IMY (Sweden) - IMY-2022-3270: Difference between revisions

From GDPRhub
}}
}}


The DPA fined the controller SEK 37,000,000 (approximately €3,200,000) for a violation of [[Article 32 GDPR|Article 32 GDPR]]. An erroneous setting of Meta’s pixel, embedded in the controller’s website, led to a larger transfer of personal data to Meta than intended.


== English Summary ==


=== Facts ===
A Swedish pharmacy company, Apoteket AB (the controller), had been using [https://www.facebook.com/business/tools/meta-pixel the Meta pixel] for marketing purposes since 2017. The pixel served to measure the controller’s marketing activity on Facebook and Instagram and, additionally, to promote the controller’s products to visitors of certain pages (the self-care product category). By default, the controller disabled the pixel within the part of the website dedicated to prescription goods. At the same time, the pixel collected data about other products offered by the controller, in particular products for treating a variety of disorders (for example allergies or stomach disorders) and sexual wellness products.


In 2020, an employee of the controller, acting without the authorisation or knowledge of the controller, activated the [https://developers.facebook.com/docs/meta-pixel/advanced/advanced-matching/ Advanced Matching] function of the pixel. The employee was one of three employees managing the pixel within the controller’s organisation. As a result, the pixel collected more data about customers than before, supplementary data that was not necessary for the purposes of the processing, and this additional data was transferred to Meta.


When a customer made a purchase with the controller, Meta received hashed data related to the customer, namely contact data, first and last name, social security number and address data. Meta was then able to match the data with a Facebook user ID and subsequently deleted the hashed data. The estimated number of data subjects affected by the incident was up to 930,000.
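The following Python example is added here to illustrate the mechanism described above; it is not part of the GDPRhub summary or the IMY decision. It models pixel-style hashing of customer identifiers, shows why a recipient that already holds the plaintext (Meta's position for its own users) re-identifies the hashes, and adds a sender-side check for the failure mode from the case, a social security number travelling in the telephone field. The normalisation rules (trimmed, lower-cased e-mail; digits-only phone) are an assumption that only approximates advanced matching, and every customer, user and number in it is constructed.

```python
"""Added example: SHA-256 hashing of customer identifiers is pseudonymisation, not
anonymisation, towards a recipient that already holds the same identifiers; and a
Swedish personal identity number in the phone field survives digits-only
normalisation unless the sender checks the format first.
Assumed normalisation rules and constructed data; nothing here comes from the decision."""
import hashlib
import re
from datetime import date


def normalize(field: str, value: str) -> str:
    """Normalise one identifier before hashing (assumed rules, see module docstring)."""
    value = value.strip()
    if field == "ph":
        return re.sub(r"\D", "", value)  # digits only: '+46 70-123 45 67' -> '46701234567'
    return value.lower()                  # e-mail and other text fields


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def hash_fields(fields: dict) -> dict:
    """Hash each identifier as a pixel with advanced matching enabled would send it."""
    return {f: sha256_hex(normalize(f, v)) for f, v in fields.items()}


class Recipient:
    """A party holding plaintext identifiers of its own users. It computes the same
    hashes once, so a hashed purchase event maps straight back to a user id."""

    def __init__(self, users: dict):
        self._index = {}
        for uid, fields in users.items():
            for f, v in fields.items():
                self._index[(f, sha256_hex(normalize(f, v)))] = uid

    def match(self, hashed_event: dict):
        """Return the user id behind the first hash that is already known, else None."""
        for f, h in hashed_event.items():
            uid = self._index.get((f, h))
            if uid is not None:
                return uid
        return None


def _plausible_birth_date(digits: str) -> bool:
    yy, mm, dd = int(digits[-10:-8]), int(digits[-8:-6]), int(digits[-6:-4])
    years = [int(digits[:4])] if len(digits) == 12 else [2000 + yy, 1900 + yy]
    for year in years:
        try:
            date(year, mm, dd)
            return True
        except ValueError:
            continue
    return False


def looks_like_swedish_personal_number(digits: str) -> bool:
    """Heuristic: 10 digits (YYMMDDNNNC) or 12 (YYYYMMDDNNNC) with a plausible date
    part and a Luhn check digit over the 10-digit form. A 10-digit Swedish mobile
    number may pass the date test but almost never the Luhn test as well."""
    if not digits.isdigit() or len(digits) not in (10, 12) or not _plausible_birth_date(digits):
        return False
    short = digits[-10:]
    total = 0
    for i, ch in enumerate(short[:9]):           # weights 2,1,2,1,... over the first nine digits
        prod = int(ch) * (2 if i % 2 == 0 else 1)
        total += prod // 10 + prod % 10          # digit sum of each product
    return (10 - total % 10) % 10 == int(short[9])


def safe_hash_fields(fields: dict):
    """Sender-side check: refuse to hash and send a 'ph' value that is really a
    personal identity number. Returns (hashed fields, dropped field names) so the
    caller can alert on every dropped field instead of losing it silently."""
    kept, dropped = {}, []
    for f, v in fields.items():
        if f == "ph" and looks_like_swedish_personal_number(normalize("ph", v)):
            dropped.append(f)
            continue
        kept[f] = v
    return hash_fields(kept), dropped


# Constructed sample data: the recipient's user base and two purchase events.
RECIPIENT = Recipient({
    "user-1": {"em": "anna.example@example.com", "ph": "+46701234567"},
    "user-2": {"em": "erik.example@example.com"},
})
PURCHASE_EVENT = {"em": "  Anna.Example@Example.com ", "ph": "+46 70-123 45 67"}
BANKID_EVENT = {"em": "erik.example@example.com", "ph": "811218-9876"}  # personal number in the phone field

if __name__ == "__main__":
    print("re-identified as:", RECIPIENT.match(hash_fields(PURCHASE_EVENT)))  # user-1
    print("unguarded send:", sorted(hash_fields(BANKID_EVENT)))                # ['em', 'ph']
    print("guarded send dropped:", safe_hash_fields(BANKID_EVENT)[1])          # ['ph']
```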


As soon as the controller identified the new settings of the pixel (in 2022), it disabled the Advanced Matching function. The controller asked Meta to delete the data collected via the pixel. Meta explained that it had already deleted data older than two years and that it was unable to manually delete the more recent data. Additionally, the controller published an announcement on its website informing the data subjects about the situation. Moreover, the controller implemented new technical and organisational measures to reduce the risk of future violations of that kind (inter alia, additional screening of the website’s cookie settings and an e-learning course for employees).


=== Holding ===
The DPA found that the controller had violated [[Article 32 GDPR#1|Article 32(1) GDPR]]. According to the DPA, the categories of data processed by the controller via the pixel entailed a high risk for the data subjects (inter alia because of their potentially sensitive nature). Because of that, the controller was obliged, by default, to implement adequate technical and organisational measures.


The DPA acknowledged the controller’s proactive approach to its data protection duties, inter alia the detailed risk assessments performed and the ongoing compliance monitoring. The controller had also established and implemented a policy of reviewing purchased services from an IT security and data protection perspective. Nevertheless, the controller’s employee did not follow these rules in practice. Hence, in the DPA’s view, the controller failed to adequately assess the risk associated with the pixel. Also, the controller did not identify the erroneous setting of the pixel for two years, which showed that the compliance monitoring was not functioning well.


<pre>
<pre>
1(16)
Diary number: IMY-2022-3270
Date: 2024-08-29

Decision after supervision according to the data protection regulation – Apoteket AB

The Swedish Authority for Privacy Protection's decision

The Swedish Authority for Privacy Protection (IMY) finds that Apoteket AB (556138-6532) has processed personal data in violation of Article 32(1) of the Data Protection Regulation (1) by not having taken appropriate technical and organisational measures to ensure an appropriate level of security for personal data when using the analysis tool the Meta pixel during the period 19 January 2020–25 April 2022.

IMY decides, pursuant to Articles 58(2) and 83 of the Data Protection Regulation, that Apoteket AB must pay an administrative fine of SEK 37,000,000.

Description of the supervisory matter

Background etc.

On 25 April 2022, Apoteket AB (Apoteket) submitted a personal data breach notification to IMY. The notification showed that Apoteket used Meta Platforms Ireland Limited's (Meta's) analytics tool the Meta pixel on its website www.apoteket.se (the website) to improve advertising to customers, and had thereby allowed the transfer to Meta of data about customers and website visitors that was not meant to be transferred. Apoteket discovered the incident through information from an outsider. The breach notification was preceded by information in the media that Apoteket transferred certain information about its customers' online purchases to Meta.

IMY began supervision in May 2022 against the background of the information contained in the breach notification. The supervision has been limited to the question of whether Apoteket had taken appropriate technical and organisational measures in accordance with Article 32 of the Data Protection Regulation.

1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

Postal address: Box 8114, 104 20 Stockholm. Website: www.imy.se. E-mail: imy@imy.se. Telephone: 08-657 61 00.

The processing at IMY has taken place through an exchange of letters with Apoteket. IMY has also obtained information from Meta about how the Meta pixel and its filtering mechanism work.

What Apoteket has stated

Apoteket has essentially stated the following regarding the question under examination.

Responsibility as controller

Apoteket is the controller for the part that relates to the implementation of the Meta pixel (formerly the Facebook pixel) and the transfer of data to Meta (formerly Facebook).

The purpose of the processing

Apoteket has used the Meta pixel since 2017. The processing has, overall, been carried out for marketing purposes. The primary purpose was to measure the effect of the company's marketing on Meta's social media platforms Facebook and Instagram. The secondary purpose was to market products to visitors who had visited product pages for self-care without shopping, in order to get these customers to shop at a later time. The pixel was used for the secondary purpose to a limited extent and during limited periods. On 19 January 2020, the automatic variant of the Meta pixel's advanced matching function (the AAM function) was activated, which meant that more data than before came to be processed. The activation of the AAM function was not necessary to fulfil the purposes of the processing. The activation of the Meta pixel and the AAM function was carried out by individual employees without a prior risk assessment, contrary to Apoteket's routines. Apoteket became aware that information which could be considered sensitive had been shared only after the media reported on it. Apoteket decided to immediately disable the Meta pixel and the AAM function on 25 April 2022, after the company's attention had been drawn to the extent of the data that had been transferred.

What personal data was transferred to Meta

The transfer to Meta has not looked the same for all customers but has depended on the customer's actions on the website. Apoteket has not transferred information about customers who declined marketing cookies. For customers who accepted marketing cookies, the following event data was generally transferred through the Meta pixel:
    • URL
    • value (value of the product or of the total customer basket)
    • currency (="SEK")
    • content IDs (product ID, Apoteket's internal product number)
    • content type (="Product")
    • IP address.
Since the AAM function was activated, the following contact information has also been transferred:
    • first and last name
    • email address
    • telephone number
    • social security number
    • gender
    • city
    • postal code
    • country.
The contact information was transferred only in the case of completed purchases, and then in hashed form, which meant that Meta could read the information only if it already held the equivalent information. Meta then attempted to match the transferred contact information with a user ID on Facebook and thereafter deleted it. When a customer logged in to "My pages" with mobile BankID, the social security number was transferred because it was interpreted as a telephone number.

Apoteket made an active choice not to transfer information about prescription goods. The exclusion was achieved by the part of the website where a customer can put a prescription item in the cart not containing the Meta pixel. Furthermore, order lines containing prescription products were filtered out of the product data by Apoteket's server at the time of purchase, before the data was transferred to Meta. If a visitor accepted marketing cookies and made a purchase, information about the following products and/or product categories was shared via the Meta pixel with the AAM function enabled:
    a) self-tests and treatment for venereal diseases
    b) contraceptives and the morning-after pill
    c) sex toys
    d) products for vaginal health (e.g. dry mucous membranes, menopause and vaginal fungal infections)
    e) products for prostate problems and urinary problems
    f) pregnancy tests, ovulation tests and pregnancy products
    g) products for the treatment of fungal infections (e.g. athlete's foot or nail fungus)
    h) products for the treatment and control of diabetes
    i) products for the treatment of rectal disorders (e.g. anal fissures and haemorrhoids)
    j) products for the treatment of stomach disorders (e.g. IBS, constipation and diarrhoea)
    k) products for the treatment of migraine
    l) products for the treatment of allergy
    m) accessories for hearing aids
    n) products for the treatment of bacterial infections
    o) products for the treatment of psoriasis
    p) products for the treatment of rosacea
    q) ostomy products.

Meta is essentially an authorised recipient, and the transfer of website visitors' information has as such not been unauthorised. What constituted a personal data breach is the possible transfer of sensitive personal data. Not all products in Apoteket's range can, however, be considered to provide information about a person's health or sex life, but only products from a so-called privacy-sensitive range in combination with direct personal data. Nor do a person's actions on the website necessarily indicate anything about the individual's health or sex life until the customer has placed a privacy-sensitive product in the shopping cart or completed a purchase of such a product. Even then it is not obvious that this says something about the individual customer, because many buy products for others, for preventive purposes or for a "home pharmacy". In addition, the self-care products that Apoteket sells do not as a whole belong to the so-called privacy-sensitive range. The legal situation in this area is unclear and it is difficult to say categorically that sensitive personal data has been transferred.

If sensitive personal data has been transferred, this was not Apoteket's intention. However, Apoteket has a data processing agreement with Meta, so this is not a case of an unknown recipient of the data. The transfer did not take place in an uncontrolled manner in the sense that unauthorised persons gained access to the information through a hacker attack with obvious malicious intent. The actual risk to the data subjects is therefore assessed as moderate. The transfer of social security numbers did not increase the risk to the data subjects because the data was transferred in garbled form, hashed with SHA256, and then deleted by Meta because the data could not be matched. The primary shortcoming consists in the fact that the data subjects have to some extent lost control over their personal data, but Apoteket's actions did not in themselves increase the risk to the data subjects. It should be seen as mitigating that Meta had an active signal filtering mechanism that filtered out sensitive data. The information has therefore not been shared further or used by Apoteket or Meta. The damage to the data subjects is thus limited.
Scope of the incident

The incident was estimated at the time of reporting to have affected 500,001–1,000,000 data subjects. Apoteket has subsequently stated that it is not possible to give an exact figure for the number of data subjects affected by the incident. This is, among other things, because it is not a matter of a leak from a register or database over which Apoteket had full control and transparency, and because the transfer of data took place directly between the user's browser and Meta. The circle of potentially affected data subjects is affected by several factors. The maximum number of affected individuals is 930,000. The calculation is based on the number of purchases made via the web during the period in question, taking into account that a certain percentage of purchases were made by repeat customers and by customers who used ad blockers or refused the use of cookies. Apoteket's view is that the incident covers only completed purchases, and not information that a person clicked on products, added products to the shopping cart or started payment. Nine percent of total web sales during the period in which the incident took place consisted of products belonging to the categories listed above under points a–q. Regarding the amount of personal data transferred, Apoteket has otherwise stated that the number of unique products per purchase carried out during the period amounts to 1.41 products per customer. In assessing how much sensitive personal data was transferred, however, it must be taken into account that some of the purchases included self-care products (which do not reveal information about health), were made for others or comprised several packages of the same product.

Technical and organisational security

Before the incident, Apoteket had proactive processes in place to ensure correct handling of personal data, including detailed risk assessments and reviews by the data protection officer of matters relating to personal data. Apoteket's development process contains several checkpoints to capture risks and ensure correct processing of personal data. The checkpoints consist of new solutions or functions on the website being reviewed from an information security and data protection perspective (through an information analysis), from an architectural perspective and contractually (if the solution is bought in), and being code-reviewed before the solution goes into production on the website. Apoteket also carries out audits and penetration tests of the website in order to detect and fix vulnerabilities.

In the present case, Apoteket's established routines for IT development and risk assessment were not followed by individual employees. A probable cause, which is not a defence, may have been that the functionality was very easy to activate without any real development effort. At the time the AAM function was enabled, administrator authorisation in the Meta Business Manager tool was held by two professional roles, comprising a total of three people. As a routine, authorisations to the Meta Business Manager tool, including the AAM function, are reviewed and regularly checked to ensure that only people who need access have it. Certain other desirable routines for review and follow-up were not set up, because the activation of the pixel and the AAM function did not follow Apoteket's regular routines.

2 Hashing is a one-way cryptographic function that can be used to achieve pseudonymisation, which is a possible security measure under Article 32 of the Data Protection Regulation, by replacing personal data with a so-called hash sum. This means that the replaced personal data is not available in plain text and that supplementary information is necessary for the data subject to be identified.
After the Meta pixel and the AAM function were deactivated, Apoteket had a dialogue with Meta about deletion of the data. Meta stated that data older than two years had already been deleted, but that the company could not manually delete the data from the last two years. Apoteket produced general information for data subjects about the event, which was published on the website at the end of April and in May 2022. To be able to respond to specific questions from customers, an information document was prepared for Apoteket's employees. Apoteket has also taken measures to reduce the long-term risk of similar events. The company has carried out an inventory and analysis of cookies and analysis tools on the website, introduced a professional role with overall responsibility within the marketing department in order to ensure compliance with rules and guidelines, and improved its control model for information security. Employees already previously completed an annual security e-training that includes a chapter on data protection and information security. To further strengthen awareness after the incident, short e-training courses in IT and information security have been introduced.

Choice of corrective measure

Apoteket has transferred information to Meta that should not have been shared. However, the damage has been limited. Nor has the breach affected the substance of the fulfilment of Apoteket's obligations under Article 32 of the Data Protection Regulation. Apoteket immediately reported the breach to IMY and took the measures that were possible to reduce the consequences of the breach. These circumstances, together with the fact that the breach occurred through negligence, mean that it is a breach of minor importance and that it is therefore sufficient to issue a reprimand.

As for the seriousness of the breach, it has only to a small extent prevented effective application of Article 32 of the Data Protection Regulation. Furthermore, the breach occurred within business activities, and the nature of the processing has therefore not entailed any special risks. Nor has there been any relationship of dependence between the data subjects and Apoteket. The processing took place for marketing purposes, which is not part of Apoteket's core business, which consists of providing prescription and non-prescription medicines. The personal data breach has admittedly included a relatively large number of data subjects, but the level of damage caused by the breach is low. The breach should be considered to be of at most medium seriousness.

There are reasons to consider how turnover is calculated in other areas of EU law, primarily competition law. This is because the majority of Apoteket's turnover derives from parts of Apoteket's operations other than that in which the breach occurred, such as traditional retail as well as the care and dose business. According to the Commission's Guidelines on the method of setting fines imposed pursuant to Article 23(2)(a) of Regulation No 1/2003 (3), the basic amount for the calculation is determined by reference to the value of the goods or services that have a direct or indirect connection with the infringement and which the undertaking sold in the relevant geographic area within the EEA. By analogy, the part of Apoteket's turnover that relates to the part of the operations in which the infringement took place should be taken into account, i.e. the turnover relating to online sales of over-the-counter medicines, personal care products, hygiene items and skin care.

3 Council Regulation (EC) No 1/2003 of 16 December 2002 on the implementation of the rules on competition laid down in Articles 81 and 82 of the Treaty.

There are several mitigating circumstances surrounding the breach, including the measures taken by Apoteket to alleviate the consequences for the data subjects, the fact that Apoteket cooperated fully with IMY, and the fact that information was filtered out and therefore did not reach Meta for further processing. Apoteket also reported the incident to IMY on its own initiative. Since financial gain from the breach can be seen as an aggravating factor when calculating the fine, Apoteket wishes to clarify that any increase in sales that could possibly be linked to the use of the AAM function is next to non-existent.
Justification of the decision
IMY must initially decide whether the Data Protection Regulation is applicable and whether IMY is the competent supervisory authority. If so, IMY must examine whether Apoteket is the personal data controller and whether the company has taken appropriate security measures under Article 32 of the Data Protection Regulation to protect the personal data processed through the Meta pixel, with the AAM feature enabled, during the period 19 January 2020 to 25 April 2022.
IMY's competence
Applicable regulations
It follows from Article 95 of the Data Protection Regulation that the Regulation shall not impose additional obligations on natural or legal persons processing personal data in areas that are already subject to obligations under the so-called ePrivacy Directive.[4] The ePrivacy Directive has been implemented in Swedish law through the Act (2003:389) on Electronic Communications (LEK), which among other things regulates the collection of data through cookies.
According to Chapter 9, Section 28 of LEK, which implements Article 5.3 of the ePrivacy Directive, information may be stored in or retrieved from a subscriber's or user's terminal equipment only if the subscriber or user is given access to information about the purpose of the processing and consents to it. Furthermore, this does not prevent such storage or access as is needed to transmit an electronic message via an electronic communications network, or as is necessary to provide a service which the user or subscriber has expressly requested. LEK entered into force on 22 August 2022. During the period in question in the case, however, the same requirements applied under Chapter 6, Section 18 of the Act (2003:389) on Electronic Communications. The Swedish Post and Telecom Authority (PTS) is the supervisory authority under LEK (Chapter 1, Section 5 of the Ordinance [2022:511] on electronic communications).
The European Data Protection Board (EDPB) has commented on the interaction between the ePrivacy Directive and the Data Protection Regulation. From the opinion it follows, among other things, that the national supervisory authority appointed under the ePrivacy Directive is alone competent to monitor compliance with that Directive. However, under the Data Protection Regulation, IMY is the competent supervisory authority for processing that is not specifically regulated in the ePrivacy Directive.[5]
[4] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on Privacy and Electronic Communications).
[5] Opinion 5/2019 on the interaction between the Directive on Privacy and Electronic Communications and the General Data Protection Regulation, in particular regarding the competence, tasks and powers of the data protection authorities, adopted on 12 March 2019, paragraphs 68 and 69.
IMY's assessment
IMY's review concerns a situation where data subjects have used a service on Apoteket's website in order to order a product and have themselves provided the information which the Meta pixel has captured. This handling of information does not mean that data is stored in or retrieved from a subscriber's or user's terminal equipment, and it is thus not covered by Chapter 9, Section 28 of LEK or by the previously applicable equivalent provision in the Act on Electronic Communications. This means that the Data Protection Regulation is applicable to the personal data processing at issue and that IMY is the competent supervisory authority. In addition, IMY's review concerns whether Apoteket has taken sufficient security measures, which is not something that is specifically regulated in LEK. That circumstance, too, means that IMY is competent to examine the issue to which the supervisory matter relates.
Personal data responsibility
Applicable regulations
According to Article 4.7 of the Data Protection Regulation, the personal data controller is the one who, alone or together with others, determines the purposes and means of the processing of personal data. That purposes and means can be determined by more than one actor means that several actors can be controllers for the same processing.
According to Article 5.2 of the Data Protection Regulation, the controller shall be responsible for, and be able to demonstrate, compliance with the principles in Article 5.1 (the accountability principle).
IMY's assessment
Apoteket has stated that the company is the personal data controller for the introduction of the Meta pixel and for the transfer of data to Meta that has taken place.
The investigation in the matter shows that Apoteket introduced the Meta pixel on its website, a script-based tool in the form of a piece of code that records visitor actions and transmits the information to Meta, and then activated the AAM function. The purpose of the Meta pixel has been to increase the effectiveness of the company's marketing and, in certain cases, to target ads to previous visitors to the website. Apoteket has thus determined how the processing is to be carried out and for what purpose the personal data is to be processed. IMY therefore assesses that Apoteket is the personal data controller for the processing of personal data that has taken place through the use of the Meta pixel with the AAM function activated.
Has Apoteket ensured an appropriate level of security for the personal data?
Applicable regulations
The requirement to take appropriate protective measures
It follows from Article 32.1 of the Data Protection Regulation that the personal data controller must take appropriate technical and organizational measures to ensure a level of security appropriate in relation to the risk of the processing. According to the same provision, account shall be taken of the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks, of varying likelihood and severity, for the rights and freedoms of natural persons. According to Article 32.1, appropriate protective measures include, where appropriate,
a) pseudonymisation and encryption of personal data,
b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services,
c) the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident, and
d) a process for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures that are to ensure the security of the processing.
When assessing the appropriate level of security, according to Article 32.2, particular account must be taken of the risks that the processing entails, in particular from accidental or unlawful destruction, loss or alteration of, or unauthorized disclosure of or unauthorized access to, the personal data transferred, stored or otherwise processed.
Recital 75 of the Data Protection Regulation sets out factors that must be taken into account in the assessment of the risk to the rights and freedoms of natural persons. Among the factors mentioned are the loss of confidentiality of personal data covered by a duty of confidentiality and whether the processing concerns information about health or sex life. Account must further be taken of whether the processing concerns personal data about vulnerable natural persons, in particular children, or whether the processing involves a large amount of personal data and affects a large number of data subjects.
Recital 76 of the Data Protection Regulation states that the likelihood and severity of the risk to the data subject's rights and freedoms should be determined by reference to the nature, scope, context and purposes of the processing. The risk should be evaluated on the basis of an objective assessment, by which it is established whether the data processing involves a risk or a high risk.
Processing of sensitive personal data
Information about health and sex life constitutes such special categories of personal data, so-called sensitive personal data, which are given particularly strong protection under the Data Protection Regulation. As a general rule, processing of such personal data is prohibited under Article 9.1 of the Data Protection Regulation, unless the processing is covered by one of the exceptions in Article 9.2 of the Regulation.
Information about health is defined in Article 4.15 of the Data Protection Regulation as personal data relating to a natural person's physical or mental health which reveal information about his or her health status. Recital 35 of the Data Protection Regulation states that personal data concerning health should include all data relating to a data subject's health status which reveal information about the data subject's past, current or future physical or mental health status.
In the Lindqvist case, the Court of Justice of the European Union ruled that information that a person has injured a foot and is on part-time sick leave constitutes personal data relating to health under the Data Protection Directive (the Directive was repealed by the Data Protection Regulation).[6] The Court stated in that case that, having regard to the purpose of the Data Protection Directive, the expression "data concerning health" must be given a wide interpretation and is considered to include data concerning all aspects, both physical and mental, of a person's health.[7] In the later judgment Vyriausioji tarnybinės etikos komisija, the Court established that the concept of sensitive personal data under Article 9.1 of the Data Protection Regulation must be interpreted broadly and found that even personal data which indirectly, by way of an intellectual operation involving deduction or cross-referencing, reveal a natural person's sexual orientation constitute sensitive personal data under that provision.[8]
[6] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
[7] Judgment of the Court of Justice of the EU of 6 November 2003, Lindqvist, C-101/01, EU:C:2003:596, paragraphs 50–51.
IMY's assessment
The processing involved a high risk and required a high level of protection
The personal data controller must take measures to ensure a level of protection which is appropriate in view of the risks of the processing. The assessment of the appropriate level of protection must be made taking into account, among other things, the nature, scope, context and purpose of the processing, as well as the risks, of varying likelihood and severity, for the rights and freedoms of natural persons.
IMY must first take a position on which personal data Apoteket has transferred to Meta through the Meta pixel with the AAM feature enabled.
From the investigation in the case it appears that the activation of the Meta pixel's AAM function has meant that Apoteket, provided that a customer accepted marketing cookies and did not use an ad blocker, has transferred information about completed purchases to Meta. The data transferred has included information on purchased products (including the URL of the product on the website, the product ID and the product type) and contact information about the customer (including first and last name, address and telephone number). The data transferred to Meta has not included prescription products, but has included the following products and product categories:
a) self-tests and treatment for venereal diseases
b) contraceptives and the morning-after pill
c) sex toys
d) products for vaginal health (e.g. dry mucous membranes, menopause and vaginal fungal infections)
e) products for prostate problems and urinary problems
f) pregnancy tests, ovulation tests and pregnancy products
g) products for the treatment of fungal infections (e.g. athlete's foot or nail fungus)
h) products for the treatment and control of diabetes
i) products for the treatment of rectal disorders (e.g. anal fissures and hemorrhoids)
j) products for the treatment of stomach problems (e.g. IBS, constipation and diarrhea)
k) products for the treatment of migraine
l) products for the treatment of allergy
m) accessories for hearing aids
n) products for the treatment of bacterial infections
o) products for the treatment of psoriasis
p) products for the treatment of rosacea
q) ostomy products.
In the case, it has emerged that Meta has implemented a so-called filtering mechanism, the purpose of which is to detect and delete information transferred to Meta in violation of the company's policy. In this connection, IMY has obtained information from Meta about how the filtering mechanism works. It appears from Meta's statement of 16 February 2024 that the mechanism is designed to detect and delete potentially unauthorized information, such as information about health and finances, in the data that users of the pixel transfer to Meta, before it is stored and used in Meta's advertising system. When such data is detected and deleted, the user receives a notification about it, but the filtering mechanism works even if no such message is sent to the user. Against this background, IMY notes that the pixel itself does not contain a filtering mechanism that prevents a transfer of data to Meta. The filtering mechanism is designed to filter out potentially privacy-sensitive data only after it has been transferred to Meta, and only if Meta's system has been able to identify that the transferred records contain such unauthorized information. Nor can the absence of notifications about unauthorized and deleted information in itself be regarded as confirmation that potentially privacy-sensitive data has not been transferred to Meta. In summary, the existence of the filtering function has not prevented the observed transfer of personal data to Meta.
[8] Judgment of the ECJ of 1 August 2022, Vyriausioji tarnybinės etikos komisija, C-184/20, EU:C:2022:601, paragraphs 123–127.
IMY makes the following assessment of the risks of the personal data processing at issue.
Processing that includes sensitive personal data normally involves higher risks. The term sensitive personal data must be interpreted broadly and also covers information that indirectly discloses such information. Apoteket has transferred to Meta information about which product a customer has purchased, together with information that identifies the customer, including name, address and telephone number. IMY considers that the combination of data transferred to Meta has made it possible to deduce that a specific person has purchased a certain designated product.
Apoteket has not transferred information about prescription products. The majority of the products in Apoteket's other assortment (see points a–q above) are, however, of such a character that information that a person bought such a product could reveal information about the individual's state of health or sex life. Apoteket has objected that it is not certain that the buyer is the actual user of the product and that it is difficult to state categorically that sensitive personal data has been transferred. However, IMY considers it likely that at least some of the purchases of, for example, ostomy products, products for rectal, urinary and prostate problems, products for vaginal problems and treatments for venereal diseases and diabetes have been made for personal use in order to treat a certain state of health. IMY therefore assesses that it is likely that the processing has included information about health in the sense referred to in Article 4.15 of the Data Protection Regulation. IMY makes the same assessment regarding the purchase of, for example, morning-after pills and sex toys, that is to say that it is likely that the purchases have in at least some cases been made for the buyer's own use and that the processing has thereby revealed information about the individual's sex life. When assessing the appropriate level of protection, Apoteket should therefore have taken into account that the processing could include sensitive personal data.
IMY further assesses that information on the purchase of the goods specified in points a–q, regardless of whether the information constitutes sensitive personal data or not, is of such a privacy-sensitive nature that it requires strong protection under the Data Protection Regulation. It has also emerged that Apoteket has in some cases transferred other personal data worthy of protection, in the form of social security numbers.[9] In addition, the processing has been carried out by a pharmacy, where the customer can be assumed to have particular expectations that their personal data is handled with a high degree of confidentiality. IMY therefore finds that both the nature of the personal data and the context in which they were processed have entailed increased risks for the data subjects' freedoms and rights.
[9] Social security numbers are subject to special protection under Article 87 of the Data Protection Regulation and Chapter 3, Section 10 of the Act (2018:218) with supplementary provisions to the EU Data Protection Regulation.
IMY also notes that the processing has been extensive. Apoteket has had a large number of customers during the period in which the Meta pixel's AAM function was activated, and the company estimates that up to 930,000 people have been affected by the incident. The calculation is based on the number of purchases from the web shop during the period, taking into account that a certain percentage of purchases were made by repeat customers and by individuals who use ad blockers or have refused cookies. Apoteket has also stated that 9 percent of the total web purchases made during the period concerned the privacy-sensitive products listed under points a–q. On the basis of these data, IMY assesses that, although it is not possible to determine exactly how many of these purchases were made by data subjects who did not use ad blockers or refuse marketing cookies, it can in any case be established that the incident has affected a large number of data subjects.
In summary, IMY assesses that the processing, with regard to its nature, scope and context, has entailed high risks which required a high level of protection for the personal data. The measures should, among other things, have ensured that the personal data was protected against unauthorized disclosure and loss of control.
Apoteket has not taken sufficient security measures
IMY must then assess whether Apoteket has ensured the high level of protection that was required for the personal data.
Apoteket has stated that the company had proactive processes in place before the incident to ensure correct handling of personal data. In the present case, however, the established routines for IT development and risk assessment, which include, among other things, review and updating of information analyses for all changes to systems and tools, were not followed by individual employees. The investigation shows that Apoteket therefore did not analyze, before the processing began, the risks and consequences that the personal data processing resulting from the introduction of the Meta pixel and the activation of the AAM function would entail. Nor did Apoteket make a selection and categorization of which products would be processed. As a result, apart from the exclusion of prescription goods, there was no technical limitation of which data would be covered by the processing, and privacy-sensitive information about, for example, the purchase of non-prescription drugs and medical technology products has been transferred to Meta.
A fundamental prerequisite for Apoteket to be able to fulfill its obligations under the Data Protection Regulation is that the company is aware of which processing takes place under its responsibility. For a long period, from 19 January 2020, when the AAM feature was activated, until 25 April 2022, when the Meta pixel was removed, Apoteket transferred more data than intended to Meta without discovering it itself. Apoteket has stated that the activation of the Meta pixel's AAM function did not follow Apoteket's regular routines and that some desirable routines for review and follow-up were therefore not set up. Because Apoteket only had routines for following up documented changes that were carried out according to the set routines, Apoteket lacked the ability to detect and remedy other changes that were actually implemented or that arose in some other way. Against this background, IMY finds that Apoteket has lacked organizational routines to systematically follow up on unintended changes in its systems.
IMY therefore assesses that Apoteket, also taking into account what has been stated about the procedures that existed at the time of the violation, cannot be considered to have taken appropriate technical and organizational measures in relation to the high risks which the processing entailed. Apoteket has therefore processed personal data in violation of Article 32.1 of the Data Protection Regulation.
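The two controls whose absence the decision describes, as an added JavaScript example (not code from the decision, from Apoteket or from Meta): a client-side gate that imposes a technical limitation and product categorization on what a purchase event may carry to a tracking pixel, and a check of the live pixel configuration against an approved baseline so that an undocumented change, such as an enabled automatic-matching function, is detected. Category slugs, field names and configuration keys are assumptions made for this example.

```javascript
// Added example: not code from the decision, from Apoteket or from Meta.
// Two controls a web shop could put around a third-party tracking pixel:
//   1. minimisePurchaseEvent(): a client-side gate that decides, before the
//      vendor script is ever called, whether a purchase event may be sent and
//      reduces it to an allow-listed payload without customer identifiers;
//   2. findPixelConfigDrift(): a comparison of the pixel configuration observed
//      on the live site against a documented, approved baseline, so that an
//      undocumented change (such as switching on automatic matching) is noticed.
// Category slugs, field names and configuration keys are assumptions for this
// example; a real deployment maps them to its own catalogue and vendor settings.

// Product categories corresponding to points a–q of the decision: a purchase in
// any of them can reveal health or sex-life information and must never reach
// the pixel, not even as "a purchase happened" next to a matchable cookie.
const SENSITIVE_CATEGORIES = new Set([
  "sti-tests", "contraception", "sex-toys", "vaginal-health",
  "prostate-urinary", "pregnancy", "antifungal", "diabetes", "rectal",
  "stomach", "migraine", "allergy", "hearing-aid", "antibacterial",
  "psoriasis", "rosacea", "ostomy",
]);

// Event parameters a conversion count actually needs. Product URL, product id
// and product type, all transferred in the case, are deliberately absent.
const ALLOWED_PARAMS = new Set(["currency", "value"]);

// Decide whether, and in what form, a purchase event may be sent.
// Returns null when the event must be suppressed; otherwise a minimal payload
// whose user_data is always empty, whatever identifiers the order carried.
function minimisePurchaseEvent(order) {
  if (!order || !Array.isArray(order.items) || order.items.length === 0) {
    return null;
  }
  if (order.items.some((item) => SENSITIVE_CATEGORIES.has(item.category))) {
    return null; // deny by default: one sensitive item blocks the whole event
  }
  const params = { num_items: order.items.length };
  for (const key of ALLOWED_PARAMS) {
    if (key in order) params[key] = order[key];
  }
  return { event: "Purchase", params, user_data: {} };
}

// Approved baseline: what the risk analysis signed off. Kept under change
// control together with the analysis itself.
const APPROVED_PIXEL_BASELINE = {
  automatic_matching: false,           // no automatic capture of form fields
  events: ["PageView", "Purchase"],    // the only events the site may emit
  excluded_categories: [...SENSITIVE_CATEGORIES],
};

// Compare the configuration observed on the live site (for example exported by
// a periodic crawl of the site's own tag setup) with the baseline and return a
// list of deviations; an empty list means nothing has drifted.
function findPixelConfigDrift(observed, baseline = APPROVED_PIXEL_BASELINE) {
  const drift = [];
  if (observed.automatic_matching !== baseline.automatic_matching) {
    drift.push(`automatic_matching: expected ${baseline.automatic_matching}, ` +
               `found ${observed.automatic_matching}`);
  }
  const extraEvents = (observed.events || [])
    .filter((name) => !baseline.events.includes(name));
  if (extraEvents.length > 0) {
    drift.push(`unapproved events: ${extraEvents.join(", ")}`);
  }
  const seen = new Set(observed.excluded_categories || []);
  const missing = baseline.excluded_categories.filter((c) => !seen.has(c));
  if (missing.length > 0) {
    drift.push(`categories no longer excluded: ${missing.join(", ")}`);
  }
  return drift;
}

// Constructed sample order, mirroring the data types named in the decision
// (product URL, id and type; customer name, phone and address).
const SAMPLE_ORDER = {
  currency: "SEK",
  value: 249,
  items: [{ id: "p-1", type: "medicine", category: "allergy",
            url: "https://shop.example/p-1" }],
  customer: { fn: "Anna", ln: "Example", ph: "+46700000000",
              address: "Example Street 1" },
};

console.log(minimisePurchaseEvent(SAMPLE_ORDER)); // null: event suppressed
console.log(findPixelConfigDrift({ ...APPROVED_PIXEL_BASELINE,
                                   automatic_matching: true }));
```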
Choice of intervention
Applicable regulations, etc.
In the event of violations of the Data Protection Regulation, IMY has a number of corrective powers available under Article 58.2 of the Data Protection Regulation. It follows from Article 58.2(i) of the Data Protection Regulation that IMY must, in accordance with Article 83, impose administrative fines in addition to, or instead of, the other corrective measures referred to in Article 58.2, depending on the circumstances of each individual case.
Each supervisory authority must ensure that the imposition of administrative fines in each individual case is effective, proportionate and dissuasive. This is stated in Article 83.1 of the Data Protection Regulation.
Article 83.2 sets out the factors to be taken into account in deciding whether an administrative fine must be imposed, but also what will affect the size of the fine. Of importance for the assessment of the seriousness of the violation is, among other things, its nature, gravity and duration. The EDPB has adopted guidelines on the calculation of

Decision after Supervision according to the General Data Protection Regulation – Apoteket AB
Decision by the Swedish Authority for Privacy Protection
The Swedish Authority for Privacy Protection (IMY) has determined that Apoteket AB (registration number: 556138-6532) has processed personal data in violation of Article 32.1 of the General Data Protection Regulation (GDPR) by not implementing appropriate technical and organisational measures to ensure a suitable level of security for personal data when using the analytics tool Metapixel during the period from 19 January 2020 to 25 April 2022.
IMY has decided, pursuant to Articles 58.2 and 83 of the GDPR, that Apoteket AB shall pay an administrative fine of SEK 37,000,000.
                                administrative penalty charges according to the data protection regulation aimed at creating
                                                                                                            10
                                a harmonized method and principles for calculating penalty fees.


                                According to Article 83.4, in the event of violations of, among other things, Article 32, it must be imposed
Account of the Supervision Case
Background


                                administrative penalty fees of up to EUR 10,000,000 or, if one applies
On 25 April 2022, Apoteket AB (hereinafter referred to as "Apoteket") submitted a report of a personal data breach to the Swedish Authority for Privacy Protection (IMY). The report stated that Apoteket had used the analytics tool Metapixel from Meta Platforms Ireland Limited (formerly known as Facebook Pixel) on its website www.apoteket.se (the website) to enhance advertising targeting towards customers, thus allowing the transfer of data related to customers and website visitors to Meta, which was not intended to be transferred. Apoteket discovered the incident through information received from an external source. The breach report was preceded by media reports that Apoteket had transferred certain data about its customers’ online purchases to Meta.
                                companies, of up to 2 percent of the total global annual turnover in the previous year
                                budget year, depending on which value is the highest.


IMY initiated supervision in May 2022 based on the information contained in the breach report. The supervision was limited to the question of whether Apoteket had implemented appropriate technical and organisational measures in accordance with Article 32 of the GDPR.


                                If it is a question of a minor violation, IMY receives according to what is stated in reason 148 i
                                instead of imposing a penalty charge, issue a reprimand in accordance with Article 58.2 b i


                                the regulation.
What Apoteket has stated


                                IMY's assessment
Responsibility for Personal Data


Apoteket is responsible for the personal data processing regarding the implementation of Metapixel (formerly Facebook Pixel) and the transfer of data to Meta (formerly Facebook).


                                A penalty fee must be imposed
Purpose of Processing


Apoteket has used Metapixel since 2017 for marketing purposes. The primary goal was to measure the effectiveness of the company's marketing on Meta’s social media platforms, Facebook and Instagram. The secondary purpose was to market products to visitors who had viewed self-care product pages without making a purchase, to encourage them to buy later. The pixel was used for the secondary purpose to a limited extent and only during specific periods. On 19 January 2020, the automatic advanced matching (AAM) function of Metapixel was activated, leading to more data being processed than before. The activation of the AAM function was not necessary to fulfil the processing purposes. The activation of Metapixel and the AAM function was carried out by individual employees without prior risk assessment, contrary to Apoteket's procedures. Apoteket became aware that potentially sensitive data had been shared only after the media reported on it. Apoteket decided to immediately deactivate Metapixel and the AAM function on 25 April 2022 after becoming aware of the extent of the data transferred.


                                IMY has made the assessment that Apoteket processed personal data in violation of article
Personal Data Transferred to Meta
                                32.1 of the data protection regulation.


The data transfer to Meta was not the same for all customers and depended on the customer's actions on the website. Apoteket did not transfer data about customers who had declined marketing cookies. For customers who consented to marketing cookies, the following event data was generally transferred through Metapixel:


                                The violation has occurred through Apoteket processing personal data with a
                                insufficient level of security, which has resulted in privacy-sensitive personal data
                                and protectable character if a large number of data subjects have been inadvertently transferred to


                                Meta. Unauthorized access to this type of data poses a high risk to them
URL
                                rights and freedoms were registered. The transfer has been going on for a long time and has not
Value (value of the product or total cart)
                                detected and remedied until Apoteket was informed of the deficiency by an outside party.
Currency (e.g., "SEK")
Content IDs (Product ID, Apoteket's internal product number)
Content Type (e.g., "Product")
IP address


                                IMY considers that it is not a question of such a less serious violation that can
Since the activation of the AAM function, the following contact information was also transferred:
                                result in a reprimand being issued instead of a penalty fee.




First and last name
Email address
Phone number
Personal identity number
Gender
City
Postal code
Country


                                10 EDPB's guidelines Guidelines 04/2022 on the calculation of administrative fines under the GDPR. Data Protection Agency Diary number: IMY-2022-3270 13(16)
The contact information was only transferred during completed purchases and in hashed form, meaning Meta could only read the information if they had previously had the corresponding information. Meta then tried to match the transferred contact information with a Facebook user ID and subsequently deleted it. If a customer logged in to "My Pages" with mobile BankID, the personal identity number was transferred as it was interpreted as a phone number.
                                Date: 2024-08-29


Apoteket made a conscious decision not to transfer data about prescription drugs. This exclusion was achieved by not including Metapixel on the part of the website where a customer could add a prescription drug to the cart. Additionally, order lines containing prescription drugs were filtered out at the time of purchase from the product data by Apoteket's server before being transferred to Meta. If a visitor accepted marketing cookies and completed a purchase, data on the following products and/or product categories were shared via Metapixel with the AAM function activated:


a) Self-tests and treatments for sexually transmitted diseases
b) Contraceptives and morning-after pills
c) Sex toys
d) Products for vaginal health (e.g., dry mucous membranes, menopause symptoms, and yeast infections)
e) Products for prostate issues and urination problems
f) Pregnancy tests, ovulation tests, and pregnancy products
g) Products for the treatment of fungus (e.g., athlete's foot or nail fungus)
h) Products for the treatment and control of diabetes
i) Products for the treatment of rectal issues (e.g., anal fissures and haemorrhoids)
j) Products for the treatment of gastrointestinal problems (e.g., IBS, constipation, and diarrhoea)
k) Products for the treatment of migraines
l) Products for the treatment of allergies
m) Hearing aid accessories
n) Products for the treatment of bacterial infections
o) Products for the treatment of psoriasis
p) Products for the treatment of rosacea
q) Stoma products


Meta is fundamentally an authorised recipient, and not all data transfers of website visitors' information have been impermissible. The personal data breach concerns the potential transfer of sensitive personal data. However, not all products in Apoteket's range can be considered to provide information about a person's health or sex life, only products from a so-called privacy-sensitive range in combination with direct personal data. A person's actions on the website also do not necessarily indicate anything about their health or sex life until the customer adds a privacy-sensitive product to the cart or completes a purchase of such a product. However, it is not clear that this necessarily says anything about the individual customer, as many buy products for others, for preventive purposes, or for a "home pharmacy." Additionally, the self-care products sold by Apoteket do not necessarily belong to the so-called privacy-sensitive range. The legal situation is unclear, making it difficult to categorically state that sensitive personal data has been transferred.


If the transfer of sensitive personal data has occurred, it was not Apoteket's intention. However, Apoteket has a data processing agreement with Meta, and it is not a case of an unknown recipient of the data. The transfer has not occurred in an uncontrolled manner in the sense that unauthorised individuals accessed the information through a malicious hacker attack. The actual risk to the data subjects is therefore assessed as moderate. The transfer of personal identity numbers has not increased the risk to the data subjects since the data was transferred in a hashed form, using SHA256, and then deleted by Meta as the data could not be matched. The primary issue is that the data subjects have, to some extent, lost control over their personal data, but Apoteket's actions did not increase the risk to the data subjects. It should be considered mitigating that Meta has had an active signal filtering mechanism that filtered out sensitive data. Thus, the information has not been shared further or used by Apoteket or Meta. The harm to the data subjects is therefore limited.


Extent of the Incident


                                The European Court of Justice has clarified that it is required that the person in charge of personal data has committed a
At the time of the report, the incident was estimated to have affected 500,001–1,000,000 data subjects. Apoteket has since stated that it is not possible to provide an exact number of data subjects affected by the event, partly because it does not involve a leak from a register or database that Apoteket had full control and oversight of, and because data transfer occurred directly between the user's browser and Meta. The group of potentially affected data subjects is influenced by several factors. The maximum number of affected individuals is 930,000. This estimate is based on the number of online purchases during the relevant period, considering that a certain proportion of purchases are made by returning customers and customers using ad blockers or who have declined cookies. Apoteket's view is that the incident only involves completed purchases and not data on individuals who clicked on products, added products to their cart, or started the payment process. Nine per cent of the total online sales during the relevant period of the incident consisted of products from the categories listed above in points a–q. Regarding the quantity of transferred personal data, Apoteket has noted that the number of unique products per purchase during the period was 1.41 products per customer. However, when assessing how many sensitive personal data items have been transferred, it must be considered that some purchases included self-care products (which do not reveal health information), were made for others, or involved multiple packages of the same product.


                                Violation intentionally or negligently to administrative penalty fees
Technical and Organisational Security
                                must be enforceable according to the data protection regulation. The European Court of Justice has stated that


                                controllers may be subject to penalty fees for actions if they cannot
Before the incident, Apoteket had proactive processes in place to ensure the correct handling of personal data, including comprehensive risk assessments and reviews by the Data Protection Officer regarding personal data issues. Apoteket's development process includes several control points to identify risks and ensure correct personal data processing. These control points include reviewing new solutions or features on the website from an information security and data protection perspective (through an information
                                are deemed to have been ignorant that the conduct constituted a breach, regardless of whether they
                                                                                                                      11
                                were aware that they violated the provisions of the data protection regulation.


analysis), an architectural perspective, and a contractual perspective (if the solution is purchased), as well as code reviews before the solution is deployed on the website. Apoteket also conducts audits and penetration tests of the website to detect and address vulnerabilities.


                                According to the principle of responsibility which is expressed, among other things, in Article 5.2 i
In this case, Apoteket’s established IT development and risk assessment procedures were not followed by individual employees. A possible reason, which is not a justification, could be that the functionality was very easy to activate without significant development effort. At the time of activating the AAM function, administrative privileges in the Meta Business Manager tool were required, which two professional roles, comprising a total of three people, had. According to routine, privileges to the Meta Business Manager tool, including the AAM function, are regularly reviewed and controlled to ensure that only those who need access have it. However, no other desired routines for review and follow-up were established due to the activation of the pixel and AAM function not following Apoteket’s usual procedures.
                                the data protection regulation shall the person responsible for the processing of personal data


                                ensure and be able to demonstrate that the processing is compatible with the data protection regulation.
After deactivating Metapixel and the AAM function, Apoteket had a dialogue with Meta about data deletion. Meta stated that data older than two years had already been deleted but that the company could not manually delete data from the last two years. Apoteket provided general information to the data subjects about the incident, which was published on the website at the end of April and in May 2022. To address specific questions and answers from customers, informational materials were provided to Apoteket employees. Apoteket has also taken measures to reduce the risk of similar incidents in the long term. The company conducted an inventory and analysis of cookies and analytics tools on the website, introduced a role with overall responsibility for the marketing department to ensure compliance with rules and guidelines, and improved its information security governance model. Employees already completed annual e-learning in security, including a chapter on data protection and information security. To further raise awareness after the incident, short e-learning courses on IT and information security were introduced.
                                IMY thus states that Apoteket is responsible for the personal data that


                                processed in the business, processed in a way that ensures a suitable
Choice of Corrective Measure
                                security level. In its examination, IMY has found that Apoteket did not live up to them
                                requirements set by the data protection regulation in this regard. The pharmacy cannot be considered to have


                                was unaware that its actions entailed a breach of the regulation.     12
Apoteket has transferred data to Meta that should not have been shared. However, the harm has been limited. The violation has not affected the core fulfilment of Apoteket’s obligations under Article 32 of the GDPR. Apoteket promptly reported the violation to IMY and took the possible measures to mitigate the consequences of the violation. These circumstances, combined with the fact that the violation occurred due to negligence, indicate that it is a minor violation, and a reprimand is therefore sufficient.


Regarding the seriousness of the violation, it has only slightly hindered the effective application of Article 32 of the GDPR. Furthermore, the violation occurred within a business activity, and the nature of the processing has therefore not involved any particular risks. There was also no dependency relationship between the data subjects and Apoteket. The processing was carried out for marketing purposes, which is not part of Apoteket's core business, which is to provide prescription and over-the-counter medicines. The personal data breach has indeed affected a relatively large number of data subjects, but the level of harm caused by the violation is low. The violation should at most be considered of medium severity.


                                IMY therefore assesses that the conditions for imposing an administrative on Apoteket
There are reasons to consider how turnover is calculated in other EU legal areas, primarily competition law. This is because the majority of Apoteket's turnover comes from other parts of Apoteket's business, such as traditional retail trade and healthcare and dose business, than the area where the violation occurred. According to the European Commission's Guidelines on the calculation of fines imposed under Article 23.2 a of Regulation No 1/2003, the base amount for calculation should be determined by considering the value of sales for the goods or services directly or indirectly related to the violation and which the company sold in the relevant geographic area within the EEA. Analogously, the part of Apoteket's turnover related to the business area where the violation occurred should be considered, that is, the turnover related to online sales of over-the-counter medicines, self-care products, hygiene articles, and skincare.
                                penalty fee for the violations are met. When determining sanction-


                                the size of the fee, IMY must take into account the circumstances stated in article 83.2 as well as
There are several mitigating factors regarding the violation, including the measures Apoteket has taken to mitigate the consequences for the data subjects, that Apoteket has fully cooperated with IMY, and that data was filtered out and thus not reached Meta for further processing. Apoteket also reported the incident on its initiative to IMY. Since economic gain from the violation can be seen as an aggravating factor in calculating the fine, Apoteket wants to clarify that the increase in sales that can possibly be linked to the use of the AAM function is negligible.
                                ensure that the administrative penalty fee is effective, proportionate and


                                deterrent.


Reasoning of the Decision
IMY must first determine whether the GDPR applies and whether IMY is the competent supervisory authority. If so, IMY must consider whether Apoteket is the data controller and whether the company has implemented appropriate security measures under Article 32 of the GDPR to protect the personal data processed through Metapixel, with the AAM function activated, during the period from 19 January 2020 to 25 April 2022.


                                Starting points for the calculation of the penalty fee
IMY’s Competence


Applicable Provisions


                                IMY assesses that it is the annual turnover for Apoteket that should be used as a basis for
Article 95 of the GDPR states that the regulation should not impose additional obligations on natural or legal persons who process personal data for areas already covered by obligations under the so-called ePrivacy Directive. The ePrivacy Directive has been implemented into Swedish law through the Electronic Communications Act (2003:389) (LEK), which regulates, among other things, the collection of data through cookies.
                                the calculation of the administrative penalty fees in the current case. The maximum


                                the penalty fee applicable to companies for violations of Article 32 amounts to that
According to Chapter 9, Section 28 of the LEK, which implements Article 5.3 of the ePrivacy Directive, data may only be stored in or retrieved from a subscriber's or user's terminal equipment if the subscriber or user has access to information about the purpose of the processing and consents to it. It also states that this does not prevent storage or access necessary to transmit an electronic message via an electronic communications network or is necessary to provide a service that the user or subscriber has expressly requested. The LEK entered into force on 22 August 2022. However, during the relevant time in this case, the same requirements applied under Chapter 6, Section 18 of the Electronic Communications Act (2003:389). The Swedish Post and Telecom Authority (PTS) is the supervisory authority under the LEK.
                                amount which is the higher of EUR 10,000,000 or 2 percent of the total global


                                the annual turnover during the previous budget year.
The European Data Protection Board (EDPB) has expressed its views on the interaction between the ePrivacy Directive and the GDPR. The opinion states that the national supervisory authority appointed under the ePrivacy Directive is solely competent to monitor compliance with the Directive. However, IMY is the competent supervisory authority under the GDPR for processing not specifically regulated by the ePrivacy Directive.


                                Apoteket's annual report for the year 2023 shows that the annual turnover for that year was
IMY's Assessment


                                SEK 23,270,000,000. The highest sanction amount that can be determined in the case
IMY's review focuses on a situation where data subjects have used a service on Apoteket's website to order a product and have voluntarily provided the information captured by Metapixel. This data processing does not involve storing or retrieving data from a subscriber's or user's terminal equipment and is thus not covered by Chapter 9, Section 28 of the LEK or the previous corresponding provision in the Electronic Communications Act. This means that the GDPR's regulation applies to the personal data processing in question and that IMY is the competent supervisory authority. Furthermore, IMY's review concerns whether Apoteket has implemented adequate security measures, which is not specifically regulated in the LEK. Therefore, IMY is competent to investigate the issue covered by the supervision case.
                                thus amounts to 2 percent of that amount, which is SEK 465,400,000. IMY


                                notes that there is a lack of support in the applicable legislation for calculating the penalty fee
Responsibility for Personal Data
                                based on a different amount in the manner that Apoteket presented is done when applying


                                other EU legal legislation.
Applicable Provisions


A data controller, according to Article 4.7 of the GDPR, is the entity that alone or together with others determines the purposes and means of processing personal data. The fact that the purposes and means can be determined by more than one entity means that several entities can be data controllers for the same processing.


                                The seriousness of the violation
The data controller must ensure and be able to demonstrate that the principles in Article 5.1 are complied with, as stated in Article 5.2 of the GDPR (the accountability principle).


IMY's Assessment


                                It appears from the EDPB's guidelines that the supervisory authority must assess whether the violation is
Apoteket has stated that it is the data controller for the implementation of Metapixel and the transfer of data to Meta.
                                of low, medium or high severity according to Article 83.2 a, b and g of the data protection
                                              14
                                the regulation.


The investigation in the case shows that Apoteket implemented Metapixel, a script-based tool in the form of a piece of code that records visitors' actions and transfers the information to Meta on its website, and subsequently activated the AAM function. The purpose of Metapixel was to increase the effectiveness of the company's marketing and, to some extent, target ads at previous visitors to the website. Apoteket has therefore determined how the processing should be conducted and for what purpose the personal data should be processed. IMY therefore assesses that Apoteket is the data controller for the processing of personal data carried out through the use of Metapixel with the AAM function activated.


                                The breach in question has involved a large number of registered users and has been ongoing
                                for a long time. The data that has been transferred has included social security numbers and


                                information that directly identifiable persons have purchased privacy-sensitive products. The
Has Apoteket Ensured an Appropriate Level of Security for the Personal Data?


Applicable Provisions


                                1 Court of Justice of the European Union judgment of 5 December 2023, Nacionalinis södertätsää centras, C-683/21, EU:C:2023:949,
The Requirement to Implement Appropriate Safeguards
                                p. 81 and the judgment of the European Court of Justice of 5 December 2023, Deutsche Wohnen SE C-807/21, EU:C:2023:950, p. 76.
                                1For the assessment of negligence, see also the Court of Appeal in Stockholm's judgment of 11 March 2024 in case 2829-23 p.12.
                                13
                                  Apoteket is the parent company of a group. If the company is subject to the obligation to prepare consolidated accounts is
                                these consolidated accounts for the group's parent company relevant to reflect the company's total
                                turnover, see EDPB's guidelines Guidelines 04/2022 on the calculation of administrative fines under the GDPR, point
                                130.
                                1EDPB's guidelines Guidelines 04/2022 on the calculation of administrative fines under the GDPR, point 60. The Data Protection Authority Diary number: IMY-2022-3270 14(16)
                                Date: 2024-08-29


Article 32.1 of the GDPR requires the data controller to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing. This must be done considering the state of the art, the implementation costs, and the nature, scope, context, and purpose of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons. According to the same provision, appropriate safeguards, where appropriate, include:


a) Pseudonymisation and encryption of personal data,
b) The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services,
c) The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, and
d) A process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures to ensure the security of processing.


In assessing the appropriate level of security, specific consideration must be given to the risks posed by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure


of, or access to personal data transmitted, stored, or otherwise processed, as stated in Article 32.2.


Recital 75 of the GDPR specifies factors to be considered when assessing the risk to the rights and freedoms of natural persons. Among other things, it mentions the loss of confidentiality concerning personal data that is subject to professional secrecy and whether the processing involves data concerning health or sexual life. It should also be considered if the processing concerns personal data of vulnerable natural persons, especially children, or if the processing involves a large amount of personal data concerning many data subjects.


Recital 76 of the GDPR states that the likelihood and severity of the risk to the data subjects' rights and freedoms should be determined based on the nature, scope, context, and purpose of the processing. The risk should be evaluated based on an objective assessment, determining whether the data processing involves a risk or a high risk.


Processing of Sensitive Personal Data


Data concerning health and sexual life constitutes special categories of personal data, so-called sensitive personal data, which is afforded particularly strong protection under the GDPR. As a general rule, processing such personal data is prohibited under Article 9.1 of the GDPR unless the processing falls under one of the exceptions in Article 9.2 of the Regulation.


Health data is defined in Article 4.15 of the GDPR as personal data related to the physical or mental health of a natural person, providing information about their health status. Recital 35 of the GDPR states that health data should include all data related to a data subject's health condition, providing information about the data subject's past, present, or future physical or mental health status.


The Court of Justice of the European Union (CJEU) in the Lindqvist case ruled that information that a person has injured their foot and is on part-time sick leave constitutes personal data concerning health under the Data Protection Directive (which was repealed by the GDPR). The CJEU stated that considering the purpose of the Data Protection Directive, the term "data concerning health" should be interpreted broadly and should include information related to all aspects of a person's health, both physical and mental. In the subsequent case, Vyriausioji tarnybinės etikos komisija, the CJEU concluded that the term sensitive personal data under Article 9.1 of the GDPR should be interpreted broadly and determined that even personal data that indirectly, after intellectual reasoning or cross-referencing, reveals a natural person's sexual orientation constitutes sensitive personal data under the relevant provision.


IMY’s Assessment


The Processing Involved a High Risk and Required a High Level of Protection


The data controller must implement measures to ensure a level of protection appropriate to the risks of processing. The assessment of the appropriate level of protection should consider, among other things, the nature, scope, context, and purpose of the processing, as well as the risks, of varying likelihood and severity, to the rights and freedoms of natural persons.


IMY must first determine what personal data Apoteket has transferred to Meta through Metapixel with the AAM function activated.


The investigation in the case shows that the activation of Metapixel's AAM function has resulted in Apoteket, provided a customer has accepted marketing cookies and not used an ad blocker, transferring information about completed purchases to Meta. The information transferred included data about purchased products (including the URL of the products on the website, product ID, and product type) and customer contact information (including first and last name, address, and phone number). The data transferred to Meta did not include prescription products but did include the following products and product categories:


a) Self-tests and treatments for sexually transmitted diseases
b) Contraceptives and morning-after pills
c) Sex toys
d) Products for vaginal health (e.g., dry mucous membranes, menopause symptoms, and yeast infections)
e) Products for prostate issues and urination problems
f) Pregnancy tests, ovulation tests, and pregnancy products
g) Products for the treatment of fungus (e.g., athlete's foot or nail fungus)
h) Products for the treatment and control of diabetes
i) Products for the treatment of rectal issues (e.g., anal fissures and haemorrhoids)
j) Products for the treatment of gastrointestinal problems (e.g., IBS, constipation, and diarrhoea)
k) Products for the treatment of migraines
l) Products for the treatment of allergies
m) Hearing aid accessories
n) Products for the treatment of bacterial infections
o) Products for the treatment of psoriasis
p) Products for the treatment of rosacea
q) Stoma products


It has emerged in the case that Meta has implemented a so-called filtering mechanism designed to detect and delete information transferred to Meta in violation of the company's policy. IMY has therefore requested information from Meta on how the filtering mechanism works. According to Meta's statement on 16 February 2024, the mechanism is designed to detect and delete potentially unauthorised information, such as health and financial data, in data users of the pixel transfer to Meta before it is stored and used in Meta's advertising system. When such data is detected and deleted, the user is notified, but the filtering mechanism operates even if no such notification is sent to the user. Based on this, IMY concludes that the pixel does not inherently contain a filtering mechanism that prevents data transfer to Meta. The filtering mechanism is designed to filter out potentially privacy-sensitive data only after it has been transferred to Meta and if Meta's system has identified that the transferred data contains such unauthorised information. The absence of notifications about unauthorised and deleted information cannot be considered confirmation that potentially privacy-sensitive data has not been transferred to Meta. The presence of the filtering function has, in summary, not prevented the confirmed transfer of personal data to Meta.


IMY makes the following assessment of the risks associated with the current data processing.


Processing involving sensitive personal data typically involves higher risks. The term sensitive personal data should be interpreted broadly and includes data that indirectly reveals such information. Apoteket has transferred data to Meta about which product a customer has purchased and data that identifies the customer, such as name, address, and phone number. IMY considers that the combination of data transferred to Meta has made it possible to determine that a specific person has purchased a specific product.


Apoteket has not transferred data about prescription products. However, many products in Apoteket's other range (see points a–q above) are such that information about a person purchasing them could reveal details about their health condition or sexual life. Apoteket has argued that the buyer is not necessarily the actual user of the product, and it is difficult to categorically state that sensitive personal data has been transferred. However, IMY considers that it is likely that at least some of the purchases of, for example, stoma products, products for rectal, urinary, and prostate issues, vaginal issues, and treatment for sexually transmitted diseases and diabetes have been made for personal use to treat a specific health condition. IMY therefore considers it likely that the processing has involved health data as defined in Article 4.15 of the GDPR.


IMY makes the same assessment regarding purchases of, for example, morning-after pills and sex toys, i.e., it is likely that purchases in at least some cases were made for personal use and that the processing therefore revealed information about the individual's sexual life. When assessing the appropriate level of protection, Apoteket should therefore have considered that the processing might involve sensitive personal data.


IMY also considers that data on purchases of the specified products in points a–q, regardless of whether the data constitutes sensitive personal data or not, is of such a privacy-sensitive nature that it requires strong protection under the GDPR. It has also emerged that Apoteket in some cases has transferred other sensitive personal data in the form of personal identity numbers. Furthermore, the processing was carried out by a pharmacy where customers are assumed to have specific expectations that their personal data is handled with a high degree of confidentiality. IMY therefore concludes that both the nature of the personal data and the context in which it was processed have increased the risks to the data subjects' rights and freedoms.


IMY also notes that the processing was extensive. Apoteket had many customers during the period when Metapixel's AAM function was activated, and the company estimates that up to 930,000 people were affected by the incident. This estimate is based on the number of online purchases during the relevant period, considering that a certain percentage of purchases were made by returning customers and individuals using ad blockers or who declined cookies. Apoteket has also stated that 9 per cent of the total online purchases made during the period involved the privacy-sensitive products listed in points a–q. Although it is impossible to determine precisely how many of these purchases were made by data subjects who did not use ad blockers or decline marketing cookies, it can at least be concluded that the incident affected a large number of data subjects.


In summary, IMY assesses that the processing, given its nature, scope, and context, involved high risks that required a high level of protection for the personal data. The measures should have ensured, among other things, that the personal data was protected against unauthorised disclosure and loss of control.


Apoteket Has Not Implemented Sufficient Security Measures


IMY must then assess whether Apoteket has ensured the high level of protection required for personal data.


Apoteket has stated that the company had proactive processes in place before the incident to ensure the correct handling of personal data. In this case, however, established IT development and risk assessment procedures, including reviewing and updating information analyses for all changes to systems and tools, were not followed by individual employees. The investigation shows that Apoteket did not analyse the risks and consequences of the personal data processing involved in the implementation of Metapixel and the activation of the AAM function before the processing began. Apoteket also did not select and categorise which products would be processed. This led to the absence of a technical limitation on which data would be processed, beyond the exclusion of prescription products, and that privacy-sensitive data about purchases of over-the-counter medicines and medical devices was transferred to Meta.


A fundamental requirement for Apoteket to fulfil its obligations under the GDPR is that the company is aware of the processing under its responsibility. Apoteket, from 19 January 2020, when the AAM function was activated, until 25 April 2022, when Metapixel was removed, transferred more data to Meta than intended without detecting it themselves. Apoteket has stated that the activation of Metapixel's AAM function did not follow Apoteket's standard procedures, and no desired routines for review and follow-up were established. Since Apoteket only had routines to follow up on documented changes made according to set procedures, Apoteket lacked the ability to detect and address other changes that had been made or occurred otherwise. IMY, therefore, concludes that Apoteket lacked organisational procedures for systematically following up on unintentional changes in its systems.
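The two gaps the decision names, no technical limitation on what the pixel sent and no way to notice an unintended change, are the kind of thing a periodic audit of captured pixel traffic can surface. The following is an added example, not code from the decision, Apoteket or Meta: it parses request URLs captured from a browser, reports parameters outside a documented baseline (here the `ud[...]` advanced-matching fields) and flags Purchase events in the categories of points a–q. The request layout follows the public pixel endpoint `www.facebook.com/tr/`; the parameter names, the baseline set, the category labels and the sample URLs are assumptions constructed for this example.

```python
"""Offline audit of captured Meta pixel requests (added example, not the decision's code)."""
import hashlib
from typing import Optional
from urllib.parse import parse_qs, urlsplit

PIXEL_HOST = "www.facebook.com"
PIXEL_PATH = "/tr"

# Product categories from points a-q of the decision, lower-cased for matching.
# Labels are constructed; a real shop would map its own taxonomy onto this set.
SENSITIVE_CATEGORIES = {
    "self-tests and treatments for sexually transmitted diseases",
    "contraceptives and morning-after pills", "sex toys", "vaginal health",
    "prostate and urination problems", "pregnancy and ovulation tests",
    "fungal treatments", "diabetes", "rectal issues", "gastrointestinal problems",
    "migraine", "allergy", "hearing aid accessories", "bacterial infections",
    "psoriasis", "rosacea", "stoma products",
}

# Constructed baseline: what the documented, intended setup sends
# (page URL, product identifiers/type, order value) and nothing about the user.
DOCUMENTED_BASELINE = {
    "id", "ev", "dl",
    "cd[content_ids]", "cd[content_category]", "cd[value]", "cd[currency]",
}


def _h(value: str) -> str:
    """SHA-256 of normalised input, mirroring the hashed format the decision mentions."""
    return hashlib.sha256(value.strip().lower().encode()).hexdigest()


# Constructed sample capture: one page view and two purchases. The purchases carry
# ud[...] user-data fields, i.e. the advanced-matching data that was not intended.
SAMPLE_REQUESTS = [
    "https://www.facebook.com/tr/?id=PIXEL_ID_PLACEHOLDER&ev=PageView"
    "&dl=https%3A%2F%2Fshop.example%2F",
    "https://www.facebook.com/tr/?id=PIXEL_ID_PLACEHOLDER&ev=Purchase"
    "&cd[content_ids]=%5B%22P-1001%22%5D&cd[content_category]=Stoma%20products"
    "&cd[value]=199&cd[currency]=SEK"
    f"&ud[em]={_h('person@example.test')}&ud[fn]={_h('Anna')}"
    f"&ud[ln]={_h('Andersson')}&ud[ph]={_h('+46700000000')}",
    "https://www.facebook.com/tr/?id=PIXEL_ID_PLACEHOLDER&ev=Purchase"
    "&cd[content_ids]=%5B%22P-2002%22%5D&cd[content_category]=Toothbrushes"
    "&cd[value]=49&cd[currency]=SEK"
    f"&ud[em]={_h('other@example.test')}",
]


def parse_pixel_request(url: str) -> Optional[dict]:
    """Split a pixel request into event name, custom data (cd[...]) and user data (ud[...])."""
    parts = urlsplit(url)
    if parts.netloc != PIXEL_HOST or not parts.path.startswith(PIXEL_PATH):
        return None
    query = parse_qs(parts.query, keep_blank_values=True)

    def bucket(prefix: str) -> dict:
        head = prefix + "["
        return {k[len(head):-1]: v[0] for k, v in query.items()
                if k.startswith(head) and k.endswith("]")}

    return {"event": query.get("ev", [""])[0], "params": set(query),
            "cd": bucket("cd"), "ud": bucket("ud")}


def audit(urls, baseline=DOCUMENTED_BASELINE, sensitive=SENSITIVE_CATEGORIES):
    """Return findings: parameters outside the baseline (drift) and sensitive purchases."""
    findings = []
    for url in urls:
        req = parse_pixel_request(url)
        if req is None:
            continue  # not a pixel request, ignore
        drift = sorted(req["params"] - baseline)
        if drift:
            findings.append({"event": req["event"], "issue": "undocumented_parameters",
                             "parameters": drift})
        category = req["cd"].get("content_category", "").strip().lower()
        if req["event"] == "Purchase" and category in sensitive:
            findings.append({"event": req["event"], "issue": "sensitive_purchase",
                             "category": category,
                             # hashed user data next to the product makes the buyer identifiable
                             "identifiable": bool(req["ud"])})
    return findings


def has_configuration_drift(urls, baseline=DOCUMENTED_BASELINE) -> bool:
    """True if any captured request carries parameters outside the documented baseline."""
    return any(f["issue"] == "undocumented_parameters" for f in audit(urls, baseline))


if __name__ == "__main__":
    for finding in audit(SAMPLE_REQUESTS):
        print(finding)
```

Run against a capture taken after every release (or on a schedule), a non-empty drift list is the signal Apoteket lacked for more than two years.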


IMY thus assesses that Apoteket, even considering what has been stated about the procedures in place at the time of the violation, cannot be considered to have implemented appropriate technical and organisational measures in relation to the high risks involved in the processing. Apoteket has therefore processed personal data in violation of Article 32.1 of the GDPR.


Choice of Sanctions


Applicable Provisions, etc.


In the event of violations of the GDPR, IMY has several corrective powers at its disposal under Article 58.2 of the GDPR. Article 58.2 of the GDPR states that IMY shall impose administrative fines in addition to or instead of other corrective measures referred to in Article 58.2, depending on the circumstances of each case.


Each supervisory authority shall ensure that the imposition of administrative fines is, in each case, effective, proportionate, and dissuasive, as stated in Article 83.1 of the GDPR.


Article 83.2 lists the factors to be considered when determining whether an administrative fine should be imposed and what should influence the amount of the fine. Relevant to the assessment of the severity of the violation is its nature, gravity, and duration. The EDPB has adopted guidelines on calculating administrative fines under the GDPR, which aim to create a harmonised method and principles for calculating fines.


According to Article 83.4, administrative fines of up to 10,000,000 EUR, or, in the case of a company, up to 2 per cent of the total worldwide annual turnover of the preceding financial year, whichever is higher, shall be imposed for violations of, among other things, Article 32.


If the violation is minor, IMY may, according to Recital 148, issue a reprimand under Article 58.2(b) of the Regulation instead of imposing a fine.


Footnotes:
15. The more central a processing operation is to the controller's business, the more serious deficiencies in that processing are. See the EDPB's Guidelines 04/2022 on the calculation of administrative fines under the GDPR, paragraph 53.
16. EDPB Guidelines 04/2022 on the calculation of administrative fines under the GDPR, paragraphs 95–98.


IMY’s Assessment


A Fine Should be Imposed


IMY has assessed that Apoteket processed personal data in violation of Article 32.1 of the GDPR.


The violation occurred because Apoteket processed personal data with an insufficient level of security, resulting in personal data of a privacy-sensitive and protected nature concerning a large number of data subjects being inadvertently transferred to Meta. Unauthorised access to this type of data poses a high risk to the rights and freedoms of the data subjects. The transfer continued for an extended period and was not detected and addressed until Apoteket was informed of the issue by an external party. IMY considers that this is not a minor violation that could result in a reprimand instead of a fine.


The CJEU has clarified that for administrative fines to be imposed under the GDPR, the data controller must have committed a violation intentionally or negligently. The CJEU has stated that data controllers can be fined for actions if they could not be considered ignorant that the action constituted a violation, regardless of whether they were aware they were breaching the GDPR provisions.


According to the accountability principle expressed in Article 5.2 of the GDPR, the data controller must ensure and be able to demonstrate that the processing complies with the GDPR. IMY, therefore, concludes that Apoteket is responsible for ensuring that the personal data processed within the company is processed in a manner that ensures an appropriate level of security. IMY has, in its assessment, determined that Apoteket has not met the requirements set out in the GDPR in this regard. Apoteket cannot be considered ignorant that its actions constituted a violation of the Regulation.


IMY therefore assesses that the conditions for imposing an administrative fine on Apoteket for the violations are met. When determining the size of the fine, IMY shall consider the circumstances listed in Article 83.2 and ensure that the fine is effective, proportionate, and dissuasive.


Basis for Calculating the Fine


IMY assesses that Apoteket’s annual turnover should form the basis for calculating the administrative fines in this case. The maximum fine applicable to companies for violations of Article 32 amounts to the higher of 10,000,000 EUR or 2 per cent of the total worldwide annual turnover of the previous financial year.


According to Apoteket's annual report for 2023, the annual turnover for that year was SEK 23,270,000,000. The maximum fine that can be imposed in this case is therefore 2 per cent of that amount, which is SEK 465,400,000. IMY notes that there is no legal basis in the applicable legislation to calculate the fine based on another amount, as Apoteket suggested is the case under other EU legislation.


Severity of the Violation


According to the EDPB’s guidelines, the supervisory authority should assess whether the violation is of low, medium, or high severity according to Article 83.2(a), (b), and (g) of the GDPR.


The current violation affected a large number of data subjects and continued for an extended period. The data transferred included personal identity numbers and data indicating that directly identifiable individuals had purchased privacy-sensitive products. The unauthorised transfer has therefore posed a high risk to the rights and freedoms of the data subjects, in the form of a risk of loss of confidentiality for protected information. Furthermore, the violation occurred in a pharmacy business where data subjects must be assumed to have had a legitimate expectation of high confidentiality and that their personal data would not be disclosed to unauthorised parties. The sale of over-the-counter and other health-related products must also be considered part of Apoteket’s core business, which makes the violation more serious than if this had not been the case.


In assessing the severity of the violation, IMY also considers that Apoteket had implemented several appropriate technical and organisational security measures at the time of the violation. Furthermore, the personal data was transferred in hashed, i.e., unreadable, format to a single recipient, and therefore it was not an uncontrolled disclosure where the data, for example, was shared with many unauthorised parties or made publicly available on the web.


Considering the above circumstances, IMY assesses that this is a violation of Article 32.1 of the GDPR of low severity.


IMY must also consider any aggravating and mitigating factors listed in Article 83.2 of the GDPR when determining the amount of the fine. Following the violation, Apoteket has had a dialogue with Meta about deletion, provided information to the data subjects, and taken measures to reduce the risk of similar incidents in the long term. However, IMY notes that these measures were only taken after Apoteket was alerted to the existing deficiencies by an external party and that they cannot be considered to exceed what is expected of Apoteket in this case. Therefore, the measures taken do not affect IMY's assessment of the fine amount in a mitigating direction. The same applies to the fact that Apoteket submitted a report of the personal data breach and cooperated with IMY in investigating the violation, as these are circumstances that should be considered neutral when determining the fine amount.


IMY notes that no other circumstances affect IMY's assessment of the fine amount in an aggravating or mitigating direction.


The Fine Must be Effective, Proportionate, and Dissuasive


The administrative fine must be effective, proportionate, and dissuasive. This means that the amount should be set so that the administrative fine leads to correction, provides a preventive effect, and is also proportionate in relation to both the current violation and the supervised entity’s financial capacity.


IMY determines, based on an overall assessment, that Apoteket shall pay an administrative fine of SEK 37,000,000. IMY assesses that this amount is effective, proportionate, and dissuasive.




This decision has been made by the acting Director General David Törngren after a presentation by the lawyer Maja Welander. The final handling also involved the acting Chief Legal Officer Cecilia Agnehall, the Head of Unit Nidia Nordenström, the lawyer Shirin Daneshgari Nejad, and the IT and information security specialist Petter Flink.


David Törngren, 2024-08-29 (This is an electronic signature)


Attachment:
Information on Payment of the Fine


Copy to:
Data Protection Officer for Apoteket




How to Appeal


If you wish to appeal this decision, you must write to IMY. In your letter, indicate the decision you are appealing and the change you are requesting. The appeal must be received by IMY no later than three weeks from the day you received the decision. If you represent a public authority, the appeal must be submitted within three weeks from the date the decision was issued. If the appeal is submitted on time, IMY will forward it to the Administrative Court in Stockholm for review.


You can email the appeal to IMY if it does not contain any privacy-sensitive personal data or information that may be subject to confidentiality. The authority's contact details are listed on the first page of the decision.
</pre>
</pre>

Latest revision as of 11:16, 4 September 2024

IMY - IMY-2022-3270
Authority: IMY (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 32(1) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 29.08.2024
Published:
Fine: 37000000 SEK
Parties: Apoteket AB, Meta
National Case Number/Name: IMY-2022-3270
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Swedish
Original Source: IMY (Sweden) (in SV)
Initial Contributor: wp

The DPA fined the controller SEK 37,000,000 (approximately €3,200,000) for a violation of Article 32 GDPR. An erroneous setting of Meta’s pixel, embedded in the controller’s website, led to a larger transfer of personal data to Meta than intended.

English Summary

Facts

A Swedish pharmacy company, Apoteket AB (the controller), had been using the Meta pixel for marketing purposes since 2017. The purpose of the pixel was to measure the controller’s marketing activity within Facebook and Instagram and, additionally, to promote the controller’s products to visitors of certain pages (self-care product category). By default, the controller disabled the pixel within the part of the website dedicated to prescription goods. At the same time, the pixel collected data about other products offered by the controller, in particular products to treat a variety of disorders (for example allergies or stomach disorders) and sexual wellness products.

In 2020, an employee of the controller, acting without the authorisation or knowledge of the controller, activated the Advanced Matching function of the pixel. The employee was one of three employees managing the pixel within the controller's organisation. As a result, the controller was provided with supplementary data that was not necessary for the purposes of the processing, as the pixel collected more data about the customers. This additional data was also transferred to Meta.

When a customer made a purchase with the controller, Meta received hashed data related to the customer, namely contact data, name and surname, social security data and address data. Meta was then able to match the data with a Facebook user ID and eventually deleted the hashed data. The estimated number of data subjects affected by the incident was up to 930,000.

As soon as the controller identified the new settings of the pixel (in 2022), it disabled the Advanced Matching function. The controller requested that Meta delete the data collected via the pixel. Meta explained that it had already deleted data older than two years and claimed to be unable to delete the newer data manually. Additionally, the controller published an announcement on its website informing the data subjects about the situation. Moreover, the controller implemented new technical and organisational measures to reduce the risk of future violations of that kind (inter alia, additional screening of the website's cookie settings and an e-learning course for employees).

The controller notified the Swedish DPA (IMY) about the incident.

Holding

The DPA found that the controller violated Article 32(1) GDPR. According to the DPA, the category of data processed by the controller via the pixel entailed a high risk for the data subjects (inter alia, due to its potentially sensitive nature). Because of that, the controller was obliged, by default, to adequately implement technical and organisational measures.

The DPA acknowledged the controller’s proactive approach to its data protection duties, inter alia the detailed risk assessment performed and ongoing compliance monitoring. The controller had also established and implemented a policy of reviewing purchased services from the perspective of IT security and data protection. Nevertheless, the controller's employee did not follow these rules in practice. Hence, for the DPA, the controller failed to adequately assess the risk associated with the pixel. Also, the controller did not identify the erroneous setting of the pixel for two years, which meant the compliance monitoring was not functioning well.

Accordingly, the DPA fined the controller SEK 37,000,000 (approximately €3,200,000).


English Machine Translation of the Decision

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.

Postal Address:
Box 8114
104 20 Stockholm

Website:
www.imy.se

Email:
imy@imy.se

Phone:
+46 8-657 61 00


Decision after Supervision according to the General Data Protection Regulation – Apoteket AB
Decision by the Swedish Authority for Privacy Protection

The Swedish Authority for Privacy Protection (IMY) has determined that Apoteket AB (registration number: 556138-6532) has processed personal data in violation of Article 32.1 of the General Data Protection Regulation (GDPR) by not implementing appropriate technical and organisational measures to ensure a suitable level of security for personal data when using the analytics tool Metapixel during the period from 19 January 2020 to 25 April 2022.

IMY has decided, pursuant to Articles 58.2 and 83 of the GDPR, that Apoteket AB shall pay an administrative fine of SEK 37,000,000.


Account of the Supervision Case
Background

On 25 April 2022, Apoteket AB (hereinafter referred to as "Apoteket") submitted a report of a personal data breach to the Swedish Authority for Privacy Protection (IMY). The report stated that Apoteket had used the analytics tool Metapixel from Meta Platforms Ireland Limited (formerly known as Facebook Pixel) on its website www.apoteket.se (the website) to enhance advertising targeting towards customers, thus allowing the transfer of data related to customers and website visitors to Meta, which was not intended to be transferred. Apoteket discovered the incident through information received from an external source. The breach report was preceded by media reports that Apoteket had transferred certain data about its customers’ online purchases to Meta.

IMY initiated supervision in May 2022 based on the information contained in the breach report. The supervision was limited to the question of whether Apoteket had implemented appropriate technical and organisational measures in accordance with Article 32 of the GDPR.


What Apoteket has stated

Responsibility for Personal Data

Apoteket is responsible for the personal data processing regarding the implementation of Metapixel (formerly Facebook Pixel) and the transfer of data to Meta (formerly Facebook).

Purpose of Processing

Apoteket has used Metapixel since 2017 for marketing purposes. The primary goal was to measure the effectiveness of the company's marketing on Meta’s social media platforms, Facebook and Instagram. The secondary purpose was to market products to visitors who had viewed self-care product pages without making a purchase, to encourage them to buy later. The pixel was used for the secondary purpose to a limited extent and only during specific periods. On 19 January 2020, the automatic advanced matching (AAM) function of Metapixel was activated, leading to more data being processed than before. The activation of the AAM function was not necessary to fulfil the processing purposes. The activation of Metapixel and the AAM function was carried out by individual employees without prior risk assessment, contrary to Apoteket's procedures. Apoteket became aware that potentially sensitive data had been shared only after the media reported on it. Apoteket decided to immediately deactivate Metapixel and the AAM function on 25 April 2022 after becoming aware of the extent of the data transferred.

Personal Data Transferred to Meta

The data transfer to Meta was not the same for all customers and depended on the customer's actions on the website. Apoteket did not transfer data about customers who had declined marketing cookies. For customers who consented to marketing cookies, the following event data was generally transferred through Metapixel:


URL
Value (value of the product or total cart)
Currency (e.g., "SEK")
Content IDs (Product ID, Apoteket's internal product number)
Content Type (e.g., "Product")
IP address

Since the activation of the AAM function, the following contact information was also transferred:


First and last name
Email address
Phone number
Personal identity number
Gender
City
Postal code
Country

The contact information was only transferred during completed purchases and in hashed form, meaning Meta could only read the information if they had previously had the corresponding information. Meta then tried to match the transferred contact information with a Facebook user ID and subsequently deleted it. If a customer logged in to "My Pages" with mobile BankID, the personal identity number was transferred as it was interpreted as a phone number.

Apoteket made a conscious decision not to transfer data about prescription drugs. This exclusion was achieved by not including Metapixel on the part of the website where a customer could add a prescription drug to the cart. Additionally, order lines containing prescription drugs were filtered out at the time of purchase from the product data by Apoteket's server before being transferred to Meta. If a visitor accepted marketing cookies and completed a purchase, data on the following products and/or product categories were shared via Metapixel with the AAM function activated:

a) Self-tests and treatments for sexually transmitted diseases
b) Contraceptives and morning-after pills
c) Sex toys
d) Products for vaginal health (e.g., dry mucous membranes, menopause symptoms, and yeast infections)
e) Products for prostate issues and urination problems
f) Pregnancy tests, ovulation tests, and pregnancy products
g) Products for the treatment of fungus (e.g., athlete's foot or nail fungus)
h) Products for the treatment and control of diabetes
i) Products for the treatment of rectal issues (e.g., anal fissures and haemorrhoids)
j) Products for the treatment of gastrointestinal problems (e.g., IBS, constipation, and diarrhoea)
k) Products for the treatment of migraines
l) Products for the treatment of allergies
m) Hearing aid accessories
n) Products for the treatment of bacterial infections
o) Products for the treatment of psoriasis
p) Products for the treatment of rosacea
q) Stoma products

Meta is fundamentally an authorised recipient, and not all data transfers of website visitors' information have been impermissible. The personal data breach concerns the potential transfer of sensitive personal data. However, not all products in Apoteket's range can be considered to provide information about a person's health or sex life, only products from a so-called privacy-sensitive range in combination with direct personal data. A person's actions on the website also do not necessarily indicate anything about their health or sex life until the customer adds a privacy-sensitive product to the cart or completes a purchase of such a product. However, it is not clear that this necessarily says anything about the individual customer, as many buy products for others, for preventive purposes, or for a "home pharmacy." Additionally, the self-care products sold by Apoteket do not necessarily belong to the so-called privacy-sensitive range. The legal situation is unclear, making it difficult to categorically state that sensitive personal data has been transferred.

If the transfer of sensitive personal data has occurred, it was not Apoteket's intention. However, Apoteket has a data processing agreement with Meta, and it is not a case of an unknown recipient of the data. The transfer has not occurred in an uncontrolled manner in the sense that unauthorised individuals accessed the information through a malicious hacker attack. The actual risk to the data subjects is therefore assessed as moderate. The transfer of personal identity numbers has not increased the risk to the data subjects since the data was transferred in a hashed form, using SHA256, and then deleted by Meta as the data could not be matched. The primary issue is that the data subjects have, to some extent, lost control over their personal data, but Apoteket's actions did not increase the risk to the data subjects. It should be considered mitigating that Meta has had an active signal filtering mechanism that filtered out sensitive data. Thus, the information has not been shared further or used by Apoteket or Meta. The harm to the data subjects is therefore limited.

Extent of the Incident

At the time of the report, the incident was estimated to have affected 500,001–1,000,000 data subjects. Apoteket has since stated that it is not possible to provide an exact number of data subjects affected by the event, partly because it does not involve a leak from a register or database that Apoteket had full control and oversight of, and because data transfer occurred directly between the user's browser and Meta. The group of potentially affected data subjects is influenced by several factors. The maximum number of affected individuals is 930,000. This estimate is based on the number of online purchases during the relevant period, considering that a certain proportion of purchases are made by returning customers and customers using ad blockers or who have declined cookies. Apoteket's view is that the incident only involves completed purchases and not data on individuals who clicked on products, added products to their cart, or started the payment process. Nine per cent of the total online sales during the relevant period of the incident consisted of products from the categories listed above in points a–q. Regarding the quantity of transferred personal data, Apoteket has noted that the number of unique products per purchase during the period was 1.41 products per customer. However, when assessing how many sensitive personal data items have been transferred, it must be considered that some purchases included self-care products (which do not reveal health information), were made for others, or involved multiple packages of the same product.

Technical and Organisational Security

Before the incident, Apoteket had proactive processes in place to ensure the correct handling of personal data, including comprehensive risk assessments and reviews by the Data Protection Officer regarding personal data issues. Apoteket's development process includes several control points to identify risks and ensure correct personal data processing. These control points include reviewing new solutions or features on the website from an information security and data protection perspective (through an information analysis), an architectural perspective, and a contractual perspective (if the solution is purchased), as well as code reviews before the solution is deployed on the website. Apoteket also conducts audits and penetration tests of the website to detect and address vulnerabilities.

In this case, Apoteket’s established IT development and risk assessment procedures were not followed by individual employees. A possible reason, which is not a justification, could be that the functionality was very easy to activate without significant development effort. At the time of activating the AAM function, administrative privileges in the Meta Business Manager tool were required, which two professional roles, comprising a total of three people, had. According to routine, privileges to the Meta Business Manager tool, including the AAM function, are regularly reviewed and controlled to ensure that only those who need access have it. However, no other desired routines for review and follow-up were established due to the activation of the pixel and AAM function not following Apoteket’s usual procedures.

After deactivating Metapixel and the AAM function, Apoteket had a dialogue with Meta about data deletion. Meta stated that data older than two years had already been deleted but that the company could not manually delete data from the last two years. Apoteket provided general information to the data subjects about the incident, which was published on the website at the end of April and in May 2022. To address specific questions and answers from customers, informational materials were provided to Apoteket employees. Apoteket has also taken measures to reduce the risk of similar incidents in the long term. The company conducted an inventory and analysis of cookies and analytics tools on the website, introduced a role with overall responsibility for the marketing department to ensure compliance with rules and guidelines, and improved its information security governance model. Employees already completed annual e-learning in security, including a chapter on data protection and information security. To further raise awareness after the incident, short e-learning courses on IT and information security were introduced.

Choice of Corrective Measure

Apoteket has transferred data to Meta that should not have been shared. However, the harm has been limited. The violation has not affected the core fulfilment of Apoteket’s obligations under Article 32 of the GDPR. Apoteket promptly reported the violation to IMY and took the possible measures to mitigate the consequences of the violation. These circumstances, combined with the fact that the violation occurred due to negligence, indicate that it is a minor violation, and a reprimand is therefore sufficient.

Regarding the seriousness of the violation, it has only slightly hindered the effective application of Article 32 of the GDPR. Furthermore, the violation occurred within a business activity, and the nature of the processing has therefore not involved any particular risks. There was also no dependency relationship between the data subjects and Apoteket. The processing was carried out for marketing purposes, which is not part of Apoteket's core business, which is to provide prescription and over-the-counter medicines. The personal data breach has indeed affected a relatively large number of data subjects, but the level of harm caused by the violation is low. The violation should at most be considered of medium severity.

There are reasons to consider how turnover is calculated in other EU legal areas, primarily competition law. This is because the majority of Apoteket's turnover comes from other parts of Apoteket's business, such as traditional retail trade and the healthcare and dose-dispensing business, rather than the area where the violation occurred. According to the European Commission's Guidelines on the calculation of fines imposed under Article 23(2)(a) of Regulation No 1/2003, the base amount for calculation should be determined by considering the value of sales of the goods or services directly or indirectly related to the violation which the company sold in the relevant geographic area within the EEA. Analogously, the part of Apoteket's turnover related to the business area where the violation occurred should be considered, that is, the turnover related to online sales of over-the-counter medicines, self-care products, hygiene articles, and skincare.

There are several mitigating factors regarding the violation, including the measures Apoteket has taken to mitigate the consequences for the data subjects, that Apoteket has fully cooperated with IMY, and that data was filtered out and thus not reached Meta for further processing. Apoteket also reported the incident on its initiative to IMY. Since economic gain from the violation can be seen as an aggravating factor in calculating the fine, Apoteket wants to clarify that the increase in sales that can possibly be linked to the use of the AAM function is negligible.


Reasoning of the Decision
IMY must first determine whether the GDPR applies and whether IMY is the competent supervisory authority. If so, IMY must consider whether Apoteket is the data controller and whether the company has implemented appropriate security measures under Article 32 of the GDPR to protect the personal data processed through Metapixel, with the AAM function activated, during the period from 19 January 2020 to 25 April 2022.

IMY’s Competence

Applicable Provisions

Article 95 of the GDPR states that the regulation should not impose additional obligations on natural or legal persons who process personal data for areas already covered by obligations under the so-called ePrivacy Directive. The ePrivacy Directive has been implemented into Swedish law through the Electronic Communications Act (2003:389) (LEK), which regulates, among other things, the collection of data through cookies.

According to Chapter 9, Section 28 of the LEK, which implements Article 5.3 of the ePrivacy Directive, data may only be stored in or retrieved from a subscriber's or user's terminal equipment if the subscriber or user has access to information about the purpose of the processing and consents to it. It also states that this does not prevent storage or access necessary to transmit an electronic message via an electronic communications network or is necessary to provide a service that the user or subscriber has expressly requested. The LEK entered into force on 22 August 2022. However, during the relevant time in this case, the same requirements applied under Chapter 6, Section 18 of the Electronic Communications Act (2003:389). The Swedish Post and Telecom Authority (PTS) is the supervisory authority under the LEK.

The European Data Protection Board (EDPB) has expressed its views on the interaction between the ePrivacy Directive and the GDPR. The opinion states that the national supervisory authority appointed under the ePrivacy Directive is solely competent to monitor compliance with the Directive. However, IMY is the competent supervisory authority under the GDPR for processing not specifically regulated by the ePrivacy Directive.

IMY's Assessment

IMY's review focuses on a situation where data subjects have used a service on Apoteket's website to order a product and have voluntarily provided the information captured by Metapixel. This data processing does not involve storing or retrieving data from a subscriber's or user's terminal equipment and is thus not covered by Chapter 9, Section 28 of the LEK or the previous corresponding provision in the Electronic Communications Act. This means that the GDPR's regulation applies to the personal data processing in question and that IMY is the competent supervisory authority. Furthermore, IMY's review concerns whether Apoteket has implemented adequate security measures, which is not specifically regulated in the LEK. Therefore, IMY is competent to investigate the issue covered by the supervision case.

Responsibility for Personal Data

Applicable Provisions

A data controller, according to Article 4.7 of the GDPR, is the entity that alone or together with others determines the purposes and means of processing personal data. The fact that the purposes and means can be determined by more than one entity means that several entities can be data controllers for the same processing.

The data controller must ensure and be able to demonstrate that the principles in Article 5.1 are complied with, as stated in Article 5.2 of the GDPR (the accountability principle).

IMY's Assessment

Apoteket has stated that it is the data controller for the implementation of Metapixel and the transfer of data to Meta.

The investigation in the case shows that Apoteket implemented Metapixel, a script-based tool in the form of a piece of code that records visitors' actions and transfers the information to Meta on its website, and subsequently activated the AAM function. The purpose of Metapixel was to increase the effectiveness of the company's marketing and, to some extent, target ads at previous visitors to the website. Apoteket has therefore determined how the processing should be conducted and for what purpose the personal data should be processed. IMY therefore assesses that Apoteket is the data controller for the processing of personal data carried out through the use of Metapixel with the AAM function activated.


Has Apoteket Ensured an Appropriate Level of Security for the Personal Data?

Applicable Provisions

The Requirement to Implement Appropriate Safeguards

Article 32.1 of the GDPR requires the data controller to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing. This must be done considering the state of the art, the implementation costs, and the nature, scope, context, and purpose of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons. According to the same provision, appropriate safeguards, where appropriate, include:

a) Pseudonymisation and encryption of personal data,
b) The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services,
c) The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, and
d) A process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures to ensure the security of processing.

In assessing the appropriate level of security, specific consideration must be given to the risks posed by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored, or otherwise processed, as stated in Article 32.2.

Recital 75 of the GDPR specifies factors to be considered when assessing the risk to the rights and freedoms of natural persons. Among other things, it mentions the loss of confidentiality concerning personal data that is subject to professional secrecy and whether the processing involves data concerning health or sexual life. It should also be considered if the processing concerns personal data of vulnerable natural persons, especially children, or if the processing involves a large amount of personal data concerning many data subjects.

Recital 76 of the GDPR states that the likelihood and severity of the risk to the data subjects' rights and freedoms should be determined based on the nature, scope, context, and purpose of the processing. The risk should be evaluated based on an objective assessment, determining whether the data processing involves a risk or a high risk.

Processing of Sensitive Personal Data

Data concerning health and sexual life constitutes special categories of personal data, so-called sensitive personal data, which is afforded particularly strong protection under the GDPR. As a general rule, processing such personal data is prohibited under Article 9.1 of the GDPR unless the processing falls under one of the exceptions in Article 9.2 of the Regulation.

Health data is defined in Article 4.15 of the GDPR as personal data related to the physical or mental health of a natural person, providing information about their health status. Recital 35 of the GDPR states that health data should include all data related to a data subject's health condition, providing information about the data subject's past, present, or future physical or mental health status.

The Court of Justice of the European Union (CJEU) in the Lindqvist case ruled that information that a person has injured their foot and is on part-time sick leave constitutes personal data concerning health under the Data Protection Directive (which was repealed by the GDPR). The CJEU stated that considering the purpose of the Data Protection Directive, the term "data concerning health" should be interpreted broadly and should include information related to all aspects of a person's health, both physical and mental. In the subsequent case, Vyriausioji tarnybinės etikos komisija, the CJEU concluded that the term sensitive personal data under Article 9.1 of the GDPR should be interpreted broadly and determined that even personal data that indirectly, after intellectual reasoning or cross-referencing, reveals a natural person's sexual orientation constitutes sensitive personal data under the relevant provision.

IMY’s Assessment

The Processing Involved a High Risk and Required a High Level of Protection

The data controller must implement measures to ensure a level of protection appropriate to the risks of processing. The assessment of the appropriate level of protection should consider, among other things, the nature, scope, context, and purpose of the processing, as well as the risks, of varying likelihood and severity, to the rights and freedoms of natural persons.

IMY must first determine what personal data Apoteket has transferred to Meta through Metapixel with the AAM function activated.

The investigation in the case shows that the activation of Metapixel's AAM function has resulted in Apoteket, provided a customer has accepted marketing cookies and not used an ad blocker, transferring information about completed purchases to Meta. The information transferred included data about purchased products (including the URL of the products on the website, product ID, and product type) and customer contact information (including first and last name, address, and phone number). The data transferred to Meta did not include prescription products but did include the following products and product categories:

a) Self-tests and treatments for sexually transmitted diseases
b) Contraceptives and morning-after pills
c) Sex toys
d) Products for vaginal health (e.g., dry mucous membranes, menopause symptoms, and yeast infections)
e) Products for prostate issues and urination problems
f) Pregnancy tests, ovulation tests, and pregnancy products
g) Products for the treatment of fungus (e.g., athlete's foot or nail fungus)
h) Products for the treatment and control of diabetes
i) Products for the treatment of rectal issues (e.g., anal fissures and haemorrhoids)
j) Products for the treatment of gastrointestinal problems (e.g., IBS, constipation, and diarrhoea)
k) Products for the treatment of migraines
l) Products for the treatment of allergies
m) Hearing aid accessories
n) Products for the treatment of bacterial infections
o) Products for the treatment of psoriasis
p) Products for the treatment of rosacea
q) Stoma products

It has emerged in the case that Meta has implemented a so-called filtering mechanism designed to detect and delete information transferred to Meta in violation of the company's policy. IMY has therefore requested information from Meta on how the filtering mechanism works. According to Meta's statement on 16 February 2024, the mechanism is designed to detect and delete potentially unauthorised information, such as health and financial data, in data users of the pixel transfer to Meta before it is stored and used in Meta's advertising system. When such data is detected and deleted, the user is notified, but the filtering mechanism operates even if no such notification is sent to the user. Based on this, IMY concludes that the pixel does not inherently contain a filtering mechanism that prevents data transfer to Meta. The filtering mechanism is designed to filter out potentially privacy-sensitive data only after it has been transferred to Meta and if Meta's system has identified that the transferred data contains such unauthorised information. The absence of notifications about unauthorised and deleted information cannot be considered confirmation that potentially privacy-sensitive data has not been transferred to Meta. The presence of the filtering function has, in summary, not prevented the confirmed transfer of personal data to Meta.

IMY makes the following assessment of the risks associated with the current data processing.

Processing involving sensitive personal data typically involves higher risks. The term sensitive personal data should be interpreted broadly and includes data that indirectly reveals such information. Apoteket has transferred data to Meta about which product a customer has purchased and data that identifies the customer, such as name, address, and phone number. IMY considers that the combination of data transferred to Meta has made it possible to determine that a specific person has purchased a specific product.

Apoteket has not transferred data about prescription products. However, many products in Apoteket's other range (see points a–q above) are such that information about a person purchasing them could reveal details about their health condition or sexual life. Apoteket has argued that the buyer is not necessarily the actual user of the product, and it is difficult to categorically state that sensitive personal data has been transferred. However, IMY considers that it is likely that at least some of the purchases of, for example, stoma products, products for rectal, urinary, and prostate issues, vaginal issues, and treatment for sexually transmitted diseases and diabetes have been made for personal use to treat a specific health condition. IMY therefore considers it likely that the processing has involved health data as defined in Article 4.15 of the GDPR. 

IMY makes the same assessment regarding purchases of, for example, morning-after pills and sex toys, i.e., it is likely that purchases in at least some cases were made for personal use and that the processing therefore revealed information about the individual's sexual life. When assessing the appropriate level of protection, Apoteket should therefore have considered that the processing might involve sensitive personal data.

IMY also considers that data on purchases of the specified products in points a–q, regardless of whether the data constitutes sensitive personal data or not, is of such a privacy-sensitive nature that it requires strong protection under the GDPR. It has also emerged that Apoteket in some cases has transferred other sensitive personal data in the form of personal identity numbers. Furthermore, the processing was carried out by a pharmacy where customers are assumed to have specific expectations that their personal data is handled with a high degree of confidentiality. IMY therefore concludes that both the nature of the personal data and the context in which it was processed have increased the risks to the data subjects' rights and freedoms.

IMY also notes that the processing was extensive. Apoteket had many customers during the period when Metapixel's AAM function was activated, and the company estimates that up to 930,000 people were affected by the incident. This estimate is based on the number of online purchases during the relevant period, considering that a certain percentage of purchases were made by returning customers and individuals using ad blockers or who declined cookies. Apoteket has also stated that 9 per cent of the total online purchases made during the period involved the privacy-sensitive products listed in points a–q. Although it is impossible to determine precisely how many of these purchases were made by data subjects who did not use ad blockers or decline marketing cookies, it can at least be concluded that the incident affected a large number of data subjects.

In summary, IMY assesses that the processing, given its nature, scope, and context, involved high risks that required a high level of protection for the personal data. The measures should have ensured, among other things, that the personal data was protected against unauthorised disclosure and loss of control.

Apoteket Has Not Implemented Sufficient Security Measures

IMY must then assess whether Apoteket has ensured the high level of protection required for personal data.

Apoteket has stated that the company had proactive processes in place before the incident to ensure the correct handling of personal data. In this case, however, established IT development and risk assessment procedures, including reviewing and updating information analyses for all changes to systems and tools, were not followed by individual employees. The investigation shows that Apoteket did not analyse the risks and consequences of the personal data processing involved in the implementation of Metapixel and the activation of the AAM function before the processing began. Apoteket also did not select and categorise which products would be processed. This led to the absence of a technical limitation on which data would be processed, beyond the exclusion of prescription products, and to privacy-sensitive data about purchases of over-the-counter medicines and medical devices being transferred to Meta.

A fundamental requirement for Apoteket to fulfil its obligations under the GDPR is that the company is aware of the processing under its responsibility. Apoteket, from 19 January 2020, when the AAM function was activated, until 25 April 2022, when Metapixel was removed, transferred more data to Meta than intended without detecting it themselves. Apoteket has stated that the activation of Metapixel's AAM function did not follow Apoteket's standard procedures, and no desired routines for review and follow-up were established. Since Apoteket only had routines to follow up on documented changes made according to set procedures, Apoteket lacked the ability to detect and address other changes that had been made or occurred otherwise. IMY, therefore, concludes that Apoteket lacked organisational procedures for systematically following up on unintentional changes in its systems.

IMY thus assesses that Apoteket, even considering what has been stated about the procedures in place at the time of the violation, cannot be considered to have implemented appropriate technical and organisational measures in relation to the high risks involved in the processing. Apoteket has therefore processed personal data in violation of Article 32.1 of the GDPR.

Choice of Sanctions

Applicable Provisions, etc.

In the event of violations of the GDPR, IMY has several corrective powers at its disposal under Article 58.2 of the GDPR. Article 58.2(i) of the GDPR states that IMY may impose administrative fines pursuant to Article 83 in addition to, or instead of, the other corrective measures referred to in Article 58.2, depending on the circumstances of each case.

Each supervisory authority shall ensure that the imposition of administrative fines is, in each case, effective, proportionate, and dissuasive, as stated in Article 83.1 of the GDPR.

Article 83.2 lists the factors to be considered when determining whether an administrative fine should be imposed and what should influence the amount of the fine. Relevant to the assessment of the severity of the violation is its nature, gravity, and duration. The EDPB has adopted guidelines on calculating administrative fines under the GDPR, which aim to create a harmonised method and principles for calculating fines.

According to Article 83.4, administrative fines of up to 10,000,000 EUR, or, in the case of a company, up to 2 per cent of the total worldwide annual turnover of the preceding financial year, whichever is higher, shall be imposed for violations of, among other things, Article 32.

If the violation is minor, IMY may, according to Recital 148, issue a reprimand under Article 58.2(b) of the Regulation instead of imposing a fine.

IMY’s Assessment

A Fine Should be Imposed

IMY has assessed that Apoteket processed personal data in violation of Article 32.1 of the GDPR.

The violation occurred because Apoteket processed personal data with an insufficient level of security, resulting in personal data of a privacy-sensitive and protected nature concerning a large number of data subjects being inadvertently transferred to Meta. Unauthorised access to this type of data poses a high risk to the rights and freedoms of the data subjects. The transfer continued for an extended period and was not detected and addressed until Apoteket was informed of the issue by an external party. IMY considers that this is not a minor violation that could result in a reprimand instead of a fine.

The CJEU has clarified that for administrative fines to be imposed under the GDPR, the data controller must have committed a violation intentionally or negligently. The CJEU has stated that data controllers can be fined for actions if they could not be considered ignorant that the action constituted a violation, regardless of whether they were aware they were breaching the GDPR provisions.

According to the accountability principle expressed in Article 5.2 of the GDPR, the data controller must ensure and be able to demonstrate that the processing complies with the GDPR. IMY, therefore, concludes that Apoteket is responsible for ensuring that the personal data processed within the company is processed in a manner that ensures an appropriate level of security. IMY has, in its assessment, determined that Apoteket has not met the requirements set out in the GDPR in this regard. Apoteket cannot be considered ignorant that its actions constituted a violation of the Regulation.

IMY therefore assesses that the conditions for imposing an administrative fine on Apoteket for the violations are met. When determining the size of the fine, IMY shall consider the circumstances listed in Article 83.2 and ensure that the fine is effective, proportionate, and dissuasive.

Basis for Calculating the Fine

IMY assesses that Apoteket’s annual turnover should form the basis for calculating the administrative fines in this case. The maximum fine applicable to companies for violations of Article 32 amounts to the higher of 10,000,000 EUR or 2 per cent of the total worldwide annual turnover of the previous financial year.

According to Apoteket's annual report for 2023, the annual turnover for that year was SEK 23,270,000,000. The maximum fine that can be imposed in this case is therefore 2 per cent of that amount, which is SEK 465,400,000. IMY notes that the applicable legislation provides no legal basis for calculating the fine on another amount, as Apoteket suggested is done under other EU legislation.

Severity of the Violation

According to the EDPB’s guidelines, the supervisory authority should assess whether the violation is of low, medium, or high severity according to Article 83.2(a), (b), and (g) of the GDPR.

The current violation affected a large number of data subjects and continued for an extended period. The data transferred included personal identity numbers and data indicating that directly identifiable individuals had purchased privacy-sensitive products. The unauthorised transfer has therefore posed a high risk to the rights and freedoms of the data subjects, in the form of a risk of loss of confidentiality for protected information. Furthermore, the violation occurred in a pharmacy business where data subjects must be assumed to have had a legitimate expectation of high confidentiality and that their personal data would not be disclosed to unauthorised parties. The sale of over-the-counter and other health-related products must also be considered part of Apoteket’s core business, which makes the violation more serious than if this had not been the case.

In assessing the severity of the violation, IMY also considers that Apoteket had implemented several appropriate technical and organisational security measures at the time of the violation. Furthermore, the personal data was transferred in hashed, i.e., unreadable, format to a single recipient, and therefore it was not an uncontrolled disclosure where the data, for example, was shared with many unauthorised parties or made publicly available on the web.

Considering the above circumstances, IMY assesses that this is a violation of Article 32.1 of the GDPR of low severity.

IMY must also consider any aggravating and mitigating factors listed in Article 83.2 of the GDPR when determining the amount of the fine. Following the violation, Apoteket has had a dialogue with Meta about deletion, provided information to the data subjects, and taken measures to reduce the risk of similar incidents in the long term. However, IMY notes that these measures were only taken after Apoteket was alerted to the existing deficiencies by an external party and that they cannot be considered to exceed what is expected of Apoteket in this case. Therefore, the measures taken do not affect IMY's assessment of the fine amount in a mitigating direction. The same applies to the fact that Apoteket submitted a report of the personal data breach and cooperated with IMY in investigating the violation, as these are circumstances that should be considered neutral when determining the fine amount.

IMY notes that no other circumstances affect IMY's assessment of the fine amount in an aggravating or mitigating direction.

The Fine Must be Effective, Proportionate, and Dissuasive

The administrative fine must be effective, proportionate, and dissuasive. This means that the amount should be set so that the administrative fine leads to correction, provides a preventive effect, and is also proportionate in relation to both the current violation and the supervised entity’s financial capacity.

IMY determines, based on an overall assessment, that Apoteket shall pay an administrative fine of SEK 37,000,000. IMY assesses that this amount is effective, proportionate, and dissuasive.


This decision has been made by the acting Director General David Törngren after a presentation by the lawyer Maja Welander. The final handling also involved the acting Chief Legal Officer Cecilia Agnehall, the Head of Unit Nidia Nordenström, the lawyer Shirin Daneshgari Nejad, and the IT and information security specialist Petter Flink.

David Törngren, 2024-08-29 (This is an electronic signature)

Attachment:
Information on Payment of the Fine

Copy to:
Data Protection Officer for Apoteket


How to Appeal
If you wish to appeal this decision, you must write to IMY. In your letter, indicate the decision you are appealing and the change you are requesting. The appeal must be received by IMY no later than three weeks from the day you received the decision. If you represent a public authority, the appeal must be submitted within three weeks from the date the decision was issued. If the appeal is submitted on time, IMY will forward it to the Administrative Court in Stockholm for review.

You can email the appeal to IMY if it does not contain any privacy-sensitive personal data or information that may be subject to confidentiality. The authority's contact details are listed on the first page of the decision.