IMY (Sweden) - IMY-2022-3270

From GDPRhub
Revision as of 11:38, 3 September 2024 by Wp (wording changed - short summary, facts and holding)
IMY - IMY-2022-3270
Authority: IMY (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 32(1) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 29.08.2024
Published:
Fine: 37000000 SEK
Parties: Apoteket AB
Meta
National Case Number/Name: IMY-2022-3270
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Swedish
Original Source: IMY (Sweden) (in SV)
Initial Contributor: wp

The DPA fined the controller SEK 37,000,000 (approximately €3,200,000) for a violation of Article 32 GDPR. A misconfiguration of Meta's pixel, embedded in the controller's website, caused more personal data to be transferred to Meta than intended.

English Summary

Facts

A Swedish pharmacy company, Apoteket AB (the controller), had been using the Meta pixel for marketing purposes since 2017. The pixel served to measure the controller's marketing activity on Facebook and Instagram and, in addition, to promote the controller's products to visitors of certain pages (the self-care product category). By default, the controller disabled the pixel on the part of the website dedicated to prescription goods. At the same time, the pixel collected data about the other products offered by the controller, in particular products for treating a variety of disorders (for example allergies or stomach disorders) and sexual wellness products.

In 2020, an employee of the controller, acting without the controller's authorisation or knowledge, activated the Advanced Matching function of the pixel. The employee was one of three employees managing the pixel within the controller's organisation. As a result, the pixel collected more data about customers than was necessary for the purposes of the processing, and this additional data was transferred to Meta.

When a customer made a purchase from the controller, Meta received hashed data about the customer, namely contact data, first and last name, social security data and address data. Meta was then able to match the data with a Facebook user ID and eventually deleted the hashed data. The estimated number of data subjects affected by the incident was up to 930,000.

As soon as the controller identified the new pixel settings (in 2022), it disabled the Advanced Matching function. The controller asked Meta to delete the data collected via the pixel. Meta explained that it had already deleted data older than two years and that it was unable to delete the newer data manually. Additionally, the controller published an announcement on its website informing data subjects about the situation. Moreover, the controller implemented new technical and organisational measures to reduce the risk of future violations of this kind (inter alia, additional screening of the website's cookie settings and an e-learning course for employees).

The controller notified the Swedish DPA (IMY) about the incident.

Holding

The DPA found that the controller had violated Article 32(1) GDPR. According to the DPA, the categories of data processed by the controller via the pixel entailed a high risk for the data subjects (inter alia, due to their potentially sensitive nature). Because of that, the controller was obliged to implement adequate technical and organisational measures by default.

The DPA acknowledged the controller's proactive approach to its data protection duties, inter alia the detailed risk assessment performed and its ongoing compliance monitoring. The controller had also established and implemented a policy of reviewing purchased services from an IT security and data protection perspective. Nevertheless, the controller's employee did not follow these rules in practice. Hence, in the DPA's view, the controller failed to adequately assess the risk associated with the pixel. Moreover, the controller did not identify the erroneous pixel setting for two years, which showed that its compliance monitoring was not functioning well.

Accordingly, the DPA fined the controller SEK 37,000,000 (approximately €3,200,000).

English Machine Translation of the Decision

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.

Postal Address:
Box 8114
104 20 Stockholm

Website:
www.imy.se

Email:
imy@imy.se

Phone:
+46 8-657 61 00


Decision after Supervision according to the General Data Protection Regulation – Apoteket AB
Decision by the Swedish Authority for Privacy Protection

The Swedish Authority for Privacy Protection (IMY) has determined that Apoteket AB (registration number: 556138-6532) has processed personal data in violation of Article 32.1 of the General Data Protection Regulation (GDPR) by not implementing appropriate technical and organisational measures to ensure a suitable level of security for personal data when using the analytics tool Metapixel during the period from 19 January 2020 to 25 April 2022.

IMY has decided, pursuant to Articles 58.2 and 83 of the GDPR, that Apoteket AB shall pay an administrative fine of SEK 37,000,000.


Account of the Supervision Case
Background

On 25 April 2022, Apoteket AB (hereinafter referred to as "Apoteket") submitted a report of a personal data breach to the Swedish Authority for Privacy Protection (IMY). The report stated that Apoteket had used the analytics tool Metapixel from Meta Platforms Ireland Limited (formerly known as Facebook Pixel) on its website www.apoteket.se (the website) to enhance advertising targeting towards customers, thus allowing the transfer of data related to customers and website visitors to Meta, which was not intended to be transferred. Apoteket discovered the incident through information received from an external source. The breach report was preceded by media reports that Apoteket had transferred certain data about its customers’ online purchases to Meta.

IMY initiated supervision in May 2022 based on the information contained in the breach report. The supervision was limited to the question of whether Apoteket had implemented appropriate technical and organisational measures in accordance with Article 32 of the GDPR.


What Apoteket has stated

Responsibility for Personal Data

Apoteket is responsible for the personal data processing regarding the implementation of Metapixel (formerly Facebook Pixel) and the transfer of data to Meta (formerly Facebook).

Purpose of Processing

Apoteket has used Metapixel since 2017 for marketing purposes. The primary goal was to measure the effectiveness of the company's marketing on Meta’s social media platforms, Facebook and Instagram. The secondary purpose was to market products to visitors who had viewed self-care product pages without making a purchase, to encourage them to buy later. The pixel was used for the secondary purpose to a limited extent and only during specific periods. On 19 January 2020, the automatic advanced matching (AAM) function of Metapixel was activated, leading to more data being processed than before. The activation of the AAM function was not necessary to fulfil the processing purposes. The activation of Metapixel and the AAM function was carried out by individual employees without prior risk assessment, contrary to Apoteket's procedures. Apoteket became aware that potentially sensitive data had been shared only after the media reported on it. Apoteket decided to immediately deactivate Metapixel and the AAM function on 25 April 2022 after becoming aware of the extent of the data transferred.

Personal Data Transferred to Meta

The data transfer to Meta was not the same for all customers and depended on the customer's actions on the website. Apoteket did not transfer data about customers who had declined marketing cookies. For customers who consented to marketing cookies, the following event data was generally transferred through Metapixel:


URL
Value (value of the product or total cart)
Currency (e.g., "SEK")
Content IDs (Product ID, Apoteket's internal product number)
Content Type (e.g., "Product")
IP address

Since the activation of the AAM function, the following contact information was also transferred:


First and last name
Email address
Phone number
Personal identity number
Gender
City
Postal code
Country

The contact information was only transferred during completed purchases and in hashed form, meaning Meta could only read the information if they had previously had the corresponding information. Meta then tried to match the transferred contact information with a Facebook user ID and subsequently deleted it. If a customer logged in to "My Pages" with mobile BankID, the personal identity number was transferred as it was interpreted as a phone number.

Apoteket made a conscious decision not to transfer data about prescription drugs. This exclusion was achieved by not including Metapixel on the part of the website where a customer could add a prescription drug to the cart. Additionally, order lines containing prescription drugs were filtered out at the time of purchase from the product data by Apoteket's server before being transferred to Meta. If a visitor accepted marketing cookies and completed a purchase, data on the following products and/or product categories were shared via Metapixel with the AAM function activated:

a) Self-tests and treatments for sexually transmitted diseases
b) Contraceptives and morning-after pills
c) Sex toys
d) Products for vaginal health (e.g., dry mucous membranes, menopause symptoms, and yeast infections)
e) Products for prostate issues and urination problems
f) Pregnancy tests, ovulation tests, and pregnancy products
g) Products for the treatment of fungus (e.g., athlete's foot or nail fungus)
h) Products for the treatment and control of diabetes
i) Products for the treatment of rectal issues (e.g., anal fissures and haemorrhoids)
j) Products for the treatment of gastrointestinal problems (e.g., IBS, constipation, and diarrhoea)
k) Products for the treatment of migraines
l) Products for the treatment of allergies
m) Hearing aid accessories
n) Products for the treatment of bacterial infections
o) Products for the treatment of psoriasis
p) Products for the treatment of rosacea
q) Stoma products

Meta is fundamentally an authorised recipient, and not all data transfers of website visitors' information have been impermissible. The personal data breach concerns the potential transfer of sensitive personal data. However, not all products in Apoteket's range can be considered to provide information about a person's health or sex life, only products from a so-called privacy-sensitive range in combination with direct personal data. A person's actions on the website also do not necessarily indicate anything about their health or sex life until the customer adds a privacy-sensitive product to the cart or completes a purchase of such a product. However, it is not clear that this necessarily says anything about the individual customer, as many buy products for others, for preventive purposes, or for a "home pharmacy." Additionally, the self-care products sold by Apoteket do not necessarily belong to the so-called privacy-sensitive range. The legal situation is unclear, making it difficult to categorically state that sensitive personal data has been transferred.

If the transfer of sensitive personal data has occurred, it was not Apoteket's intention. However, Apoteket has a data processing agreement with Meta, and it is not a case of an unknown recipient of the data. The transfer has not occurred in an uncontrolled manner in the sense that unauthorised individuals accessed the information through a malicious hacker attack. The actual risk to the data subjects is therefore assessed as moderate. The transfer of personal identity numbers has not increased the risk to the data subjects since the data was transferred in a hashed form, using SHA256, and then deleted by Meta as the data could not be matched. The primary issue is that the data subjects have, to some extent, lost control over their personal data, but Apoteket's actions did not increase the risk to the data subjects. It should be considered mitigating that Meta has had an active signal filtering mechanism that filtered out sensitive data. Thus, the information has not been shared further or used by Apoteket or Meta. The harm to the data subjects is therefore limited.
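The two mechanisms this section describes, contact fields sent in SHA-256-hashed form that Meta can still match against values it already holds, and a server-side filter that removes prescription order lines before transfer, can be illustrated with the following added example. It is not code from the decision, from Apoteket or from Meta; the event shape, field names, category tags and the normalisation applied before hashing are assumptions. It also generalises the server-side filter to the privacy-sensitive categories a–q and adds a check for the failure mode described above, where a personal identity number ended up in the phone field, so that such a value is dropped before it is hashed and sent.

```python
"""
Added example (not code from the decision, from Apoteket or from Meta).

1. A SHA-256 hash of a low-entropy identifier (e-mail, phone number) can be
   matched by any recipient that already holds the plaintext: hashing
   pseudonymises, it does not keep the value confidential from that recipient.
2. A guard that runs on the controller's server, before an event leaves its
   system, can drop privacy-sensitive order lines and refuse a "phone" field
   that is really a Swedish personal identity number (10 or 12 digits with a
   valid date and Luhn check digit).

Payload shape, field names, category tags and normalisation are assumptions.
"""
import hashlib
import re
from datetime import date
from typing import List, Optional

# Assumed tags standing in for some of the categories a-q in the decision.
SENSITIVE_CATEGORIES = {"sexual_health", "contraception", "diabetes", "stoma"}


def normalise(value: str) -> str:
    # Assumed normalisation before hashing: lowercase, strip all whitespace.
    return re.sub(r"\s+", "", value.lower())


def sha256_hex(value: str) -> str:
    return hashlib.sha256(normalise(value).encode("utf-8")).hexdigest()


def luhn_ok(digits: str) -> bool:
    # Luhn checksum over the 10-digit form YYMMDDNNNC (weights 2,1,2,1,...).
    total = 0
    for i, ch in enumerate(digits):
        n = int(ch) * (2 if i % 2 == 0 else 1)
        total += n - 9 if n > 9 else n
    return total % 10 == 0


def looks_like_personal_identity_number(value: str) -> bool:
    """True if value parses as YYMMDD-NNNN or YYYYMMDD-NNNN with a valid date and Luhn digit."""
    digits = re.sub(r"\D", "", value)
    if len(digits) == 12:
        digits = digits[2:]  # drop the century, keep the 10-digit form
    if len(digits) != 10:
        return False
    yy, mm, dd = int(digits[0:2]), int(digits[2:4]), int(digits[4:6])
    try:
        date(2000 + yy, mm, dd)  # 2000-2099 are all leap years by 4, so Feb 29 validates
    except ValueError:
        return False
    return luhn_ok(digits)


def build_event(order: dict) -> dict:
    """Filter an order server-side, then hash the contact fields as an
    advanced-matching payload would (assumed shape). Returns what was dropped."""
    dropped: List[str] = []
    content_ids: List[str] = []
    for line in order["lines"]:
        if line.get("prescription") or line["category"] in SENSITIVE_CATEGORIES:
            dropped.append(line["product_id"])
        else:
            content_ids.append(line["product_id"])
    user_data = {}
    for field, raw in order["customer"].items():
        if field == "phone" and looks_like_personal_identity_number(raw):
            dropped.append("phone")  # a personal identity number leaked into the phone slot
            continue
        user_data[field] = sha256_hex(raw)
    return {"content_ids": content_ids, "user_data": user_data, "dropped": dropped}


def match_hashed(hashed: str, known_plaintexts: List[str]) -> Optional[str]:
    """What a recipient that already holds plaintexts can do with a hashed field."""
    for candidate in known_plaintexts:
        if sha256_hex(candidate) == hashed:
            return candidate
    return None


# Constructed sample order; every value is invented.
SAMPLE_ORDER = {
    "customer": {"email": "Anna.Andersson@example.com", "phone": "811218-9876", "zip": "104 20"},
    "lines": [
        {"product_id": "P1001", "category": "skincare"},
        {"product_id": "P2002", "category": "stoma"},
        {"product_id": "P3003", "category": "prescription", "prescription": True},
    ],
}

if __name__ == "__main__":
    event = build_event(SAMPLE_ORDER)
    print("sent:", event["content_ids"], "dropped:", event["dropped"])
    print("recipient matched e-mail:",
          match_hashed(event["user_data"]["email"], ["bob@example.com", "anna.andersson@example.com"]))
```

The guard sits before the data leaves the controller, which is the distinction IMY draws later in the decision between a filter that prevents transfer and one that only deletes data after it has been received.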

Extent of the Incident

At the time of the report, the incident was estimated to have affected 500,001–1,000,000 data subjects. Apoteket has since stated that it is not possible to provide an exact number of data subjects affected by the event, partly because it does not involve a leak from a register or database that Apoteket had full control and oversight of, and because data transfer occurred directly between the user's browser and Meta. The group of potentially affected data subjects is influenced by several factors. The maximum number of affected individuals is 930,000. This estimate is based on the number of online purchases during the relevant period, considering that a certain proportion of purchases are made by returning customers and customers using ad blockers or who have declined cookies. Apoteket's view is that the incident only involves completed purchases and not data on individuals who clicked on products, added products to their cart, or started the payment process. Nine per cent of the total online sales during the relevant period of the incident consisted of products from the categories listed above in points a–q. Regarding the quantity of transferred personal data, Apoteket has noted that the number of unique products per purchase during the period was 1.41 products per customer. However, when assessing how many sensitive personal data items have been transferred, it must be considered that some purchases included self-care products (which do not reveal health information), were made for others, or involved multiple packages of the same product.

Technical and Organisational Security

Before the incident, Apoteket had proactive processes in place to ensure the correct handling of personal data, including comprehensive risk assessments and reviews by the Data Protection Officer regarding personal data issues. Apoteket's development process includes several control points to identify risks and ensure correct personal data processing. These control points include reviewing new solutions or features on the website from an information security and data protection perspective (through an information analysis), an architectural perspective, and a contractual perspective (if the solution is purchased), as well as code reviews before the solution is deployed on the website. Apoteket also conducts audits and penetration tests of the website to detect and address vulnerabilities.

In this case, Apoteket’s established IT development and risk assessment procedures were not followed by individual employees. A possible reason, which is not a justification, could be that the functionality was very easy to activate without significant development effort. At the time of activating the AAM function, administrative privileges in the Meta Business Manager tool were required, which two professional roles, comprising a total of three people, had. According to routine, privileges to the Meta Business Manager tool, including the AAM function, are regularly reviewed and controlled to ensure that only those who need access have it. However, no other desired routines for review and follow-up were established due to the activation of the pixel and AAM function not following Apoteket’s usual procedures.

After deactivating Metapixel and the AAM function, Apoteket had a dialogue with Meta about data deletion. Meta stated that data older than two years had already been deleted but that the company could not manually delete data from the last two years. Apoteket provided general information to the data subjects about the incident, which was published on the website at the end of April and in May 2022. To address specific questions and answers from customers, informational materials were provided to Apoteket employees. Apoteket has also taken measures to reduce the risk of similar incidents in the long term. The company conducted an inventory and analysis of cookies and analytics tools on the website, introduced a role with overall responsibility for the marketing department to ensure compliance with rules and guidelines, and improved its information security governance model. Employees already completed annual e-learning in security, including a chapter on data protection and information security. To further raise awareness after the incident, short e-learning courses on IT and information security were introduced.

Choice of Corrective Measure

Apoteket has transferred data to Meta that should not have been shared. However, the harm has been limited. The violation has not affected the core fulfilment of Apoteket’s obligations under Article 32 of the GDPR. Apoteket promptly reported the violation to IMY and took the possible measures to mitigate the consequences of the violation. These circumstances, combined with the fact that the violation occurred due to negligence, indicate that it is a minor violation, and a reprimand is therefore sufficient.

Regarding the seriousness of the violation, it has only slightly hindered the effective application of Article 32 of the GDPR. Furthermore, the violation occurred within a business activity, and the nature of the processing has therefore not involved any particular risks. There was also no dependency relationship between the data subjects and Apoteket. The processing was carried out for marketing purposes, which is not part of Apoteket's core business, which is to provide prescription and over-the-counter medicines. The personal data breach has indeed affected a relatively large number of data subjects, but the level of harm caused by the violation is low. The violation should at most be considered of medium severity.

There are reasons to consider how turnover is calculated in other EU legal areas, primarily competition law. This is because the majority of Apoteket's turnover comes from other parts of Apoteket's business, such as traditional retail trade and healthcare and dose business, than the area where the violation occurred. According to the European Commission's Guidelines on the calculation of fines imposed under Article 23.2 a of Regulation No 1/2003, the base amount for calculation should be determined by considering the value of sales for the goods or services directly or indirectly related to the violation and which the company sold in the relevant geographic area within the EEA. Analogously, the part of Apoteket's turnover related to the business area where the violation occurred should be considered, that is, the turnover related to online sales of over-the-counter medicines, self-care products, hygiene articles, and skincare.

There are several mitigating factors regarding the violation, including the measures Apoteket has taken to mitigate the consequences for the data subjects, that Apoteket has fully cooperated with IMY, and that data was filtered out and thus not reached Meta for further processing. Apoteket also reported the incident on its initiative to IMY. Since economic gain from the violation can be seen as an aggravating factor in calculating the fine, Apoteket wants to clarify that the increase in sales that can possibly be linked to the use of the AAM function is negligible.


Reasoning of the Decision

IMY must first determine whether the GDPR applies and whether IMY is the competent supervisory authority. If so, IMY must consider whether Apoteket is the data controller and whether the company has implemented appropriate security measures under Article 32 of the GDPR to protect the personal data processed through Metapixel, with the AAM function activated, during the period from 19 January 2020 to 25 April 2022.

IMY’s Competence

Applicable Provisions

Article 95 of the GDPR states that the regulation should not impose additional obligations on natural or legal persons who process personal data for areas already covered by obligations under the so-called ePrivacy Directive. The ePrivacy Directive has been implemented into Swedish law through the Electronic Communications Act (2003:389) (LEK), which regulates, among other things, the collection of data through cookies.

According to Chapter 9, Section 28 of the LEK, which implements Article 5.3 of the ePrivacy Directive, data may only be stored in or retrieved from a subscriber's or user's terminal equipment if the subscriber or user has access to information about the purpose of the processing and consents to it. It also states that this does not prevent storage or access necessary to transmit an electronic message via an electronic communications network or is necessary to provide a service that the user or subscriber has expressly requested. The LEK entered into force on 22 August 2022. However, during the relevant time in this case, the same requirements applied under Chapter 6, Section 18 of the Electronic Communications Act (2003:389). The Swedish Post and Telecom Authority (PTS) is the supervisory authority under the LEK.

The European Data Protection Board (EDPB) has expressed its views on the interaction between the ePrivacy Directive and the GDPR. The opinion states that the national supervisory authority appointed under the ePrivacy Directive is solely competent to monitor compliance with the Directive. However, IMY is the competent supervisory authority under the GDPR for processing not specifically regulated by the ePrivacy Directive.

IMY's Assessment

IMY's review focuses on a situation where data subjects have used a service on Apoteket's website to order a product and have voluntarily provided the information captured by Metapixel. This data processing does not involve storing or retrieving data from a subscriber's or user's terminal equipment and is thus not covered by Chapter 9, Section 28 of the LEK or the previous corresponding provision in the Electronic Communications Act. This means that the GDPR's regulation applies to the personal data processing in question and that IMY is the competent supervisory authority. Furthermore, IMY's review concerns whether Apoteket has implemented adequate security measures, which is not specifically regulated in the LEK. Therefore, IMY is competent to investigate the issue covered by the supervision case.

Responsibility for Personal Data

Applicable Provisions

A data controller, according to Article 4.7 of the GDPR, is the entity that alone or together with others determines the purposes and means of processing personal data. The fact that the purposes and means can be determined by more than one entity means that several entities can be data controllers for the same processing.

The data controller must ensure and be able to demonstrate that the principles in Article 5.1 are complied with, as stated in Article 5.2 of the GDPR (the accountability principle).

IMY's Assessment

Apoteket has stated that it is the data controller for the implementation of Metapixel and the transfer of data to Meta.

The investigation in the case shows that Apoteket implemented Metapixel, a script-based tool in the form of a piece of code that records visitors' actions and transfers the information to Meta on its website, and subsequently activated the AAM function. The purpose of Metapixel was to increase the effectiveness of the company's marketing and, to some extent, target ads at previous visitors to the website. Apoteket has therefore determined how the processing should be conducted and for what purpose the personal data should be processed. IMY therefore assesses that Apoteket is the data controller for the processing of personal data carried out through the use of Metapixel with the AAM function activated.


Has Apoteket Ensured an Appropriate Level of Security for the Personal Data?

Applicable Provisions

The Requirement to Implement Appropriate Safeguards

Article 32.1 of the GDPR requires the data controller to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing. This must be done considering the state of the art, the implementation costs, and the nature, scope, context, and purpose of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons. According to the same provision, appropriate safeguards, where appropriate, include:

a) Pseudonymisation and encryption of personal data,
b) The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services,
c) The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, and
d) A process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures to ensure the security of processing.

In assessing the appropriate level of security, specific consideration must be given to the risks posed by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored, or otherwise processed, as stated in Article 32.2.

Recital 75 of the GDPR specifies factors to be considered when assessing the risk to the rights and freedoms of natural persons. Among other things, it mentions the loss of confidentiality concerning personal data that is subject to professional secrecy and whether the processing involves data concerning health or sexual life. It should also be considered if the processing concerns personal data of vulnerable natural persons, especially children, or if the processing involves a large amount of personal data concerning many data subjects.

Recital 76 of the GDPR states that the likelihood and severity of the risk to the data subjects' rights and freedoms should be determined based on the nature, scope, context, and purpose of the processing. The risk should be evaluated based on an objective assessment, determining whether the data processing involves a risk or a high risk.

Processing of Sensitive Personal Data

Data concerning health and sexual life constitutes special categories of personal data, so-called sensitive personal data, which is afforded particularly strong protection under the GDPR. As a general rule, processing such personal data is prohibited under Article 9.1 of the GDPR unless the processing falls under one of the exceptions in Article 9.2 of the Regulation.

Health data is defined in Article 4.15 of the GDPR as personal data related to the physical or mental health of a natural person, providing information about their health status. Recital 35 of the GDPR states that health data should include all data related to a data subject's health condition, providing information about the data subject's past, present, or future physical or mental health status.

The Court of Justice of the European Union (CJEU) in the Lindqvist case ruled that information that a person has injured their foot and is on part-time sick leave constitutes personal data concerning health under the Data Protection Directive (which was repealed by the GDPR). The CJEU stated that considering the purpose of the Data Protection Directive, the term "data concerning health" should be interpreted broadly and should include information related to all aspects of a person's health, both physical and mental. In the subsequent case, Vyriausioji tarnybinės etikos komisija, the CJEU concluded that the term sensitive personal data under Article 9.1 of the GDPR should be interpreted broadly and determined that even personal data that indirectly, after intellectual reasoning or cross-referencing, reveals a natural person's sexual orientation constitutes sensitive personal data under the relevant provision.

IMY’s Assessment

The Processing Involved a High Risk and Required a High Level of Protection

The data controller must implement measures to ensure a level of protection appropriate to the risks of processing. The assessment of the appropriate level of protection should consider, among other things, the nature, scope, context, and purpose of the processing, as well as the risks, of varying likelihood and severity, to the rights and freedoms of natural persons.

IMY must first determine what personal data Apoteket has transferred to Meta through Metapixel with the AAM function activated.

The investigation in the case shows that the activation of Metapixel's AAM function has resulted in Apoteket, provided a customer has accepted marketing cookies and not used an ad blocker, transferring information about completed purchases to Meta. The information transferred included data about purchased products (including the URL of the products on the website, product ID, and product type) and customer contact information (including first and last name, address, and phone number). The data transferred to Meta did not include prescription products but did include the following products and product categories:

a) Self-tests and treatments for sexually transmitted diseases
b) Contraceptives and morning-after pills
c) Sex toys
d) Products for vaginal health (e.g., dry mucous membranes, menopause symptoms, and yeast infections)
e) Products for prostate issues and urination problems
f) Pregnancy tests, ovulation tests, and pregnancy products
g) Products for the treatment of fungus (e.g., athlete's foot or nail fungus)
h) Products for the treatment and control of diabetes
i) Products for the treatment of rectal issues (e.g., anal fissures and haemorrhoids)
j) Products for the treatment of gastrointestinal problems (e.g., IBS, constipation, and diarrhoea)
k) Products for the treatment of migraines
l) Products for the treatment of allergies
m) Hearing aid accessories
n) Products for the treatment of bacterial infections
o) Products for the treatment of psoriasis
p) Products for the treatment of rosacea
q) Stoma products

It has emerged in the case that Meta has implemented a so-called filtering mechanism designed to detect and delete information transferred to Meta in violation of the company's policy. IMY has therefore requested information from Meta on how the filtering mechanism works. According to Meta's statement on 16 February 2024, the mechanism is designed to detect and delete potentially unauthorised information, such as health and financial data, in data users of the pixel transfer to Meta before it is stored and used in Meta's advertising system. When such data is detected and deleted, the user is notified, but the filtering mechanism operates even if no such notification is sent to the user. Based on this, IMY concludes that the pixel does not inherently contain a filtering mechanism that prevents data transfer to Meta. The filtering mechanism is designed to filter out potentially privacy-sensitive data only after it has been transferred to Meta and if Meta's system has identified that the transferred data contains such unauthorised information. The absence of notifications about unauthorised and deleted information cannot be considered confirmation that potentially privacy-sensitive data has not been transferred to Meta. The presence of the filtering function has, in summary, not prevented the confirmed transfer of personal data to Meta.

IMY makes the following assessment of the risks associated with the current data processing.

Processing involving sensitive personal data typically involves higher risks. The term sensitive personal data should be interpreted broadly and includes data that indirectly reveals such information. Apoteket has transferred data to Meta about which product a customer has purchased and data that identifies the customer, such as name, address, and phone number. IMY considers that the combination of data transferred to Meta has made it possible to determine that a specific person has purchased a specific product.

Apoteket has not transferred data about prescription products. However, many products in Apoteket's other range (see points a–q above) are such that information about a person purchasing them could reveal details about their health condition or sexual life. Apoteket has argued that the buyer is not necessarily the actual user of the product, and that it is difficult to categorically state that sensitive personal data has been transferred. However, IMY considers it likely that at least some of the purchases of, for example, stoma products, products for rectal, urinary, and prostate issues, vaginal issues, and treatment for sexually transmitted diseases and diabetes have been made for personal use to treat a specific health condition. IMY therefore considers it likely that the processing has involved health data as defined in Article 4.15 of the GDPR.

IMY makes the same assessment regarding purchases of, for example, morning-after pills and sex toys, i.e., it is likely that purchases in at least some cases were made for personal use and that the processing therefore revealed information about the individual's sexual life. When assessing the appropriate level of protection, Apoteket should therefore have considered that the processing might involve sensitive personal data.

IMY also considers that data on purchases of the specified products in points a–q, regardless of whether the data constitutes sensitive personal data or not, is of such a privacy-sensitive nature that it requires strong protection under the GDPR. It has also emerged that Apoteket in some cases has transferred other sensitive personal data in the form of personal identity numbers. Furthermore, the processing was carried out by a pharmacy where customers are assumed to have specific expectations that their personal data is handled with a high degree of confidentiality. IMY therefore concludes that both the nature of the personal data and the context in which it was processed have increased the risks to the data subjects' rights and freedoms.

IMY also notes that the processing was extensive. Apoteket had many customers during the period when Metapixel's AAM function was activated, and the company estimates that up to 930,000 people were affected by the incident. This estimate is based on the number of online purchases during the relevant period, considering that a certain percentage of purchases were made by returning customers and individuals using ad blockers or who declined cookies. Apoteket has also stated that 9 per cent of the total online purchases made during the period involved the privacy-sensitive products listed in points a–q. Although it is impossible to determine precisely how many of these purchases were made by data subjects who did not use ad blockers or decline marketing cookies, it can at least be concluded that the incident affected a large number of data subjects.

In summary, IMY assesses that the processing, given its nature, scope, and context, involved high risks that required a high level of protection for the personal data. The measures should have ensured, among other things, that the personal data was protected against unauthorised disclosure and loss of control.

Apoteket Has Not Implemented Sufficient Security Measures

IMY must then assess whether Apoteket has ensured the high level of protection required for personal data.

Apoteket has stated that the company had proactive processes in place before the incident to ensure the correct handling of personal data. In this case, however, established IT development and risk assessment procedures, including reviewing and updating information analyses for all changes to systems and tools, were not followed by individual employees. The investigation shows that Apoteket did not analyse the risks and consequences of the personal data processing involved in the implementation of Metapixel and the activation of the AAM function before the processing began. Apoteket also did not select and categorise which products would be processed. This led to the absence of a technical limitation on which data would be processed, beyond the exclusion of prescription products, and to privacy-sensitive data about purchases of over-the-counter medicines and medical devices being transferred to Meta.

A fundamental requirement for Apoteket to fulfil its obligations under the GDPR is that the company is aware of the processing under its responsibility. Apoteket, from 19 January 2020, when the AAM function was activated, until 25 April 2022, when Metapixel was removed, transferred more data to Meta than intended without detecting it themselves. Apoteket has stated that the activation of Metapixel's AAM function did not follow Apoteket's standard procedures, and no desired routines for review and follow-up were established. Since Apoteket only had routines to follow up on documented changes made according to set procedures, Apoteket lacked the ability to detect and address other changes that had been made or occurred otherwise. IMY, therefore, concludes that Apoteket lacked organisational procedures for systematically following up on unintentional changes in its systems.
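The two gaps IMY identifies above are a missing technical limit on which purchase data reaches the pixel, and a missing routine for detecting configuration changes that were not made through the documented process. The following is an added illustration of how a web shop could implement both controls client-side; it is example code written for this page, not code from Apoteket, Meta or the decision, and all names (`PIXEL_BASELINE`, `buildPixelPayload`, `auditPixelConfig`, the product categories and the sample order) are assumptions.

```javascript
// Added example (not from the decision, Apoteket or Meta): a gate between a
// web shop's purchase event and a third-party marketing pixel, plus a drift
// check of the pixel configuration against a documented baseline.
// All names and values here are assumptions for illustration.

// Documented baseline: what the pixel is approved to receive.
const PIXEL_BASELINE = Object.freeze({
  advancedMatching: false, // approved decision: no customer identifiers to the pixel
  allowedCategories: new Set(['skincare', 'vitamins', 'first-aid']),
});

// Fields that identify the buyer; only sent when advanced matching is approved.
const IDENTIFIER_FIELDS = ['email', 'phone', 'firstName', 'lastName', 'address', 'personalId'];

// Builds the event the pixel may receive, or returns null if nothing may be sent.
// Products outside the allowlist are dropped before anything leaves the browser,
// so the limit is technical rather than dependent on Meta's server-side filtering.
function buildPixelPayload(order, config = PIXEL_BASELINE) {
  const items = order.items.filter((i) => config.allowedCategories.has(i.category));
  if (items.length === 0) return null;
  const payload = {
    event: 'Purchase',
    currency: order.currency,
    value: items.reduce((sum, i) => sum + i.price, 0),
    contents: items.map((i) => ({ id: i.sku, category: i.category })),
  };
  if (config.advancedMatching) {
    payload.userData = {};
    for (const f of IDENTIFIER_FIELDS) {
      if (order.customer && order.customer[f] !== undefined) payload.userData[f] = order.customer[f];
    }
  }
  return payload;
}

// Walks a payload and returns the paths of any identifier fields it contains.
// Useful as a pre-send assertion or in an automated test of the integration.
function findIdentifierFields(payload) {
  const found = [];
  const walk = (obj, path) => {
    if (obj === null || typeof obj !== 'object') return;
    for (const [k, v] of Object.entries(obj)) {
      const p = path ? `${path}.${k}` : k;
      if (IDENTIFIER_FIELDS.includes(k)) found.push(p);
      walk(v, p);
    }
  };
  walk(payload, '');
  return found;
}

// Compares the configuration the pixel is actually running with against the
// documented baseline. An empty result means "as documented"; anything else is
// an undocumented change that the review routine should pick up.
function auditPixelConfig(liveConfig, baseline = PIXEL_BASELINE) {
  const findings = [];
  if (liveConfig.advancedMatching !== baseline.advancedMatching) {
    findings.push(`advancedMatching is ${liveConfig.advancedMatching}, baseline is ${baseline.advancedMatching}`);
  }
  for (const c of liveConfig.allowedCategories) {
    if (!baseline.allowedCategories.has(c)) findings.push(`category "${c}" is not in the documented allowlist`);
  }
  return findings;
}

// Constructed sample order (not real data) mixing an allowlisted and a
// privacy-sensitive product category.
const SAMPLE_ORDER = {
  currency: 'SEK',
  customer: { email: 'buyer@example.com', phone: '+46000000000', personalId: 'YYYYMMDD-XXXX' },
  items: [
    { sku: 'A1', category: 'vitamins', price: 120 },
    { sku: 'B2', category: 'stoma', price: 450 },
  ],
};

// A configuration that drifted from the baseline, as an undocumented change would produce.
const DRIFTED_CONFIG = { advancedMatching: true, allowedCategories: new Set(['vitamins', 'stoma']) };
```

With the baseline configuration, `buildPixelPayload(SAMPLE_ORDER)` carries only the vitamins line and no customer identifiers; with `DRIFTED_CONFIG` it would carry both lines and three identifier fields, and `auditPixelConfig(DRIFTED_CONFIG)` reports two findings, which is the point at which a documented review routine would have caught the change.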

IMY thus assesses that Apoteket, even considering what has been stated about the procedures in place at the time of the violation, cannot be considered to have implemented appropriate technical and organisational measures in relation to the high risks involved in the processing. Apoteket has therefore processed personal data in violation of Article 32.1 of the GDPR.

Choice of Sanctions

Applicable Provisions, etc.

In the event of violations of the GDPR, IMY has several corrective powers at its disposal under Article 58.2 of the GDPR. Article 58.2 of the GDPR states that IMY shall impose administrative fines in addition to or instead of other corrective measures referred to in Article 58.2, depending on the circumstances of each case.

Each supervisory authority shall ensure that the imposition of administrative fines is, in each case, effective, proportionate, and dissuasive, as stated in Article 83.1 of the GDPR.

Article 83.2 lists the factors to be considered when determining whether an administrative fine should be imposed and what should influence the amount of the fine. Relevant to the assessment of the severity of the violation is its nature, gravity, and duration. The EDPB has adopted guidelines on calculating administrative fines under the GDPR, which aim to create a harmonised method and principles for calculating fines.

According to Article 83.4, administrative fines of up to 10,000,000 EUR, or, in the case of a company, up to 2 per cent of the total worldwide annual turnover of the preceding financial year, whichever is higher, shall be imposed for violations of, among other things, Article 32.

If the violation is minor, IMY may, according to Recital 148, issue a reprimand under Article 58.2(b) of the Regulation instead of imposing a fine.

IMY’s Assessment

A Fine Should be Imposed

IMY has assessed that Apoteket processed personal data in violation of Article 32.1 of the GDPR.

The violation occurred because Apoteket processed personal data with an insufficient level of security, resulting in personal data of a privacy-sensitive and protected nature concerning a large number of data subjects being inadvertently transferred to Meta. Unauthorised access to this type of data poses a high risk to the rights and freedoms of the data subjects. The transfer continued for an extended period and was not detected and addressed until Apoteket was informed of the issue by an external party. IMY considers that this is not a minor violation that could result in a reprimand instead of a fine.

The CJEU has clarified that for administrative fines to be imposed under the GDPR, the data controller must have committed a violation intentionally or negligently. The CJEU has stated that data controllers can be fined for actions if they could not be considered ignorant that the action constituted a violation, regardless of whether they were aware they were breaching the GDPR provisions.

According to the accountability principle expressed in Article 5.2 of the GDPR, the data controller must ensure and be able to demonstrate that the processing complies with the GDPR. IMY, therefore, concludes that Apoteket is responsible for ensuring that the personal data processed within the company is processed in a manner that ensures an appropriate level of security. IMY has, in its assessment, determined that Apoteket has not met the requirements set out in the GDPR in this regard. Apoteket cannot be considered ignorant that its actions constituted a violation of the Regulation.

IMY therefore assesses that the conditions for imposing an administrative fine on Apoteket for the violations are met. When determining the size of the fine, IMY shall consider the circumstances listed in Article 83.2 and ensure that the fine is effective, proportionate, and dissuasive.

Basis for Calculating the Fine

IMY assesses that Apoteket’s annual turnover should form the basis for calculating the administrative fines in this case. The maximum fine applicable to companies for violations of Article 32 amounts to the higher of 10,000,000 EUR or 2 per cent of the total worldwide annual turnover of the previous financial year.

According to Apoteket's annual report for 2023, the annual turnover for that year was SEK 23,270,000,000. The maximum fine that can be imposed in this case is therefore 2 per cent of that amount, which is SEK 465,400,000. IMY notes that there is no legal basis in the applicable legislation to calculate the fine based on another amount, as Apoteket suggested is done under other EU legislation.

Severity of the Violation

According to the EDPB’s guidelines, the supervisory authority should assess whether the violation is of low, medium, or high severity according to Article 83.2(a), (b), and (g) of the GDPR.

The current violation affected a large number of data subjects and continued for an extended period. The data transferred included personal identity numbers and data indicating that directly identifiable individuals had purchased privacy-sensitive products. The unauthorised transfer has therefore posed a high risk to the rights and freedoms of the data subjects, in the form of a risk of loss of confidentiality for protected information. Furthermore, the violation occurred in a pharmacy business where data subjects must be assumed to have had a legitimate expectation of high confidentiality and that their personal data would not be disclosed to unauthorised parties. The sale of over-the-counter and other health-related products must also be considered part of Apoteket’s core business, which makes the violation more serious than if this had not been the case.

In assessing the severity of the violation, IMY also considers that Apoteket had implemented several appropriate technical and organisational security measures at the time of the violation. Furthermore, the personal data was transferred in hashed, i.e., unreadable, format to a single recipient, and therefore it was not an uncontrolled disclosure where the data, for example, was shared with many unauthorised parties or made publicly available on the web.

Considering the above circumstances, IMY assesses that this is a violation of Article 32.1 of the GDPR of low severity.

IMY must also consider any aggravating and mitigating factors listed in Article 83.2 of the GDPR when determining the amount of the fine. Following the violation, Apoteket has had a dialogue with Meta about deletion, provided information to the data subjects, and taken measures to reduce the risk of similar incidents in the long term. However, IMY notes that these measures were only taken after Apoteket was alerted to the existing deficiencies by an external party and that they cannot be considered to exceed what is expected of Apoteket in this case. Therefore, the measures taken do not affect IMY's assessment of the fine amount in a mitigating direction. The same applies to the fact that Apoteket submitted a report of the personal data breach and cooperated with IMY in investigating the violation, as these are circumstances that should be considered neutral when determining the fine amount.

IMY notes that no other circumstances affect IMY's assessment of the fine amount in an aggravating or mitigating direction.

The Fine Must be Effective, Proportionate, and Dissuasive

The administrative fine must be effective, proportionate, and dissuasive. This means that the amount should be set so that the administrative fine leads to correction, provides a preventive effect, and is also proportionate in relation to both the current violation and the supervised entity’s financial capacity.

IMY determines, based on an overall assessment, that Apoteket shall pay an administrative fine of SEK 37,000,000. IMY assesses that this amount is effective, proportionate, and dissuasive.


This decision has been made by the acting Director General David Törngren after a presentation by the lawyer Maja Welander. The final handling also involved the acting Chief Legal Officer Cecilia Agnehall, the Head of Unit Nidia Nordenström, the lawyer Shirin Daneshgari Nejad, and the IT and information security specialist Petter Flink.

David Törngren, 2024-08-29 (This is an electronic signature)

Attachment:
Information on Payment of the Fine

Copy to:
Data Protection Officer for Apoteket


How to Appeal
If you wish to appeal this decision, you must write to IMY. In your letter, indicate the decision you are appealing and the change you are requesting. The appeal must be received by IMY no later than three weeks from the day you received the decision. If you represent a public authority, the appeal must be submitted within three weeks from the date the decision was issued. If the appeal is submitted on time, IMY will forward it to the Administrative Court in Stockholm for review.

You can email the appeal to IMY if it does not contain any privacy-sensitive personal data or information that may be subject to confidentiality. The authority's contact details are listed on the first page of the decision.