Dutch regulator reprimands Takeaway over illegal Google Analytics data transfers

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) has formally reprimanded Takeaway.com, owner of the Thuisbezorgd.nl food delivery platform, for unlawful transfers of personal data to the United States via Google Analytics. The decision adds another chapter to the growing regulatory pressure across Europe on companies that rely on U.S.-based analytics tools without adequate data protection safeguards.

What the Dutch regulator found

According to the AP, Takeaway used Google Analytics in a way that resulted in personal data of website visitors being transmitted to the U.S. without sufficient legal protection under EU law. The processing in question took place before the introduction of Google Analytics 4 and before companies widely adopted enhanced privacy configurations and supplementary safeguards.

The regulator concluded that:

Data collected through Google Analytics could be linked to individual users or devices.
That data was transferred to servers in the United States, where it may be accessible to U.S. authorities.
At the time of the processing, there were no adequate safeguards in place to ensure a level of protection essentially equivalent to that required in the EU.

As a result, the AP found that Takeaway violated core provisions of the General Data Protection Regulation (GDPR) related to international data transfers.

Context: Schrems II and the EU–US data transfer problem

This reprimand cannot be understood in isolation. It is part of a broader legal and political context that began with the Schrems II judgment of the Court of Justice of the European Union (CJEU) in July 2020. In that ruling, the CJEU invalidated the EU–US Privacy Shield framework, which many companies had relied on to justify transferring data to the U.S.

Following Schrems II:

Companies using U.S.-based services, including analytics and cloud tools, were required to assess whether U.S. law allows authorities to access EU personal data in ways incompatible with EU privacy standards.
Supervisory authorities across Europe, including the Dutch AP, began examining Google Analytics implementations more closely.
Several regulators in other EU countries (such as Austria, France, and Italy) have already declared certain uses of Universal Analytics non-compliant with GDPR.

The Takeaway case fits into this pattern, highlighting that EU regulators are still scrutinizing how organizations handle transatlantic data flows, even as new frameworks like the EU–US Data Privacy Framework are being introduced.

Why Google Analytics is under scrutiny

Google Analytics is one of the most widely used web analytics tools globally, providing insights into user behavior, traffic sources, and conversion performance. However, its traditional architecture has raised concerns for privacy regulators because:

IP addresses and other identifiers can, in combination, be treated as personal data under the GDPR.
Data is often processed and stored on servers in the U.S., where intelligence agencies may have broad access powers.
Standard contractual clauses (SCCs) alone may not be sufficient if the legal environment in the destination country undermines those contractual protections.

The AP’s reprimand signals that even well-known, industry-standard tools are not exempt from GDPR scrutiny. Companies cannot assume that using a popular platform automatically makes their processing compliant.

Takeaway’s response and remedial measures

The Dutch authority opted for a reprimand rather than a fine, which suggests that Takeaway has since taken steps to address the issues raised. Typically, in such cases, remedial actions may include:

Adjusting Google Analytics settings to reduce the identifiability of users (e.g., IP anonymization, shorter data retention periods).
Implementing additional technical and organizational safeguards around international transfers.
Exploring alternative analytics solutions with EU-based hosting or stronger privacy guarantees.

The case nonetheless serves as a public warning: even if corrective measures are taken later, past non-compliance can still result in formal enforcement actions and reputational risk.

Implications for marketers and website operators

For digital marketers, e-commerce businesses, and publishers, this decision reinforces several key points:

Compliance is not optional: Analytics and tracking must be designed with GDPR and ePrivacy rules in mind from the outset.
International transfers require due diligence: Companies need to understand where data flows, which subprocessors are involved, and what legal basis is used.
Configuration matters: How tools like Google Analytics are implemented (e.g., IP masking, consent mechanisms, data minimization) can make the difference between lawful and unlawful processing.
Documentation is essential: Organizations should maintain records of transfer impact assessments, data processing agreements, and technical safeguards.

Regulators are increasingly aligning on the view that simply embedding third-party scripts without a robust compliance strategy is no longer acceptable.

Trends in privacy enforcement across Europe

The Takeaway case reflects a broader enforcement trend:

Data protection authorities are moving from guidance and soft law to concrete enforcement against specific implementations of analytics and adtech.
There is growing scrutiny of cookie banners, consent mechanisms, and tracking practices across the EU.
Regulators increasingly coordinate through the European Data Protection Board (EDPB), which can lead to more consistent decisions across member states.

Companies active in multiple EU markets should expect that similar implementations may be challenged in several jurisdictions at once, and that past enforcement actions—such as this reprimand—will be used as reference points in future cases.

What organizations should do now

In light of the Dutch authority’s findings, organizations using Google Analytics or similar tools should consider:

Conducting a data mapping exercise to understand what data is collected, where it is processed, and on what legal basis.
Reviewing their analytics configuration, including IP handling, user IDs, event data, and retention settings.
Ensuring that cookie consent banners and privacy policies are accurate, transparent, and reflect actual practices.
Evaluating whether an EU-hosted or privacy-centric analytics solution might better align with their risk appetite and compliance obligations.

For large platforms and brands, privacy is now a strategic issue, not just a legal checkbox. Non-compliance can result in regulatory action, user distrust, and operational disruption.

Conclusion: A clear signal to the digital industry

The reprimand against Takeaway by the Dutch Data Protection Authority is more than an isolated incident; it is a clear signal to the entire digital ecosystem that international data transfers via common tools like Google Analytics remain a high-risk area under GDPR.

As EU regulators continue to test the boundaries of lawful data flows to the U.S., companies that rely on transatlantic services must proactively adapt—by strengthening safeguards, rethinking tool choices, and embedding privacy-by-design into every aspect of their analytics and marketing stack.