In a nutshell
Swedish company in advertently transfers data of up to a million people to Meta. Significant fine imposed.
The background
Swedish banking and trading provider, Avanza, was using a so-called Meta pixel on its website and mobile app. This resulted in a transfer of information to Meta, which included amongst other things customer’s securities holdings and values, loan amounts, account numbers and personal identification numbers. When discovered, Avanza reported this incident to the Swedish Authority for Privacy Protection (hereinafter “IMY”). However this was not a one-time occurrence, Avanza had been transferring this information to Meta for a long period of time due to incorrect settings. According to Avanza’s report, personal data up to one million individuals were incorrectly transferred to Meta between November 2019 and June 2021.
IMY’s investigation of the incident reveals that Avanza used Meta’s analytics tool, the Facebook pixel (now Meta pixel) on both its website and on the mobile app in order to optimize the company’s marketing on Facebook. The incorrect transfer of personal data was caused by the company mistakenly activating new sub-functions in the Meta pixel. When Avanza became aware of the incident, the company deactivated the Meta pixel and Meta confirmed that the personal data collected had been deleted.
According to IMY, Avanza had violated the GDPR by failing to implement appropriate technical and organisational measures to ensure an adequate level of security for the personal data of its website visitors and mobile app users.
Avanza was given an administrative fine of around 1,5 million Euros.
The takeaways
Read more: Brott mot banksekretessen gav 15 miljoner i sanktionsavgift - Forum för Dataskydd (dpforum.se)
Questions?
For any questions about this case or data protection queries generally, please contact My Mattson or Frida Holmer.
