IMY (Sweden) - DI-2021-5544 Avanza Bank
IMY - DI-2021-5544 Avanza Bank | |
---|---|
Authority: | IMY (Sweden) |
Jurisdiction: | Sweden |
Relevant Law: | Article 5(1)(f) GDPR Article 32(1) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | 24.06.2021 |
Decided: | 24.06.2024 |
Published: | 25.06.2024 |
Fine: | 15000000 SEK |
Parties: | Avanza Bank |
National Case Number/Name: | DI-2021-5544 Avanza Bank |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Swedish |
Original Source: | IMY (in SV) |
Initial Contributor: | Andreea Lisievici |
The DPA fined Avanza Bank AB €1,318,955.55 (SEK 15 million) for failing to implement security measures, leading to the unauthorised transfer of personal data of more than half a million data subjects to Meta by accidentally turning on two functions of the analytics tool Meta Pixel.
English Summary
Facts
The controller, Avanza Bank AB, used Meta’s analytics tool Meta Pixel to measure the effectiveness of the bank’s Facebook advertising. By collecting information about which pages on the controller’s website a person visited, the controller could optimise its marketing. This tool would only collect information about a data subject’s website visits, IP addresses and information about certain unique events such as searches on the websites.
Two new functions of the analytics tool, the Automatic Advanced Matching (AAM) and the Automatic Events (AH), were activated by the controller by mistake.
The AAM looked for recognisable form fields and other sources on the controller’s website that contain information such as first name, last name and email address. It transfered data in hashed form (an irreversible one-way process that converts data into a unique string of characters) to Meta if a data subject filled in any of the five different forms of the controller’s website or mobile app. When users logged in and accepted marketing cookies, the AMM collected the personal data, including personal identification number, contact details, loan amounts on existing loans, employers, type of employment and account numbers. With this, Meta-Pixel could match the hashed data with the behaviour of data subjects to the website to obtain a more detailed profile of the data subjects. It is unknown whether this resulted in targeted advertising.
The AH analysed which buttons on the controller’s website and mobile app the user pressed and transmitted this data in plain text to Meta to then make suggestions about marketing on Facebook. However, the controller categorised visual fields as buttons on their website and mobile app. Via AH, personal data of data subjects were collected, including securities holdings and value, loan amounts, account number and email address and social security number.
The controller found out by an external source that the personal data of 500,001 to 1 million individuals were incorrectly transferred to Meta (formerly Facebook) between 15 November 2019 and 2 June 2021 by accidentally turning on these two functions of Meta Pixel. The controller, afterwards, could not determine who and how these functions were turned on.
On June 8, 2021, the Swedish DPA (Integritetsskyddsmyndigheten - "IMY") received the breach notification from the controller.
The controller argued that the transfer of the data did not entail any harm or risk to the data subjects, as Meta did not use the data for its own purposes or transfer it further, and the data was erased after request by the controller. All data was transferred by the Meta pixel to Meta and the controller's own advertising account with Meta.
Holding
The DPA found that the two functions of the analytics tool that were accidently activated led to the unauthorised transfer of personal data to Meta. The DPA also noted that the controller failed to detect the activation of these functions. The DPA found that although the controller had formalised procedures in place to ensure the correct processing of personal data before, during and after the introduction of new functions on the website, the controller did not follow its procedures in this case. The controller only became aware of the unauthorised transfer by an external source.
The DPA held that the controller had an obligation under Article 5(1)(f) GDPR and Article 32 GDPR to protect personal data against unauthorised access and processing by implementing appropriate technical and organisational measures.
The DPA noted that the data transferred included sensitive information and concerned a very large number of people. Most of the data was transferred in plain text, posing a high risk to data subjects. The DPA held that the controller should have had a systematic security work that the unauthorised transfer of personal data would have been detected by regularly checks. The controller’s failure to detect and prevent the unauthorized disclosure of personal data indicated a lack of sufficient security measures, thus violating Article 5(1)(f) GDPR and Article 32(1) GDPR.
The DPA found that these were not minor infringement as referred to in Recital 148. Moreover, the controller could not be considered to have been unaware that its behaviour violated the GDPR according to the DPA. The DPA therefore held there were grounds for imposing a fine against the controller.
Thus, the DPA imposed a fine of €1,318,955.55 (SEK 15 million) against the controller for violating Article 5(1)(f) GDPR and Article 32(1) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.
1(15) Avanza Bank AB Regeringsgatan 103 111 39 Stockholm Diary number: DI-2021-5544 Decision after supervision according to data protection regulation against Avanza Date: 2024-06-24 Bank AB The Privacy Protection Authority's decision The Swedish Privacy Protection Authority states that Avanza Bank AB (organisation number 556573-5668) has processed personal data in violation of articles 5.1 f and 32.1 i the data protection regulation by, in the period from 15 November 2019 to 2 June 2021 when using the analysis tool Meta-pixeln have not taken appropriate measures technical and organizational measures to ensure an appropriate level of security for personal data. The Privacy Protection Authority decides with the support of articles 58.2 and 83 i data protection regulation that Avanza Bank AB must pay an administrative sanction fee of 15,000,000 (fifteen million) kroner for the violations of articles 5.1 f and 32.1 of the data protection regulation. Account of the supervisory matter Starting point for supervision The Swedish Privacy Agency (IMY) received on June 8, 2021, a notification about a personal data incident from Avanza Bank AB (the bank). The report showed that personal data of 500,001 – 1 million during the period from November 15, 2019 to with June 2, 2021 erroneously transferred to the bank's partner Facebook (now Meta). Among the data transferred were social security numbers, loan amounts and account number. The background to the incident was that the bank started using Meta's service Facebook- the pixel (now the Meta pixel) in order to optimize the bank's marketing. During 2019 Meta developed a new sub-function within the Meta pixel, called Automatic Advanced Mailing address: Matching (AAM). The incorrect transfer of personal data was caused by the Box 8114 the new AAM feature was activated by the bank by mistake. The bank became aware of 104 20 Stockholm the transfer via external information. As soon as the bank became aware of the incident Website: the bank deactivated the Meta pixel in its entirety. www.imy.se E-mail: imy@imy.se 1 European Parliament and Council Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with Telephone: regarding the processing of personal data and on the free flow of such data and on the cancellation of 08-657 61 00 directive 95/46/EC (general data protection regulation). The Swedish Privacy Agency Diary number: DI-2021-5544 2(15) Date: 2024-06-24 Against the background of the information in the notification about the personal data incident, IMY started supervision of the bank. The supervision has been limited to what the bank has undertaken appropriate technical and organizational measures to protect website visitors and app users' personal data in accordance with articles 5.1 f and 32.1 i data protection regulation during the period from 15 November 2019 to 2 June 2021. What the bank has stated The bank has essentially stated the following regarding the issues that are the subject of IMY's examination. Personal data responsibility The bank is responsible for personal data for the introduction of the Meta pixel and the subsequent one the transfer of personal data to Meta. The original implementation of the Meta pixel The bank has routines to ensure correct processing of personal data before, i in connection with and after the introduction of new functions on the website. These routines are formalized and documented in the bank's governing documents. According to the bank procedures to ensure correct processing of personal data must initially before each new or changed personal data processing, a review is made and assessment of the planned treatment to ensure that it meets the requirements of data protection regulation. The review is done with the help of, among other things, a documented template for personal data processing which contains several steps which the employee who is responsible for the introduction of a new or changed personal data processing must go through. The steps mean, among other things, that it must a risk analysis of the treatment is carried out, a legal basis must be able to be established and it must ensure that those registered are given correct information about the new one the processing of personal data. Furthermore, the processing must be entered into the bank's register list. The Meta pixel is an analytics tool provided by Meta that helps to measure the effectiveness of the bank's Facebook advertising. The meta pixel transferred and linked a website visitor's activity and behavior on the bank's website with a unique registered user of any of Meta's services. the purpose with introducing and using the Meta pixel was to optimize the bank's marketing. The purpose of the personal data processing was to use targeted advertising Facebook and be able to market the bank to a relevant target group. The meta pixel enabled more relevant marketing to be produced by the marketing could be based on information about which pages on the bank's website as a person visited. Before the bank started the collaboration with Meta, an approval process was carried out where functions at the bank within risk, compliance, legal and information security was involved. Within the framework of this process, issues of bank secrecy were addressed and personal data processing. It was only information about a person's visits web pages, IP address and information about certain unique events, e.g. product selection and searches on the website, which were necessary to process for the purpose in question. Data Protection Agency Diary number: DI-2021-5544 3(15) Date: 2024-06-24 Activation of new sub-functions in the Meta pixel In 2019, Meta developed the Meta pixel service by also providing the Automatic Advanced Matching (“AAM”) function. This is a sub-function within Meta- the pixel. In addition to AAM, the Meta pixel also offers the Automatic Events feature ("AH") which can be activated manually and which then tries to detect on its own and capture events and interactions, such as clicks, searches and menu selections, at visit the company's website or in the app. In 2019, the bank's legal department received a request from the marketing department about the opportunity to use one of Meta's functions through which customer data would transferred to Meta. The bank's legal department found that the function in question could not is implemented. It is further the bank's view that if an implementation of a function as AAM would have been subject to internal processes and procedures had it led to the assessment that the bank had not been able to accept the terms and that it did not would be possible to use the function. This is because the function risks involve a transfer of data to Meta that the bank cannot legally carry out in its banking. It has never been the bank's intention to use the functions AAM and AH. The bank has not been able to verify how the functions have been activated. Should the feature have activated by an employee of the bank, it is the bank's opinion that it has taken place mistake. The bank has not taken any decision to activate the AAM function. The bank's transfer of personal data via the AAM function to Meta Automatic Advanced Matching (AAM) feature The function AAM transmitted data in hashed form (with the hashing function SHA256) to Meta if the user filled in one of the five different forms on the bank's website or in the bank's mobile app. Two forms were in the new customer flow (open for visitors, where the visitor intended to become a customer). Three forms related to mortgages and was behind login and could only transfer data from existing customers who entered into a customer agreement with the bank. In order for the data to be transferred, it was required so that a person was logged in to the bank's website and that the person agreed to marketing cookies at the bank. If these conditions were not met AAM was not activated and no data was transferred. If the conditions were met, the following hashed data could be transferred to Meta: • Social security number • Contact information, such as phone number, email address, postal code and postal address • Loan amount on existing loan • Employer • Form of employment • Account number 2IMY's addition: Hashing is a one-way cryptographic function that can be used to accomplish pseudonymization, which is a possible security measure according to Article 32 of the Data Protection Regulation, by personal data is replaced with a so-called hash sum. This means that the replaced personal data is not available in plain text and that additional information is needed to be able to identify the registered person. The Swedish Privacy Agency Diary number: DI-2021-5544 4(15) Date: 2024-06-24 By inadvertently activating the AAM feature by the bank, the Meta pixel was able to match they hashed the data with visitors' behavior on the site for profiling. This made it possible to get a more detailed picture of the visitors. Profiling applied only the bank's marketing and was not used by Meta for its own, or others actors' business purposes. Exactly how AAM has affected advertising is not established. That this resulted in directed advertising cannot be excluded. The Automatic Events (AH) feature The AH function passed information in plain text to Meta when a user navigated on the bank's website or in the mobile app. A condition for transfer was that the user agreed to marketing cookies at the bank and was logged in as customer of the bank (with one exception, see below). The data that was transferred in clear text to Meta was unknowingly transferred as it did not exist any intention to show the information to anyone other than the customer. It was from browser or app on the customer's device that the transfer took place and that because of three main factors: 1) The function inadvertently activated by the bank at Meta also follows how a users move on a site/mobile (convert). To do so is sent information about which "buttons" – that is, elements on the page/screen – the user presses when he navigates on the site/in the app. Meta accordingly collects information that tells you which button presses take place to understand which context the user converts in. For example, Meta wants to understand that the customer buys something at print on a button with the text "Buy" even if the advertiser has not picked up the buy button as a conversion. This information was sent to Meta. 2) The bank uses elements that Meta perceives as buttons, e.g. button marked boxes and drop-down menus, in their code to present certain information to the bank's user. This mainly applies when there are elements on the site/apps that can be accessed press to e.g. show more information. Often these appear as a smaller visual elements that become larger when you press them, and then show more information. When users have pressed these elements to see more information, it has been recorded as regular keystrokes of Meta's script (Meta pixel IMY's note). The script has then compiled the information and sent it to Meta as a registered keystroke. 3) Information about keystrokes is not pseudonymized (IMY's note is hashed) by Meta the way other information they collect. These three factors together have caused certain information to be sent to Meta i plain text. It was thus a combination of the (incorrectly) activated functionality along with Meta's handling of button presses and a specific technical solution from the bank that caused the transfer to Meta. In summary, AH analyzed which buttons on the website and mobile app which the user pressed to then make suggestions about marketing on Facebook. The bank's transfer of data via AH arose because the bank categorized visual fields such as buttons on the website and in the mobile app code. Via AH could the following categories of data are transferred to Meta in plain text: The Swedish Privacy Agency Diary number: DI-2021-5544 5(15) Date: 2024-06-24 • Securities holdings and value, such as amount available for purchase, withdrawal and value development • Information on loan amount • Account number and credit limit • Fees, taxes and current interest rates • Current orders and today's close • Company signatory and bank from which the pension is transferred • Email address and social security number The majority of data transmitted via AH came from buttons behind logged in location with the bank, i.e. buttons that were only shown to customers who signed up customer agreement with the bank. In one place on the bank's website, however, there were expandables panels in the flow for signing occupational pensions, both for individual companies and for limited company, which was open to all visitors, i.e. also information from one limited number of visitors without a customer agreement with the bank and who were therefore not logged in. Measures taken after the personal data incident Meta has confirmed to the bank that the personal data processed has been deleted at Meta in a way that does not allow Meta to reproduce them. The bank's opinion is that the transfer of the data did not entail any damage or risk for the data subjects because Meta did not use the data for its own purposes or transferred them on and that the data is deleted. All information has been transferred by The Meta pixel for Meta and the bank's own advertising account with Meta. In order to detect outgoing traffic, the bank has now established a process for how the bank introduces and manages third-party scripts. It describes how these scripts should are evaluated from a security and integrity perspective and how they are maintained long term. The bank has also moved the scripts from the third-party suppliers to the bank's own system to avoid changes in the script being introduced without the bank draws attention to it. The bank has also supplemented internal guidelines to more clearly describe the error scenario, how it is avoided and what expectations are incumbent on the bank's development team when they handles this type of product. In addition to this, the bank has implemented additional governing documents and routines aimed at to ensure correct processing of personal data. These governing documents contains, among other things, requirements and guidelines in relation to the processing of personal data before, in connection with and after the introduction of new functions on the bank's website. Justification of the decision Applicable regulations, etc. It follows from Article 95 of the Data Protection Regulation that the Data Protection Regulation shall not entail any additional obligations for natural or legal persons who processes personal data, for such areas that are already covered by obligations of the Swedish Data Protection Agency Diary number: DI-2021-5544 6(15) Date: 2024-06-24 3 according to the so-called eData protection directive. The eData Protection Directive has been implemented in Swedish law through the Act (2003:389) on Electronic Communications (LEK), including other collection of data through cookies is regulated. According to ch. 9 Section 28 LEK, which implements Article 5.3 of the eData Protection Directive, receives data stored in or retrieved from a subscriber's or user's terminal equipment only if the subscriber or user gets access to information about the purpose of the treatment and consent to it. Furthermore, it appears that this does not prevent such storage or access needed to transmit an electronic message via a electronic communication network or which is necessary to provide a service which the user or subscriber has expressly requested. LEK entered into force on 22 August 2022. During the time in question in the case, however, the same requirements applied according to 6 ch. Section 18 of the Act on (2003:389) on electronic communications. It is Postal and The Swedish Telecom Agency, which is the supervisory authority according to LEK (chapter 1 § 5 of the regulation (2022:511) on electronic communication). The European Data Protection Board (EDPB) has commented on the interaction between eData Protection Directive and the Data Protection Regulation. From the opinion, i.a. follows that it national supervisory authority appointed according to the eData Protection Directive is alone competent to monitor compliance with the Directive. However, the supervisory authority is according to data protection regulation competent supervisory authority for the processing that does not regulated in particular in the eData Protection Directive.4 According to Article 4.7 of the Data Protection Regulation, the person in charge of personal data is a physical or legal person, public authority, institution or other body which alone or together with others determines the purposes and means of the processing of personal data. If the purposes and means of the processing are determined by Union law or the national law of the Member States can the personal data controller or the special criteria for how he is to be appointed are prescribed in Union law or in national law of the Member States. The personal data controller is responsible for and must be able to demonstrate that the basic the principles in Article 5 of the Data Protection Regulation are followed. This is apparent from Article 5.2 i the data protection regulation (principle of liability). According to Article 5.1 f of the data protection regulation, personal data must be processed in one way which ensures appropriate security for the personal data, including protection against unauthorized or unauthorized processing and against loss, destruction or damage by accident, using appropriate technical or organizational measures. It follows from Article 32.1 of the data protection regulation that the person in charge of personal data must take appropriate technical and organizational measures to ensure a safety level that is appropriate in relation to the risk of the treatment. At the assessment of which technical and organizational measures are appropriate must data controller take into account the latest developments, implementation costs and the nature, scope, context and purpose of the treatment as well as the risks for rights and freedoms of natural persons. 3 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 on the processing of personal data and privacy protection in the electronic communications sector (Directive on Privacy and Electronic Communications). 4Opinion 5/2019 on the interaction between the directive on privacy and electronic communications and the general the data protection regulation, especially with regard to the competence, tasks and powers of the data protection authorities, adopted on 12 March 2019, paragraphs 68 and 69. The Swedish Privacy Protection Agency Diary number: DI-2021-5544 7(15) Date: 2024-06-24 According to Article 32(1), appropriate safeguards include, where appropriate, a) pseudonymisation and encryption of personal data, b) the ability to continuously ensure confidentiality, integrity, availability and resilience of treatment systems and services, c) the ability to restore the availability and access to personal data i reasonable time in the event of a physical or technical incident, and d) a procedure for regularly testing, examining and evaluating effectiveness in the technical and organizational measures that must ensure the safety of the treatment. According to article 32.2 of the data protection regulation, when assessing the appropriate security level special consideration is given to the risks that the treatment entails, in particular for accidental or unlawful destruction, loss or alteration or for unauthorized disclosure of or unauthorized access to the personal data transmitted, stored or otherwise treated. According to ch. 3 Section 10 of the law (2018:218) with supplementary regulations to the EU's data protection regulation, social security numbers and coordination numbers may be processed without consent only when it is clearly justified with regard to the purpose of the processing, the importance of a secure identification or any other reasonable reason. From ch. 1 Section 10 first paragraph of the Act (2004:297) on banking and financing operations (Banking Act) states that individuals' relationships with credit institutions may not be obtained without authorization cleared. The Swedish Privacy Protection Authority's assessment From the investigation in the case it appears that two functions in the analysis tool Meta-pixeln inadvertently activated by the bank. As a result of the features being activated personal data about a large number of people who were logged on to the bank's website or in the bank's app unauthorized transferred to Meta. In some cases also have personal data regarding people who visited the website or app and used a specific service without having been logged in transferred. It is mainly the bank's own customers who have affected by the transfer. The personal data transferred has included, among other things social security number and extensive financial information. The information, including detailed information about customers' finances, has in several cases been transmitted in plain text. According to the bank, it has not been possible to verify afterwards how the functions activated or by whom. IMY initially takes a position on whether the data protection regulation is applicable and whether IMY is the competent supervisory authority. IMY is the competent supervisory authority IMY's review aims at a situation where information about people, mainly customers who were logged in to the bank, inadvertently transferred by the Meta pixel to Meta i in connection with their visiting different parts of the bank's website. This one information management does not mean that data is stored in or retrieved from a subscriber's or user's terminal equipment and is therefore not covered by Chapter 9 Section 28 of LEK or previously applicable corresponding provision in the law (2003:389) on electronic communication. IMY thus states that the data protection regulation is the Swedish Privacy Agency Diary number: DI-2021-5544 8(15) Date: 2024-06-24 applicable to the personal data processing in question and that IMY is authorized supervisory authority. It can also be stated that IMY's review concerns the bank have taken sufficient security measures, which is not something that is specifically regulated in LEK. Even that relationship thus means that IMY is the competent supervisory authority. IMY then assesses the issue of personal data responsibility and whether the bank has taken action appropriate security measures according to articles 5.1 f and 32 of the data protection regulation for to protect the personal data of affected website visitors and app users. The bank is responsible for personal data The bank has stated that the bank is responsible for personal data for it personal data processing reviewed in the case. The investigation shows that the purpose with implementing and using the Meta pixel has been to optimize the bank's marketing. By processing information about e.g. visited by a person web pages, searches and product selection have the bank's marketing on Meta's service Facebook could thus be optimized. IMY notes that the bank has determined the purpose and means for the processing of the personal data, i.e. how and why the personal data is to be processed. IMY assesses that it is the bank which according to Article 4.7 of the data protection regulation is personal data controller for the personal data processing covered by the supervision. The treatment involved a high risk and required a high level of protection According to Article 32 of the data protection regulation, the bank has an obligation to protect them personal data that the bank processes by taking appropriate technical and organizational measures. The measures must ensure an appropriate level of security. At the assessment of which level of security is appropriate shall be the responsibility of the personal data controller take into account the costs, the nature, extent, context and purpose of the processing and the risks to the rights and freedoms of natural persons that the processing entails. From ch. 1 Section 10 first paragraph of the Banking Act follows that the person who is or has been connected to a bank may not unauthorizedly disclose information relating to a bank customer's dealings with the bank. The information that a certain person is a customer of the bank or not is also covered the duty of confidentiality. These legal requirements on confidentiality thus apply in the bank's operations. It places high demands on the protection of the personal data processed in the bank's Operation. IMY notes that the data that was handled consisted of, among other things, special personal data worthy of protection, namely social security numbers, which may only be processed under certain conditions. There has also been a question of financial data, such as information on account number, securities holdings, loan amount, and credit limit, for which the data subjects have legitimate expectations of a high degree of confidentiality and a robust protection against unauthorized access. The data transferred has been covered by statutory duty of confidentiality. The processing of personal data has taken place within the framework of the bank's core business, which entails even higher requirements for the level of protection. The bank should have had good ability to ensure a security that was suitable from the outside the scope and sensitivity of the treatment. With regard, among other things, to the fact that the data processed by the bank has been deleted protective nature and affected a very large number of people has the bank's treatment of the personal data in total meant a high risk for natural persons The Swedish Privacy Protection Agency Diary number: DI-2021-5544 9(15) Date: 2024-06-24 rights and freedoms. The nature, extent and context of the treatment therefore have entailed a requirement for a high level of protection for the data. The measures would, among other things, ensure that the personal data was protected against unauthorized disclosure and unauthorized access. The bank has not taken sufficient measures to protect the data IMY notes initially that the relationship that the bank transferred the relevant the information to Meta means that the information has not actually been protected against unauthorized disclosure. The bank's information shows that it has formalized procedures to ensure a correct processing of personal data before, in connection with and after the introduction of new functions on the website and that these procedures are documented in the bank's governing document. IMY notes that the bank thus had organizational measures in place in the form of procedures documented in the bank's governing documents. However, the bank currently has the case did not follow its procedures. The bank has had the Meta pixel inserted on parts of the bank's website and app that were intended only for logged-in customers and prospects customers. The two functions AAM and AH in the Meta pixel have subsequently been activated without the bank was aware of it. As a consequence of the fact that the bank upon the introduction of these functions did not follow their routines and documented what happened, it has not been possible for the bank to subsequently verify how or by whom these functions was activated. As a result of the two functions AAM and AH being activated without the bank's knowledge has an unauthorized disclosure of information subject to confidentiality and an unauthorized transfer of personal data has taken place to Meta. This went on for just over a year and a half. To the clearing and the unauthorized transfer stopped was not due to the bank itself paying attention to what was going on, but that the bank received via an external source knowledge of it. The bank has thus lacked the ability to detect the clearing of and the ongoing one the transfer of personal data to Meta. IMY believes that the bank should have had one such systematic security work that this would have been discovered by the bank. One such security work involves checks being carried out with some regularity. Because the bank has only had routines to follow up on documented changes carried out according to established procedures, the bank has lacked the ability to detect and address changes that, as in the current case, were carried out without the routines followed. Against this background, IMY states that the bank has lacked technical and organizational security procedures to systematically follow up and detect accidental changes in their systems. As a result of the bank not applying its organizational security routines when the bank introduced the functions AAM and AH, partly lacking organizational and technical ones security procedures to detect transmissions have personal data of a large number persons unauthorized transferred to Meta. The investigation shows that there has been a question of personal data of approximately 500,000 – 1,000,000 people. In summary, IMY notes that the bank, when using the Meta pixel, does not has taken sufficient technical and organizational measures to ensure a security level that was appropriate in relation to the risk. This means that the bank under the Swedish Privacy Agency Diary number: DI-2021-5544 10(15) Date: 2024-06-24 the period from 15 November 2019 to 2 June 2021 has processed personal data in violation of Article 32.1 of the Data Protection Regulation. According to the basic security principle in Article 5.1 f of the data protection regulation personal data must be processed in a way that ensures appropriate security for the personal data, including protection against unauthorized or unauthorized processing and against loss, destruction or accidental damage, using appropriate technical or organizational measures. Through what happened has information about the bank's customers, for example information about social security numbers, account numbers, securities holdings, loan amount and credit limit, transferred to Meta in plain text. In addition, certain information has been transferred in hashed form, which enabled matching with personal data at Meta. It has been a matter of information that is covered by statutory duty of confidentiality. Loss of control of banking information can mean a lot risk to the freedoms and rights of the data subjects. That the matter concerns bank information and that the personal data has also predominantly been cleared and transferred in plain text from According to IMY, a mode logged in for the customers means that what happened is particularly serious. The bank's failure to follow its formalized procedures and lack of ability to discover the unauthorized transfer of personal data is therefore deemed to be of such serious type that the deficiency also involves a violation of Article 5.1 f i data protection regulation. Choice of intervention Legal regulation In the event of violations of the data protection regulation, IMY has a number of corrective measures powers, including reprimands, injunctions and penalty charges. It follows from article 58.2 a–j of the data protection regulation. IMY shall impose penalty fees in addition to or instead of other corrective measures referred to in Article 58(2), depending the circumstances of each individual case. Each supervisory authority must ensure that the imposition of administrative penalty charges in each individual case are effective, proportionate and dissuasive. The stated in Article 83.1 of the Data Protection Regulation. In Article 83.2, the factors to be taken into account in deciding whether an administrative penalty fee must be imposed and what can affect the size of the penalty fee. Of significance for the assessment of the seriousness of the violation is, among other things, its nature, severity and duration. According to Article 83.4, in the event of violations of, among other things, Article 32, it must be imposed administrative penalty fees of up to EUR 10,000,000 or, if one applies company, of up to two percent of the total global annual turnover during previous budget year, depending on which value is the highest. According to Article 83.5, in the event of violations of, among other things, Article 5, it must be imposed administrative penalty fees of up to EUR 20,000,000 or, if one applies companies, of up to four percent of the total global annual turnover during previous budget year, depending on which value is the highest. Privacy Protection Agency Diary number: DI-2021-5544 11(15) Date: 2024-06-24 The EDPB has adopted guidelines on the calculation of administrative penalty fees according to the data protection regulation which aims to create a harmonized method and principles 5 for calculation of penalty fees. If it is a question of a minor violation, IMY receives according to what is stated in reason 148 i instead of imposing a penalty charge, issue a reprimand in accordance with Article 58.2 b i the regulation. IMY's assessment A penalty fee must be imposed IMY has made the assessment that the bank has processed personal data in violation of article 32.1 of the data protection regulation and that the violation is of such a serious nature that it is also a question of a violation of the principles of integrity and confidentiality in Article 5.1 f. The violation has occurred through the bank's processing of personal data with a insufficient level of security, which has led to, among other things, financial information about around 500,000 - 1,000,000 people were unauthorized transferred to Meta for just over a year and half a year's time. The bank has also lacked the ability to detect during this time the transfer of personal data to Meta. IMY believes that the bank should have had one such systematic security work that the transfer of personal data would have discovered in connection with a regular check. The unauthorized transfer has entailed a high risk for the freedoms and rights of the registered, among other things loss of confidentiality of data worthy of protection. Against this background, IMY assesses that it is not a question of such minor violations as referred to in reason 148 i data protection regulation. The European Court of Justice has clarified that it is required that the person in charge of personal data has committed a Violation intentionally or negligently to administrative penalty fees must be enforceable according to the data protection regulation. The European Court of Justice has stated that data controllers may be subject to penalty fees for actions if they cannot are deemed to have been unaware that the conduct constituted a breach, regardless of whether they were aware that they violated the provisions of the data protection regulation. 6 According to the principle of responsibility which is expressed, among other things, in Article 5.2 i the data protection regulation shall the person responsible for the processing of personal data ensure and be able to demonstrate that the processing is compatible with the data protection regulation. IMY thus states that the bank is responsible for the personal data being processed in the business, is processed in a way that ensures an appropriate level of security. IMY has established during its examination that the bank did not live up to the requirements that the data protection regulation stipulates in this regard. The bank cannot be considered to have been unaware that its actions entailed a breach of the regulation. The 5 EDPB's guidelines Guidelines 04/2022 on the calculation of administrative fines under the GDPR, adopted on 24 May 6023. against Valstybinė daemono apogos inspekcija of December 5, 2023, point 81 prie Sveikatos apogos ministrijos and judgment in case C 807/21 Deutsche Wohnen of 5 December 2023, paragraph 76Integritetsskyddsmyndigheten Diary number: DI-2021-5544 12(15) Date: 2024-06-24 there are therefore prerequisites for imposing an administrative on the bank penalty fee. 7 When determining the size of the penalty fee, IMY must take the circumstances into account as specified in Article 83.2 as well as ensuring that the administrative sanction fee is effective, proportionate and dissuasive. IMY states that violations of Article 5.1 f of the data protection regulation are covered by article 83.5 which means that a penalty fee of up to twenty million euros or four percentage of the global annual turnover in the previous fiscal year, depending whichever is higher, may be imposed. The Avanza group's annual turnover according to the parent company's consolidated accounts must is added as a basis for the calculation When determining the maximum amount of a penalty charge to be imposed on a company shall the definition of the concept of company be used as used by the EU Court of Justice application of Articles 101 and 102 of the TFEU (see recital 150 i data protection regulation). It appears from the court's practice that this includes every entity that carries out economic activities, regardless of the legal form of the entity and the way of doing so financing as well as even if the unit in the legal sense consists of several physical or legal entities. The assessment of what constitutes a company must therefore be based on competition law definitions. The rules for group liability in EU competition law revolve around the concept of economic unity. A parent company and a subsidiary are considered one part of the same economic entity when the parent company exercises decisive influence over the subsidiary. The decisive influence (that is, control) can either be achieved by ownership or by contract. Jurisprudence shows that one hundred percent or almost one hundred percent ownership implies a presumption for control to be considered exist. However, the presumption can be rebutted if the company provides sufficient evidence to prove that the subsidiary acts independently on the market. To refute the presumption, the company must therefore provide evidence relating to the organizational, the financial and legal links between the subsidiary and its parent company which shows that they do not constitute an economic unit even though the parent company owns 100 percent 9 or almost 100 percent of the shares. Avanza Bank AB is a wholly owned subsidiary of the parent company Avanza Bank Holding AB (publ). According to the presumption described above, it is therefore the turnover for Avanza the group according to Avanza Bank Holding AB's (publ) consolidated accounts which shall is added as a basis for calculating the maximum penalty fee amount. From Avanza Bank Holding AB's consolidated accounts for 2023 it appears that the total global annual turnover was approx. SEK 4,716,000,000. Four percent of it annual turnover is approx. SEK 189,000,000. As this amount is less than the maximum amount as stated in Article 83(5) is the maximum penalty amount that can be determined in the case 20,000,000 euros. 7 For the assessment of negligence, see also the Court of Appeal in Stockholm's judgment of 11 March 2024 in case 2829-23 p.12. 8 The EU Court's judgment in case C-97/08 P Akzo Nobel NV et al. against the European Commission of 10 September 2009, paragraph 59- 61 Adapt/unify footnotes where we refer to the rulings of the European Court of Justice. 9 Cf. EDPB's guidelines Guidelines 04/2022 on the calculation of administrative fines under the GDPR, point 125 and where reported rulings. The Privacy Protection Agency Diary number: DI-2021-5544 13(15) Date: 2024-06-24 The seriousness of the violation The EDPB's guidelines state that the supervisory authority must assess whether the violation is 10 of low, medium or high severity. IMY assesses that the following factors are important for the assessment of the infringement seriousness. IMY has established that the bank did not follow its procedures in connection with the functions AAM and AH in the Meta pixel were activated and that the bank has lacked the systematic security work required to detect the unauthorized disclosure and transfer of personal data to Meta. The current security flaws have led to an incident that has affected a large number of registrants and Meta has been able to take part in a large amount personal data, in many cases in plain text, which would not have been transferred to Meta. The information has included financial information and information about social security numbers, i.e. information that requires a high level of protection. The violation has been going on for a long time, from 15 November 2019 until 2 June 2021 when the bank became alerted to the unauthorized transfer of the data. The treatment of the personal data on the bank's website is part of the bank's core business there the information is subject to statutory confidentiality, which means that the breach must considered more serious than if this had not been the case. 11 IMY has established that the violation is so serious that it is in addition to a violation of Article 32.1 of the data protection regulation also constitutes a violation of it the fundamental principle of integrity and confidentiality according to Article 5.1 f. IMY assesses, overall, that the violation in question has a low degree of seriousness within the scope of violations of Article 5.1 f. In its assessment of the size of the penalty fee, IMY must also take these into account aggravating and mitigating factors listed in Article 83.2 i data protection regulation. IMY notes that the bank has taken certain measures to alleviate the damage suffered by the registrants according to Article 83.2 c. The bank closed immediately by the pixel functions when the bank was made aware of the transfer. The bank also contacted Meta to ensure that Meta had not processed the data for own purposes and that the data has been deleted at Meta. In addition to this have the bank has implemented additional control documents and routines that aim to ensure a correct processing of personal data. IMY assesses that the bank through these measures taken that could be expected given the nature of the treatment, purpose and scope. The measures taken therefore do not constitute mitigation factor. IMY states that no other circumstances have come to light either which affects IMY's assessment of the size of the sanction fee neither in aggravating manner or mitigating direction The penalty fee must be effective, proportionate and dissuasive The administrative penalty fee must be effective, proportionate and deterrent. This means that the amount must be determined so that the administrative the penalty fee leads to correction, that it provides a preventive effect and that it in addition, is proportionate in relation to current violations as well as to the supervised entity's ability to pay. 10 EDPB's guidelines Guidelines 04/2022 on the calculation of administrative fines under the GDPR, point 60. 11 EDPB's guidelines Guidelines 04/2022 on the calculation of administrative fines under the GDPR, point 53. Data Protection Authority Diary number: DI-2021-5544 14(15) Date: 2024-06-24 In light of the seriousness of the violation, IMY decides that the bank must pay a administrative sanction fee of SEK 15,000,000 for the identified violations. IMY considers this amount to be effective, proportionate and dissuasive. This decision has been taken by acting general manager David Törngren after presentation by senior lawyer Hans Kärnlöf. At the final processing has also Acting Head of Justice Cecilia Agnehall and Head of Unit Catharina Fernquist and the IT and information security specialist Petter Flink participated. David Törngren, 2024-06-24 (This is an electronic signature) Copy to DSOIntegritysskyddsmyndigheten Diary number: DI-2021-5544 15(15) Date: 2024-06-24 How to appeal If you want to appeal the decision, you must write to the Swedish Privacy Protection Authority. Enter in the letter which decision you are appealing and the change you are requesting. The appeal shall have been received by the Privacy Protection Authority no later than three weeks from the day you received it part of the decision. If the appeal has been received in time send The Privacy Protection Authority forwards it to the Administrative Court in Stockholm examination. You can e-mail the appeal to the Privacy Protection Authority if it does not contain any privacy-sensitive personal data or information that may be covered by secrecy. The authority's contact details appear on the first page of the decision.