IMY (Sweden) - IMY-2022-3270
| IMY - IMY-2022-3270 | |
|---|---|
| Authority: | IMY (Sweden) |
| Jurisdiction: | Sweden |
| Relevant Law: | Article 32(1) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 29.08.2024 |
| Published: | |
| Fine: | 37,000,000 SEK |
| Parties: | Apoteket AB, Meta |
| National Case Number/Name: | IMY-2022-3270 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Swedish |
| Original Source: | IMY (Sweden) (in SV) |
| Initial Contributor: | wp |
The DPA fined the controller SEK 37,000,000 (approximately €3,200,000) for a violation of Article 32 GDPR. An erroneous setting of the Meta pixel embedded in the controller's website led to the transfer of users' personal data to Meta.
English Summary
Facts
A Swedish pharmacy company, Apoteket AB (the controller), had been using the Meta pixel for marketing purposes since 2017. The purpose of the pixel was to measure the controller's marketing activity within Facebook and Instagram and, additionally, to promote the controller's products to visitors of certain pages (self-care product category). By default, the controller disabled the pixel within the part of the website dedicated to prescription goods.
In 2020, an employee of the controller, acting without the authorisation or knowledge of the controller, activated the Advanced Matching function of the pixel. As a result, the pixel collected more data about customers than before, and the controller was provided with supplementary data that was not necessary for the purposes of the processing. Additionally, website visitors' data was transferred to Meta.
When a customer made a purchase with the controller, Meta received hashed data related to the customer, namely contact data, name and surname, social security data and address data. Meta was then able to match the data with a Facebook user ID and eventually deleted the hashed data. The estimated number of data subjects affected by the incident was 930,000.
As soon as the controller identified the new settings of the pixel (in 2022), it disabled the Advanced Matching function. The controller requested that Meta delete the data collected via the pixel. Meta explained that it had already deleted data older than two years and that it was unable to manually delete the newer data. Additionally, the controller published an announcement on its website informing data subjects about the situation. Moreover, the controller implemented new technical and organisational measures to reduce the risk of future violations of that kind (inter alia, additional screening of the website's cookie settings and an e-learning course for employees).
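How a recipient can link SHA-256-hashed contact data back to its own records, as an added example that is not part of the decision and is not Apoteket's or Meta's code: the recipient never reverses the hash, it recomputes the same hash over the plaintext values it already holds and compares. The normalisation rules, the field names (`em`, `ph`) and the recipient's user table below are constructed assumptions.

```python
"""Added example (not from the decision, Apoteket or Meta): why contact
data hashed with SHA-256 before transfer can still be linked by a
recipient that already holds the same data. Normalisation rules, field
names (em, ph) and the recipient's user table are constructed."""
import hashlib
import re
from typing import Dict, Optional


def normalize(field: str, value: str) -> str:
    """Canonicalise a value before hashing: trim and lower-case, and keep
    only digits for phone numbers. Both sides must normalise identically
    for a match, which is exactly what a matching feature relies on."""
    v = value.strip().lower()
    if field == "ph":
        v = re.sub(r"\D", "", v)
    return v


def hash_field(field: str, value: str) -> str:
    """SHA-256 hex digest of the normalised value."""
    return hashlib.sha256(normalize(field, value).encode("utf-8")).hexdigest()


def build_hashed_contact(contact: Dict[str, str]) -> Dict[str, str]:
    """Sender side: what leaves the website once matching is enabled.
    The plaintext is gone, but every value is a deterministic function of it."""
    return {f: hash_field(f, v) for f, v in contact.items()}


# Constructed recipient user table (plaintext the recipient already holds).
RECIPIENT_USERS = [
    {"user_id": "u-1001", "em": "Anna.Svensson@example.com", "ph": "+46 70 123 45 67"},
    {"user_id": "u-1002", "em": "bo@example.net", "ph": "070-999 88 77"},
]


def match_hashed_contact(hashed: Dict[str, str], users=RECIPIENT_USERS) -> Optional[str]:
    """Recipient side: no hash is reversed. The recipient hashes its own
    records with the same rules and looks for equality; a value it never
    held stays unreadable, a value it held is linked to a user ID."""
    index = {}
    for u in users:
        for f in ("em", "ph"):
            index[(f, hash_field(f, u[f]))] = u["user_id"]
    for f, h in hashed.items():
        if (f, h) in index:
            return index[(f, h)]
    return None


if __name__ == "__main__":
    sent = build_hashed_contact({"em": "anna.svensson@example.com", "ph": "0701234567"})
    print(sent)
    print(match_hashed_contact(sent))  # linked via the e-mail hash
```

This is the mechanism the decision describes: Meta could read a hashed value only if it already held the equivalent value. Hashing therefore reduces the exposure of values the recipient does not hold, but it does not prevent linkage for values it does, which is why the hashing counts as pseudonymisation rather than anonymisation and why the choice of which fields leave the site at all is the control that matters.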
The controller notified the Swedish DPA (IMY) about the incident.
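The facts above point at four controls that a server-side event builder in front of a tracking pixel can enforce: a consent gate, exclusion of prescription and other privacy-sensitive order lines before anything leaves the server, an allow-list of approved event fields so that contact fields cannot be added without a review, and a check that the phone field is not carrying a personal identity number. The following is an added example in Python, not Apoteket's code; the field names, category labels and sample order are constructed, and the personal-identity-number check is a heuristic (Luhn check digit plus date plausibility), so a hit is a finding for review rather than proof.

```python
"""Added example (not Apoteket's code): a server-side builder for the
marketing 'Purchase' event with data-minimisation controls in front of
the tracking pixel. Field names, category labels and the sample order
are constructed assumptions."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed: the only fields the data-protection review approved for transfer.
# Contact / advanced-matching fields (em, ph, fn, ln, ...) are deliberately absent.
APPROVED_EVENT_FIELDS = {"url", "value", "currency", "content_ids", "content_type"}

# Assumed category labels; "rx" marks prescription items, the rest are
# privacy-sensitive self-care categories that should never reach the pixel.
EXCLUDED_CATEGORIES = {"rx", "sexual-health", "diabetes", "ostomy"}


@dataclass
class OrderLine:
    product_id: str
    category: str
    price: float


@dataclass
class Order:
    url: str
    lines: List[OrderLine]
    marketing_consent: bool
    # Fields an integration asks to add on top of the base event, e.g. contact data.
    requested_extra: Dict[str, str] = field(default_factory=dict)


def luhn_ok(digits: str) -> bool:
    """Luhn check digit as used by the 10-digit Swedish personnummer:
    weights 2,1,2,1,... from the left, last digit is the check digit."""
    total = 0
    for i, ch in enumerate(digits[:-1]):
        n = int(ch) * (2 if i % 2 == 0 else 1)
        total += n - 9 if n > 9 else n
    return (10 - total % 10) % 10 == int(digits[-1])


def looks_like_personnummer(value: str) -> bool:
    """Heuristic: 10 or 12 digits, plausible YYMMDD prefix, valid Luhn digit.
    A random phone number passes by chance about one time in ten, so treat a
    hit as 'review this', not as proof."""
    d = re.sub(r"\D", "", value)
    if len(d) == 12:  # YYYYMMDDNNNN -> drop the century
        d = d[2:]
    if len(d) != 10:
        return False
    month, day = int(d[2:4]), int(d[4:6])
    if not (1 <= month <= 12 and 1 <= day <= 31):
        return False
    return luhn_ok(d)


def build_purchase_event(order: Order) -> Optional[dict]:
    """Return the event to hand to the pixel, or None if nothing may be sent.
    Any requested field outside the allow-list raises, which is what makes a
    silently enabled matching feature visible instead of silently effective."""
    if not order.marketing_consent:
        return None
    kept = [ln for ln in order.lines if ln.category not in EXCLUDED_CATEGORIES]
    if not kept:
        return None
    event = {
        "url": order.url,
        "content_type": "product",
        "content_ids": [ln.product_id for ln in kept],
        "value": round(sum(ln.price for ln in kept), 2),
        "currency": "SEK",
    }
    for key, val in order.requested_extra.items():
        if key not in APPROVED_EVENT_FIELDS:
            raise ValueError(f"field {key!r} is not approved for transfer")
        event[key] = val
    return event


def audit_event(event: dict) -> List[str]:
    """Monitoring hook for events captured on the wire (for example from a
    proxy log): report unapproved fields and a phone field that looks like
    a personal identity number. Running this regularly is the compliance
    check that would have caught the change within days, not years."""
    findings = [f"unapproved field {k!r}" for k in event if k not in APPROVED_EVENT_FIELDS]
    if event.get("ph") and looks_like_personnummer(event["ph"]):
        findings.append("phone field looks like a personal identity number")
    return findings


if __name__ == "__main__":
    order = Order(
        url="https://shop.example/checkout",
        lines=[OrderLine("A1", "skincare", 99.0), OrderLine("R9", "rx", 250.0)],
        marketing_consent=True,
    )
    print(build_purchase_event(order))
    print(audit_event({"url": "https://shop.example/checkout", "ph": "811218-9876"}))
```

The allow-list is the organisational checkpoint expressed in code: enabling an extra matching feature in the vendor's console cannot add fields the review never approved, because the server refuses to populate them. `audit_event` is the other half, a periodic check of what the browser actually sends, which is independent of whether the pixel configuration was changed with or without authorisation.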
Holding
The DPA found that the controller violated Article 32(1) GDPR. According to the DPA, the category of data processed by the controller via the pixel entailed a high risk for the data subjects (inter alia, due to its potentially sensitive nature). Because of that, the controller was obliged to implement adequate technical and organisational measures.
The DPA acknowledged the controller's proactive approach to its data protection duties, inter alia the detailed risk assessments performed and ongoing compliance monitoring. The controller had also established and implemented a policy for reviewing purchased services from the perspective of IT security and data protection. Nevertheless, the controller's employee did not follow these rules in practice. Hence, for the DPA, the controller failed to adequately assess the risk associated with the pixel. Also, the controller did not identify the erroneous setting of the pixel for two years, which meant the compliance monitoring was not functioning well.
Accordingly, the DPA fined the controller SEK 37,000,000 (approximately €3,200,000).
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.
Apoteket AB
Diary number: IMY-2022-3270
Date: 2024-08-29
Decision after supervision according to the data protection regulation – Apoteket AB

The Privacy Protection Authority's decision
The Swedish Data Protection Authority states that Apoteket AB (556138-6532) has processed personal data in violation of Article 32.1 of the data protection regulation[1] by not having taken appropriate technical and organizational measures to ensure an appropriate security level for personal data when using the analysis tool the Meta pixel during the period 19 January 2020–25 April 2022.

The Privacy Protection Authority decides, with the support of Articles 58.2 and 83 of the data protection regulation, that Apoteket AB must pay an administrative sanction fee of SEK 37,000,000.

Account of the supervisory matter
Background etc.
On April 25, 2022, Apoteket AB (Apoteket) submitted a notification about a personal data incident to the Privacy Protection Authority (IMY). The notification showed that Apoteket used Meta Platforms Ireland Limited's (Meta's) analytics tool the Meta pixel on its website www.apoteket.se (the website) to improve advertising to customers and thereby permitted the transfer of data regarding customers and website visitors to Meta that was not meant to be transferred. Apoteket discovered the incident through information from an outsider. The incident report was preceded by information in the media that Apoteket transferred certain information about its customers' online purchases to Meta.

IMY began supervision in May 2022 against the background of the information contained in the incident notification. The supervision has been limited to the question of whether Apoteket has taken appropriate technical and organizational measures in accordance with Article 32 of the Data Protection Regulation.

Postal address: Box 8114, 104 20 Stockholm. Website: www.imy.se. E-mail: imy@imy.se. Telephone: 08-657 61 00.

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

The processing at IMY has taken place through an exchange of letters with Apoteket. IMY has also obtained investigation material in the form of information from Meta about how the Meta pixel and its filtering mechanism work.

What Apoteket has stated
Apoteket has essentially stated the following regarding the question that is the subject of examination.

Personal data responsibility
Apoteket is the personal data controller for the part that refers to the introduction of the Meta pixel (formerly the Facebook pixel) and the transfer of data to Meta (formerly Facebook).

The purpose of the processing
Apoteket has used the Meta pixel since 2017. The processing has, overall, been done for marketing purposes. The primary purpose was to measure the effect of the company's marketing on Meta's social media platforms Facebook and Instagram. The secondary purpose was to market products to visitors who visited product pages for self-care without shopping, to get these customers to shop at a later opportunity. The pixel was used for the secondary purpose to a limited extent, during limited periods.

On January 19, 2020, the automatic type of the Meta pixel's function for advanced matching (the AAM function) was activated, which meant that more data than before came to be processed. The activation of the AAM function was not necessary to fulfil the purposes of the processing. The activation of the Meta pixel and the AAM function was carried out by individual employees without prior risk assessment, contrary to Apoteket's routines.
Apoteket became aware that information that could be considered sensitive had been shared only after the media reported on it. Apoteket decided to immediately disable the Meta pixel and the AAM function on April 25, 2022, after the company's attention had been drawn to the extent of the data that had been transferred.

What personal data was transferred to Meta
The transfer to Meta has not looked the same for all customers, but has depended on the customer's actions on the website. Apoteket has not transferred information about customers who refused marketing cookies. For customers who agreed to marketing cookies, the following event data was generally transferred through the Meta pixel:
• URL
• value (value of product or total customer basket)
• currency (="SEK")
• content IDs (product ID, Apoteket's internal product number)
• content type (="Product")
• IP address.

Since the AAM function was activated, the following contact information has also been transferred:
• first and last name
• email address
• telephone number
• social security number
• gender
• city
• postal code
• country.

The contact information has only been transferred in the case of completed purchases, and then in hashed form,[2] which meant that Meta has only been able to read the information if it already had the equivalent information. Meta has then attempted to match the transferred contact information with a user ID on Facebook and then deleted it. When a customer logged in to "My pages" with Mobile BankID, the social security number was transferred because it was interpreted as a telephone number.

Apoteket has made an active choice not to transfer information about prescription goods. The exclusion has taken place in that the part of the website where a customer can put a prescription item in the cart did not contain the Meta pixel. Furthermore, order lines containing prescription products were filtered out at the time of purchase from the product data by Apoteket's server before it was transferred to Meta.

If a visitor accepted marketing cookies and made a purchase, information about the following products and/or product categories was shared via the Meta pixel with the AAM function enabled:
a) self-tests and treatment for venereal diseases
b) contraceptives and the morning-after pill
c) sex toys
d) products for vaginal health (e.g. dry mucous membranes, menopause and fungus in the vagina)
e) products for prostate problems and urinary problems
f) pregnancy tests, ovulation tests and pregnancy products
g) products for the treatment of fungi (e.g. athlete's foot or nail fungus)
h) products for the treatment and control of diabetes
i) products for the treatment of rectal disorders (e.g. anal fissures and hemorrhoids)
j) products for the treatment of stomach disorders (e.g. IBS, constipation and diarrhoea)
k) products for the treatment of migraine
l) products for the treatment of allergy
m) accessories for hearing aids
n) products for the treatment of bacterial infections
o) products for the treatment of psoriasis
p) products for the treatment of rosacea
q) ostomy products.

Meta is essentially an authorized recipient, and any transmission of website visitors' information has not been unauthorized. What constituted a personal data incident is the possible transfer of sensitive personal data. Not all products in Apoteket's assortment can, however, be considered to provide information about a person's health or sex life, but only products from a so-called privacy-sensitive assortment in combination with direct personal data. A person's actions on the website need not indicate anything about the individual's health or sex life either, until the customer has placed a privacy-sensitive product in the shopping cart or completed a purchase of such a product.
It is, however, not obvious that it also says something about the individual customer, because many buy products for others, for preventive purposes or for a "home pharmacy". In addition, the self-care products that Apoteket sells certainly do not all belong to the so-called privacy-sensitive assortment. The legal situation in the area is unclear, and it is difficult to say categorically that sensitive personal data has been transferred.

If sensitive personal data has been transferred, it has not been Apoteket's intention. Apoteket has, however, a personal data processing agreement with Meta, and it is not a question of an unknown recipient of the data. The transfer has not taken place in an uncontrolled way in the sense that unauthorized persons have accessed the information through a hacker attack with obvious malicious intent. The actual risk to the data subjects is therefore assessed as moderate. The transfer of social security numbers has not increased the risk for the data subjects because the data was transferred in garbled form, hashed with SHA-256, and then deleted by Meta because the data could not be matched. The primary shortcoming consists in the fact that the data subjects have to some extent lost control over their personal data, but Apoteket's actions in themselves did not increase the risk for the data subjects. It should be seen as mitigating that Meta has had an active signal filtering mechanism that filtered out sensitive data. The information has therefore not been shared further or used by Apoteket or Meta. The damage to the data subjects is thus limited.

Scope of the incident
The incident was estimated at the time of reporting to have affected 500,001–1,000,000 data subjects. Apoteket has subsequently stated that it is not possible to give an exact figure for the number of data subjects affected by the incident. This is, among other things, because it is not a leak from a register or a database over which Apoteket has had full control and transparency, and because the transfer of data took place directly between the user's browser and Meta. The circle of potentially affected data subjects is affected by several factors. The maximum number of affected individuals is 930,000. The calculation is based on the number of purchases from the web during the relevant period, taking into account that a certain percentage of purchases are made by repeat customers and by customers who use ad blockers or have refused the use of cookies. Apoteket's view is that the incident only covers completed purchases and not information that a person clicked on products, added products to the shopping cart or started payment.

Nine percent of the total share of web sales during the period in which the incident took place consisted of products belonging to the categories listed above under points a–q. In terms of the amount of personal data transferred, Apoteket has otherwise stated that the number of unique products for each purchase carried out during the period amounts to 1.41 products per customer. In assessing how much sensitive personal data was transferred, it must, however, be taken into account that some of the purchases have included self-care products (which do not reveal information about health), were made for others or involved several packages of the same product.

Technical and organizational security
Before the current incident, Apoteket had proactive processes in place to ensure correct handling of personal data, including detailed risk assessments and reviews by the data protection officer regarding matters relating to personal data. Apoteket's development process contains several control points to capture risks and ensure correct processing of personal data.
The checkpoints consist of new solutions or functions on the website being reviewed from an information security and data protection perspective (through an information analysis), an architectural perspective and contractually (if the solution is bought in), and code reviewed before the solution goes live in production on the website. Apoteket also carries out audits and penetration tests of the website to be able to detect and fix vulnerabilities.

In the current case, Apoteket's established routines for IT development and risk assessment were not followed by individual employees. A probable cause, which is not a defence, may have been that the functionality was very easy to activate without any real development effort. At the time of enabling the AAM function, admin authorization in the Meta Business Manager tool was held by two professional roles, comprising in total three people. By routine, authorizations to the Meta Business Manager tool, including the AAM function, are reviewed and regularly checked to ensure that only people in need have access. Some other desirable routines for review and follow-up were not set up, as a result of the activation of the pixel and the AAM function not having followed Apoteket's regular routines.

After the Meta pixel and the AAM function were deactivated, Apoteket had a dialogue with Meta about deletion of data. Meta has stated that data older than two years has already been deleted, but that the company cannot delete the data from the last two years manually. Apoteket has produced general information for the data subjects about the event, which was published on the website during the end of April and in May 2022. To be able to respond to specific questions from customers, an information document was prepared for Apoteket's employees.

Apoteket has also taken measures to reduce the long-term risk of similar events. The company has carried out an inventory and analysis of cookies and analysis tools on the website, introduced a professional role with overall responsibility for the marketing department in order to ensure compliance with rules and guidelines, and improved its control model for information security. The employees previously carried out an annual security e-training that includes a chapter on data protection and information security. To further strengthen awareness after the incident, short e-training courses in IT and information security have been introduced.

Choice of corrective action
Apoteket has transferred information to Meta that should not have been shared. However, the damage has been limited. Nor has the breach affected the substance of the fulfilment of Apoteket's obligations according to Article 32 of the data protection regulation. Apoteket immediately reported the violation to IMY and took the measures that were possible to reduce the consequences of the violation. These circumstances, along with the fact that the violation occurred through negligence, mean that it is a violation of minor importance and that it is therefore sufficient to issue a reprimand. As for the seriousness of the violation, it has only to a small extent prevented effective application of Article 32 of the Data Protection Regulation.

[2] Hashing is a one-way cryptographic function that can be used to achieve pseudonymization, which is a possible security measure according to Article 32 of the data protection regulation, by replacing personal data with a so-called hash sum. This means that the replaced personal data is not available in plain text and that supplementary information is necessary for the data subject to be identified.
Furthermore, the violation was carried out within business activities, and the nature of the processing has therefore not entailed any special risks. Nor has there been any dependency relationship between the data subjects and Apoteket. The processing has taken place for marketing purposes, which is not part of Apoteket's core business, which consists of providing prescription and non-prescription drugs. The personal data incident has certainly included a relatively large number of data subjects, but the level of damage caused by the breach is low. The violation should be considered to be of medium seriousness at most.

There are reasons to consider how turnover is calculated in other areas of EU law, primarily competition law. This is because the majority of Apoteket's turnover is derived from other parts of Apoteket's operations, such as, for example, traditional retail as well as the care and dose business, than that within which the violation occurred. According to the Commission Guidelines for calculating fines imposed pursuant to Article 23.2 a of Regulation No 1/2003,[3] the basic amount for the calculation must be determined by starting from the sales value of the goods or services that have a direct or indirect connection with the infringement and which the company sold in the relevant geographic area within the EEA. Analogously, the part of Apoteket's turnover that refers to the part of the operations where the infringement took place should be taken into account, i.e. the turnover relating to online sale of over-the-counter medicines, personal care products, hygiene items and skin care.

[3] Council Regulation (EC) No 1/2003 of 16 December 2002 on the implementation of the rules on competition laid down in Articles 81 and 82 of the Treaty.

There are several mitigating circumstances surrounding the violation, including in the form of the measures taken by Apoteket to alleviate the consequences for the data subjects, that Apoteket cooperated fully with IMY and that information was filtered out and therefore did not reach Meta for further processing. Apoteket has also reported the incident on its own initiative to IMY. Because financial gain through the violation can be seen as an aggravating factor when calculating the penalty fee, Apoteket wants to clarify that the increase in sales that can possibly be linked to the use of the AAM function is next to non-existent.

Justification of the decision
IMY must initially decide whether the data protection regulation is applicable and whether IMY is the competent supervisory authority. If this is the case, IMY must examine the question of whether Apoteket is the personal data controller and whether the company has taken appropriate security measures according to Article 32 of the Data Protection Regulation to protect the personal data processed through the Meta pixel, with the AAM function enabled, during the period January 19, 2020–April 25, 2022.

IMY's authorization
Applicable regulations
It follows from Article 95 of the Data Protection Regulation that the Data Protection Regulation shall not entail any additional obligations for natural or legal persons who process personal data, for such areas that are already covered by obligations according to the so-called eData Protection Directive.[4] The eData Protection Directive has been implemented in Swedish law through the Act (2003:389) on Electronic Communications (LEK), in which, among other things, the collection of data through cookies is regulated. According to Chapter 9, Section 28 of LEK, which implements Article 5.3 of the eData Protection Directive, information may be stored in or retrieved from a subscriber's or user's terminal equipment only if the subscriber or user gets access to information about the purpose of the processing and consents to it. Furthermore, it appears that this does not prevent such storage or access as is needed to transmit an electronic message via an electronic communications network or which is necessary to provide a service which the user or subscriber has expressly requested. LEK entered into force on 22 August 2022. During the time in question in the case, however, the same requirements applied according to Chapter 6, Section 18 of the Act (2003:389) on electronic communications. It is the Swedish Post and Telecom Authority (PTS) which is the supervisory authority according to LEK (Chapter 1, Section 5 of the regulation [2022:511] on electronic communication).

The European Data Protection Board (EDPB) has commented on the interaction between the eData Protection Directive and the Data Protection Regulation.[5] From the opinion it follows, among other things, that the national supervisory authority appointed under the eData Protection Directive is alone competent to monitor compliance with the Directive. However, IMY is, according to the data protection regulation, the competent supervisory authority for the processing that is not specifically regulated in the eData Protection Directive.

[4] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 on the processing of personal data and privacy protection in the electronic communications sector (Directive on Privacy and Electronic Communications).
[5] Opinion 5/2019 on the interaction between the Directive on Privacy and Electronic Communications and the General Data Protection Regulation, in particular regarding the competence, tasks and powers of data protection authorities, adopted on 12 March 2019, points 68 and 69.
IMY's assessment
IMY's review concerns a situation where data subjects have used a service on Apoteket's website for the purpose of ordering a product and have themselves provided the information which the Meta pixel has captured. This information handling does not mean that data is stored in or retrieved from a subscriber's or user's terminal equipment, and it is thus not covered by Chapter 9, Section 28 of LEK or the previously applicable equivalent provision in the Act on Electronic Communications. This means that the data protection regulation is applicable to the current personal data processing and that IMY is the competent supervisory authority. In addition, it can be stated that IMY's review refers to whether Apoteket has taken sufficient security measures, which is not something that is specifically regulated in LEK. That relationship, too, means that IMY is authorized to investigate the issue to which the supervisory matter applies.

Personal data responsibility
Applicable regulations
According to Article 4.7 of the data protection regulation, the personal data controller is the person who alone or together with others determines the purposes and means for the processing of personal data. That the purposes and means can be determined by more than one actor means that several actors can be personal data controllers for the same processing. According to Article 5.2 of the Data Protection Regulation, the personal data controller shall be responsible for and be able to demonstrate that the principles in Article 5.1 are complied with (the principle of accountability).

IMY's assessment
Apoteket has stated that the company is the personal data controller regarding the introduction of the Meta pixel and the transfer of data that has taken place to Meta. The investigation into the matter shows that Apoteket has introduced the Meta pixel, a script-based tool in the form of a piece of code that records visitor actions and transmits the information to Meta, on its website and then activated the AAM function. The purpose of the Meta pixel has been to increase the effectiveness of the company's marketing as well as, in certain cases, to target ads to previous visitors to the website. Apoteket has thus determined how the processing is to be carried out and for what purpose the personal data is to be processed. IMY therefore assesses that Apoteket is the personal data controller for the processing of personal data that has taken place through the use of the Meta pixel with the AAM function activated.

Has Apoteket ensured an appropriate security level for the personal data?
Applicable regulations
The requirement to take appropriate protective measures
It follows from Article 32.1 of the data protection regulation that the personal data controller must take appropriate technical and organizational measures to ensure a security level that is appropriate in relation to the risk of the processing. According to the same provision, account should be taken of the latest developments, the implementation costs and the nature, scope, context and purpose of the processing, as well as the risks, of varying degrees of probability and seriousness, to the rights and freedoms of natural persons.
According to Article 32.1, appropriate protective measures include, when appropriate,
a) pseudonymisation and encryption of personal data,
b) the ability to continuously ensure confidentiality, integrity, availability and resilience of processing systems and services,
c) the ability to restore the availability and access to personal data in reasonable time in the event of a physical or technical incident, and
d) a procedure for regularly testing, examining and evaluating the effectiveness of the technical and organizational measures that must ensure the security of the processing.

When assessing the appropriate level of security, according to Article 32.2, special consideration must be given to the risks that the processing entails, in particular from accidental or illegal destruction, loss or alteration, or unauthorized disclosure of or unauthorized access to the personal data transferred, stored or otherwise processed.

Recital 75 of the data protection regulation states factors that must be taken into account in the assessment of the risk to the rights and freedoms of natural persons. Mentioned are, among other things, loss of confidentiality with regard to personal data covered by the duty of confidentiality, and whether the processing concerns information about health or sexual life. Further, it must be taken into account whether the processing concerns personal data about vulnerable natural persons, especially children, or whether the processing involves a large amount of personal data and applies to a large number of data subjects. Recital 76 of the data protection regulation states that how likely and serious the risk is for the data subject's rights and freedoms should be determined based on the nature, scope, context and purpose of the processing.
The risk should be evaluated on the basis of an objective assessment, through which it is determined whether the data processing involves a risk or a high risk.

Processing of sensitive personal data
Information about health and sexual life constitutes such special categories of personal data, so-called sensitive personal data, which are given particularly strong protection according to the data protection regulation. As a general rule, it is prohibited to process such personal data according to Article 9.1 of the Data Protection Regulation, unless the processing is covered by any of the exceptions in Article 9.2 of the regulation. Information about health is defined in Article 4.15 of the Data Protection Regulation as personal data relating to a natural person's physical or mental health which provides information about his health status. Recital 35 of the data protection regulation states that personal data on health should include all data relating to a data subject's health status that provides information about the data subject's past, present or future physical or mental health condition.

In the Lindqvist case, the European Court of Justice ruled that information that a person injured his foot and is on part-time sick leave constitutes personal data relating to health according to the data protection directive[6] (the directive was repealed by the data protection regulation). The EU Court stated in the case that, taking into account the purpose of the data protection directive, the expression "data relating to health" is to be given a wide interpretation and is considered to include data which concerns all aspects of a person's health, both physical and mental.[7] In the later ruling Vyriausioji tarnybinės etikos komisija, the EU Court established that the concept of sensitive personal data according to Article 9.1 of the data protection regulation must be interpreted broadly, and judged that even personal data that indirectly, through an intellectual inference or comparison, reveals a natural person's sexual orientation constitutes sensitive personal data according to the provision in question.[8]

[6] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
[7] Judgment of the EU Court of Justice of 6 November 2003, Lindqvist, C-101/01, EU:C:2003:596, paragraphs 50–51.

IMY's assessment
The processing involved a high risk and required a high level of protection
The personal data controller must take measures to ensure a level of protection which is appropriate based on the risks of the processing. The assessment of the appropriate level of protection must be made taking into account, among other things, the nature, scope, context and purpose of the processing, as well as the risks, of varying degrees of probability and seriousness, for the rights and freedoms of natural persons.

IMY must initially take a position on which personal data Apoteket has transferred to Meta through the Meta pixel with the AAM function enabled. From the investigation in the case it appears that the activation of the Meta pixel's AAM function has meant that Apoteket, where a customer accepted marketing cookies and did not use ad blockers, has transferred information about completed purchases to Meta. The data that has been transferred has included information on purchased products (including the URL address of products on the website, product ID and product type) and contact information about the customer (including first and last name, address and telephone number).
The data transferred to Meta did not include prescription products, but did include the following products and product categories:
a) self-tests and treatments for venereal diseases
b) contraceptives and the morning-after pill
c) sex toys
d) products for vaginal health (e.g. dry mucous membranes, menopause and vaginal fungal infections)
e) products for prostate problems and urinary problems
f) pregnancy tests, ovulation tests and pregnancy products
g) products for the treatment of fungal infections (e.g. athlete's foot or nail fungus)
h) products for the treatment and control of diabetes
i) products for the treatment of rectal disorders (e.g. anal fissures and haemorrhoids)
j) products for the treatment of stomach problems (e.g. IBS, constipation and diarrhoea)
k) products for the treatment of migraine
l) products for the treatment of allergy
m) accessories for hearing aids
n) products for the treatment of bacterial infections
o) products for the treatment of psoriasis
p) products for the treatment of rosacea
q) ostomy products.

In the case it has emerged that Meta has implemented a so-called filtering mechanism, the purpose of which is to detect and delete information transferred to Meta in violation of the company's policies. IMY has obtained information from Meta about how the filtering mechanism works. According to Meta's statement of 16 February 2024, the mechanism is designed to detect and delete potentially unauthorised information, such as information about health and finances, in the data that users of the pixel transfer to Meta, before it is stored and used in Meta's advertising system. When such data are detected and deleted, the pixel user receives a notification, but the filtering mechanism operates even if no such message is sent to the user.

[8] Judgment of the Court of Justice of 1 August 2022, Vyriausioji tarnybinės etikos komisija, C-184/20, EU:C:2022:601, paragraphs 123–127.
Against this background, IMY notes that the pixel itself contains no filtering mechanism that prevents a transfer of data to Meta. The filtering mechanism is designed to filter out potentially privacy-sensitive data only after they have been transferred to Meta, and only if Meta's systems have been able to identify that the transferred records contain such unauthorised information. The absence of notifications about unauthorised and deleted information cannot in itself be taken as confirmation that potentially privacy-sensitive data have not been transferred to Meta. In summary, the existence of the filtering function has not prevented the transfer of personal data to Meta observed in this case.

IMY makes the following assessment of the risks of the personal data processing in question. Processing that includes sensitive personal data normally involves higher risks. The term sensitive personal data must be interpreted broadly and also covers information that indirectly reveals such data. Apoteket has transferred to Meta information about which product a customer has purchased, together with information that identifies the customer, including name, address and telephone number. IMY considers that the combination of data transferred to Meta has made it possible to deduce that a specific person has purchased a specific product. Apoteket has not transferred information about prescription products. Most of the products in Apoteket's other assortment (see points a–q above) are, however, of such a character that information that a person has bought such a product could reveal information about the individual's state of health or sex life. Apoteket has objected that it is not certain that the buyer is the actual user of the product and that it is therefore difficult to state categorically that sensitive personal data have been transferred.
IMY nevertheless considers it likely that at least some purchases of, for example, ostomy products, products for rectal, urinary and prostate problems, products for vaginal problems, and treatments for venereal diseases and diabetes have been made for personal use in order to treat a particular health condition. IMY therefore assesses it as likely that the processing has included data concerning health within the meaning of Article 4.15 of the Data Protection Regulation. IMY makes the same assessment regarding purchases of, for example, morning-after pills and sex toys: it is likely that in at least some cases the purchases were made for personal use and that the processing thereby revealed information about the individual's sex life. When assessing the appropriate level of protection, Apoteket should therefore have taken into account that the processing could include sensitive personal data.

IMY further assesses that information on the purchase of the goods specified in points a–q, regardless of whether it constitutes sensitive personal data or not, is of such a privacy-sensitive nature that it requires strong protection under the Data Protection Regulation. It has also emerged that Apoteket has in some cases transferred other personal data worthy of protection, in the form of social security numbers.[9] In addition, the processing has been carried out by a pharmacy, where customers can be assumed to have particular expectations that their personal data are handled with a high degree of confidentiality. IMY therefore finds that both the nature of the personal data and the context in which they were processed have entailed increased risks to the data subjects' rights and freedoms.

[9] Social security numbers are subject to special protection under Article 87 of the Data Protection Regulation and Chapter 3, Section 10 of the Act (2018:218) with supplementary provisions to the EU Data Protection Regulation.

IMY also notes that the processing has been extensive. Apoteket has had a large number of customers during the period in which the Meta pixel's AAM function was activated, and the company estimates that up to 930,000 people have been affected by the incident. The calculation is based on the number of web purchases during the period, taking into account that a certain proportion of purchases were made by repeat customers and by individuals who use ad blockers or have refused cookies. Apoteket has also stated that 9 percent of the total web purchases made during the period concerned the privacy-sensitive products listed under points a–q. On the basis of these figures, IMY assesses that, although it is not possible to determine exactly how many of these purchases were made by data subjects who did not use ad blockers or refuse marketing cookies, it can in any event be established that the incident has affected a large number of data subjects.

In summary, IMY assesses that the processing, having regard to its nature, scope and context, has entailed high risks which required a high level of protection for the personal data. The measures should, among other things, have ensured that the personal data were protected against unauthorised disclosure and loss of control.

Apoteket has not taken sufficient security measures

IMY must then assess whether Apoteket ensured the high level of protection required for the personal data. Apoteket has stated that the company had proactive processes in place before the incident to ensure correct handling of personal data.
In the present case, however, the established routines for IT development and risk assessment, which include, among other things, review and updating of information analyses for all changes to systems and tools, were not followed by individual employees. The investigation shows that Apoteket therefore did not analyse, before the processing began, the risks and consequences that the personal data processing resulting from the introduction of the Meta pixel and the activation of the AAM function would entail. Nor did Apoteket select and categorise which products would be included in the processing. As a result, apart from the exclusion of prescription goods, there was no technical limitation on which data the processing would cover, and privacy-sensitive information about, for example, purchases of non-prescription drugs and medical technology products was transferred to Meta.

A fundamental prerequisite for Apoteket to be able to fulfil its obligations under the Data Protection Regulation is that the company is aware of which processing takes place under its responsibility. For a long period, from 19 January 2020, when the AAM function was activated, until 25 April 2022, when the Meta pixel was removed, Apoteket transferred more data than intended to Meta without discovering this itself. Apoteket has stated that the activation of the Meta pixel's AAM function did not follow Apoteket's regular routines and that certain desirable routines for review and follow-up were therefore not put in place. Because Apoteket only had routines for following up documented changes carried out according to the set routines, Apoteket lacked the ability to detect and remedy other changes that were actually implemented or arose in some other way. Against this background, IMY finds that Apoteket lacked organisational routines for systematically following up unintended changes in its systems.
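The gap identified above, that only documented changes were followed up while an undocumented change to the tag configuration went undetected for over two years, is the kind of gap a periodic automated audit of the deployed page code closes. The following is an added example written for this entry, not code from the decision, from Apoteket or from Meta: it scans page HTML for fbq('init', ...) calls, reports which Advanced Matching identifiers are passed in the init call, and flags any pixel found on pages that are supposed to carry no tracking at all. The list of Advanced Matching parameter names reflects Meta's published documentation as the editor knows it and should be checked against the current documentation; the sample pages, the placeholder pixel id and the "/prescription/" path prefix are constructed for the example.

```python
import re

# Advanced Matching keys accepted in fbq('init', id, {...}), as documented by
# Meta to the editor's knowledge (assumption; verify against current docs).
ADVANCED_MATCHING_KEYS = frozenset(
    {"em", "fn", "ln", "ph", "external_id", "ge", "db", "ct", "st", "zp", "country"}
)

# fbq('init', '<pixel id>') with an optional third argument (an object literal).
INIT_RE = re.compile(
    r"""fbq\(\s*['"]init['"]\s*,\s*['"](?P<pixel>[^'"]+)['"]"""
    r"""\s*(?:,\s*(?P<opts>\{.*?\}))?\s*\)""",
    re.DOTALL,
)

# One key/value pair inside the object literal. The value alternatives consume a
# quoted string whole, so a colon inside a value is never mistaken for a key.
KV_RE = re.compile(r"""(['"]?)(\w+)\1\s*:\s*(?:'[^']*'|"[^"]*"|[^,}]*)""")


def find_pixel_inits(html: str) -> list[dict]:
    """Return one record per fbq('init') call in the HTML: the pixel id and the
    set of Advanced Matching keys passed as customer identifiers (empty if none)."""
    records = []
    for m in INIT_RE.finditer(html):
        opts = m.group("opts") or ""
        keys = {kv.group(2).lower() for kv in KV_RE.finditer(opts)}
        records.append({
            "pixel_id": m.group("pixel"),
            "advanced_matching": keys & ADVANCED_MATCHING_KEYS,
        })
    return records


def audit_pages(pages: dict[str, str],
                no_tracking_prefixes: tuple[str, ...] = ("/prescription/",)) -> list[str]:
    """Audit a mapping of URL path -> HTML. Reports a finding for every page in a
    no-tracking area that loads the pixel at all, and for every init call that
    passes customer identifiers through Advanced Matching. The prefix list is an
    assumed site layout, not Apoteket's."""
    findings = []
    for path in sorted(pages):
        inits = find_pixel_inits(pages[path])
        if inits and path.startswith(no_tracking_prefixes):
            findings.append(f"{path}: Meta pixel present in a no-tracking area")
        for rec in inits:
            if rec["advanced_matching"]:
                keys = ", ".join(sorted(rec["advanced_matching"]))
                findings.append(f"{path}: Advanced Matching enabled ({keys})")
    return findings


# Constructed sample pages (not real pages; the pixel id is a placeholder).
SAMPLE_PAGES = {
    "/self-care/product/123": """<script>
      fbq('init', '000000000000000',
          {em: 'anna@example.com', fn: 'anna', ln: 'svensson', ph: '+46700000000'});
      fbq('track', 'Purchase', {value: 199, currency: 'SEK'});
    </script>""",
    "/self-care/": "<script>fbq('init', '000000000000000'); fbq('track', 'PageView');</script>",
    "/prescription/checkout": "<script>fbq('init', '000000000000000');</script>",
}

if __name__ == "__main__":
    for line in audit_pages(SAMPLE_PAGES):
        print(line)
```

Run against a crawl of the live site on a schedule and diff the findings against the approved configuration: any new Advanced Matching key, or any pixel appearing under a path that is meant to be tracking-free, is a change that did not go through the documented route and needs a ticket and a risk review, which is precisely the follow-up IMY found missing.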
IMY therefore assesses that Apoteket, also taking into account what has been stated about the procedures that existed at the time of the violation, cannot be considered to have taken appropriate technical and organisational measures in relation to the high risks entailed by the processing. Apoteket has therefore processed personal data in violation of Article 32.1 of the Data Protection Regulation.

Choice of intervention

Applicable provisions, etc.

In the event of violations of the Data Protection Regulation, IMY has a number of corrective powers at its disposal under Article 58.2 of the Data Protection Regulation. It follows from Article 58.2 that IMY must, in accordance with Article 83, impose administrative penalty fees in addition to, or instead of, the other corrective measures referred to in Article 58.2, depending on the circumstances of each individual case. Each supervisory authority must ensure that the imposition of administrative penalty fees in each individual case is effective, proportionate and dissuasive; this is stated in Article 83.1 of the Data Protection Regulation. Article 83.2 sets out the factors to be taken into account when deciding whether an administrative penalty fee is to be imposed, as well as those which affect the size of the penalty fee. Of importance for assessing the seriousness of the violation are, among other things, its nature, gravity and duration. The EDPB has adopted guidelines on the calculation of administrative fines under the Data Protection Regulation, aimed at creating a harmonised method and principles for calculating penalty fees.[10]
Under Article 83.4, violations of, among other provisions, Article 32 are subject to administrative penalty fees of up to EUR 10,000,000 or, in the case of an undertaking, up to 2 percent of its total worldwide annual turnover in the preceding financial year, whichever is higher. If the violation is minor, IMY may, as stated in Recital 148, issue a reprimand under Article 58.2 b of the Regulation instead of imposing a penalty fee.

IMY's assessment

A penalty fee must be imposed

IMY has found that Apoteket processed personal data in violation of Article 32.1 of the Data Protection Regulation. The violation consists in Apoteket having processed personal data with an insufficient level of security, which resulted in privacy-sensitive personal data of a character worthy of protection, concerning a large number of data subjects, being unintentionally transferred to Meta. Unauthorised access to this type of data poses a high risk to the data subjects' rights and freedoms. The transfer went on for a long time and was not detected and remedied until Apoteket was informed of the deficiency by an outside party. IMY considers that this is not such a minor violation that a reprimand could be issued instead of a penalty fee.

[10] EDPB Guidelines 04/2022 on the calculation of administrative fines under the GDPR.

The Court of Justice of the European Union has clarified that, for an administrative penalty fee to be imposed under the Data Protection Regulation, the controller must have committed the violation intentionally or negligently.
The Court of Justice has stated that controllers may be subject to penalty fees for conduct where they could not have been unaware that the conduct constituted a violation, regardless of whether they were aware that they were violating the provisions of the Data Protection Regulation.[11] According to the principle of accountability, expressed among other places in Article 5.2 of the Data Protection Regulation, the controller must ensure, and be able to demonstrate, that the processing complies with the Data Protection Regulation. IMY thus finds that Apoteket is responsible for ensuring that the personal data processed in its business are processed in a way that ensures an appropriate level of security. In its examination, IMY has found that Apoteket did not meet the requirements of the Data Protection Regulation in this respect. Apoteket cannot be considered to have been unaware that its conduct entailed a violation of the Regulation.[12] IMY therefore assesses that the conditions for imposing an administrative penalty fee on Apoteket for the violation are met. When determining the size of the penalty fee, IMY must take into account the circumstances stated in Article 83.2 and ensure that the administrative penalty fee is effective, proportionate and dissuasive.

Starting points for the calculation of the penalty fee

IMY assesses that Apoteket's annual turnover is to be used as the basis for calculating the administrative penalty fee in this case.[13] The maximum penalty fee applicable to undertakings for violations of Article 32 is the higher of EUR 10,000,000 or 2 percent of the total worldwide annual turnover in the preceding financial year. Apoteket's annual report for 2023 shows that the annual turnover for that year was SEK 23,270,000,000.
The maximum penalty fee that can be determined in this case thus amounts to 2 percent of that amount, i.e. SEK 465,400,000. IMY notes that there is no support in the applicable legislation for calculating the penalty fee on the basis of a different amount in the manner Apoteket has argued is done when other EU legislation is applied.

The seriousness of the violation

It follows from the EDPB's guidelines that the supervisory authority must assess whether the violation is of low, medium or high seriousness under Article 83.2 a, b and g of the Data Protection Regulation.[14] The violation in question has involved a large number of data subjects and has been ongoing for a long time. The data transferred included social security numbers and information that directly identifiable persons have purchased privacy-sensitive products. The unauthorised transfer has therefore entailed a high risk to the data subjects' rights and freedoms in the form of a risk of loss of confidentiality for data worthy of protection.

[11] Judgment of the Court of Justice of 5 December 2023, Nacionalinis visuomenės sveikatos centras, C-683/21, EU:C:2023:949, paragraph 81, and judgment of the Court of Justice of 5 December 2023, Deutsche Wohnen SE, C-807/21, EU:C:2023:950, paragraph 76.
[12] For the assessment of negligence, see also the judgment of the Court of Appeal in Stockholm of 11 March 2024 in case 2829-23, p. 12.
[13] Apoteket is the parent company of a group. Where the company is subject to the obligation to prepare consolidated accounts, the consolidated accounts of the group's parent company are relevant for reflecting the company's total turnover; see EDPB Guidelines 04/2022 on the calculation of administrative fines under the GDPR, point 130.
[14] EDPB Guidelines 04/2022 on the calculation of administrative fines under the GDPR, point 60.
Furthermore, the violation has occurred in a pharmacy operation, where the data subjects must be considered to have had a legitimate expectation of a high level of confidentiality and that their personal data would not be disseminated to unauthorised persons. Sales of non-prescription and other health-related products must, in addition, be considered part of Apoteket's core business, which means that the violation must be considered more serious than would otherwise have been the case.[15]

In assessing the degree of seriousness, IMY also takes into account that at the time of the violation Apoteket had taken a number of appropriate technical and organisational security measures. Furthermore, the personal data were transferred in hashed, i.e. unreadable, form to a single recipient, so this is not an uncontrolled disclosure where the information has, for example, been shared with many unauthorised persons or made publicly available on the web. In the light of the above circumstances, IMY assesses that, overall, this is a violation of Article 32.1 of the Data Protection Regulation of a low degree of seriousness.

In its assessment of the size of the penalty fee, IMY must also take into account the aggravating and mitigating factors listed in Article 83.2 of the Data Protection Regulation. After the violation, Apoteket has, among other things, held a dialogue with Meta about deletion, provided information to the data subjects and taken measures to reduce the risk of similar incidents in the long term. IMY notes, however, that these measures were taken only after Apoteket had been alerted to the deficiencies by a third party, and that they cannot be considered to go beyond what is expected of Apoteket in the present case. The measures taken therefore do not affect IMY's assessment of the size of the penalty fee in a mitigating direction.
The same applies to the fact that Apoteket submitted a personal data breach notification and cooperated with IMY in the investigation of the violation, since these are circumstances that must be considered neutral when determining the penalty fee.[16] IMY notes that no other circumstances have emerged that affect IMY's assessment of the size of the penalty fee in an aggravating or mitigating direction.

The penalty fee must be effective, proportionate and dissuasive

The administrative penalty fee must be effective, proportionate and dissuasive. This means that the amount must be set so that the administrative penalty fee leads to correction, has a preventive effect and is also proportionate both to the violation in question and to the supervised entity's ability to pay. On an overall assessment, IMY decides that Apoteket must pay an administrative penalty fee of SEK 37,000,000. IMY considers this amount to be effective, proportionate and dissuasive.

[15] The more central a processing operation is to the controller's business, the more serious the irregularities in the processing. See EDPB Guidelines 04/2022 on the calculation of administrative fines under the GDPR, point 53.
[16] EDPB Guidelines 04/2022 on the calculation of administrative fines under the GDPR, paragraphs 95–98.

This decision has been made by acting Director General David Törngren after presentation by lawyer Maja Welander. Acting Head of Legal Affairs Cecilia Agnehall, Head of Unit Nidia Nordenström, lawyer Shirin Daneshgari Nejad and IT and information security specialist Petter Flink also participated in the final processing.
David Törngren, 2024-08-29 (This is an electronic signature)

Appendix
Information on payment of the penalty fee

Copy to
Data protection officer for Apoteket

How to appeal

If you want to appeal the decision, you must write to IMY. State in the letter which decision you are appealing and the change you are requesting. The appeal must have been received by IMY no later than three weeks from the day you received the decision. If you represent a public authority, however, the appeal must have been received within three weeks from the day the decision was announced. If the appeal has arrived in time, IMY forwards it to the Administrative Court in Stockholm for examination. You can e-mail the appeal to IMY if it does not contain any privacy-sensitive personal data or information that may be subject to confidentiality. The authority's contact details appear on the first page of the decision.