Administrative fines against Apoteket and Apohem for transferring personal data to Meta

Published: 3 July 2025
The Swedish Authority for Privacy Protection (IMY) has decided to impose administrative fines of SEK 37 million on Apoteket AB and SEK 8 million on Apohem AB. This comes after the companies used the so-called Meta Pixel on their websites and transferred sensitive personal data to Meta.

Under the General Data Protection Regulation (GDPR), there is an obligation to report certain personal data breaches to IMY. IMY has received such notifications from Apoteket and Apohem, indicating that each company, over an extended period, had transferred more personal data to Meta than intended.

Apoteket and Apohem used Meta’s analytics tool, Meta Pixel, on their websites to improve marketing on Facebook and Instagram. The incorrect data transfer occurred after the companies enabled a new sub-feature within the Meta Pixel.

Sensitive personal data

By activating this sub-feature, the companies transferred sensitive personal data to Meta concerning a large number of customers. The data included information about purchases of over-the-counter medicines used to treat specific health conditions, self-testing kits, treatments for sexually transmitted infections, and sex toys. Prescription medications were not included in the transfers.

“Processing this type of sensitive personal data involves high risks, which require a high level of protection. The companies were obligated to take appropriate measures to safeguard the data from, for example, being shared with unauthorized parties,” says Shirin Daneshgari Nejad, legal advisor at IMY.

The pharmacies failed to take appropriate protective measures

A fundamental requirement in protecting personal data is a systematic approach to security, which includes ongoing monitoring of data processing activities.

“Our supervision shows that the companies did not have the necessary procedures in place to detect these deficiencies themselves. As a result, the transfer of personal data continued for a long period and was only stopped after the companies were informed of the issue by external parties,” says Maja Welander, legal advisor at IMY.

The companies violated the GDPR by failing to implement appropriate technical and organizational measures to ensure an adequate level of security for their customers’ personal data.

Due to these shortcomings, IMY has decided to impose administrative fines of SEK 37 million on Apoteket and SEK 8 million on Apohem.

After discovering the improper transfer of data to Meta, the companies have improved their internal procedures to ensure the proper and secure processing of personal data. The incidents were reported to IMY in 2022.

Latest update: 3 July 2025
Page labels Data protection