IMY (Sweden) - DI-2021-5544 Avanza Bank
From GDPRhub
| IMY - DI-2021-5544 Avanza Bank | |
|---|---|
 | |
| Authority: | IMY (Sweden) |
| Jurisdiction: | Sweden |
| Relevant Law: | Article 5(1)(f) GDPR Article 32(1) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 24.06.2021 |
| Decided: | 24.06.2024 |
| Published: | 25.06.2024 |
| Fine: | 15000000 SEK |
| Parties: | Avanza Bank |
| National Case Number/Name: | DI-2021-5544 Avanza Bank |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Swedish |
| Original Source: | IMY (in SV) |
| Initial Contributor: | Andreea Lisievici |
The Swedish Authority for Privacy Protection (IMY) fined Avanza Bank AB 15 million SEK for violating GDPR Articles 5.1(f) and 32.1. Between November 15, 2019, and June 2, 2021, Avanza used Meta Pixel without implementing proper technical and organizational measures, leading to unauthorized transfer of personal data, including personal IDs and financial information, to Meta (Facebook). The incident affected between 500,001 and 1 million individuals. IMY found that Avanza failed to follow its procedures and detect these unauthorized data transfers promptly.
English Summary
Facts
Notification and Initial Discovery:
On June 8, 2021, the Swedish Authority for Privacy Protection (IMY) received a breach notification from Avanza Bank AB. The notification stated that personal data of 500,001 to 1 million individuals were incorrectly transferred to Meta (formerly Facebook) between November 15, 2019, and June 2, 2021.
Data Transferred:
The data included personal identity numbers, loan amounts, and account numbers. The erroneous transfer was due to the activation of Meta’s Automatic Advanced Matching (AAM) feature in the Meta pixel tool, which was used to optimize the bank’s marketing.
Meta Pixel Tool:
The Meta pixel is an analytics tool that helps measure the effectiveness of Facebook advertising. The AAM and Automatic Events (AH) functions within the Meta pixel were inadvertently activated, leading to unauthorized data transfer.
Organizational Procedures:
Avanza Bank had formalized procedures for the correct processing of personal data, documented in governing documents. A review and risk analysis were required before implementing new features, but the procedures were not followed in this instance.
Technical Failures:
The bank failed to detect the activation of the AAM and AH functions. Data transferred included sensitive information such as personal identification numbers, contact details, loan amounts, account numbers, and employment details. Most of the data was transferred in plain text, posing a high risk to data subjects.
Holding
IMY found that Avanza failed to implement adequate technical and organizational measures to protect personal data, as required by GDPR Articles 5.1(f) and 32.1. Article 5.1(f) mandates that personal data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage, using appropriate technical or organizational measures. Article 32.1 requires data controllers to implement measures ensuring a level of security appropriate to the risk. Due to these breaches, IMY imposed a fine of 15 million SEK (approx. 1.34 million EUR) on Avanza for violating these GDPR provisions.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.
1(15)
Avanza Bank AB
Regeringsgatan 103
111 39 Stockholm
Diary number:
DI-2021-5544 Decision after supervision according to
data protection regulation against Avanza
Date:
2024-06-24 Bank AB
The Privacy Protection Authority's decision
The Swedish Privacy Protection Authority states that Avanza Bank AB (organisation number
556573-5668) has processed personal data in violation of articles 5.1 f and 32.1 i
the data protection regulation by, in the period from 15 November 2019 to 2
June 2021 when using the analysis tool Meta-pixeln have not taken appropriate measures
technical and organizational measures to ensure an appropriate level of security for
personal data.
The Privacy Protection Authority decides with the support of articles 58.2 and 83 i
data protection regulation that Avanza Bank AB must pay an administrative
sanction fee of 15,000,000 (fifteen million) kroner for the violations of
articles 5.1 f and 32.1 of the data protection regulation.
Account of the supervisory matter
Starting point for supervision
The Swedish Privacy Agency (IMY) received on June 8, 2021, a notification about a
personal data incident from Avanza Bank AB (the bank). The report showed that
personal data of 500,001 – 1 million during the period from November 15, 2019 to
with June 2, 2021 erroneously transferred to the bank's partner Facebook
(now Meta). Among the data transferred were social security numbers, loan amounts and
account number.
The background to the incident was that the bank started using Meta's service Facebook-
the pixel (now the Meta pixel) in order to optimize the bank's marketing. During 2019
Meta developed a new sub-function within the Meta pixel, called Automatic Advanced
Mailing address: Matching (AAM). The incorrect transfer of personal data was caused by the
Box 8114 the new AAM feature was activated by the bank by mistake. The bank became aware of
104 20 Stockholm the transfer via external information. As soon as the bank became aware of the incident
Website:
the bank deactivated the Meta pixel in its entirety.
www.imy.se
E-mail:
imy@imy.se 1
European Parliament and Council Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with
Telephone: regarding the processing of personal data and on the free flow of such data and on the cancellation of
08-657 61 00 directive 95/46/EC (general data protection regulation). The Swedish Privacy Agency Diary number: DI-2021-5544 2(15)
Date: 2024-06-24
Against the background of the information in the notification about the personal data incident, IMY started
supervision of the bank. The supervision has been limited to what the bank has undertaken
appropriate technical and organizational measures to protect website visitors and
app users' personal data in accordance with articles 5.1 f and 32.1 i
data protection regulation during the period from 15 November 2019 to 2 June 2021.
What the bank has stated
The bank has essentially stated the following regarding the issues that are the subject of IMY's
examination.
Personal data responsibility
The bank is responsible for personal data for the introduction of the Meta pixel and the subsequent one
the transfer of personal data to Meta.
The original implementation of the Meta pixel
The bank has routines to ensure correct processing of personal data before, i
in connection with and after the introduction of new functions on the website. These routines are
formalized and documented in the bank's governing documents. According to the bank
procedures to ensure correct processing of personal data must initially
before each new or changed personal data processing, a review is made and
assessment of the planned treatment to ensure that it meets the requirements of
data protection regulation. The review is done with the help of, among other things, a
documented template for personal data processing which contains several steps which
the employee who is responsible for the introduction of a new or changed
personal data processing must go through. The steps mean, among other things, that it must
a risk analysis of the treatment is carried out, a legal basis must be able to be established and it must
ensure that those registered are given correct information about the new one
the processing of personal data. Furthermore, the processing must be entered into the bank's
register list.
The Meta pixel is an analytics tool provided by Meta that helps to
measure the effectiveness of the bank's Facebook advertising. The meta pixel transferred and
linked a website visitor's activity and behavior on the bank's
website with a unique registered user of any of Meta's services. the purpose with
introducing and using the Meta pixel was to optimize the bank's marketing.
The purpose of the personal data processing was to use targeted advertising
Facebook and be able to market the bank to a relevant target group. The meta pixel
enabled more relevant marketing to be produced by
the marketing could be based on information about which pages on the bank's website
as a person visited.
Before the bank started the collaboration with Meta, an approval process was carried out
where functions at the bank within risk, compliance, legal and information security
was involved. Within the framework of this process, issues of bank secrecy were addressed
and personal data processing. It was only information about a person's visits
web pages, IP address and information about certain unique events, e.g. product selection and
searches on the website, which were necessary to process for the purpose in question. Data Protection Agency Diary number: DI-2021-5544 3(15)
Date: 2024-06-24
Activation of new sub-functions in the Meta pixel
In 2019, Meta developed the Meta pixel service by also providing
the Automatic Advanced Matching (“AAM”) function. This is a sub-function within Meta-
the pixel. In addition to AAM, the Meta pixel also offers the Automatic Events feature
("AH") which can be activated manually and which then tries to detect on its own
and capture events and interactions, such as clicks, searches and menu selections, at
visit the company's website or in the app.
In 2019, the bank's legal department received a request from the marketing department about
the opportunity to use one of Meta's functions through which customer data would
transferred to Meta. The bank's legal department found that the function in question could not
is implemented. It is further the bank's view that if an implementation of a
function as AAM would have been subject to internal processes and procedures had it
led to the assessment that the bank had not been able to accept the terms and that it did not
would be possible to use the function. This is because the function risks
involve a transfer of data to Meta that the bank cannot legally carry out in its
banking.
It has never been the bank's intention to use the functions AAM and AH.
The bank has not been able to verify how the functions have been activated. Should the feature have
activated by an employee of the bank, it is the bank's opinion that it has taken place
mistake. The bank has not taken any decision to activate the AAM function.
The bank's transfer of personal data via the AAM function to
Meta
Automatic Advanced Matching (AAM) feature
The function AAM transmitted data in hashed form (with the hashing function
SHA256) to Meta if the user filled in one of the five different forms on
the bank's website or in the bank's mobile app. Two forms were in the new customer flow (open
for visitors, where the visitor intended to become a customer). Three forms related to mortgages and
was behind login and could only transfer data from existing customers who
entered into a customer agreement with the bank. In order for the data to be transferred, it was required
so that a person was logged in to the bank's website and that the person agreed
to marketing cookies at the bank. If these conditions were not met
AAM was not activated and no data was transferred. If the conditions were
met, the following hashed data could be transferred to Meta:
• Social security number
• Contact information, such as phone number, email address, postal code and
postal address
• Loan amount on existing loan
• Employer
• Form of employment
• Account number
2IMY's addition: Hashing is a one-way cryptographic function that can be used to accomplish
pseudonymization, which is a possible security measure according to Article 32 of the Data Protection Regulation, by
personal data is replaced with a so-called hash sum. This means that the replaced personal data is not available
in plain text and that additional information is needed to be able to identify the registered person. The Swedish Privacy Agency Diary number: DI-2021-5544 4(15)
Date: 2024-06-24
By inadvertently activating the AAM feature by the bank, the Meta pixel was able to match
they hashed the data with visitors' behavior on the site for profiling.
This made it possible to get a more detailed picture of the visitors. Profiling applied
only the bank's marketing and was not used by Meta for its own, or others
actors' business purposes.
Exactly how AAM has affected advertising is not established. That this resulted in directed
advertising cannot be excluded.
The Automatic Events (AH) feature
The AH function passed information in plain text to Meta when a user navigated on
the bank's website or in the mobile app. A condition for transfer was that
the user agreed to marketing cookies at the bank and was logged in as
customer of the bank (with one exception, see below).
The data that was transferred in clear text to Meta was unknowingly transferred as it did not exist
any intention to show the information to anyone other than the customer. It was from
browser or app on the customer's device that the transfer took place and that because of
three main factors:
1) The function inadvertently activated by the bank at Meta also follows how a
users move on a site/mobile (convert). To do so is sent
information about which "buttons" – that is, elements on the page/screen – the user
presses when he navigates on the site/in the app. Meta accordingly collects
information that tells you which button presses take place to understand which context
the user converts in. For example, Meta wants to understand that the customer buys something at print
on a button with the text "Buy" even if the advertiser has not picked up the buy button
as a conversion. This information was sent to Meta.
2) The bank uses elements that Meta perceives as buttons, e.g. button marked
boxes and drop-down menus, in their code to present certain information to the bank's
user. This mainly applies when there are elements on the site/apps that can be accessed
press to e.g. show more information. Often these appear as a smaller visual
elements that become larger when you press them, and then show more information. When
users have pressed these elements to see more information, it has been recorded
as regular keystrokes of Meta's script (Meta pixel IMY's note). The script has
then compiled the information and sent it to Meta as a registered keystroke.
3) Information about keystrokes is not pseudonymized (IMY's note is hashed) by
Meta the way other information they collect.
These three factors together have caused certain information to be sent to Meta i
plain text. It was thus a combination of the (incorrectly) activated functionality
along with Meta's handling of button presses and a specific technical solution from
the bank that caused the transfer to Meta.
In summary, AH analyzed which buttons on the website and mobile app
which the user pressed to then make suggestions about marketing on Facebook.
The bank's transfer of data via AH arose because the bank categorized
visual fields such as buttons on the website and in the mobile app code. Via AH could
the following categories of data are transferred to Meta in plain text: The Swedish Privacy Agency Diary number: DI-2021-5544 5(15)
Date: 2024-06-24
• Securities holdings and value, such as amount available for purchase, withdrawal and
value development
• Information on loan amount
• Account number and credit limit
• Fees, taxes and current interest rates
• Current orders and today's close
• Company signatory and bank from which the pension is transferred
• Email address and social security number
The majority of data transmitted via AH came from buttons behind logged in
location with the bank, i.e. buttons that were only shown to customers who signed up
customer agreement with the bank. In one place on the bank's website, however, there were expandables
panels in the flow for signing occupational pensions, both for individual companies and for
limited company, which was open to all visitors, i.e. also information from one
limited number of visitors without a customer agreement with the bank and who were therefore not
logged in.
Measures taken after the personal data incident
Meta has confirmed to the bank that the personal data processed has been deleted at
Meta in a way that does not allow Meta to reproduce them.
The bank's opinion is that the transfer of the data did not entail any damage or
risk for the data subjects because Meta did not use the data for its own purposes or
transferred them on and that the data is deleted. All information has been transferred by
The Meta pixel for Meta and the bank's own advertising account with Meta.
In order to detect outgoing traffic, the bank has now established a process for how
the bank introduces and manages third-party scripts. It describes how these scripts should
are evaluated from a security and integrity perspective and how they are maintained
long term.
The bank has also moved the scripts from the third-party suppliers to the bank's own
system to avoid changes in the script being introduced without the bank
draws attention to it.
The bank has also supplemented internal guidelines to more clearly describe the error scenario,
how it is avoided and what expectations are incumbent on the bank's development team when they
handles this type of product.
In addition to this, the bank has implemented additional governing documents and routines aimed at
to ensure correct processing of personal data. These governing documents
contains, among other things, requirements and guidelines in relation to the processing of personal data
before, in connection with and after the introduction of new functions on the bank's website.
Justification of the decision
Applicable regulations, etc.
It follows from Article 95 of the Data Protection Regulation that the Data Protection Regulation shall not
entail any additional obligations for natural or legal persons who
processes personal data, for such areas that are already covered by obligations of the Swedish Data Protection Agency Diary number: DI-2021-5544 6(15)
Date: 2024-06-24
3
according to the so-called eData protection directive. The eData Protection Directive has been implemented in
Swedish law through the Act (2003:389) on Electronic Communications (LEK), including
other collection of data through cookies is regulated.
According to ch. 9 Section 28 LEK, which implements Article 5.3 of the eData Protection Directive, receives data
stored in or retrieved from a subscriber's or user's terminal equipment only if
the subscriber or user gets access to information about the purpose of
the treatment and consent to it. Furthermore, it appears that this does not prevent such
storage or access needed to transmit an electronic message via a
electronic communication network or which is necessary to provide a service
which the user or subscriber has expressly requested. LEK entered into force on
22 August 2022. During the time in question in the case, however, the same requirements applied according to
6 ch. Section 18 of the Act on (2003:389) on electronic communications. It is Postal and
The Swedish Telecom Agency, which is the supervisory authority according to LEK (chapter 1 § 5 of the regulation (2022:511)
on electronic communication).
The European Data Protection Board (EDPB) has commented on the interaction between
eData Protection Directive and the Data Protection Regulation. From the opinion, i.a. follows that it
national supervisory authority appointed according to the eData Protection Directive is alone
competent to monitor compliance with the Directive. However, the supervisory authority is according to
data protection regulation competent supervisory authority for the processing that does not
regulated in particular in the eData Protection Directive.4
According to Article 4.7 of the Data Protection Regulation, the person in charge of personal data is a physical or
legal person, public authority, institution or other body which alone or
together with others determines the purposes and means of the processing of
personal data. If the purposes and means of the processing are determined by
Union law or the national law of the Member States can the personal data controller
or the special criteria for how he is to be appointed are prescribed in Union law or in
national law of the Member States.
The personal data controller is responsible for and must be able to demonstrate that the basic
the principles in Article 5 of the Data Protection Regulation are followed. This is apparent from Article 5.2 i
the data protection regulation (principle of liability).
According to Article 5.1 f of the data protection regulation, personal data must be processed in one way
which ensures appropriate security for the personal data, including protection against
unauthorized or unauthorized processing and against loss, destruction or damage by
accident, using appropriate technical or organizational measures.
It follows from Article 32.1 of the data protection regulation that the person in charge of personal data must
take appropriate technical and organizational measures to ensure a
safety level that is appropriate in relation to the risk of the treatment. At
the assessment of which technical and organizational measures are appropriate must
data controller take into account the latest developments, implementation costs
and the nature, scope, context and purpose of the treatment as well as the risks for
rights and freedoms of natural persons.
3 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 on the processing of personal data and
privacy protection in the electronic communications sector (Directive on Privacy and Electronic Communications).
4Opinion 5/2019 on the interaction between the directive on privacy and electronic communications and the general
the data protection regulation, especially with regard to the competence, tasks and powers of the data protection authorities,
adopted on 12 March 2019, paragraphs 68 and 69. The Swedish Privacy Protection Agency Diary number: DI-2021-5544 7(15)
Date: 2024-06-24
According to Article 32(1), appropriate safeguards include, where appropriate,
a) pseudonymisation and encryption of personal data,
b) the ability to continuously ensure confidentiality, integrity, availability
and resilience of treatment systems and services,
c) the ability to restore the availability and access to personal data i
reasonable time in the event of a physical or technical incident, and
d) a procedure for regularly testing, examining and evaluating effectiveness
in the technical and organizational measures that must ensure
the safety of the treatment.
According to article 32.2 of the data protection regulation, when assessing the appropriate
security level special consideration is given to the risks that the treatment entails, in particular
for accidental or unlawful destruction, loss or alteration or for unauthorized disclosure of
or unauthorized access to the personal data transmitted, stored or otherwise
treated.
According to ch. 3 Section 10 of the law (2018:218) with supplementary regulations to the EU's
data protection regulation, social security numbers and coordination numbers may be processed without
consent only when it is clearly justified with regard to the purpose of
the processing, the importance of a secure identification or any other reasonable reason.
From ch. 1 Section 10 first paragraph of the Act (2004:297) on banking and financing operations
(Banking Act) states that individuals' relationships with credit institutions may not be obtained without authorization
cleared.
The Swedish Privacy Protection Authority's assessment
From the investigation in the case it appears that two functions in the analysis tool Meta-pixeln
inadvertently activated by the bank. As a result of the features being activated
personal data about a large number of people who were logged on to the bank's website
or in the bank's app unauthorized transferred to Meta. In some cases also have personal data
regarding people who visited the website or app and used a specific service
without having been logged in transferred. It is mainly the bank's own customers who have
affected by the transfer. The personal data transferred has included, among other things
social security number and extensive financial information. The information, including
detailed information about customers' finances, has in several cases been transmitted in plain text.
According to the bank, it has not been possible to verify afterwards how the functions
activated or by whom.
IMY initially takes a position on whether the data protection regulation is applicable and whether IMY
is the competent supervisory authority.
IMY is the competent supervisory authority
IMY's review aims at a situation where information about people, mainly customers
who were logged in to the bank, inadvertently transferred by the Meta pixel to Meta i
in connection with their visiting different parts of the bank's website. This one
information management does not mean that data is stored in or retrieved from a
subscriber's or user's terminal equipment and is therefore not covered by
Chapter 9 Section 28 of LEK or previously applicable corresponding provision in the law (2003:389)
on electronic communication. IMY thus states that the data protection regulation is the Swedish Privacy Agency Diary number: DI-2021-5544 8(15)
Date: 2024-06-24
applicable to the personal data processing in question and that IMY is authorized
supervisory authority. It can also be stated that IMY's review concerns the bank
have taken sufficient security measures, which is not something that is specifically regulated in LEK.
Even that relationship thus means that IMY is the competent supervisory authority.
IMY then assesses the issue of personal data responsibility and whether the bank has taken action
appropriate security measures according to articles 5.1 f and 32 of the data protection regulation for
to protect the personal data of affected website visitors and app users.
The bank is responsible for personal data
The bank has stated that the bank is responsible for personal data for it
personal data processing reviewed in the case. The investigation shows that the purpose
with implementing and using the Meta pixel has been to optimize the bank's
marketing. By processing information about e.g. visited by a person
web pages, searches and product selection have the bank's marketing on Meta's service
Facebook could thus be optimized.
IMY notes that the bank has determined the purpose and means for the processing of
the personal data, i.e. how and why the personal data is to be processed. IMY
assesses that it is the bank which according to Article 4.7 of the data protection regulation is
personal data controller for the personal data processing covered by the supervision.
The treatment involved a high risk and required a high level of protection
According to Article 32 of the data protection regulation, the bank has an obligation to protect them
personal data that the bank processes by taking appropriate technical and
organizational measures. The measures must ensure an appropriate level of security. At
the assessment of which level of security is appropriate shall be the responsibility of the personal data controller
take into account the costs, the nature, extent, context and purpose of the processing and the
risks to the rights and freedoms of natural persons that the processing entails.
From ch. 1 Section 10 first paragraph of the Banking Act follows that the person who is or has been connected to
a bank may not unauthorizedly disclose information relating to a bank customer's dealings with
the bank. The information that a certain person is a customer of the bank or not is also covered
the duty of confidentiality. These legal requirements on confidentiality thus apply in the bank's operations.
It places high demands on the protection of the personal data processed in the bank's
Operation.
IMY notes that the data that was handled consisted of, among other things, special
personal data worthy of protection, namely social security numbers, which may only be processed
under certain conditions. There has also been a question of financial data, such as
information on account number, securities holdings, loan amount, and credit limit, for which
the data subjects have legitimate expectations of a high degree of confidentiality and a
robust protection against unauthorized access. The data transferred has been covered by
statutory duty of confidentiality. The processing of personal data has taken place within the framework of
the bank's core business, which entails even higher requirements for the level of protection. The bank
should have had good ability to ensure a security that was suitable from the outside
the scope and sensitivity of the treatment.
With regard, among other things, to the fact that the data processed by the bank has been deleted
protective nature and affected a very large number of people has the bank's treatment
of the personal data in total meant a high risk for natural persons The Swedish Privacy Protection Agency Diary number: DI-2021-5544 9(15)
Date: 2024-06-24
rights and freedoms. The nature, extent and context of the treatment therefore have
entailed a requirement for a high level of protection for the data. The measures would, among other things,
ensure that the personal data was protected against unauthorized disclosure and unauthorized
access.
The bank has not taken sufficient measures to protect the data
IMY notes initially that the relationship that the bank transferred the relevant
the information to Meta means that the information has not actually been protected against
unauthorized disclosure.
The bank's information shows that it has formalized procedures to ensure a
correct processing of personal data before, in connection with and after the introduction of
new functions on the website and that these procedures are documented in the bank's
governing document.
IMY notes that the bank thus had organizational measures in place in the form of
procedures documented in the bank's governing documents. However, the bank currently has
the case did not follow its procedures. The bank has had the Meta pixel inserted on parts of the bank's
website and app that were intended only for logged-in customers and prospects
customers. The two functions AAM and AH in the Meta pixel have subsequently been activated without
the bank was aware of it. As a consequence of the fact that the bank upon the introduction of
these functions did not follow their routines and documented what happened, it has not
been possible for the bank to subsequently verify how or by whom these functions
was activated.
As a result of the two functions AAM and AH being activated without the bank's knowledge
has an unauthorized disclosure of information subject to confidentiality and an unauthorized
transfer of personal data has taken place to Meta. This went on for just over a year and a half. To
the clearing and the unauthorized transfer stopped was not due to the bank itself
paying attention to what was going on, but that the bank received via an external source
knowledge of it.
The bank has thus lacked the ability to detect the clearing of and the ongoing one
the transfer of personal data to Meta. IMY believes that the bank should have had one
such systematic security work that this would have been discovered by the bank. One
such security work involves checks being carried out with some regularity.
Because the bank has only had routines to follow up on documented changes
carried out according to established procedures, the bank has lacked the ability to detect and
address changes that, as in the current case, were carried out without the routines
followed. Against this background, IMY states that the bank has lacked technical and
organizational security procedures to systematically follow up and detect accidental
changes in their systems.
As a result of the bank not applying its organizational security routines when
the bank introduced the functions AAM and AH, partly lacking organizational and technical ones
security procedures to detect transmissions have personal data of a large number
persons unauthorized transferred to Meta. The investigation shows that there has been a question of
personal data of approximately 500,000 – 1,000,000 people.
In summary, IMY notes that the bank, when using the Meta pixel, does not
has taken sufficient technical and organizational measures to ensure a
security level that was appropriate in relation to the risk. This means that the bank under the Swedish Privacy Agency Diary number: DI-2021-5544 10(15)
Date: 2024-06-24
the period from 15 November 2019 to 2 June 2021 has processed personal data in
violation of Article 32.1 of the Data Protection Regulation.
According to the basic security principle in Article 5.1 f of the data protection regulation
personal data must be processed in a way that ensures appropriate security for
the personal data, including protection against unauthorized or unauthorized processing and against
loss, destruction or accidental damage, using appropriate
technical or organizational measures. Through what happened has information about
the bank's customers, for example information about social security numbers, account numbers,
securities holdings, loan amount and credit limit, transferred to Meta in plain text.
In addition, certain information has been transferred in hashed form, which enabled matching with
personal data at Meta. It has been a matter of information that is covered by
statutory duty of confidentiality. Loss of control of banking information can mean a lot
risk to the freedoms and rights of the data subjects. That the matter concerns bank information and that
the personal data has also predominantly been cleared and transferred in plain text from
According to IMY, a mode logged in for the customers means that what happened is particularly serious.
The bank's failure to follow its formalized procedures and lack of ability
to discover the unauthorized transfer of personal data is therefore deemed to be of such
serious type that the deficiency also involves a violation of Article 5.1 f i
data protection regulation.
Choice of intervention
Legal regulation
In the event of violations of the data protection regulation, IMY has a number of corrective measures
powers, including reprimands, injunctions and penalty charges. It follows from
article 58.2 a–j of the data protection regulation. IMY shall impose penalty fees in addition to or
instead of other corrective measures referred to in Article 58(2), depending
the circumstances of each individual case.
Each supervisory authority must ensure that the imposition of administrative
penalty charges in each individual case are effective, proportionate and dissuasive. The
stated in Article 83.1 of the Data Protection Regulation.
In Article 83.2, the factors to be taken into account in deciding whether an administrative
penalty fee must be imposed and what can affect the size of the penalty fee. Of
significance for the assessment of the seriousness of the violation is, among other things, its nature,
severity and duration.
According to Article 83.4, in the event of violations of, among other things, Article 32, it must be imposed
administrative penalty fees of up to EUR 10,000,000 or, if one applies
company, of up to two percent of the total global annual turnover during
previous budget year, depending on which value is the highest.
According to Article 83.5, in the event of violations of, among other things, Article 5, it must be imposed
administrative penalty fees of up to EUR 20,000,000 or, if one applies
companies, of up to four percent of the total global annual turnover during
previous budget year, depending on which value is the highest. Privacy Protection Agency Diary number: DI-2021-5544 11(15)
Date: 2024-06-24
The EDPB has adopted guidelines on the calculation of administrative penalty fees according to
the data protection regulation which aims to create a harmonized method and principles
5
for calculation of penalty fees.
If it is a question of a minor violation, IMY receives according to what is stated in reason 148 i
instead of imposing a penalty charge, issue a reprimand in accordance with Article 58.2 b i
the regulation.
IMY's assessment
A penalty fee must be imposed
IMY has made the assessment that the bank has processed personal data in violation of
article 32.1 of the data protection regulation and that the violation is of such a serious nature
that it is also a question of a violation of the principles of integrity and
confidentiality in Article 5.1 f.
The violation has occurred through the bank's processing of personal data with a
insufficient level of security, which has led to, among other things, financial information about
around 500,000 - 1,000,000 people were unauthorized transferred to Meta for just over a year and
half a year's time. The bank has also lacked the ability to detect during this time
the transfer of personal data to Meta. IMY believes that the bank should have had one
such systematic security work that the transfer of personal data would have
discovered in connection with a regular check. The unauthorized transfer has
entailed a high risk for the freedoms and rights of the registered, among other things
loss of confidentiality of data worthy of protection. Against this background, IMY assesses
that it is not a question of such minor violations as referred to in reason 148 i
data protection regulation.
The European Court of Justice has clarified that it is required that the person in charge of personal data has committed a
Violation intentionally or negligently to administrative penalty fees
must be enforceable according to the data protection regulation. The European Court of Justice has stated that
data controllers may be subject to penalty fees for actions if they cannot
are deemed to have been unaware that the conduct constituted a breach, regardless of whether they
were aware that they violated the provisions of the data protection regulation. 6
According to the principle of responsibility which is expressed, among other things, in Article 5.2 i
the data protection regulation shall the person responsible for the processing of personal data
ensure and be able to demonstrate that the processing is compatible with the data protection regulation.
IMY thus states that the bank is responsible for the personal data being processed
in the business, is processed in a way that ensures an appropriate level of security. IMY
has established during its examination that the bank did not live up to the requirements that
the data protection regulation stipulates in this regard. The bank cannot be considered to have been
unaware that its actions entailed a breach of the regulation. The
5
EDPB's guidelines Guidelines 04/2022 on the calculation of administrative fines under the GDPR, adopted on 24 May
6023.
against Valstybinė daemono apogos inspekcija of December 5, 2023, point 81 prie Sveikatos apogos ministrijos
and judgment in case C 807/21 Deutsche Wohnen of 5 December 2023, paragraph 76Integritetsskyddsmyndigheten Diary number: DI-2021-5544 12(15)
Date: 2024-06-24
there are therefore prerequisites for imposing an administrative on the bank
penalty fee. 7
When determining the size of the penalty fee, IMY must take the circumstances into account
as specified in Article 83.2 as well as ensuring that the administrative sanction fee is
effective, proportionate and dissuasive.
IMY states that violations of Article 5.1 f of the data protection regulation are covered by
article 83.5 which means that a penalty fee of up to twenty million euros or four
percentage of the global annual turnover in the previous fiscal year, depending
whichever is higher, may be imposed.
The Avanza group's annual turnover according to the parent company's consolidated accounts must
is added as a basis for the calculation
When determining the maximum amount of a penalty charge to be imposed on a company
shall the definition of the concept of company be used as used by the EU Court of Justice
application of Articles 101 and 102 of the TFEU (see recital 150 i
data protection regulation). It appears from the court's practice that this includes every entity
that carries out economic activities, regardless of the legal form of the entity and the way of doing so
financing as well as even if the unit in the legal sense consists of several physical or
legal entities.
The assessment of what constitutes a company must therefore be based on competition law
definitions. The rules for group liability in EU competition law revolve around
the concept of economic unity. A parent company and a subsidiary are considered one part
of the same economic entity when the parent company exercises decisive influence over
the subsidiary. The decisive influence (that is, control) can either be achieved
by ownership or by contract. Jurisprudence shows that one hundred percent or
almost one hundred percent ownership implies a presumption for control to be considered
exist. However, the presumption can be rebutted if the company provides sufficient evidence
to prove that the subsidiary acts independently on the market. To refute
the presumption, the company must therefore provide evidence relating to the organizational,
the financial and legal links between the subsidiary and its parent company which
shows that they do not constitute an economic unit even though the parent company owns 100 percent
9
or almost 100 percent of the shares.
Avanza Bank AB is a wholly owned subsidiary of the parent company Avanza Bank Holding AB
(publ). According to the presumption described above, it is therefore the turnover for Avanza
the group according to Avanza Bank Holding AB's (publ) consolidated accounts which shall
is added as a basis for calculating the maximum penalty fee amount.
From Avanza Bank Holding AB's consolidated accounts for 2023 it appears that the total
global annual turnover was approx. SEK 4,716,000,000. Four percent of it
annual turnover is approx. SEK 189,000,000. As this amount is less than the maximum amount
as stated in Article 83(5) is the maximum penalty amount that can be determined in
the case 20,000,000 euros.
7 For the assessment of negligence, see also the Court of Appeal in Stockholm's judgment of 11 March 2024 in case 2829-23 p.12.
8 The EU Court's judgment in case C-97/08 P Akzo Nobel NV et al. against the European Commission of 10 September 2009, paragraph 59-
61 Adapt/unify footnotes where we refer to the rulings of the European Court of Justice.
9 Cf. EDPB's guidelines Guidelines 04/2022 on the calculation of administrative fines under the GDPR, point 125 and
where reported rulings. The Privacy Protection Agency Diary number: DI-2021-5544 13(15)
Date: 2024-06-24
The seriousness of the violation
The EDPB's guidelines state that the supervisory authority must assess whether the violation is
10
of low, medium or high severity.
IMY assesses that the following factors are important for the assessment of the infringement
seriousness.
IMY has established that the bank did not follow its procedures in connection with the functions
AAM and AH in the Meta pixel were activated and that the bank has lacked the systematic
security work required to detect the unauthorized disclosure and transfer
of personal data to Meta. The current security flaws have led to an incident that
has affected a large number of registrants and Meta has been able to take part in a large amount
personal data, in many cases in plain text, which would not have been transferred to Meta.
The information has included financial information and information about social security numbers, i.e.
information that requires a high level of protection. The violation has been going on for a long time,
from 15 November 2019 until 2 June 2021 when the bank became
alerted to the unauthorized transfer of the data. The treatment of
the personal data on the bank's website is part of the bank's core business there
the information is subject to statutory confidentiality, which means that the breach must
considered more serious than if this had not been the case. 11
IMY has established that the violation is so serious that it is in addition to a violation of
Article 32.1 of the data protection regulation also constitutes a violation of it
the fundamental principle of integrity and confidentiality according to Article 5.1 f. IMY
assesses, overall, that the violation in question has a low degree of seriousness
within the scope of violations of Article 5.1 f.
In its assessment of the size of the penalty fee, IMY must also take these into account
aggravating and mitigating factors listed in Article 83.2 i
data protection regulation. IMY notes that the bank has taken certain measures to
alleviate the damage suffered by the registrants according to Article 83.2 c. The bank closed
immediately by the pixel functions when the bank was made aware of the transfer.
The bank also contacted Meta to ensure that Meta had not processed
the data for own purposes and that the data has been deleted at Meta. In addition to this have
the bank has implemented additional control documents and routines that aim to ensure
a correct processing of personal data. IMY assesses that the bank through these
measures taken that could be expected given the nature of the treatment,
purpose and scope. The measures taken therefore do not constitute mitigation
factor. IMY states that no other circumstances have come to light either
which affects IMY's assessment of the size of the sanction fee neither in aggravating manner
or mitigating direction
The penalty fee must be effective, proportionate and dissuasive
The administrative penalty fee must be effective, proportionate and
deterrent. This means that the amount must be determined so that the administrative
the penalty fee leads to correction, that it provides a preventive effect and that it
in addition, is proportionate in relation to current violations as well as to
the supervised entity's ability to pay.
10 EDPB's guidelines Guidelines 04/2022 on the calculation of administrative fines under the GDPR, point 60.
11 EDPB's guidelines Guidelines 04/2022 on the calculation of administrative fines under the GDPR, point 53. Data Protection Authority Diary number: DI-2021-5544 14(15)
Date: 2024-06-24
In light of the seriousness of the violation, IMY decides that the bank must pay a
administrative sanction fee of SEK 15,000,000 for the identified violations.
IMY considers this amount to be effective, proportionate and dissuasive.
This decision has been taken by acting general manager David Törngren after
presentation by senior lawyer Hans Kärnlöf. At the final processing has
also Acting Head of Justice Cecilia Agnehall and Head of Unit Catharina Fernquist
and the IT and information security specialist Petter Flink participated.
David Törngren, 2024-06-24 (This is an electronic signature)
Copy to
DSOIntegritysskyddsmyndigheten Diary number: DI-2021-5544 15(15)
Date: 2024-06-24
How to appeal
If you want to appeal the decision, you must write to the Swedish Privacy Protection Authority. Enter in
the letter which decision you are appealing and the change you are requesting. The appeal shall
have been received by the Privacy Protection Authority no later than three weeks from the day you received it
part of the decision. If the appeal has been received in time send
The Privacy Protection Authority forwards it to the Administrative Court in Stockholm
examination.
You can e-mail the appeal to the Privacy Protection Authority if it does not contain
any privacy-sensitive personal data or information that may be covered by
secrecy. The authority's contact details appear on the first page of the decision.
