
IMY (Sweden) - 2023-16452

From GDPRhub
IMY - 2023-16452
Authority: IMY (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 6(1)(f) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 28.04.2025
Published:
Fine: n/a
Parties: Aller Media AB
National Case Number/Name: 2023-16452
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Swedish
Original Source: IMY (in SV)
Initial Contributor: cci

The DPA reprimanded a news outlet for unlawfully processing the data of its website’s visitors after collecting them through cookies. The DPA also clarified that the Post and Telecom authority is the competent enforcer of the e-Privacy Directive's national implementation.

English Summary

Facts

News outlet Aller Media AB (the controller) used non-necessary cookies on its website for purposes including profiling, targeted advertising, and offering the precise use of geodata.

For this purpose, the data controller implemented a cookie banner with the “Accept” and “Manage Choices” options in the first layer. Clicking the “Manage Choices” button led website users to the second layer of the banner. This second layer listed all the individual purposes for which cookies were placed based on the controller’s legitimate interest, and offered users the option to opt out for each individual purpose.

As a result of the complex design of the cookie banner, the data controller effectively invoked two distinct legal bases for writing non-essential cookies. In the first layer, the controller asked for the consent of website visitors. If consent was refused, the controller would rely on its legitimate interest and offer visitors the option of opting out in the second layer.

A data subject, represented by noyb, filed a complaint against Aller Media AB after visiting the company’s website in May 2021. The data subject claimed that the controller’s legitimate interest was not a valid legal basis for placing non-necessary cookies, and for processing the data collected through the cookies. The data subject also claimed that the controller’s cookie banner was deceptively designed and, therefore, could not collect valid consent.

Holding

The DPA reprimanded the controller for unlawfully processing personal data after their collection, in violation of Article 6(1)(f) GDPR. The DPA did not, however, assess the lawfulness of the collection of the data (see below).

On the DPA's competence and the scope of the decision

The e-Privacy Directive and its national implementations require consent before storing or accessing data on the device of the end user or subscriber of a public communications network and publicly available electronic communications services. In Swedish law, the Directive is implemented by the Electronic Communication Act, which is in turn enforced by the Post and Telecom Authority.

The DPA held that it was for the Post and Telecom Authority to examine whether the controller could lawfully write cookies under the Electronic Communication Act. For this reason, the DPA only examined whether the controller lawfully processed the data after their collection, and did not assess whether the data were collected lawfully to begin with.

On the legal basis of legitimate interest

During the procedure, the controller did not argue or prove that it had a legitimate interest, and did not show how that interest prevailed over the rights and freedoms of the data subjects. Instead, the controller merely stated that it followed the recommendations of its CMP provider IAB Europe.

The DPA held that the controller could not rely on legitimate interest because it failed to document that interest in the first place. The DPA also clarified that data controllers are responsible for ensuring the lawfulness of the processing and may not waive this responsibility by simply referring to a provider’s recommendation.

On the design of the cookie banners

The data controller changed the design of its cookie banner in response to the complaint. For this reason, the DPA set aside the data subject’s complaints about the allegedly deceptive design of the banner.

Comment

The complaint was part of a series of complaints filed with different DPAs over the deceptive design of cookie banners, leading to the creation of the Cookie Banner Taskforce of the EDPB. The Report on the Taskforce’s work can be found on the EDPB’s website.

The DPA held that the case was cross-border in nature. For this reason, the Swedish DPA cooperated with the DPAs of Austria, Denmark, and Italy during the procedure.


English Machine Translation of the Decision

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.


COMPLAINT

See attachment

SUPERVISORY OBJECT
Aller Media AB

Case number:
IMY-2023-16452

Date:
2025-04-28

Decision after supervision according to the Data Protection Regulation – Aller Media AB

Decision of the Swedish Data Protection Authority

The Swedish Data Protection Authority (IMY) finds that Aller Media AB (556002-8325) has violated Article 6(1)(f) of the Data Protection Regulation by processing the complainant's personal data without a lawful basis.

IMY issues a reprimand to Aller Media AB pursuant to Article 58(2)(b) of the Data Protection Regulation.

Statement of the supervisory case

IMY has initiated supervision against Aller Media AB (Aller or the company) for the purpose of investigating a complaint. The complaint is one of several complaints submitted to the European data protection authorities regarding cookies and cookie banners. The complaints mainly concern the design of cookie banners, the placement of cookies and the subsequent processing of personal data after the cookies have been placed on the complainant's browser or device. In order to facilitate cooperation on these complaints, a working group (Cookie Banner Taskforce) was created within the European Data Protection Board (EDPB).

Given the cross-border processing involved, IMY has made use of
the mechanisms for cooperation and consistency provided for in Chapter VII of the GDPR. The supervisory authorities concerned have been the data protection authorities of
Austria, Denmark and Italy.

The complainant has stated in essence the following. Aller has not had a legal basis to process the complainant's personal data through the use of cookies on its website recept.se on 21 May 2021. There has been neither a legitimate interest nor a valid consent. By reinforcing in the cookie banner that it is consent that is the legal basis, Aller has led data subjects to believe that they do not have a choice to object under Article 6(1)(f). It has not been possible to object to the processing in the first layer and there has been no other easy way to exercise their right to object to the processing. The only option to object has been hidden in the banner. It has also not been possible to refuse cookies in the first layer and the company has thus made it more difficult to refuse the processing of personal data. The design of the cookie banner has also been misleading through the choice of color, contrast and links, which has meant that it has not been possible to give informed and voluntary consent in accordance with the Data Protection Regulation. This also contradicts the principle of transparency and information.

Postal address: Box 8114, 104 20 Stockholm
Website: www.imy.se
E-mail: [email protected]
Phone: 08-657 61 00

1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free flow of such data and on the repeal of Directive 95/46/EC (General Data Protection Regulation).

Aller has stated the following in essence. At the stated time in 2021, Aller used both legitimate interest and consent as a legal basis, following a recommendation from the company's Consent Management Platform (CMP) provider. This is to meet both the requirements of the Data Protection Regulation and to comply with the recommendations of the industry organization Interactive Advertising Bureau (IAB). Legitimate interest was thus retained but the company made adjustments in accordance with the IAB's requirements and an adjustment in the text by explicitly mentioning the requirement for consent in the cookie banner. Aller's assessment is that at least since 2023, only consent is the legal basis. Aller only has two purposes that are always active and these are necessary cookies and the visitor's privacy choice.

The complainant has been given the opportunity to comment on Aller's report and has stated that
the parts of the complaint that refer to the possibility of refusing cookies in the first layer, misleading
link design, misleading color and contrast on buttons and that it has not been as easy to
withdraw as to give consent have been addressed. The complainant has also argued
that Aller does not have a legal basis to save information that visitors have not consented and that
the company shares this information with other companies. In support of this, the complainant
has submitted screenshots from Aller's website from 2024.

Scope of the case

The Swedish Post and Telecom Agency is the sole competent supervisory authority over the Electronic Communications Act (LEK) (2022:482) which sets out specific requirements for the storage of cookies in
terminal equipment or the collection of data from such equipment. The
personal data processing that takes place after collection, for example analysis or
profiling, is, however, subject to the rules of the Data Protection Regulation where IMY is the competent
supervisory authority. Against this background, IMY's review has been limited to the
processing of personal data that took place after the data was collected and the shortcomings
alleged in the complaint regarding this subsequent processing.

During the handling of the case, the complainant has stated that the parts regarding the possibility of refusing in the first layer, misleading link design, misleading color and contrast on buttons and that it was not as easy to withdraw as to give consent have now been addressed. IMY therefore sees no reason to investigate this further.

IMY's review concerns the question of whether Aller had a lawful basis to process the complainant's
personal data through the use of cookies on its website on 21 May 2021.
In connection with the statement on Aller's report, the complainant has raised new
objections to Aller's personal data processing concerning the design of the
cookie banner in 2024. IMY considers that the complaint has been investigated to an appropriate extent
without being extended to also include these issues and will therefore not take
a position on these in the case.

Reasoning for the decision

Applicable provisions, etc.

According to the principle of accountability, the controller must be able to demonstrate that
the processing of personal data is carried out in accordance with the data protection provisions. 2

Processing of personal data is only lawful if one of the conditions set out in Article 6 of the GDPR is met. Legitimate interest pursuant to 6(1)(f) is one of the lawful grounds that may support the processing of personal data.

In order for processing to be based on a balancing of interests (also referred to as a legitimate interest) pursuant to Article 6(1)(f) of the GDPR, three conditions must be met. Firstly, the controller or a third party must have a legitimate interest. Secondly, the processing must be necessary for the purposes of the legitimate interest. Thirdly, the interests or fundamental rights and freedoms of the data subjects must not override the legitimate interests (balancing of interests). 3

Recital 47 states that a legitimate interest may exist, for example, where there is a relevant and appropriate relationship between the data subject and the controller, such as the data subject being a customer of or working for the controller. A legitimate interest in any case requires a careful assessment, including whether the data subject can reasonably expect, at the time of and in connection with the collection of the personal data, that the data will be processed for that purpose. In particular, the interests and fundamental rights of the data subject could outweigh the interests of the controller if the personal data are processed in circumstances where the data subject cannot reasonably expect any further processing.

The EDPB’s guidelines on the processing of personal data based on Article 6(1)(f) of the GDPR state that three criteria must be met for a legitimate interest to be considered to exist. 4 The interest must be lawful, which means that it must not conflict with either EU or national law. The fact that an interest is commercial does not exclude that the interest is legitimate, but the decisive factor for this assessment is whether the interest is lawful, specific and constitutes a real and actual interest. Furthermore, the interest must be clearly and distinctly formulated and relate to a real interest that exists at the time of the processing and is not hypothetical. 6

Assessment

The question in the case is whether Aller was able to support the processing of the complainant’s
personal data on 21 May 2021 on the basis of Article 6(1)(f) of the GDPR.

2 Articles 5(2) and 24 of the GDPR.

3 See the judgments of the European Court of Justice of 4 May 2017, Rīgas satiksme, C‑13/16, EU:C:2017:336, paragraph 28, of 11 December 2019, Asociaţia de Proprietari bloc M5A-ScaraA, C-708/18, EU:C:2019:1064, paragraph 40, of 17 June 2021, M.I.C.M., C-597/19, EU:C:2020:1063, paragraph 106 and of 4 July 2023, Meta Platforms and others, C-252/21, EU:C:2023:537, paragraph 106.

5 See EDPB's Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR, version 1.0, paragraph 17.

6 See judgment of the Court of Justice of the European Union of 4 October 2024, Koninklijke Nederlandse Lawn Tennisbond, C-621/22, EU:C:2024:857, paragraph 49.

6 See judgment of the Court of Justice of the European Union of 708/18, paragraph 44.

Aller provides information about the use of cookies on the website in a so-called cookie banner which is displayed, among other things, when the user first accesses the website. In the first layer of the cookie banner, as it appeared at the time of the complaint, there was a button to consent and a link to display the purposes. The information text in the first layer stated that one could consent or manage their choices, including the right to object where legitimate interest is used. The possibility to object was not present in the first layer of the banner. It was further stated that the company processes data to offer the use of precise geodata, create personalized advertising and create a personal profile. In order to be able to refuse all types of processing, a data subject first had to refuse consent and then go ahead and find the option to object to processing for certain purposes.

The assessment below is based on this cookie banner and the company's then
website.

Aller has stated in its cookie banner that the company has a legitimate interest in processing data for profiling and precise geodata. In its communication with IMY, the company has not argued that it actually had a legitimate interest in processing the data. Aller has instead referred to the fact that its CMP supplier has recommended the company to have both consent and legitimate interest as the legal basis for this type of personal data processing. Taking into account the liability in the Data Protection Regulation, IMY does not believe that a data controller can waive its responsibility to ensure that there is a legal basis for the company's personal data processing by referring to a supplier's recommendations. IMY therefore notes that Aller is responsible for ensuring that there is a legal basis for the processing of personal data by the company.

IMY believes that the requirement for consent to collect data via cookies provides a particularly
strong privacy protection and gives data subjects the opportunity to choose and control
how their personal data is used. If the collected data is further processed at a later stage
with legitimate interest as the legal basis, this particular
privacy protection risks being eroded. This special privacy protection for the data subject is therefore something that should be taken into account in a balancing of interests pursuant to Article 6(1)(f).

During IMY's investigation of the case, Aller has not clearly stated what their legitimate interest in the personal data processing in question was or how a balancing of interests should have been carried out. IMY's assessment is that the complainant cannot be considered to have been able to expect such personal data processing solely by visiting Aller's website. Furthermore, the complainant has been able to object to processing only after having refused consent in the cookie banner. Against this background, IMY's assessment is that Aller has not shown that the company was able to support the personal data processing on the legal basis of legitimate interest. In summary, Aller has violated Article 6(1)(f) of the Data Protection Regulation by processing the complainant's personal data without a legal basis.

Choice of intervention

It is clear from Article 58(2) and Article 83(2) of the Data Protection Regulation that the IMY has the power to impose administrative sanctions in accordance with Article 83. Depending on the circumstances of the individual case, administrative sanction fees shall be imposed in addition to or instead of the other measures referred to in Article 58(2), such as for example injunctions and prohibitions. Article 83(2) also states which factors shall be taken into account when deciding whether to impose administrative penalty fees and when determining the amount of the fee. If the infringement is minor, IMY may, as stated in recital 148, issue a reprimand in accordance with Article 58(2)(b) instead of imposing a penalty fee. Consideration shall be given to aggravating and mitigating circumstances in the case, such as the nature, severity and duration of the infringement and previous infringements of relevance.

7 Article 5(3) Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) and Chapter 9, Section 28 of the Electronic Communications Act (2022:482).

IMY notes the following relevant circumstances. The current supervision includes an examination of whether Aller had a lawful basis for processing an individual complainant's personal data. IMY has assessed that the company did not have a lawful basis for processing the complainant's personal data. Aller has made certain changes to its cookie banner after IMY initiated supervision and now states that they have consent as a lawful basis. The company has not previously been found to have violated the Data Protection Regulation.

In a balanced assessment, IMY considers that this is a minor violation within the meaning of recital 148 of the Data Protection Regulation, which entails that Aller Media AB should be given a reprimand in accordance with Article 58(2)(b) of the Data Protection Regulation for the violation found.

__________________________

This decision has been made by the Head of Unit Albin Brunskog after a presentation by the lawyer
Michaela Prieto Ceric

Albin Brunskog

Appendix

The complainant's personal data

Copy to

The Data Protection Officer

How to appeal

If you wish to appeal the decision, you should write to IMY. Indicate in the letter which decision you are appealing and the change you are requesting. The appeal must be received by IMY within three weeks of the date you received the decision. If you are a party representing the public, however, the appeal must be received within three weeks of the date on which the decision was announced. If the appeal has been received in good time, IMY will forward it to the Administrative Court in Stockholm for review.

You can e-mail the appeal to IMY if it does not contain any privacy-sensitive personal data or information that may be subject to confidentiality. The authority's contact details are provided on the first page of the decision.