Lessons from Apoteket’s GDPR Fine: Why Did Apoteket Receive a SEK 37 Million Fine?
On August 29, 2024, Sweden’s Data Protection Authority, IMY, fined Apoteket AB (a major Swedish pharmacy chain) SEK 37 million for a GDPR violation that led to the unintentional transfer of sensitive customer data to Meta. What started as routine use of the widely trusted Meta Pixel for advertising spiraled into a significant data breach, affecting nearly 930,000 customers and involving sensitive personal information. This case emphasizes the importance of privacy by design and the due diligence required when partnering with third-party vendors.
Apoteket’s GDPR Breach: A Cautionary Example for Businesses
In 2020, Apoteket AB began using Meta Pixel to track customer behavior on its website. The tool, commonly employed for measuring ad effectiveness, collected basic browsing data such as product views and page interactions. However, when Apoteket activated the Pixel’s advanced matching feature in January 2020, the scope of data processing escalated without a proper legal basis for the disclosure, and without the necessary risk assessments or security measures in place.
The result? Sensitive customer information, such as names, email addresses, phone numbers, and even health-related product purchases (think diabetes medication, sexual health products, etc.), was unknowingly sent to Meta. For over two years, Apoteket transferred this personal data without realizing it, impacting up to 930,000 customers. It wasn’t until media reports surfaced in April 2022 that the pharmacy chain realized the extent of the breach.
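The escalation described above, from product views to identifiers plus health-revealing purchases in the same tracker call, is exactly what a pre-launch review should surface. The following audit helper is an added example, not Apoteket’s or Meta’s code: it classifies what a captured third-party beacon transmits so the scope can be assessed in a DPIA before a feature like advanced matching is switched on. The parameter names em/ph/fn/ln, the ud[...] and cd[...] key style, the tracker host and the sample URLs are all assumptions constructed for the example.

```javascript
// Added audit helper (not Apoteket's or Meta's code): classify what a captured
// third-party tracking beacon transmits, for review in a DPIA before a feature
// such as advanced matching goes live.
// ASSUMPTIONS: parameter names em/ph/fn/ln and the ud[...] / cd[...] key style
// are illustrative; the tracker host and sample URLs below are constructed.

const IDENTIFIER_KEYS = { em: "email", ph: "phone", fn: "first name", ln: "last name" };

// Constructed keyword list: product names that reveal health data (a GDPR
// special category). Extend it from the real product catalogue.
const SENSITIVE_TERMS = ["insulin", "diabetes", "hiv", "pregnancy", "erectile", "condom"];

// "ud[em]" -> "em", "cd[content_name]" -> "content_name", "em" -> "em"
function baseKey(key) {
  const m = key.match(/\[([^\]]+)\]$/);
  return m ? m[1] : key;
}

function isThirdParty(host, trackerHosts) {
  return trackerHosts.some(h => host === h || host.endsWith("." + h));
}

// Returns null for first-party requests, otherwise a findings object.
// Identifier keys are flagged by NAME, not value: a hashed email is still
// personal data when the recipient can match it against its own user base.
function auditBeacon(urlString, trackerHosts) {
  const url = new URL(urlString);
  if (!isThirdParty(url.host, trackerHosts)) return null;
  const identifiers = [];
  const sensitiveContent = [];
  for (const [key, value] of url.searchParams) {
    const k = baseKey(key);
    if (k in IDENTIFIER_KEYS) identifiers.push(IDENTIFIER_KEYS[k]);
    const lower = value.toLowerCase();
    if (SENSITIVE_TERMS.some(t => lower.includes(t))) sensitiveContent.push(`${k}=${value}`);
  }
  // Identity plus health-revealing purchases in one beacon is the combination
  // that made the Apoteket disclosure so serious.
  const severity = identifiers.length && sensitiveContent.length ? "high"
    : identifiers.length || sensitiveContent.length ? "medium" : "low";
  return { host: url.host, identifiers, sensitiveContent, severity };
}

// Constructed sample traffic, in the form a network-capture export would provide.
const TRACKER_HOSTS = ["tracker.example"];
const SAMPLE_BEACONS = [
  "https://tracker.example/tr?id=123&ev=Purchase&ud[em]=5e884898da28&ud[ph]=d4735e3a265e&cd[content_name]=Insulin%20pen%2010%20pack",
  "https://tracker.example/tr?id=123&ev=PageView&cd[content_name]=Vitamin%20C",
  "https://shop.example/api/cart?email=user%40example.com",
];

function auditAll(beacons = SAMPLE_BEACONS) {
  return beacons.map(b => auditBeacon(b, TRACKER_HOSTS)).filter(Boolean);
}
```

Run `auditAll()` over a HAR or proxy export of the checkout flow; any "high" finding means identity and special-category data leave the site together and need a legal basis and a DPIA before go-live.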
The Cost of Ignoring Privacy by Design
At the core of Apoteket’s misstep was a failure to integrate privacy by design into its data processes. Privacy by design means embedding data protection principles from the outset of a project and considering privacy at every stage of data collection, processing, and sharing. In Apoteket’s case, the mistake could have been avoided through proper due diligence on the third-party service, or by conducting a data protection impact assessment (DPIA) before activating new features that would affect sensitive customer data.
Embedding Privacy by Design into an Organization’s Processes and Projects:
At ART25 Consulting, we help businesses build strong, tailored privacy by design frameworks by integrating data protection compliance processes into areas such as the system development life cycle, project initiation, and development within the organization. The process consists of comprehensive steps and controls at the various stages of project management and development, including, for example, in-depth supplier due diligence and system design review, data protection impact assessments, transfer risk assessments, and run-phase governance controls.
Do not hesitate to reach out to learn more.