Swedish pharmacies penalized for sharing personal data with Meta
The Integritetsskyddsmyndigheten (IMY), the Swedish data protection authority (DPA), has imposed a fine on Apoteket AB and Apohem AB for transferring personal data of clients to Meta.
Both pharmacies use the so-called Meta pixel on their websites to transfer private and sensitive information of their clients to Meta.
Apoteket AB and Apohem AB used Meta’s analysis tool to improve their marketing activities on Facebook and Instagram. However, they accidentally activated a new sub-function in the Meta pixel, causing it to collect personal information from a large number of customers and transfer it to Meta for an extended period of time.
Personal information that was shared with Meta included the purchase history of non-prescription products for specific health problems, such as self-tests and treatments for sexually transmitted infections (STIs), as well as sex toys. Drugs and medications prescribed by a general practitioner weren’t transferred to Meta.
“Processing of this type of privacy-sensitive personal data involves high risks that entail demands for a high level of protection. The companies have had an obligation to take appropriate measures to protect the data from, for example, being shared with unauthorized persons,” Shirin Daneshgari Nejad, lawyer at IMY, says in a statement.
Maja Welander, also a lawyer at IMY, points out that the pharmacies didn’t have the means to detect the illegal data transfer themselves. The violation only came to an end after the companies were alerted to the incident by outsiders.
Both Apoteket AB and Apohem AB have violated the General Data Protection Regulation (GDPR) by failing to implement appropriate technical and organizational measures to protect the personal information of their clients. They have therefore been fined 37 million and 8 million Swedish kronor, respectively (approximately €3.2 million and €700,000).
After discovering that personal information was transferred to Meta, the pharmacies took measures to make sure it wouldn’t happen again. The incidents were reported to IMY in 2022, but were made public just recently.
In June, Stockholm-based Avanza Bank received a fine of 15 million Swedish kronor, roughly €1.3 million, for exactly the same GDPR violation.