
Multiple online pharmacies under investigation for the use of Facebook Pixel


The Swedish Authority for Privacy Protection (“the Swedish DPA”) is currently investigating four online pharmacies in Sweden for their use of Facebook Pixels on their websites, which has resulted in the transfer of personal data to Facebook. The investigations were initiated this summer when the pharmacies reported themselves to the authority for personal data incidents.

The General Data Protection Regulation (“GDPR”) includes an obligation to report personal data incidents to the Swedish DPA in certain cases. All four pharmacies have reported the use of Facebook Pixels on their websites as personal data incidents, as this use has resulted in the transfer of personal data to Facebook in a way that may not be in compliance with the requirements of the GDPR. The investigation by the Swedish DPA now aims to establish (a) what personal data, including health data, has been transferred, (b) how many data subjects are likely to be affected, and (c) what level of technical and organisational safety measures have been implemented by the pharmacies to safeguard the transfer. The investigation will also seek to determine whether the pharmacies should be regarded as data controllers or data processors for the transfer.

This is not the first time that the use of Facebook Pixel has come under investigation by the Swedish DPA. Earlier this year, the Swedish DPA issued a reprimand for a company’s use of Facebook Pixel which was in breach of the transparency principle in the GDPR. In that case, the Swedish DPA assessed some of the same criteria as it is currently assessing for the online pharmacies, e.g., (a) what personal data was transferred to Facebook, and (b) whether the operator of the website should be regarded as a data controller or a data processor for the transfer. In its decision, the Swedish DPA stated that the company had collected online identifiers relating to the website visitors through the use of the Facebook Pixel. The Swedish DPA also considered the company to be a data controller for the collection and transfer of this personal data to Facebook. The company tried to argue that it was not aware that the Facebook Pixel, once integrated on the website where its products were advertised, had collected personal data. The fact that the company, with or without intention, was unaware that the tool collected and transferred personal data did not, however, change the Swedish DPA’s assessment. The company reviewed its routines and stopped using Facebook Pixel following the Swedish DPA’s investigation, and the collection and transfer had affected only a few data subjects, which led the Swedish DPA to consider the breach to be less material.

It will be interesting to see the outcome of the Swedish DPA’s investigation of the online pharmacies, and whether the authority will reach the same conclusions as in previous, similar decisions.

 

Article provided by INPLP member: Fredrik Roos and Astrid Svensson (Setterwalls, Sweden)