IMY (Sweden) - DI-2021-5544 Avanza Bank

From GDPRhub
Revision as of 07:33, 3 July 2024 by Mba (talk | contribs) (→‎Facts)
IMY - DI-2021-5544 Avanza Bank
LogoSE.png
Authority: IMY (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 5(1)(f) GDPR
Article 32(1) GDPR
Type: Investigation
Outcome: Violation Found
Started: 24.06.2021
Decided: 24.06.2024
Published: 25.06.2024
Fine: 15000000 SEK
Parties: Avanza Bank
National Case Number/Name: DI-2021-5544 Avanza Bank
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Swedish
Original Source: IMY (in SV)
Initial Contributor: Andreea Lisievici

The DPA fined Avanza Bank AB €1,318,955.55 (SEK 15 million) for failing to implement security measures, leading to the unauthorised transfer of personal data of more than half a million data subjects to Meta by accidentally turning on two functions of the analytics tool Meta Pixel.

English Summary

Facts

The controller, Avanza Bank AB, used Meta’s analytics tool Meta Pixel to measure the effectiveness of the bank’s Facebook advertising. By collecting information about which pages on the controller’s website a person visited, the controller wanted to optimise its marketing measures. This tool would only collect information about a data subject’s website visits, IP addresses and information about certain unique events such as searches on the websites.

Two new functions of the analytics tool, the Automatic Advanced Matching (AAM) and the Automatic Events (AH), were activated by the controller by mistake.

The AAM looked for recognisable form fields and other sources on the controller’s website that contain information such as first name, last name and email address. It transferred data to Meta in hashed form (an irreversible one-way process that converts data into a unique string of characters) if a data subject filled in any of the five different forms of the controller’s website or mobile app. When users logged in and accepted marketing cookies, the AAM collected the personal data, including personal identification number, contact details, loan amounts on existing loans, employers, type of employment and account numbers. With this, Meta-Pixel could match the hashed data with the behaviour of data subjects to the website to obtain a more detailed profile of the data subjects. It is unknown whether this resulted in targeted advertising.

The AH analysed which buttons on the controller’s website and mobile app the user pressed and transmitted this data in plain text to Meta to then make suggestions about marketing on Facebook. However, the controller categorised visual fields as buttons on their website and mobile app. Via AH, personal data of data subjects were collected, including securities holdings and value, loan amounts, account number and email address and social security number.

The controller found out by an external source that the personal data of 500,001 to 1 million individuals were incorrectly transferred to Meta (formerly Facebook) between 15 November 2019 and 2 June 2021 by accidentally turning on these two functions of Meta Pixel. The controller, afterwards, could not determine who and how these functions were turned on.

On June 8, 2021, the Swedish DPA (Integritetsskyddsmyndigheten - "IMY") received the data breach notification from the controller.

The controller argued that the transfer of the data did not entail any harm or risk to the data subjects, as Meta did not use the data for its own purposes or transfer it further, and the data was erased after a request by the controller. All data was transferred by Meta pixel to Meta and the controller's own advertising account with Meta.

Holding

The DPA found that the two functions of the analytics tool that were accidentally activated led to the unauthorised transfer of personal data to Meta. The DPA also noted that the controller failed to detect the activation of these functions. The DPA found that although the controller had formalised procedures in place to ensure the correct processing of personal data before, during and after the introduction of new functions on the website, the controller did not follow its procedures in this case. The controller only became aware of the unauthorised transfer by an external source.

The DPA held that the controller had an obligation under Article 5(1)(f) GDPR and Article 32 GDPR to protect personal data against unauthorised access and processing by implementing appropriate technical and organisational measures.

The DPA noted that the data transferred included sensitive information and concerned a very large number of people. Most of the data was transferred in plain text, posing a high risk to data subjects. The DPA held that the controller should have had a systematic security work that the unauthorised transfer of personal data would have been detected by regularly checks. The controller’s failure to detect and prevent the unauthorized disclosure of personal data indicated a lack of sufficient security measures, thus violating Article 5(1)(f) GDPR and Article 32(1) GDPR.

The DPA found that these were not minor infringement as referred to in Recital 148. Moreover, the controller could not be considered to have been unaware that its behaviour violated the GDPR according to the DPA. The DPA therefore held there were grounds for imposing a fine against the controller.

Thus, the DPA imposed a fine of €1,318,955.55 (SEK 15 million) against the controller for violating Article 5(1)(f) GDPR and Article 32(1) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.

1(15)






                                                                     Avanza Bank AB
                                                                     Regeringsgatan 103

                                                                     111 39 Stockholm






Diary number:
DI-2021-5544 Decision after supervision according to

                               data protection regulation against Avanza

Date:
2024-06-24 Bank AB





                               The Privacy Protection Authority's decision


                               The Swedish Privacy Protection Authority states that Avanza Bank AB (organisation number
                               556573-5668) has processed personal data in violation of articles 5.1 f and 32.1 i
                               the data protection regulation by, in the period from 15 November 2019 to 2
                               June 2021 when using the analysis tool Meta-pixeln have not taken appropriate measures

                               technical and organizational measures to ensure an appropriate level of security for
                               personal data.


                               The Privacy Protection Authority decides with the support of articles 58.2 and 83 i
                               data protection regulation that Avanza Bank AB must pay an administrative
                               sanction fee of 15,000,000 (fifteen million) kroner for the violations of
                               articles 5.1 f and 32.1 of the data protection regulation.



                               Account of the supervisory matter

                               Starting point for supervision


                               The Swedish Privacy Agency (IMY) received on June 8, 2021, a notification about a
                               personal data incident from Avanza Bank AB (the bank). The report showed that
                               personal data of 500,001 – 1 million during the period from November 15, 2019 to

                               with June 2, 2021 erroneously transferred to the bank's partner Facebook
                               (now Meta). Among the data transferred were social security numbers, loan amounts and
                               account number.


                               The background to the incident was that the bank started using Meta's service Facebook-
                               the pixel (now the Meta pixel) in order to optimize the bank's marketing. During 2019
                               Meta developed a new sub-function within the Meta pixel, called Automatic Advanced

Mailing address: Matching (AAM). The incorrect transfer of personal data was caused by the
Box 8114 the new AAM feature was activated by the bank by mistake. The bank became aware of
104 20 Stockholm the transfer via external information. As soon as the bank became aware of the incident
Website:
                               the bank deactivated the Meta pixel in its entirety.
www.imy.se
E-mail:
imy@imy.se 1
                                European Parliament and Council Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with
Telephone: regarding the processing of personal data and on the free flow of such data and on the cancellation of
08-657 61 00 directive 95/46/EC (general data protection regulation). The Swedish Privacy Agency Diary number: DI-2021-5544 2(15)
                               Date: 2024-06-24






                               Against the background of the information in the notification about the personal data incident, IMY started
                               supervision of the bank. The supervision has been limited to what the bank has undertaken
                               appropriate technical and organizational measures to protect website visitors and
                               app users' personal data in accordance with articles 5.1 f and 32.1 i

                               data protection regulation during the period from 15 November 2019 to 2 June 2021.


                               What the bank has stated

                               The bank has essentially stated the following regarding the issues that are the subject of IMY's

                               examination.

                               Personal data responsibility


                               The bank is responsible for personal data for the introduction of the Meta pixel and the subsequent one
                               the transfer of personal data to Meta.


                               The original implementation of the Meta pixel

                               The bank has routines to ensure correct processing of personal data before, i

                               in connection with and after the introduction of new functions on the website. These routines are
                               formalized and documented in the bank's governing documents. According to the bank
                               procedures to ensure correct processing of personal data must initially

                               before each new or changed personal data processing, a review is made and
                               assessment of the planned treatment to ensure that it meets the requirements of
                               data protection regulation. The review is done with the help of, among other things, a
                               documented template for personal data processing which contains several steps which

                               the employee who is responsible for the introduction of a new or changed
                               personal data processing must go through. The steps mean, among other things, that it must
                               a risk analysis of the treatment is carried out, a legal basis must be able to be established and it must

                               ensure that those registered are given correct information about the new one
                               the processing of personal data. Furthermore, the processing must be entered into the bank's
                               register list.


                               The Meta pixel is an analytics tool provided by Meta that helps to
                               measure the effectiveness of the bank's Facebook advertising. The meta pixel transferred and
                               linked a website visitor's activity and behavior on the bank's

                               website with a unique registered user of any of Meta's services. the purpose with
                               introducing and using the Meta pixel was to optimize the bank's marketing.
                               The purpose of the personal data processing was to use targeted advertising

                               Facebook and be able to market the bank to a relevant target group. The meta pixel
                               enabled more relevant marketing to be produced by
                               the marketing could be based on information about which pages on the bank's website
                               as a person visited.


                               Before the bank started the collaboration with Meta, an approval process was carried out
                               where functions at the bank within risk, compliance, legal and information security

                               was involved. Within the framework of this process, issues of bank secrecy were addressed
                               and personal data processing. It was only information about a person's visits
                               web pages, IP address and information about certain unique events, e.g. product selection and
                               searches on the website, which were necessary to process for the purpose in question. Data Protection Agency Diary number: DI-2021-5544 3(15)
                               Date: 2024-06-24






                               Activation of new sub-functions in the Meta pixel


                               In 2019, Meta developed the Meta pixel service by also providing
                               the Automatic Advanced Matching (“AAM”) function. This is a sub-function within Meta-

                               the pixel. In addition to AAM, the Meta pixel also offers the Automatic Events feature
                               ("AH") which can be activated manually and which then tries to detect on its own
                               and capture events and interactions, such as clicks, searches and menu selections, at

                               visit the company's website or in the app.

                               In 2019, the bank's legal department received a request from the marketing department about

                               the opportunity to use one of Meta's functions through which customer data would
                               transferred to Meta. The bank's legal department found that the function in question could not
                               is implemented. It is further the bank's view that if an implementation of a

                               function as AAM would have been subject to internal processes and procedures had it
                               led to the assessment that the bank had not been able to accept the terms and that it did not
                               would be possible to use the function. This is because the function risks

                               involve a transfer of data to Meta that the bank cannot legally carry out in its
                               banking.


                               It has never been the bank's intention to use the functions AAM and AH.
                               The bank has not been able to verify how the functions have been activated. Should the feature have

                               activated by an employee of the bank, it is the bank's opinion that it has taken place
                               mistake. The bank has not taken any decision to activate the AAM function.


                               The bank's transfer of personal data via the AAM function to
                               Meta


                               Automatic Advanced Matching (AAM) feature

                               The function AAM transmitted data in hashed form (with the hashing function

                               SHA256) to Meta if the user filled in one of the five different forms on
                               the bank's website or in the bank's mobile app. Two forms were in the new customer flow (open

                               for visitors, where the visitor intended to become a customer). Three forms related to mortgages and
                               was behind login and could only transfer data from existing customers who
                               entered into a customer agreement with the bank. In order for the data to be transferred, it was required

                               so that a person was logged in to the bank's website and that the person agreed
                               to marketing cookies at the bank. If these conditions were not met
                               AAM was not activated and no data was transferred. If the conditions were

                               met, the following hashed data could be transferred to Meta:

                                   • Social security number

                                   • Contact information, such as phone number, email address, postal code and
                                        postal address
                                   • Loan amount on existing loan

                                   • Employer
                                   • Form of employment
                                   • Account number




                               2IMY's addition: Hashing is a one-way cryptographic function that can be used to accomplish
                               pseudonymization, which is a possible security measure according to Article 32 of the Data Protection Regulation, by
                               personal data is replaced with a so-called hash sum. This means that the replaced personal data is not available
                               in plain text and that additional information is needed to be able to identify the registered person. The Swedish Privacy Agency Diary number: DI-2021-5544 4(15)
                                Date: 2024-06-24






                                By inadvertently activating the AAM feature by the bank, the Meta pixel was able to match
                                they hashed the data with visitors' behavior on the site for profiling.
                                This made it possible to get a more detailed picture of the visitors. Profiling applied

                                only the bank's marketing and was not used by Meta for its own, or others
                                actors' business purposes.


                                Exactly how AAM has affected advertising is not established. That this resulted in directed
                                advertising cannot be excluded.


                                The Automatic Events (AH) feature

                                The AH function passed information in plain text to Meta when a user navigated on

                                the bank's website or in the mobile app. A condition for transfer was that
                                the user agreed to marketing cookies at the bank and was logged in as
                                customer of the bank (with one exception, see below).


                                The data that was transferred in clear text to Meta was unknowingly transferred as it did not exist
                                any intention to show the information to anyone other than the customer. It was from

                                browser or app on the customer's device that the transfer took place and that because of
                                three main factors:


                                1) The function inadvertently activated by the bank at Meta also follows how a
                                users move on a site/mobile (convert). To do so is sent
                                information about which "buttons" – that is, elements on the page/screen – the user

                                presses when he navigates on the site/in the app. Meta accordingly collects
                                information that tells you which button presses take place to understand which context
                                the user converts in. For example, Meta wants to understand that the customer buys something at print
                                on a button with the text "Buy" even if the advertiser has not picked up the buy button

                                as a conversion. This information was sent to Meta.

                                2) The bank uses elements that Meta perceives as buttons, e.g. button marked

                                boxes and drop-down menus, in their code to present certain information to the bank's
                                user. This mainly applies when there are elements on the site/apps that can be accessed
                                press to e.g. show more information. Often these appear as a smaller visual

                                elements that become larger when you press them, and then show more information. When
                                users have pressed these elements to see more information, it has been recorded
                                as regular keystrokes of Meta's script (Meta pixel IMY's note). The script has

                                then compiled the information and sent it to Meta as a registered keystroke.

                                3) Information about keystrokes is not pseudonymized (IMY's note is hashed) by

                                Meta the way other information they collect.

                                These three factors together have caused certain information to be sent to Meta i

                                plain text. It was thus a combination of the (incorrectly) activated functionality
                                along with Meta's handling of button presses and a specific technical solution from
                                the bank that caused the transfer to Meta.


                                In summary, AH analyzed which buttons on the website and mobile app
                                which the user pressed to then make suggestions about marketing on Facebook.

                                The bank's transfer of data via AH arose because the bank categorized
                                visual fields such as buttons on the website and in the mobile app code. Via AH could
                                the following categories of data are transferred to Meta in plain text: The Swedish Privacy Agency Diary number: DI-2021-5544 5(15)
                               Date: 2024-06-24






                                   • Securities holdings and value, such as amount available for purchase, withdrawal and
                                        value development
                                   • Information on loan amount
                                   • Account number and credit limit

                                   • Fees, taxes and current interest rates
                                   • Current orders and today's close
                                   • Company signatory and bank from which the pension is transferred

                                   • Email address and social security number

                               The majority of data transmitted via AH came from buttons behind logged in
                               location with the bank, i.e. buttons that were only shown to customers who signed up

                               customer agreement with the bank. In one place on the bank's website, however, there were expandables
                               panels in the flow for signing occupational pensions, both for individual companies and for
                               limited company, which was open to all visitors, i.e. also information from one

                               limited number of visitors without a customer agreement with the bank and who were therefore not
                               logged in.


                               Measures taken after the personal data incident

                               Meta has confirmed to the bank that the personal data processed has been deleted at
                               Meta in a way that does not allow Meta to reproduce them.


                               The bank's opinion is that the transfer of the data did not entail any damage or
                               risk for the data subjects because Meta did not use the data for its own purposes or

                               transferred them on and that the data is deleted. All information has been transferred by
                               The Meta pixel for Meta and the bank's own advertising account with Meta.

                               In order to detect outgoing traffic, the bank has now established a process for how

                               the bank introduces and manages third-party scripts. It describes how these scripts should
                               are evaluated from a security and integrity perspective and how they are maintained
                               long term.


                               The bank has also moved the scripts from the third-party suppliers to the bank's own
                               system to avoid changes in the script being introduced without the bank
                               draws attention to it.


                               The bank has also supplemented internal guidelines to more clearly describe the error scenario,
                               how it is avoided and what expectations are incumbent on the bank's development team when they

                               handles this type of product.

                               In addition to this, the bank has implemented additional governing documents and routines aimed at
                               to ensure correct processing of personal data. These governing documents

                               contains, among other things, requirements and guidelines in relation to the processing of personal data
                               before, in connection with and after the introduction of new functions on the bank's website.


                               Justification of the decision


                               Applicable regulations, etc.

                               It follows from Article 95 of the Data Protection Regulation that the Data Protection Regulation shall not

                               entail any additional obligations for natural or legal persons who
                               processes personal data, for such areas that are already covered by obligations of the Swedish Data Protection Agency Diary number: DI-2021-5544 6(15)
                                Date: 2024-06-24






                                                                             3
                                according to the so-called eData protection directive. The eData Protection Directive has been implemented in
                                Swedish law through the Act (2003:389) on Electronic Communications (LEK), including

                                other collection of data through cookies is regulated.

                                According to ch. 9 Section 28 LEK, which implements Article 5.3 of the eData Protection Directive, receives data

                                stored in or retrieved from a subscriber's or user's terminal equipment only if
                                the subscriber or user gets access to information about the purpose of

                                the treatment and consent to it. Furthermore, it appears that this does not prevent such
                                storage or access needed to transmit an electronic message via a
                                electronic communication network or which is necessary to provide a service

                                which the user or subscriber has expressly requested. LEK entered into force on
                                22 August 2022. During the time in question in the case, however, the same requirements applied according to

                                6 ch. Section 18 of the Act on (2003:389) on electronic communications. It is Postal and
                                The Swedish Telecom Agency, which is the supervisory authority according to LEK (chapter 1 § 5 of the regulation (2022:511)
                                on electronic communication).


                                The European Data Protection Board (EDPB) has commented on the interaction between

                                eData Protection Directive and the Data Protection Regulation. From the opinion, i.a. follows that it
                                national supervisory authority appointed according to the eData Protection Directive is alone

                                competent to monitor compliance with the Directive. However, the supervisory authority is according to
                                data protection regulation competent supervisory authority for the processing that does not
                                regulated in particular in the eData Protection Directive.4


                                According to Article 4.7 of the Data Protection Regulation, the person in charge of personal data is a physical or

                                legal person, public authority, institution or other body which alone or
                                together with others determines the purposes and means of the processing of
                                personal data. If the purposes and means of the processing are determined by

                                Union law or the national law of the Member States can the personal data controller
                                or the special criteria for how he is to be appointed are prescribed in Union law or in

                                national law of the Member States.

                                The personal data controller is responsible for and must be able to demonstrate that the basic

                                the principles in Article 5 of the Data Protection Regulation are followed. This is apparent from Article 5.2 i
                                the data protection regulation (principle of liability).


                                According to Article 5.1 f of the data protection regulation, personal data must be processed in one way

                                which ensures appropriate security for the personal data, including protection against
                                unauthorized or unauthorized processing and against loss, destruction or damage by
                                accident, using appropriate technical or organizational measures.


                                It follows from Article 32.1 of the data protection regulation that the person in charge of personal data must

                                take appropriate technical and organizational measures to ensure a
                                safety level that is appropriate in relation to the risk of the treatment. At
                                the assessment of which technical and organizational measures are appropriate must

                                data controller take into account the latest developments, implementation costs
                                and the nature, scope, context and purpose of the treatment as well as the risks for

                                rights and freedoms of natural persons.




                                3 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 on the processing of personal data and
                                privacy protection in the electronic communications sector (Directive on Privacy and Electronic Communications).
                                4Opinion 5/2019 on the interaction between the directive on privacy and electronic communications and the general
                                the data protection regulation, especially with regard to the competence, tasks and powers of the data protection authorities,
                                adopted on 12 March 2019, paragraphs 68 and 69. The Swedish Privacy Protection Agency Diary number: DI-2021-5544 7(15)
                                Date: 2024-06-24






                                According to Article 32(1), appropriate safeguards include, where appropriate,

                                    a) pseudonymisation and encryption of personal data,

                                    b) the ability to continuously ensure confidentiality, integrity, availability
                                         and resilience of treatment systems and services,
                                    c) the ability to restore the availability and access to personal data i

                                         reasonable time in the event of a physical or technical incident, and
                                    d) a procedure for regularly testing, examining and evaluating effectiveness
                                         in the technical and organizational measures that must ensure

                                         the safety of the treatment.

                                According to article 32.2 of the data protection regulation, when assessing the appropriate

                                security level special consideration is given to the risks that the treatment entails, in particular
                                for accidental or unlawful destruction, loss or alteration or for unauthorized disclosure of
                                or unauthorized access to the personal data transmitted, stored or otherwise

                                treated.

                                According to ch. 3 Section 10 of the law (2018:218) with supplementary regulations to the EU's

                                data protection regulation, social security numbers and coordination numbers may be processed without
                                consent only when it is clearly justified with regard to the purpose of
                                the processing, the importance of a secure identification or any other reasonable reason.


                                From ch. 1 Section 10 first paragraph of the Act (2004:297) on banking and financing operations
                                (Banking Act) states that individuals' relationships with credit institutions may not be obtained without authorization

                                cleared.

                                The Swedish Privacy Protection Authority's assessment


                                From the investigation in the case it appears that two functions in the analysis tool Meta-pixeln
                                inadvertently activated by the bank. As a result of the features being activated
                                personal data about a large number of people who were logged on to the bank's website

                                or in the bank's app unauthorized transferred to Meta. In some cases also have personal data
                                regarding people who visited the website or app and used a specific service
                                without having been logged in transferred. It is mainly the bank's own customers who have

                                affected by the transfer. The personal data transferred has included, among other things
                                social security number and extensive financial information. The information, including
                                detailed information about customers' finances, has in several cases been transmitted in plain text.


                                According to the bank, it has not been possible to verify afterwards how the functions
                                activated or by whom.


                                IMY initially takes a position on whether the data protection regulation is applicable and whether IMY
                                is the competent supervisory authority.


                                IMY is the competent supervisory authority

                                IMY's review aims at a situation where information about people, mainly customers

                                who were logged in to the bank, inadvertently transferred by the Meta pixel to Meta i
                                in connection with their visiting different parts of the bank's website. This one
                                information management does not mean that data is stored in or retrieved from a

                                subscriber's or user's terminal equipment and is therefore not covered by
                                Chapter 9 Section 28 of LEK or previously applicable corresponding provision in the law (2003:389)
                                on electronic communication. IMY thus states that the data protection regulation is the Swedish Privacy Agency Diary number: DI-2021-5544 8(15)
                               Date: 2024-06-24






                               applicable to the personal data processing in question and that IMY is authorized
                               supervisory authority. It can also be stated that IMY's review concerns the bank
                               have taken sufficient security measures, which is not something that is specifically regulated in LEK.

                               Even that relationship thus means that IMY is the competent supervisory authority.

                               IMY then assesses the issue of personal data responsibility and whether the bank has taken action

                               appropriate security measures according to articles 5.1 f and 32 of the data protection regulation for
                               to protect the personal data of affected website visitors and app users.


                               The bank is responsible for personal data

                               The bank has stated that the bank is responsible for personal data for it

                               personal data processing reviewed in the case. The investigation shows that the purpose
                               with implementing and using the Meta pixel has been to optimize the bank's
                               marketing. By processing information about e.g. visited by a person

                               web pages, searches and product selection have the bank's marketing on Meta's service
                               Facebook could thus be optimized.


                               IMY notes that the bank has determined the purpose and means for the processing of
                               the personal data, i.e. how and why the personal data is to be processed. IMY
                               assesses that it is the bank which according to Article 4.7 of the data protection regulation is

                               personal data controller for the personal data processing covered by the supervision.

                               The treatment involved a high risk and required a high level of protection


                               According to Article 32 of the data protection regulation, the bank has an obligation to protect them
                               personal data that the bank processes by taking appropriate technical and
                               organizational measures. The measures must ensure an appropriate level of security. At

                               the assessment of which level of security is appropriate shall be the responsibility of the personal data controller
                               take into account the costs, the nature, extent, context and purpose of the processing and the
                               risks to the rights and freedoms of natural persons that the processing entails.


                               From ch. 1 Section 10 first paragraph of the Banking Act follows that the person who is or has been connected to
                               a bank may not unauthorizedly disclose information relating to a bank customer's dealings with

                               the bank. The information that a certain person is a customer of the bank or not is also covered
                               the duty of confidentiality. These legal requirements on confidentiality thus apply in the bank's operations.
                               It places high demands on the protection of the personal data processed in the bank's

                               Operation.

                               IMY notes that the data that was handled consisted of, among other things, special

                               personal data worthy of protection, namely social security numbers, which may only be processed
                               under certain conditions. There has also been a question of financial data, such as
                               information on account number, securities holdings, loan amount, and credit limit, for which

                               the data subjects have legitimate expectations of a high degree of confidentiality and a
                               robust protection against unauthorized access. The data transferred has been covered by
                               statutory duty of confidentiality. The processing of personal data has taken place within the framework of

                               the bank's core business, which entails even higher requirements for the level of protection. The bank
                               should have had good ability to ensure a security that was suitable from the outside
                               the scope and sensitivity of the treatment.


                               With regard, among other things, to the fact that the data processed by the bank has been deleted
                               protective nature and affected a very large number of people has the bank's treatment

                               of the personal data in total meant a high risk for natural persons The Swedish Privacy Protection Agency Diary number: DI-2021-5544 9(15)
                               Date: 2024-06-24






                               rights and freedoms. The nature, extent and context of the treatment therefore have
                               entailed a requirement for a high level of protection for the data. The measures would, among other things,
                               ensure that the personal data was protected against unauthorized disclosure and unauthorized

                               access.

                               The bank has not taken sufficient measures to protect the data


                               IMY notes initially that the relationship that the bank transferred the relevant
                               the information to Meta means that the information has not actually been protected against

                               unauthorized disclosure.

                               The bank's information shows that it has formalized procedures to ensure a

                               correct processing of personal data before, in connection with and after the introduction of
                               new functions on the website and that these procedures are documented in the bank's
                               governing document.


                               IMY notes that the bank thus had organizational measures in place in the form of
                               procedures documented in the bank's governing documents. However, the bank currently has

                               the case did not follow its procedures. The bank has had the Meta pixel inserted on parts of the bank's
                               website and app that were intended only for logged-in customers and prospects
                               customers. The two functions AAM and AH in the Meta pixel have subsequently been activated without

                               the bank was aware of it. As a consequence of the fact that the bank upon the introduction of
                               these functions did not follow their routines and documented what happened, it has not
                               been possible for the bank to subsequently verify how or by whom these functions

                               was activated.

                               As a result of the two functions AAM and AH being activated without the bank's knowledge
                               has an unauthorized disclosure of information subject to confidentiality and an unauthorized

                               transfer of personal data has taken place to Meta. This went on for just over a year and a half. To
                               the clearing and the unauthorized transfer stopped was not due to the bank itself
                               paying attention to what was going on, but that the bank received via an external source

                               knowledge of it.

                               The bank has thus lacked the ability to detect the clearing of and the ongoing one

                               the transfer of personal data to Meta. IMY believes that the bank should have had one
                               such systematic security work that this would have been discovered by the bank. One
                               such security work involves checks being carried out with some regularity.

                               Because the bank has only had routines to follow up on documented changes
                               carried out according to established procedures, the bank has lacked the ability to detect and
                               address changes that, as in the current case, were carried out without the routines

                               followed. Against this background, IMY states that the bank has lacked technical and
                               organizational security procedures to systematically follow up and detect accidental
                               changes in their systems.


                               As a result of the bank not applying its organizational security routines when
                               the bank introduced the functions AAM and AH, partly lacking organizational and technical ones

                               security procedures to detect transmissions have personal data of a large number
                               persons unauthorized transferred to Meta. The investigation shows that there has been a question of
                               personal data of approximately 500,000 – 1,000,000 people.


                               In summary, IMY notes that the bank, when using the Meta pixel, does not
                               has taken sufficient technical and organizational measures to ensure a

                               security level that was appropriate in relation to the risk. This means that the bank under the Swedish Privacy Agency Diary number: DI-2021-5544 10(15)
                                Date: 2024-06-24






                                the period from 15 November 2019 to 2 June 2021 has processed personal data in
                                violation of Article 32.1 of the Data Protection Regulation.


                                According to the basic security principle in Article 5.1 f of the data protection regulation
                                personal data must be processed in a way that ensures appropriate security for
                                the personal data, including protection against unauthorized or unauthorized processing and against
                                loss, destruction or accidental damage, using appropriate

                                technical or organizational measures. Through what happened has information about
                                the bank's customers, for example information about social security numbers, account numbers,
                                securities holdings, loan amount and credit limit, transferred to Meta in plain text.

                                In addition, certain information has been transferred in hashed form, which enabled matching with
                                personal data at Meta. It has been a matter of information that is covered by
                                statutory duty of confidentiality. Loss of control of banking information can mean a lot

                                risk to the freedoms and rights of the data subjects. That the matter concerns bank information and that
                                the personal data has also predominantly been cleared and transferred in plain text from
                                According to IMY, a mode logged in for the customers means that what happened is particularly serious.

                                The bank's failure to follow its formalized procedures and lack of ability
                                to discover the unauthorized transfer of personal data is therefore deemed to be of such
                                serious type that the deficiency also involves a violation of Article 5.1 f i
                                data protection regulation.



                                Choice of intervention

                                Legal regulation


                                In the event of violations of the data protection regulation, IMY has a number of corrective measures
                                powers, including reprimands, injunctions and penalty charges. It follows from

                                article 58.2 a–j of the data protection regulation. IMY shall impose penalty fees in addition to or
                                instead of other corrective measures referred to in Article 58(2), depending
                                the circumstances of each individual case.


                                Each supervisory authority must ensure that the imposition of administrative
                                penalty charges in each individual case are effective, proportionate and dissuasive. The

                                stated in Article 83.1 of the Data Protection Regulation.

                                In Article 83.2, the factors to be taken into account in deciding whether an administrative
                                penalty fee must be imposed and what can affect the size of the penalty fee. Of

                                significance for the assessment of the seriousness of the violation is, among other things, its nature,
                                severity and duration.


                                According to Article 83.4, in the event of violations of, among other things, Article 32, it must be imposed
                                administrative penalty fees of up to EUR 10,000,000 or, if one applies
                                company, of up to two percent of the total global annual turnover during

                                previous budget year, depending on which value is the highest.

                                According to Article 83.5, in the event of violations of, among other things, Article 5, it must be imposed

                                administrative penalty fees of up to EUR 20,000,000 or, if one applies
                                companies, of up to four percent of the total global annual turnover during
                                previous budget year, depending on which value is the highest. Privacy Protection Agency Diary number: DI-2021-5544 11(15)
                                Date: 2024-06-24







                                The EDPB has adopted guidelines on the calculation of administrative penalty fees according to
                                the data protection regulation which aims to create a harmonized method and principles
                                                                    5
                                for calculation of penalty fees.

                                If it is a question of a minor violation, IMY receives according to what is stated in reason 148 i

                                instead of imposing a penalty charge, issue a reprimand in accordance with Article 58.2 b i
                                the regulation.


                                IMY's assessment


                                A penalty fee must be imposed


                                IMY has made the assessment that the bank has processed personal data in violation of
                                article 32.1 of the data protection regulation and that the violation is of such a serious nature

                                that it is also a question of a violation of the principles of integrity and
                                confidentiality in Article 5.1 f.


                                The violation has occurred through the bank's processing of personal data with a
                                insufficient level of security, which has led to, among other things, financial information about

                                around 500,000 - 1,000,000 people were unauthorized transferred to Meta for just over a year and
                                half a year's time. The bank has also lacked the ability to detect during this time

                                the transfer of personal data to Meta. IMY believes that the bank should have had one
                                such systematic security work that the transfer of personal data would have
                                discovered in connection with a regular check. The unauthorized transfer has

                                entailed a high risk for the freedoms and rights of the registered, among other things
                                loss of confidentiality of data worthy of protection. Against this background, IMY assesses

                                that it is not a question of such minor violations as referred to in reason 148 i
                                data protection regulation.


                                The European Court of Justice has clarified that it is required that the person in charge of personal data has committed a
                                Violation intentionally or negligently to administrative penalty fees

                                must be enforceable according to the data protection regulation. The European Court of Justice has stated that
                                data controllers may be subject to penalty fees for actions if they cannot
                                are deemed to have been unaware that the conduct constituted a breach, regardless of whether they

                                were aware that they violated the provisions of the data protection regulation.        6


                                According to the principle of responsibility which is expressed, among other things, in Article 5.2 i
                                the data protection regulation shall the person responsible for the processing of personal data
                                ensure and be able to demonstrate that the processing is compatible with the data protection regulation.

                                IMY thus states that the bank is responsible for the personal data being processed
                                in the business, is processed in a way that ensures an appropriate level of security. IMY

                                has established during its examination that the bank did not live up to the requirements that
                                the data protection regulation stipulates in this regard. The bank cannot be considered to have been

                                unaware that its actions entailed a breach of the regulation. The




                                5
                                 EDPB's guidelines Guidelines 04/2022 on the calculation of administrative fines under the GDPR, adopted on 24 May
                                6023.
                                against Valstybinė daemono apogos inspekcija of December 5, 2023, point 81 prie Sveikatos apogos ministrijos
                                and judgment in case C 807/21 Deutsche Wohnen of 5 December 2023, paragraph 76Integritetsskyddsmyndigheten Diary number: DI-2021-5544 12(15)

                                Date: 2024-06-24






                                there are therefore prerequisites for imposing an administrative on the bank
                                penalty fee. 7


                                When determining the size of the penalty fee, IMY must take the circumstances into account

                                as specified in Article 83.2 as well as ensuring that the administrative sanction fee is
                                effective, proportionate and dissuasive.


                                IMY states that violations of Article 5.1 f of the data protection regulation are covered by
                                article 83.5 which means that a penalty fee of up to twenty million euros or four

                                percentage of the global annual turnover in the previous fiscal year, depending
                                whichever is higher, may be imposed.


                                The Avanza group's annual turnover according to the parent company's consolidated accounts must
                                is added as a basis for the calculation


                                When determining the maximum amount of a penalty charge to be imposed on a company

                                shall the definition of the concept of company be used as used by the EU Court of Justice
                                application of Articles 101 and 102 of the TFEU (see recital 150 i

                                data protection regulation). It appears from the court's practice that this includes every entity
                                that carries out economic activities, regardless of the legal form of the entity and the way of doing so
                                financing as well as even if the unit in the legal sense consists of several physical or

                                legal entities.


                                The assessment of what constitutes a company must therefore be based on competition law
                                definitions. The rules for group liability in EU competition law revolve around

                                the concept of economic unity. A parent company and a subsidiary are considered one part
                                of the same economic entity when the parent company exercises decisive influence over
                                the subsidiary. The decisive influence (that is, control) can either be achieved

                                by ownership or by contract. Jurisprudence shows that one hundred percent or
                                almost one hundred percent ownership implies a presumption for control to be considered

                                exist. However, the presumption can be rebutted if the company provides sufficient evidence
                                to prove that the subsidiary acts independently on the market. To refute

                                the presumption, the company must therefore provide evidence relating to the organizational,
                                the financial and legal links between the subsidiary and its parent company which
                                shows that they do not constitute an economic unit even though the parent company owns 100 percent
                                                                       9
                                or almost 100 percent of the shares.


                                Avanza Bank AB is a wholly owned subsidiary of the parent company Avanza Bank Holding AB
                                (publ). According to the presumption described above, it is therefore the turnover for Avanza
                                the group according to Avanza Bank Holding AB's (publ) consolidated accounts which shall

                                is added as a basis for calculating the maximum penalty fee amount.


                                From Avanza Bank Holding AB's consolidated accounts for 2023 it appears that the total
                                global annual turnover was approx. SEK 4,716,000,000. Four percent of it

                                annual turnover is approx. SEK 189,000,000. As this amount is less than the maximum amount
                                as stated in Article 83(5) is the maximum penalty amount that can be determined in
                                the case 20,000,000 euros.





                                7 For the assessment of negligence, see also the Court of Appeal in Stockholm's judgment of 11 March 2024 in case 2829-23 p.12.
                                8 The EU Court's judgment in case C-97/08 P Akzo Nobel NV et al. against the European Commission of 10 September 2009, paragraph 59-
                                61 Adapt/unify footnotes where we refer to the rulings of the European Court of Justice.
                                9 Cf. EDPB's guidelines Guidelines 04/2022 on the calculation of administrative fines under the GDPR, point 125 and
                                where reported rulings. The Privacy Protection Agency Diary number: DI-2021-5544 13(15)
                                Date: 2024-06-24






                                The seriousness of the violation


                                The EDPB's guidelines state that the supervisory authority must assess whether the violation is
                                                                               10
                                of low, medium or high severity.

                                IMY assesses that the following factors are important for the assessment of the infringement

                                seriousness.

                                IMY has established that the bank did not follow its procedures in connection with the functions

                                AAM and AH in the Meta pixel were activated and that the bank has lacked the systematic
                                security work required to detect the unauthorized disclosure and transfer

                                of personal data to Meta. The current security flaws have led to an incident that
                                has affected a large number of registrants and Meta has been able to take part in a large amount
                                personal data, in many cases in plain text, which would not have been transferred to Meta.

                                The information has included financial information and information about social security numbers, i.e.
                                information that requires a high level of protection. The violation has been going on for a long time,

                                from 15 November 2019 until 2 June 2021 when the bank became
                                alerted to the unauthorized transfer of the data. The treatment of
                                the personal data on the bank's website is part of the bank's core business there

                                the information is subject to statutory confidentiality, which means that the breach must
                                considered more serious than if this had not been the case. 11


                                IMY has established that the violation is so serious that it is in addition to a violation of
                                Article 32.1 of the data protection regulation also constitutes a violation of it

                                the fundamental principle of integrity and confidentiality according to Article 5.1 f. IMY
                                assesses, overall, that the violation in question has a low degree of seriousness
                                within the scope of violations of Article 5.1 f.


                                In its assessment of the size of the penalty fee, IMY must also take these into account
                                aggravating and mitigating factors listed in Article 83.2 i

                                data protection regulation. IMY notes that the bank has taken certain measures to
                                alleviate the damage suffered by the registrants according to Article 83.2 c. The bank closed

                                immediately by the pixel functions when the bank was made aware of the transfer.
                                The bank also contacted Meta to ensure that Meta had not processed
                                the data for own purposes and that the data has been deleted at Meta. In addition to this have

                                the bank has implemented additional control documents and routines that aim to ensure
                                a correct processing of personal data. IMY assesses that the bank through these

                                measures taken that could be expected given the nature of the treatment,
                                purpose and scope. The measures taken therefore do not constitute mitigation
                                factor. IMY states that no other circumstances have come to light either

                                which affects IMY's assessment of the size of the sanction fee neither in aggravating manner
                                or mitigating direction


                                The penalty fee must be effective, proportionate and dissuasive


                                The administrative penalty fee must be effective, proportionate and
                                deterrent. This means that the amount must be determined so that the administrative
                                the penalty fee leads to correction, that it provides a preventive effect and that it

                                in addition, is proportionate in relation to current violations as well as to
                                the supervised entity's ability to pay.



                                10 EDPB's guidelines Guidelines 04/2022 on the calculation of administrative fines under the GDPR, point 60.
                                11 EDPB's guidelines Guidelines 04/2022 on the calculation of administrative fines under the GDPR, point 53. Data Protection Authority Diary number: DI-2021-5544 14(15)
                                Date: 2024-06-24






                                In light of the seriousness of the violation, IMY decides that the bank must pay a

                                administrative sanction fee of SEK 15,000,000 for the identified violations.
                                IMY considers this amount to be effective, proportionate and dissuasive.


                                This decision has been taken by acting general manager David Törngren after
                                presentation by senior lawyer Hans Kärnlöf. At the final processing has
                                also Acting Head of Justice Cecilia Agnehall and Head of Unit Catharina Fernquist

                                and the IT and information security specialist Petter Flink participated.


                                David Törngren, 2024-06-24 (This is an electronic signature)

                                Copy to

                                DSOIntegritysskyddsmyndigheten Diary number: DI-2021-5544 15(15)
                                Date: 2024-06-24






                                How to appeal


                                If you want to appeal the decision, you must write to the Swedish Privacy Protection Authority. Enter in
                                the letter which decision you are appealing and the change you are requesting. The appeal shall

                                have been received by the Privacy Protection Authority no later than three weeks from the day you received it
                                part of the decision. If the appeal has been received in time send
                                The Privacy Protection Authority forwards it to the Administrative Court in Stockholm
                                examination.


                                You can e-mail the appeal to the Privacy Protection Authority if it does not contain
                                any privacy-sensitive personal data or information that may be covered by

                                secrecy. The authority's contact details appear on the first page of the decision.