Sweden: Issued Swedish Data Protection Authority ruling in investigation into Apoteket and Apohem for unlawful transfer of personal data to Meta

On 30 August 2024, the Swedish Data Protection Authority (IMY) issued a ruling in its investigation into local pharmacies Apoteket and Apohem for unlawful transfer of personal information to Meta. In particular, the IMY found that the companies breached Article 32(1) of the GDPR for failing to adopt adequate measures to ensure an appropriate level of security for the personal information of their customers when using the Meta pixel analysis tool on their websites. The tool was used by the companies to improve their marketing on Facebook and Instagram and resulted in the transfer of information of customers to Meta on purchase of over-the-counter medicines and other sensitive data to Meta. Apotek was fined with SEK 37 million and Apohem was fined with SEK 8 million.