Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Sweden: IMY fines Apoteket SEK 37M and Apohem SEK 8M for unlawful transfer of personal data

On August 30, 2024, the Swedish data protection authority (IMY) issued decision no. IMY-2022-3270 in which it imposed a fine of SEK 37 million (approx. $3.6 million) on Apoteket AB, and decision no. IMY-2022-3272 in which it imposed a fine of SEK 8 million (approx. $780,000) on Apohem AB for violations of the General Data Protection Regulation (GDPR) following their use of Meta pixel on their websites.

Background to the decisions

The IMY noted that on April 25, 2022, it received a notification from Apoteket that the personal data of its customers and visitors to its website was wrongly transferred to Meta. The personal data affected included names, social security numbers, and email addresses. The transfer of data was caused by incorrect settings being in place while Apoteket used Meta pixel to optimize its marketing and as soon as it became aware of the transfer of personal data, it deactivated Meta pixel.

Similarly, the IMY explained that on May 14, 2022, it received a notification from Apohem that the personal data of its customers and visitors to its website was wrongly transferred to Meta. The personal data affected included names, IP addresses, and phone numbers. The transfer of data was caused by incorrect settings being in place while Apohem used Meta pixel to optimize its marketing and as soon as it became aware of the transfer of personal data, it deactivated Meta pixel.

Findings of the IMY

The IMY found that both Apoteket and Apohem had violated Article 32(1) of the GDPR for failing to take appropriate technical and organizational measures to ensure an appropriate level of security for personal data when using the Meta pixel analysis tool.

Outcomes

In light of the above, the IMY imposed a fine of SEK 37 million (approx. $3.6 million) on Apoteket, and a fine of SEK 8 million (approx. $780,000) on Apohem.

You can read the press release here, the Apoteket decision here, and the Apohem decision here, all only available in Swedish.