CopilotWeb performance agent
GDPR monitorServer-side trackerData monitorCampaign attribution
Pricing
About us
Webinars
Agents
CopilotWeb performance agent
Tools
GDPR monitorServer-side trackerData monitorCampaign attribution
Pricing
About us
Webinars
Article

Avanza, Apohem and Apoteket Fined Millions by IMY: Insights and Lessons for Other Companies

by Tom Ström
September 5, 2024
Avanza, Apohem and Apoteket Fined Millions by IMY: Insights and Lessons for Other Companies
The Swedish Authority for Privacy Protection (IMY) recently imposed a significant administrative fine of 15 million SEK on Avanza Bank for violating GDPR. The violation involved the unauthorized transfer of personal data concerning hundreds of thousands of users to Meta (formerly Facebook) through the Meta pixel without adequate protection. This case underscores the importance of safeguarding personal data, particularly when employing third-party solutions for marketing and tracking.

Companies

The Swedish Authority for Privacy Protection (IMY) recently imposed a significant administrative fine of 15 million SEK on Avanza Bank for violating GDPR. The violation involved the unauthorized transfer of personal data concerning hundreds of thousands of users to Meta (formerly Facebook) through the Meta pixel without adequate protection. This case underscores the importance of safeguarding personal data, particularly when employing third-party solutions for marketing and tracking.

IMY's Ruling and Its Broader Implications

IMY's investigation revealed that Avanza Bank failed to ensure a sufficiently high level of security for the personal data transferred via the Meta pixel. Two features within the Meta pixel, Automatic Advanced Matching (AAM) and Automatic Events (AH), were unintentionally activated, leading to sensitive information such as personal identification numbers and financial details being transferred to Meta in plain text. Avanza only became aware of this issue after external information brought it to their attention. This situation is not isolated. Other companies, such as Apohem AB and Apoteket AB, have faced similar scrutiny from IMY. Both companies were found to have violated GDPR by transferring personal data to Meta without adequate safeguards, leading to substantial fines. For instance, Apohem was fined 8 million SEK for transferring data through the Meta pixel, including customer names, addresses, and purchase details, which were at risk of exposing sensitive health-related information

How Companies Can Avoid Similar Fines: The Role of Server-Side Tracking

To prevent such violations, companies should consider adopting server-side tracking, particularly when hosted by a reliable service provider like Cogny.com. Server-side tracking processes all data on a hosted server before it is forwarded to third-party platforms, allowing for greater control over what data is shared and ensuring it is adequately protected.

Examples from IMY Investigations: Apohem AB and Apoteket AB

In the case of Apohem, IMY found that the company had not implemented sufficient technical and organizational measures to ensure the security of personal data when using the Meta pixel. The data transferred included information on sensitive products like self-tests and treatments for various health conditions, which could indirectly reveal sensitive personal information. Despite the presence of a filtering mechanism by Meta, it was insufficient to prevent the unintentional transfer of potentially sensitive data. As a result, Apohem was fined 8 million SEK Similarly, Apoteket AB was found to have violated GDPR by failing to ensure appropriate safeguards when transferring personal data through the Meta pixel. Like in Apohem's case, the data transferred included information that could be used to infer sensitive health conditions, leading to a fine of 6.5 million SEK

Enhancing Data Protection with Server-Side Tracking

By adopting server-side tracking, companies can:

  1. Enhance Data Protection: Ensure that only necessary and anonymized information is shared with third-party providers, minimizing the risk of inadvertently transferring sensitive data.
  2. Increase Monitoring: Retain control over data processing, enabling closer monitoring and logging of all data transfers, which helps in detecting and preventing errors early.
  3. Comply with Legal Requirements: Tailor data processing solutions to comply strictly with GDPR and other data protection laws, including implementing encryption, pseudonymization, and other security measures before data is transferred to external platforms.

Conclusion

The fines imposed on Avanza, Apohem, and Apoteket highlight the serious consequences of inadequate data protection. Implementing server-side tracking, especially with services hosted by providers like Cogny.com, offers a secure and controllable environment for handling personal data, helping companies avoid costly fines and protect their customers' privacy. For more information on how your company can benefit from server-side tracking and other data protection solutions, please visit our website at Cogny SST.

Are you ready?

Revolutionize Your Revenue Operations, Get Started with Cogny RevOps Now.

Book a demo
There's more to read
Keep up with the latest on our RevOps blog
The Crucial Role of Emerging RegTech in Enterprise Compliance
January 17, 2024
The Crucial Role of Emerging RegTech in Enterprise Compliance
Cogny.com vs. Stape.io: A Comprehensive Comparison
December 14, 2023
Cogny.com vs. Stape.io: A Comprehensive Comparison
Why Using a Standalone UTM Builder Without GA4 Integration Can Lead to Confusion and Duplicate Data
October 16, 2024
Why Using a Standalone UTM Builder Without GA4 Integration Can Lead to Confusion and Duplicate Data
Navigating Schrems III: Leveraging Server-Side Tracking for Data Privacy Assurance
January 16, 2024
Navigating Schrems III: Leveraging Server-Side Tracking for Data Privacy Assurance