decision. If the appeal has been received in due time, IMY forwards it to the Administrative Court in Stockholm for examination.
You can e-mail the appeal to IMY if it does not contain any privacy-sensitive personal data or information that may be subject to confidentiality. The authority's contact details appear on the first page of the decision.