Sweden: Issued Data Protection Authority ruling in investigation into Avanza Bank’s use of Meta-pixel analysis tool compliance with GDPR

On 24 June 2024, the Data Protection Authority (IMY) announced its decision to impose an administrative sanction fee of SEK 15 million against Avanza Bank AB for violating articles 5.1(f) and 32.1 of the General Data Protection Regulation (GDPR) due to inadequate security measures while using the Meta-pixel analysis tool from 15 November 2019 to 2 June 2021. Article 5.1f of GDPR requires that personal data must be processed securely, employing appropriate technical and organisational measures to prevent unauthorised processing, accidental loss, destruction, or damage. Article 32.1 of GDPR provides that controllers and processors must implement appropriate security measures, including pseudonymisation and encryption of personal data. The IMY determined that Avanza Bank AB failed to implement sufficient technical and organisational measures to protect personal data processed during that period, highlighting breaches in data security obligations mandated by the GDPR.