The Swedish Authority for Privacy Protection (IMY) has now stated that four large companies in Sweden have violated the GDPR while using Google Analytics (GA) as a measurement tool. The four companies IMY has reviewed are CDON, Coop, Dagens Industri and Tele2, all of which now have to stop using GA. In addition, Tele2 receives a fine of SEK 12 million and CDON of SEK 300,000. The version of GA the companies used is from August 14, 2020.
The basis is how the four companies transfer personal data to the United States through GA. The European Court of Justice determined in 2020 that the United States doesn’t have a sufficiently high level of protection of personal data. Because of that, forwarding personal data from a country within the EU/EEA to the USA is a violation of GDPR. GA is a common measurement tool for many companies. So this case is also relevant for other companies in Sweden that use GA.
According to IMY, the information that has been transferred can be connected with other unique information that is also passed on. IMY also believes that the companies haven’t taken any technical measures to protect users’ personal data according to the EU/EEA standard. Even if the companies have other technical solutions aiming to protect personal data, they aren’t sufficient. The companies have also used standard contract clauses as a basis for decisions on the transfer of personal data.
– These decisions have bearing not only on these four companies, but can also provide guidance for other organizations that use Google Analytics, says Sandra Arvidsson, the lawyer who led the reviews of the companies.
Spotify receives fine of SEK 58 million for violations of the GDPR
Spotify was also fined in June for violating GDPR. At the time, IMY determined that the information from Spotify isn’t clear enough regarding how they use saved personal data. According to GDPR, every individual has the right to know which personal data a company handles and how it’s used.
Ensuring that a company follows GDPR regulations isn’t always easy. As a company, you can transfer personal data if the country you forward the data to is one that the EU Commission has decided has a sufficiently high level of protection of personal data. If it’s a country the EU Commission hasn’t made a decision about, companies can transfer data with the support of standard contract clauses that the EU Commission has decided on. However, according to the EU Court, additional protective measures sometimes have to be taken along with the standard clauses.
Making sure your company follows GDPR regulations isn’t always easy, especially when you also have to make sure that the tools and programs you use comply with GDPR.