Apoteket leaked sensitive personal information to Facebook — must pay millions


Published 30 August 2024 at 15.22

Domestic. The Integrity Protection Authority (IMY) has decided on penalty fees of SEK 37 million against Apoteket AB and SEK 8 million against Apohem AB. The fines follow the companies' use of the so-called Meta pixel on their websites, which transferred privacy-sensitive personal data to Meta, the owner of Facebook and Instagram.


The data protection regulation, GDPR, obliges organisations to report certain personal data breaches to IMY. IMY received such notifications from Apoteket and Apohem stating that each company had, over an extended period, transferred more personal data to Meta than intended.

Apoteket and Apohem used Meta's analytics tool, the Meta pixel, on their websites to improve their marketing on Facebook and Instagram. The transfer of personal data was caused by the companies activating a new sub-function in the Meta pixel.

By activating this sub-function, the companies transferred privacy-sensitive personal data about a large number of customers to Meta. Among other things, the companies transferred information about purchases of over-the-counter medicines for specific health problems, self-tests, treatments for venereal diseases, and sex toys. Purchases of prescription medicines were not included in the transfer.

— Processing this type of privacy-sensitive personal data entails high risks, which in turn require a high level of protection. The companies have had an obligation to take appropriate measures to protect the data from, for example, being shared with unauthorized persons, says Shirin Daneshgari Nejad, a lawyer at IMY, in a statement.

A fundamental prerequisite for protecting personal data is systematic security work, including continuous monitoring of the processing that is already in place.

— Our review shows that the companies have not had the routines required to discover the deficiencies themselves. The transfer of the personal data has therefore been going on for a long time and was only stopped after the companies became aware of the incident from outsiders, says Maja Welander, a lawyer at IMY.
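The two points above, a pixel sub-function sending item-level purchase data and the absence of a routine that would have caught it, as an added example that is not code from the article, IMY, Apoteket or Apohem: a JavaScript wrapper that audits every Meta pixel event before it leaves the browser, strips product detail for sensitive categories, and logs each finding for ongoing monitoring. The category list, the per-item `category` field and the sample purchase are assumptions.

```javascript
// Added example: a defender-side audit wrapper placed in front of the Meta pixel's fbq() call.
// Category names, the per-item `category` field and the sample events are constructed for
// illustration; `category` is not a standard pixel parameter.

// Constructed list of product categories a pharmacy would treat as privacy-sensitive.
const SENSITIVE_CATEGORIES = new Set(["self-test", "std-treatment", "sexual-wellness"]);

// Payload fields that can reveal which products were bought.
const ITEM_FIELDS = ["content_ids", "content_name", "content_category", "contents"];

// Classify one pixel event. Returns a sanitized copy of the parameters plus audit findings;
// the caller's object is never mutated. Each entry in params.contents is assumed to look like
// { id, quantity, category } (the category field is our addition).
function auditPixelEvent(eventName, params = {}) {
  const findings = [];
  const sanitized = { ...params };
  const contents = Array.isArray(params.contents) ? params.contents : [];
  const hits = contents.filter((item) => SENSITIVE_CATEGORIES.has(item.category));
  if (hits.length > 0) {
    findings.push(`${eventName}: ${hits.length} sensitive item(s) removed from pixel payload`);
    for (const field of ITEM_FIELDS) delete sanitized[field]; // drop item-level detail
    sanitized.num_items = contents.length;                    // keep only the aggregate count
  }
  return { sanitized, findings, blocked: hits.length > 0 };
}

// Install the audit in front of an existing pixel function (in a browser, window.fbq).
// Every finding goes to `log`, which is what an ongoing monitoring routine would review.
function wrapPixel(fbq, log) {
  return function auditedFbq(command, eventName, params, ...rest) {
    if (command !== "track" && command !== "trackCustom") {
      return fbq(command, eventName, params, ...rest); // init, consent etc. pass through untouched
    }
    const { sanitized, findings } = auditPixelEvent(eventName, params);
    findings.forEach(log);
    return fbq(command, eventName, sanitized, ...rest);
  };
}

// Stand-alone demonstration with a constructed purchase that contains one sensitive item.
const demoFbq = wrapPixel((...args) => args, (msg) => console.log("AUDIT", msg));
const sent = demoFbq("track", "Purchase", {
  value: 249, currency: "SEK", content_ids: ["sku-1", "sku-2"],
  contents: [{ id: "sku-1", quantity: 1, category: "self-test" },
             { id: "sku-2", quantity: 1, category: "vitamins" }],
});
console.log(JSON.stringify(sent[2])); // {"value":249,"currency":"SEK","num_items":2}
```

The log sink is the piece that matters for the monitoring requirement: routing it to the same place as other security telemetry gives the ongoing review a record of every event the pixel would otherwise have sent unaltered.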

The companies violated the data protection regulation, GDPR, by not having taken appropriate technical and organizational measures to ensure an appropriate level of security for their customers' personal data.

These shortcomings have led IMY to decide on penalty fees of SEK 37 million against Apoteket and SEK 8 million against Apohem.

Since discovering the erroneous transfer of data to Meta, the companies have developed their internal procedures to ensure correct and secure processing of personal data. The incidents were reported to IMY in 2022.