IMY (Sweden) - IMY-2022-3270

From GDPRhub
IMY - IMY-2022-3270
Authority: IMY (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 32(1) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 29.08.2024
Published:
Fine: 37,000,000 SEK
Parties: Apoteket AB
Meta
National Case Number/Name: IMY-2022-3270
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Swedish
Original Source: IMY (Sweden) (in SV)
Initial Contributor: wp

The DPA fined the controller SEK 37,000,000 (approximately €3,200,000) for a violation of Article 32 GDPR. An erroneous setting of the Meta pixel embedded in the controller's website (the automatic Advanced Matching function) led to the transfer of customers' hashed contact data, including social security numbers, to Meta.

English Summary

Facts

A Swedish pharmacy company, Apoteket AB (the controller), had used the Meta pixel for marketing purposes since 2017. The pixel served to measure the effect of the controller's marketing on Facebook and Instagram and, additionally, to promote the controller's products to visitors of certain pages (the self-care product category). The controller had deliberately excluded the pixel from the part of the website dedicated to prescription goods.

In January 2020, individual employees of the controller activated the pixel's Advanced Matching function without the prior risk assessment required by the controller's routines. As a result, the pixel collected more data about customers than was necessary for the purposes of the processing, and that data was transferred to Meta.

When a customer completed a purchase, Meta received the customer's contact data in hashed form: first and last name, email address, telephone number, social security number, gender, city, postal code and country. Meta then attempted to match the hashed data with Facebook user IDs and thereafter deleted it. The maximum number of data subjects affected by the incident was estimated at 930,000.

When the controller became aware of the pixel's settings in April 2022 (following media reports), it disabled the pixel and the Advanced Matching function. It asked Meta to delete the data collected via the pixel; Meta replied that data older than two years had already been deleted and that it was unable to manually delete the more recent data. The controller also published a notice on its website informing data subjects of the situation, and implemented new technical and organisational measures to reduce the risk of similar incidents (inter alia an inventory and analysis of the cookies and analysis tools on the website, and e-learning courses for employees).

The controller notified the Swedish DPA (IMY) of the incident.

Holding

The DPA found that the controller had violated Article 32(1) GDPR. According to the DPA, the categories of data processed via the pixel entailed a high risk for the data subjects (inter alia because of their potentially sensitive nature). The controller was therefore obliged to implement technical and organisational measures adequate to that risk.

The DPA acknowledged the controller's proactive approach to its data protection duties, inter alia the detailed risk assessments it performed and its ongoing compliance monitoring. The controller had also established a policy for reviewing purchased services from an IT security and data protection perspective. Nevertheless, the controller's employees did not follow these rules in practice. The DPA therefore held that the controller had failed to adequately assess the risk associated with the pixel. Moreover, the controller did not detect the erroneous pixel setting for more than two years, which showed that its compliance monitoring was not functioning properly.

Accordingly, the DPA fined the controller SEK 37,000,000 (approximately €3,200,000).

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.

Diary number: IMY-2022-3270
Date: 2024-08-29

Decision after supervision under the Data Protection Regulation – Apoteket AB

The Swedish Authority for Privacy Protection's (IMY's) decision


IMY finds that Apoteket AB (556138-6532) has processed personal data in breach of Article 32(1) of the Data Protection Regulation by not taking appropriate technical and organisational measures to ensure a level of security appropriate to the risk for personal data when using the analysis tool the Meta pixel during the period 19 January 2020 – 25 April 2022.


IMY decides, pursuant to Articles 58(2) and 83 of the Data Protection Regulation, that Apoteket AB shall pay an administrative fine of SEK 37,000,000.


                               Account of the supervisory matter


                               Background etc.


On 25 April 2022, Apoteket AB (Apoteket) submitted a personal data breach notification to IMY. The notification showed that Apoteket used Meta Platforms Ireland Limited's (Meta's) analysis tool the Meta pixel on its website www.apoteket.se (the website) to improve advertising to customers, and that this had led to the transfer to Meta of data about customers and website visitors that was not meant to be transferred. Apoteket discovered the incident through information from an outsider. The breach notification was preceded by media reports that Apoteket transferred certain information about its customers' online purchases to Meta.

IMY opened supervision in May 2022 on the basis of the information in the breach notification. The supervision has been limited to the question of whether Apoteket has taken appropriate technical and organisational measures in accordance with Article 32 of the Data Protection Regulation.[1]

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

Postal address: Box 8114, 104 20 Stockholm. Website: www.imy.se. E-mail: imy@imy.se. Telephone: 08-657 61 00.






The handling of the case at IMY has taken place through an exchange of letters with Apoteket. IMY has also obtained information from Meta about how the Meta pixel and its filtering mechanism work.


                               What Apoteket has stated


Apoteket has essentially stated the following regarding the question under examination.


Controllership
Apoteket is the controller for the processing that consists of the implementation of the Meta pixel (formerly the Facebook pixel) and the transfer of data to Meta (formerly Facebook).


Purpose of the processing
Apoteket has used the Meta pixel since 2017. The processing has, overall, been carried out for marketing purposes. The primary purpose was to measure the effect of the company's marketing on Meta's social media platforms Facebook and Instagram. The secondary purpose was to market products to visitors who had visited product pages for self-care products without buying, in order to get these customers to buy at a later time. The pixel was used for the secondary purpose only to a limited extent and during limited periods. On 19 January 2020, the Meta pixel's automatic advanced matching function (the AAM function) was activated, which meant that more data than before came to be processed. Activating the AAM function was not necessary to fulfil the purposes of the processing. The activation of the Meta pixel and of the AAM function was carried out by individual employees without prior risk assessment, contrary to Apoteket's routines. Apoteket only became aware that information which could be regarded as sensitive had been shared after the media reported on it. Apoteket decided to immediately deactivate the Meta pixel and the AAM function on 25 April 2022, after the company's attention had been drawn to the extent of the data that had been transferred.


What personal data was transferred to Meta
The transfer to Meta has not looked the same for all customers, but has depended on the customer's actions on the website. Apoteket has not transferred information about customers who declined marketing cookies. For customers who accepted marketing cookies, the following event data was generally transferred through the Meta pixel:

    • URL
    • value (value of the product or of the customer's total basket)
    • currency (= "SEK")
    • content IDs (product ID, Apoteket's internal product number)
    • content type (= "Product")
    • IP address.

Since the AAM function was activated, the following contact information has also been transferred:

    • first and last name
    • email address
    • telephone number
    • social security number
    • gender
    • city
    • postal code
    • country.






The contact information was only transferred in the case of completed purchases, and then in hashed form, which meant that Meta could only read the information if it already held the corresponding information from before. Meta then attempted to match the transferred contact information with a user ID on Facebook and thereafter deleted it. When a customer logged in to "My pages" with mobile BankID, the social security number was transferred because it was interpreted as a telephone number.


Apoteket made an active choice not to transfer information about prescription goods. The exclusion was implemented by ensuring that the part of the website where a customer can put a prescription item in the shopping cart did not contain the Meta pixel. Furthermore, order lines containing prescription products were filtered out of the product data by Apoteket's server at the time of purchase, before the data was transferred to Meta. If a visitor had accepted marketing cookies and made a purchase, information about the following products and/or product categories was shared via the Meta pixel with the AAM function enabled:

    a) self-tests and treatment for venereal diseases
    b) contraceptives and the morning-after pill
    c) sex toys
    d) products for vaginal health (e.g. dry mucous membranes, menopause and vaginal fungal infections)
    e) products for prostate problems and urinary problems
    f) pregnancy tests, ovulation tests and pregnancy products
    g) products for the treatment of fungi (e.g. athlete's foot or nail fungus)
    h) products for the treatment and control of diabetes
    i) products for the treatment of rectal disorders (e.g. anal fissures and hemorrhoids)
    j) products for the treatment of stomach disorders (e.g. IBS, constipation and diarrhoea)
    k) products for the treatment of migraine
    l) products for the treatment of allergy
    m) accessories for hearing aids
    n) products for the treatment of bacterial infections
    o) products for the treatment of psoriasis
    p) products for the treatment of rosacea
    q) ostomy products.


Meta is essentially an authorised recipient, and the transfer of website visitors' information as such has not been unauthorised. What constituted a personal data breach is the possible transfer of sensitive personal data. Not all products in Apoteket's range can, however, be considered to reveal information about a person's health or sex life; only products from a so-called privacy-sensitive range, in combination with a direct identifier, can. Nor does a person's actions on the website necessarily say anything about the individual's health or sex life until the customer has placed a privacy-sensitive product in the shopping cart or completed a purchase of such a product. Even then it is not obvious that this says something about the individual customer, since many buy products for others, for preventive purposes or for a "home pharmacy". Moreover, the self-care products that Apoteket sells largely fall outside the so-called privacy-sensitive range. The legal position in this area is unclear, and it is difficult to say categorically that sensitive personal data has been transferred.


If sensitive personal data has been transferred, this was not Apoteket's intention. Apoteket has a data processing agreement with Meta, so this is not a case of an unknown recipient of the data. Nor did the transfer take place in an uncontrolled way in the sense that unauthorised persons gained access to the information through a hacking attack with obvious malicious intent. The actual risk to the data subjects is therefore assessed as moderate. The transfer of social security numbers has not increased the risk for the data subjects, since the data was transferred in obfuscated form, hashed with SHA-256,[2] and then deleted by Meta because the data could not be matched. The primary shortcoming consists in the fact that the data subjects have to some extent lost control over their personal data, but Apoteket's actions in themselves did not increase the risk for the data subjects. It should be seen as mitigating that Meta has had an active signal filtering mechanism that filtered out sensitive data. The information has therefore not been shared further or used by Apoteket or Meta. The harm to the data subjects is thus limited.


Scope of the incident
At the time of notification, the incident was estimated to have affected 500,001–1,000,000 data subjects. Apoteket has subsequently stated that it is not possible to give an exact figure for the number of data subjects affected. This is, among other things, because it is not a leak from a register or database over which Apoteket had full control and transparency, and because the transfer of data took place directly between the user's browser and Meta. The circle of potentially affected data subjects depends on several factors. The maximum number of affected individuals is 930,000. The calculation is based on the number of online purchases during the relevant period, taking into account that a certain percentage of purchases are made by repeat customers and by customers who use ad blockers or have refused cookies. Apoteket's view is that the incident only covers completed purchases, not information that a person clicked on products, added products to the shopping cart or started payment. Nine percent of total web sales during the period in which the incident took place consisted of products in the categories listed under points a–q above. As regards the amount of personal data transferred, Apoteket has further stated that the number of unique products per purchase during the period amounted to 1.41 products per customer. In assessing how much sensitive personal data was transferred, it must, however, be taken into account that some purchases included self-care products (which do not reveal information about health), were made for others, or comprised several packages of the same product.

Technical and organisational security
Before the incident, Apoteket had proactive processes in place to ensure correct handling of personal data, including detailed risk assessments and reviews by the data protection officer of matters relating to personal data. Apoteket's development process contains several control points to capture risks and ensure correct processing of personal data. The checkpoints consist of new solutions or functions on the website being reviewed from an information security and data protection perspective (through an information analysis), from an architectural perspective and contractually (if the solution is bought in), and code-reviewed before the solution goes into production on the website. Apoteket also carries out audits and penetration tests of the website in order to detect and fix vulnerabilities.

In the present case, Apoteket's established routines for IT development and risk assessment were not followed by individual employees. A probable cause, which is not a defence, may have been that the functionality was very easy to activate without any real development effort. At the time the AAM function was enabled, admin authorisation in the Meta Business Manager tool was held by two professional roles comprising a total of three people. As a routine, authorisations in the Meta Business Manager tool, including for the AAM function, are reviewed and checked regularly to ensure that only people who need access have it. Certain other desirable routines for review and follow-up had not been set up, since the activation of the pixel and the AAM function had not followed Apoteket's regular routines.

[2] Hashing is a one-way cryptographic function that can be used to achieve pseudonymisation, which is a possible security measure under Article 32 of the Data Protection Regulation, by replacing personal data with a so-called hash sum. This means that the replaced personal data is not available in plain text and that supplementary information is needed for the data subject to be identified.


After the Meta pixel and the AAM function were deactivated, Apoteket had a dialogue with Meta about deletion of the data. Meta has stated that data older than two years had already been deleted, but that the company cannot manually delete the data from the last two years. Apoteket produced general information for data subjects about the event, which was published on the website at the end of April and in May 2022. To be able to answer specific questions from customers, an information document was prepared for Apoteket's employees. Apoteket has also taken measures to reduce the long-term risk of similar events. The company has carried out an inventory and analysis of the cookies and analysis tools on the website, introduced a professional role with overall responsibility for compliance with rules and guidelines in the marketing department, and improved its control model for information security. Employees already completed an annual security e-training, which includes a chapter on data protection and information security. To further strengthen awareness after the incident, short e-training courses in IT and information security have been introduced.

Choice of corrective action
Apoteket has transferred information to Meta that should not have been shared. However, the harm has been limited. Nor has the breach affected the substance of Apoteket's fulfilment of its obligations under Article 32 of the Data Protection Regulation. Apoteket immediately reported the breach to IMY and took the measures that were possible to reduce its consequences. These circumstances, together with the fact that the breach occurred through negligence, mean that it is a breach of minor importance, and it is therefore sufficient to issue a reprimand.

As regards the seriousness of the breach, it has only to a small extent hindered the effective application of Article 32 of the Data Protection Regulation. Furthermore, the breach occurred within commercial activities, and the nature of the processing has therefore not entailed any special risks. Nor has there been any relationship of dependency between the data subjects and Apoteket. The processing took place for marketing purposes, which are not part of Apoteket's core business of providing prescription and over-the-counter medicines. The personal data breach has admittedly affected a relatively large number of data subjects, but the level of harm caused by the breach is low. The breach should be considered to be of at most medium seriousness.

There are reasons to consider how turnover is calculated in other areas of EU law, primarily competition law. This is because the majority of Apoteket's turnover derives from parts of Apoteket's operations other than the one in which the breach occurred, such as traditional retail and its care and dose-dispensing business. According to the Commission's Guidelines on the method of setting fines imposed pursuant to Article 23(2)(a) of Regulation No 1/2003,[3] the basic amount is to be determined by reference to the value of sales of goods or services to which the infringement directly or indirectly relates and which the undertaking sold in the relevant geographic area within the EEA. By analogy, only the part of Apoteket's turnover that relates to the part of the operations in which the breach took place should be taken into account, i.e. the turnover relating to online sales of over-the-counter medicines, personal care products, hygiene items and skin care.

[3] Council Regulation (EC) No 1/2003 of 16 December 2002 on the implementation of the rules on competition laid down in Articles 81 and 82 of the Treaty.






There are several mitigating circumstances surrounding the breach, including the measures Apoteket took to alleviate the consequences for the data subjects, the fact that Apoteket cooperated fully with IMY, and the fact that information was filtered out and therefore did not reach Meta for further processing. Apoteket also reported the incident to IMY on its own initiative. Since financial gain from the breach can be regarded as an aggravating factor when calculating the fine, Apoteket wishes to clarify that any increase in sales that could be linked to the use of the AAM function is next to non-existent.


Justification of the decision

IMY must first decide whether the Data Protection Regulation is applicable and whether IMY is the competent supervisory authority. If so, IMY must examine whether Apoteket is the controller and whether the company has taken appropriate security measures under Article 32 of the Data Protection Regulation to protect the personal data processed through the Meta pixel, with the AAM function enabled, during the period 19 January 2020 – 25 April 2022.


                                IMY's authorization


                                Applicable regulations
                                It follows from Article 95 of the Data Protection Regulation that the Data Protection Regulation shall not

                                entail any additional obligations for natural or legal persons who
                                processes personal data, for such areas that are already covered by obligations
                                according to the so-called eData protection directive. The eData Protection Directive has been implemented in

                                Swedish law through the Act (2003:389) on Electronic Communications (LEK), including
                                other collection of data through cookies is regulated.


Under Chapter 9, Section 28 LEK, which implements Article 5(3) of the ePrivacy Directive, information may be stored in, or retrieved from, a subscriber's or user's terminal equipment only if the subscriber or user is given information about the purpose of the processing and consents to it. The provision further states that this does not prevent such storage or access as is needed to transmit an electronic message over an electronic communications network, or as is necessary to provide a service that the user or subscriber has expressly requested. LEK entered into force on 22 August 2022. During the period at issue in the case, however, the same requirements applied under Chapter 6, Section 18 of the earlier Act (2003:389) on Electronic Communications. The Swedish Post and Telecom Authority (PTS) is the supervisory authority under LEK (Chapter 1, Section 5 of the Ordinance [2022:511] on electronic communications).


The European Data Protection Board (EDPB) has issued an opinion on the interplay between the ePrivacy Directive and the GDPR. It follows from the opinion, among other things, that the national supervisory authority designated under the ePrivacy Directive is alone competent to monitor compliance with that Directive. IMY is, however, the competent supervisory authority under the GDPR for processing that is not specifically regulated by the ePrivacy Directive.[5]





[4] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).
[5] Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR, in particular regarding the competence, tasks and powers of data protection authorities, adopted on 12 March 2019, paragraphs 68 and 69.





IMY's assessment

IMY's review concerns a situation in which data subjects have used a service on Apoteket's website to order a product and have themselves provided the information that the Meta pixel captured. This handling of information does not involve storing data in, or retrieving data from, a subscriber's or user's terminal equipment, and is therefore not covered by Chapter 9, Section 28 LEK or the previously applicable equivalent provision in the Act on Electronic Communications. This means that the GDPR applies to the personal data processing at issue and that IMY is the competent supervisory authority. In addition, IMY's review concerns whether Apoteket has taken sufficient security measures, which is not something specifically regulated in LEK. That circumstance also means that IMY is competent to examine the issue to which the supervisory matter relates.


Controllership

Applicable provisions

Under Article 4(7) GDPR, the controller is the person who alone or jointly with others determines the purposes and means of the processing of personal data. Since purposes and means can be determined by more than one actor, several actors can be controllers for the same processing.

Under Article 5(2) GDPR, the controller shall be responsible for, and be able to demonstrate, compliance with the principles in Article 5(1) (the accountability principle).

IMY's assessment

Apoteket has stated that the company is the controller for the introduction of the Meta pixel and for the transfer of data to Meta that has taken place.

The investigation shows that Apoteket introduced the Meta pixel, a script-based tool in the form of a piece of code that records visitor actions and transmits the information to Meta, on its website and then activated the AAM function. The purpose of the Meta pixel has been to increase the effectiveness of the company's marketing and, in certain cases, to target ads to previous visitors to the website. Apoteket has thus determined how the processing is to be carried out and for what purpose the personal data is to be processed. IMY therefore finds that Apoteket is the controller for the processing of personal data that has taken place through the use of the Meta pixel with the AAM function activated.


Has Apoteket ensured an appropriate level of security for the personal data?

Applicable provisions

The requirement to take appropriate protective measures

It follows from Article 32(1) GDPR that the controller must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing. Under the same provision, account must be taken of the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks, of varying likelihood and severity, to the rights and freedoms of natural persons. Under Article 32(1), appropriate protective measures include, as appropriate:






a) the pseudonymisation and encryption of personal data,
b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services,
c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, and
d) a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing.


When assessing the appropriate level of security, Article 32(2) requires that account be taken in particular of the risks presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.


Recital 75 GDPR lists factors to be taken into account when assessing the risk to the rights and freedoms of natural persons. It mentions, among other things, loss of confidentiality of personal data protected by professional secrecy and whether the processing concerns data about health or sex life. Account must further be taken of whether the processing concerns personal data of vulnerable natural persons, in particular children, or whether the processing involves a large amount of personal data and affects a large number of data subjects.


Recital 76 GDPR states that the likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing. Risk should be evaluated on the basis of an objective assessment, by which it is established whether the data processing involves a risk or a high risk.


Processing of sensitive personal data

Data concerning health and sex life constitute special categories of personal data, so-called sensitive personal data, which are given particularly strong protection under the GDPR. As a general rule, processing such personal data is prohibited under Article 9(1) GDPR, unless the processing is covered by one of the exceptions in Article 9(2).


Data concerning health is defined in Article 4(15) GDPR as personal data related to the physical or mental health of a natural person which reveal information about his or her health status. Recital 35 GDPR states that personal data concerning health should include all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject.


In the Lindqvist case, the Court of Justice of the European Union (CJEU) held that information that a person has injured their foot and is on part-time sick leave constitutes personal data concerning health under the Data Protection Directive[6] (the directive was repealed by the GDPR). The Court stated in that case that, having regard to the purpose of the Data Protection Directive, the expression "data concerning health" must be given a wide interpretation so as to include information concerning all aspects, both physical and mental, of a person's health.[7] In the later judgment Vyriausioji tarnybinės etikos komisija, the Court held that the concept of sensitive personal data under Article 9(1) GDPR must be interpreted broadly, and found that even personal data that indirectly, by means of an intellectual operation involving deduction or cross-referencing, reveal a natural person's sexual orientation constitute sensitive personal data under that provision.[8]

[6] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
[7] Judgment of the CJEU of 6 November 2003, Lindqvist, C-101/01, EU:C:2003:596, paragraphs 50–51.


IMY's assessment

The processing involved a high risk and required a high level of protection

The controller must take measures to ensure a level of protection that is appropriate in view of the risks of the processing. The assessment of the appropriate level of protection must take into account, among other things, the nature, scope, context and purposes of the processing as well as the risks, of varying likelihood and severity, to the rights and freedoms of natural persons.

IMY must first determine which personal data Apoteket transferred to Meta through the Meta pixel with the AAM function enabled.

The investigation shows that activating the AAM function of the Meta pixel meant that Apoteket, whenever a customer accepted marketing cookies and did not use an ad blocker, transferred information about completed purchases to Meta. The transferred data included information about the purchased products (including the URL of the product on the website, product ID and product type) and contact details of the customer (including first and last name, address and telephone number).


The data transferred to Meta did not include prescription products, but did include the following products and product categories:

a) self-tests and treatments for sexually transmitted diseases
b) contraceptives and the morning-after pill
c) sex toys
d) products for vaginal health (e.g. dry mucous membranes, menopause and vaginal yeast infections)
e) products for prostate and urinary problems
f) pregnancy tests, ovulation tests and pregnancy products
g) products for the treatment of fungal infections (e.g. athlete's foot or nail fungus)
h) products for the treatment and monitoring of diabetes
i) products for the treatment of rectal disorders (e.g. anal fissures and haemorrhoids)
j) products for the treatment of stomach problems (e.g. IBS, constipation and diarrhoea)
k) products for the treatment of migraine
l) products for the treatment of allergies
m) accessories for hearing aids
n) products for the treatment of bacterial infections
o) products for the treatment of psoriasis
p) products for the treatment of rosacea
q) ostomy products.


During the case it has emerged that Meta has implemented a so-called filtering mechanism, the purpose of which is to detect and delete information transferred to Meta in violation of the company's policies. In this connection, IMY obtained information from Meta about how the filtering mechanism works. Meta's statement of 16 February 2024 shows that the mechanism is designed to detect and delete potentially non-permitted information, such as information about health and finances, in the data that pixel users transfer to Meta, before it is stored and used in Meta's advertising system. When such data is detected and deleted, the pixel user receives a notification, but the filtering mechanism operates even if no such notification is sent. Against this background, IMY notes that the pixel itself contains no filtering mechanism that prevents the transfer of data to Meta. The filtering mechanism is designed to filter out potentially privacy-sensitive data only after it has been transferred to Meta, and only if Meta's systems have been able to identify that the transferred records contain such non-permitted information. The absence of notifications about non-permitted and deleted information therefore cannot in itself be regarded as confirmation that potentially privacy-sensitive data has not been transferred to Meta. In summary, the existence of the filtering function has not prevented the transfer of personal data to Meta observed in the case.

[8] Judgment of the CJEU of 1 August 2022, Vyriausioji tarnybinės etikos komisija, C-184/20, EU:C:2022:601, paragraphs 123–127.


IMY makes the following assessment of the risks of the processing at issue.

Processing that includes sensitive personal data normally involves higher risks. The concept of sensitive personal data must be interpreted broadly and also covers information that indirectly reveals such data. Apoteket has transferred to Meta information about which product a customer has purchased, together with information identifying the customer, including name, address and telephone number. IMY considers that the combination of data transferred to Meta has made it possible to infer that a specific person has purchased a specific product.


Apoteket has not transferred information about prescription products. Most of the products in Apoteket's remaining assortment (see points a–q above) are, however, of such a character that information that a person has bought such a product could reveal information about the individual's state of health or sex life. Apoteket has objected that it is not certain that the buyer is the actual user of the product and that it is difficult to state categorically that sensitive personal data has been transferred. IMY considers, however, that it is likely that at least some of the purchases of, for example, ostomy products, products for rectal, urinary and prostate problems, vaginal problems and treatment of sexually transmitted diseases and diabetes were made for personal use in order to treat a particular health condition. IMY therefore finds it likely that the processing has included data concerning health within the meaning of Article 4(15) GDPR. IMY makes the same assessment regarding purchases of, for example, the morning-after pill and sex toys, namely that the purchases were in at least some cases made for the buyer's own use and that the processing thereby revealed information about the individual's sex life. When assessing the appropriate level of protection, Apoteket should therefore have taken into account that the processing could include sensitive personal data.


IMY further finds that information about the purchase of the goods listed in points a–q, regardless of whether it constitutes sensitive personal data or not, is of such a privacy-sensitive nature that it requires strong protection under the GDPR. It has also emerged that Apoteket has in some cases transferred other personal data worthy of protection, in the form of personal identity numbers.[9] In addition, the processing was carried out by a pharmacy, where customers can be assumed to have particular expectations that their personal data is handled with a high degree of confidentiality. IMY therefore finds that both the nature of the personal data and the context in which it was processed entailed increased risks to the data subjects' rights and freedoms.

[9] Personal identity numbers are subject to special protection under Article 87 GDPR and Chapter 3, Section 10 of the Act (2018:218) with supplementary provisions to the EU General Data Protection Regulation.


IMY also notes that the processing has been extensive. Apoteket had a large number of customers during the period in which the AAM function of the Meta pixel was activated, and the company estimates that up to 930,000 people have been affected by the incident. The estimate is based on the number of web purchases during the period, taking into account that a certain proportion of purchases were made by repeat customers and by individuals who use ad blockers or declined cookies. Apoteket has also stated that 9 percent of all web purchases during the period involved the privacy-sensitive products listed in points a–q. IMY finds that, on the basis of these figures, even though it is not possible to determine exactly how many of these purchases were made by data subjects who did not use ad blockers or decline marketing cookies, it can in any event be established that the incident affected a large number of data subjects.


In summary, IMY finds that the processing, having regard to its nature, scope and context, involved high risks which required a high level of protection for the personal data. The measures should, among other things, have ensured that the personal data was protected against unauthorised disclosure and loss of control.


Apoteket has not taken sufficient security measures

IMY must then assess whether Apoteket ensured the high level of protection that the personal data required.

Apoteket has stated that the company had proactive processes in place before the incident to ensure correct handling of personal data. In the present case, however, the established routines for IT development and risk assessment, which include among other things review and updating of information analyses for all changes to systems and tools, were not followed by individual employees. The investigation shows that Apoteket consequently did not analyse, before the processing began, the risks and consequences that the personal data processing resulting from the introduction of the Meta pixel and the activation of the AAM function would entail. Nor did Apoteket make any selection and categorisation of which products would be covered by the processing. As a result, apart from the exclusion of prescription goods, there was no technical restriction on which data would be covered by the processing, and privacy-sensitive information about, for example, purchases of over-the-counter medicines and medical devices was transferred to Meta.
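The technical restriction that the decision finds missing, shown as an added example that is not code from Apoteket, Meta or the decision: a per-item category gate applied before the pixel's Purchase event is built, no customer contact data in the call, and a replay audit of the recorded pixel calls so that an unintended change shows up without waiting for a notification from Meta. The category codes, the sample order, the catalogue and the recording fbq() stub are constructed assumptions; the fbq('init', ...) and fbq('track', 'Purchase', ...) call shapes and the Advanced Matching keys (em, fn, ln, ph and so on) are Meta's documented parameter names.

```javascript
'use strict';

// Added example, not code from Apoteket, Meta or the decision. The category
// codes, the sample order and the recording fbq() stub are constructed
// assumptions; only the Meta pixel call shapes fbq('init', ...) and
// fbq('track', 'Purchase', ...) and the Advanced Matching keys are real.

// Product categories corresponding to points a–q of the decision (the
// category codes are an assumption about how a shop might tag its catalogue).
const SENSITIVE_CATEGORIES = new Set([
  'sti', 'contraception', 'sex-toys', 'vaginal-health', 'prostate-urinary',
  'pregnancy', 'antifungal', 'diabetes', 'rectal', 'stomach', 'migraine',
  'allergy', 'hearing-aid', 'antibacterial', 'psoriasis', 'rosacea', 'ostomy',
]);

// Keys the pixel's Advanced Matching feature uses for customer contact data.
const CONTACT_KEYS = new Set(
  ['em', 'fn', 'ln', 'ph', 'ct', 'st', 'zp', 'country', 'external_id']);

// Recording stand-in for the real fbq() so the example runs offline.
function makeRecorder() {
  const calls = [];
  return { fbq: (...args) => { calls.push(args); }, calls };
}

// The behaviour the decision describes: prescription goods are the only
// exclusion, and contact details travel with the purchase. (Automatic
// Advanced Matching picks these up from form fields; passing them to 'init'
// models the same transfer explicitly.)
function trackPurchaseUnrestricted(fbq, order) {
  const items = order.items.filter((i) => !i.prescription);
  if (items.length === 0) return false;
  fbq('init', order.pixelId, {
    em: order.customer.email, fn: order.customer.firstName,
    ln: order.customer.lastName, ph: order.customer.phone,
  });
  fbq('track', 'Purchase', {
    value: order.total, currency: 'SEK',
    content_ids: items.map((i) => i.sku), content_type: 'product',
  });
  return true;
}

// Hardened variant: the category gate is applied per item before anything is
// built, no contact data is passed, and the payload is checked for contact
// keys as a last guard against a later "helpful" change.
function trackPurchaseRestricted(fbq, order) {
  const items = order.items.filter(
    (i) => !i.prescription && !SENSITIVE_CATEGORIES.has(i.category));
  if (items.length === 0) return false;
  const payload = {
    value: items.reduce((sum, i) => sum + i.price, 0), currency: 'SEK',
    content_ids: items.map((i) => i.sku), content_type: 'product',
  };
  for (const key of Object.keys(payload)) {
    if (CONTACT_KEYS.has(key)) throw new Error(`contact key in pixel payload: ${key}`);
  }
  fbq('init', order.pixelId);
  fbq('track', 'Purchase', payload);
  return true;
}

// The follow-up check the decision found missing: replay recorded pixel calls
// against the catalogue and report every call that carries contact data or a
// sensitive SKU. Run it over calls captured from a test checkout after each
// deploy, not only when a documented change was made.
function auditPixelCalls(calls, catalogue) {
  const findings = [];
  calls.forEach(([event, , data], idx) => {
    if (!data) return;
    if (event === 'init') {
      const leaked = Object.keys(data).filter((k) => CONTACT_KEYS.has(k));
      if (leaked.length) findings.push({ call: idx, issue: 'contact-data', keys: leaked });
    }
    for (const sku of data.content_ids || []) {
      const cat = catalogue[sku];
      if (SENSITIVE_CATEGORIES.has(cat)) findings.push({ call: idx, issue: 'sensitive-sku', sku, category: cat });
    }
  });
  return findings;
}

// Constructed sample order: one ostomy product and one sunscreen.
const CATALOGUE = { 'SKU-OST-1': 'ostomy', 'SKU-SUN-1': 'suncare' };
const SAMPLE_ORDER = {
  pixelId: '000000000000000',
  total: 329,
  customer: { email: 'a@example.com', firstName: 'A', lastName: 'B', phone: '+4670000000' },
  items: [
    { sku: 'SKU-OST-1', category: 'ostomy', price: 249, prescription: false },
    { sku: 'SKU-SUN-1', category: 'suncare', price: 80, prescription: false },
  ],
};

// Runs both variants on the sample order and audits what each would have sent.
function demo() {
  const before = makeRecorder();
  trackPurchaseUnrestricted(before.fbq, SAMPLE_ORDER);
  const after = makeRecorder();
  trackPurchaseRestricted(after.fbq, SAMPLE_ORDER);
  return {
    beforeFindings: auditPixelCalls(before.calls, CATALOGUE),
    afterFindings: auditPixelCalls(after.calls, CATALOGUE),
    afterPayload: after.calls[1][2],
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

On the sample order the unrestricted variant produces two audit findings (contact data on the init call, an ostomy SKU on the Purchase call); the restricted variant produces none and its Purchase payload carries only the sunscreen SKU. The audit is the part that addresses the decision's organisational point: it works from what the page actually sends, so it catches a change nobody documented.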


A fundamental prerequisite for Apoteket to be able to fulfil its obligations under the GDPR is that the company is aware of what processing takes place under its responsibility. For a long period, from 19 January 2020, when the AAM function was activated, until 25 April 2022, when the Meta pixel was removed, Apoteket transferred more data than intended to Meta without discovering this itself. Apoteket has stated that the activation of the AAM function of the Meta pixel did not follow Apoteket's regular routines and that certain desirable routines for review and follow-up were therefore not set up. Because Apoteket only had routines for following up documented changes carried out according to the established routines, Apoteket lacked the ability to detect and remedy other changes that were actually implemented or that arose in some other way. Against this background, IMY finds that Apoteket lacked organisational routines for systematically following up unintended changes in its systems.






IMY therefore finds that Apoteket, also taking into account what has been stated about the procedures that existed at the time of the infringement, cannot be considered to have taken appropriate technical and organisational measures in relation to the high risks that the processing entailed. Apoteket has therefore processed personal data in breach of Article 32(1) GDPR.


Choice of corrective measure

Applicable provisions, etc.

In the event of infringements of the GDPR, IMY has a number of corrective powers at its disposal under Article 58(2). It follows from Article 58(2)(i) that IMY must, in accordance with Article 83, impose administrative fines in addition to, or instead of, the other corrective measures referred to in Article 58(2), depending on the circumstances of each individual case.

Each supervisory authority must ensure that the imposition of administrative fines in each individual case is effective, proportionate and dissuasive. This follows from Article 83(1) GDPR.

Article 83(2) sets out the factors to be taken into account when deciding whether an administrative fine is to be imposed, as well as the factors that affect the amount of the fine. Of importance for assessing the gravity of the infringement are, among other things, its nature, gravity and duration. The EDPB has adopted guidelines on the calculation of administrative fines under the GDPR aimed at establishing a harmonised method and principles for calculating fines.[10]

Under Article 83(4), infringements of, among other provisions, Article 32 are subject to administrative fines of up to EUR 10,000,000 or, in the case of an undertaking, up to 2 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher.

In the case of a minor infringement, IMY may, as stated in recital 148, issue a reprimand under Article 58(2)(b) of the Regulation instead of imposing an administrative fine.

IMY's assessment

An administrative fine must be imposed

IMY has concluded that Apoteket processed personal data in breach of Article 32(1) of the Data Protection Regulation.

The infringement occurred through Apoteket processing personal data with an insufficient level of security, which resulted in privacy-sensitive personal data of a protectable nature concerning a large number of data subjects being unintentionally transferred to Meta. Unauthorised access to this type of data entails a high risk for the rights and freedoms of the data subjects. The transfer went on for a long time and was not detected and remedied until Apoteket was informed of the deficiency by an external party.

IMY considers that this is not such a minor infringement that a reprimand could be issued instead of an administrative fine.



[10] EDPB Guidelines 04/2022 on the calculation of administrative fines under the GDPR.






The Court of Justice of the European Union has clarified that, for an administrative fine to be imposed under the Data Protection Regulation, the controller must have committed the infringement intentionally or negligently. The Court has stated that a controller may be fined for conduct where it could not have been unaware of the infringing nature of that conduct, regardless of whether it was aware that it was infringing the provisions of the Data Protection Regulation.[11]

According to the principle of accountability, expressed in, among other provisions, Article 5(2) of the Data Protection Regulation, the controller must ensure, and be able to demonstrate, that the processing complies with the Regulation. IMY therefore finds that Apoteket is responsible for ensuring that the personal data processed in its business is processed in a manner that ensures an appropriate level of security. In its review, IMY has found that Apoteket did not meet the requirements that the Data Protection Regulation sets in this respect. Apoteket cannot be considered to have been unaware that its conduct entailed an infringement of the Regulation.[12]

IMY therefore finds that the conditions for imposing an administrative fine on Apoteket for the infringement are met. When determining the amount of the fine, IMY must take into account the circumstances set out in Article 83(2) and ensure that the administrative fine is effective, proportionate and dissuasive.


Starting points for the calculation of the administrative fine

IMY considers that Apoteket's annual turnover should form the basis for calculating the administrative fine in the present case. The maximum fine applicable to undertakings for infringements of Article 32 is the higher of EUR 10,000,000 or 2 percent of the total worldwide annual turnover of the preceding financial year.

Apoteket's annual report for 2023 shows that the annual turnover for that year was SEK 23,270,000,000.[13] The highest fine that can be set in the case therefore amounts to 2 percent of that amount, i.e. SEK 465,400,000. IMY notes that the applicable legislation provides no support for calculating the fine on the basis of a different amount in the manner that Apoteket has argued is done when applying other EU legislation.


The seriousness of the infringement

It follows from the EDPB's guidelines that the supervisory authority must assess whether the infringement is of low, medium or high seriousness on the basis of Article 83(2)(a), (b) and (g) of the Data Protection Regulation.[14]

The infringement in question has involved a large number of data subjects and has been ongoing for a long time. The data transferred has included personal identity numbers and information that directly identifiable persons have purchased privacy-sensitive products. The unauthorised transfer has therefore entailed a high risk for the data subjects' rights and freedoms in the form of a risk of loss of confidentiality for data worthy of protection. Furthermore, the infringement occurred in a pharmacy business, where the data subjects must be considered to have had a legitimate expectation of a high degree of confidentiality and that their personal data would not be disseminated to unauthorised persons. Sales of non-prescription and other health-related products must, in addition, be considered part of Apoteket's core business, which means that the infringement must be considered more serious than would otherwise have been the case.[15]

In assessing the degree of seriousness, IMY also takes into account that Apoteket, at the time of the infringement, had taken a number of appropriate technical and organisational security measures. Furthermore, the personal data was transferred in hashed, i.e. unreadable, form to a single recipient; it is therefore not a case of uncontrolled disclosure where the information has, for example, been shared with many unauthorised persons or been publicly available on the web.

In the light of the above circumstances, IMY assesses that, taken as a whole, the infringement of Article 32(1) of the Data Protection Regulation is of a low degree of seriousness.

[11] Judgment of the Court of Justice of the European Union of 5 December 2023, Nacionalinis visuomenės sveikatos centras, C-683/21, EU:C:2023:949, paragraph 81, and judgment of 5 December 2023, Deutsche Wohnen SE, C-807/21, EU:C:2023:950, paragraph 76.
[12] On the assessment of negligence, see also the judgment of the Court of Appeal in Stockholm of 11 March 2024 in case 2829-23, p. 12.
[13] Apoteket is the parent company of a group. Where the undertaking is required to prepare consolidated accounts, the consolidated accounts of the group's parent company are relevant for reflecting the undertaking's total turnover; see EDPB Guidelines 04/2022 on the calculation of administrative fines under the GDPR, point 130.
[14] EDPB Guidelines 04/2022 on the calculation of administrative fines under the GDPR, point 60.


In its assessment of the amount of the fine, IMY must also take into account the aggravating and mitigating factors listed in Article 83(2) of the Data Protection Regulation. After the infringement, Apoteket has, among other things, engaged in a dialogue with Meta about deletion, provided information to the data subjects and taken measures to reduce the risk of similar incidents in the long term. IMY notes, however, that these measures were taken only after Apoteket had been alerted to the deficiencies by a third party, and that they cannot be considered to go beyond what is expected of Apoteket in the present case. The measures taken therefore do not affect IMY's assessment of the amount of the fine in a mitigating direction. The same applies to the fact that Apoteket submitted a personal data breach notification and cooperated with IMY in the investigation of the infringement, since these are circumstances that must be considered neutral when determining the fine.[16]

IMY notes that no other circumstances have emerged that affect IMY's assessment of the amount of the fine in an aggravating or mitigating direction.

The administrative fine must be effective, proportionate and dissuasive

The administrative fine must be effective, proportionate and dissuasive. This means that the amount must be set so that the fine leads to correction, has a preventive effect and is also proportionate in relation to both the infringement in question and the supervised entity's ability to pay.

Based on an overall assessment, IMY decides that Apoteket must pay an administrative fine of SEK 37,000,000. IMY considers this amount to be effective, proportionate and dissuasive.

[15] The more central a processing operation is to the controller's activities, the more serious deficiencies in that processing are. See EDPB Guidelines 04/2022 on the calculation of administrative fines under the GDPR, point 53.
[16] EDPB Guidelines 04/2022 on the calculation of administrative fines under the GDPR, points 95–98.






This decision has been made by Acting Director General David Törngren after presentation by legal adviser Maja Welander. Acting Head of Legal Affairs Cecilia Agnehall, Head of Unit Nidia Nordenström, legal adviser Shirin Daneshgari Nejad and IT and information security specialist Petter Flink also participated in the final processing.

David Törngren, 2024-08-29 (This is an electronic signature)

Appendix
Information on payment of the administrative fine

Copy to
Data protection officer for Apoteket






How to appeal

If you want to appeal the decision, you must write to IMY. State in the letter which decision you are appealing and the change you are requesting. The appeal must have been received by IMY no later than three weeks from the day you received the decision. If you are a party representing the public interest, however, the appeal must have been received within three weeks from the day the decision was announced. If the appeal has been received in time, IMY forwards it to the Administrative Court in Stockholm for examination.

You can e-mail the appeal to IMY if it does not contain any privacy-sensitive personal data or information that may be subject to confidentiality. The authority's contact details appear on the first page of the decision.