The General Data Protection Regulation (“GDPR”) includes an obligation to report personal data incidents to the Swedish DPA in certain cases. All four pharmacies have reported the use of Facebook Pixels on their websites as personal data incidents, as this use has resulted in the transfer of personal data to Facebook in a way that may not be in compliance with the requirements of the GDPR. The investigation by the Swedish DPA is now aiming to unravel (a) what personal data, including health data, has been transferred, (b) how many data subjects are likely to be affected, and (c) what level of technical and organisational safety measures have been implemented by the pharmacies to safeguard the transfer. The investigation will also seek to determine whether the pharmacies should be regarded as data controllers or data processors for the transfer.
This is not the first time that the use of Facebook Pixel has come under investigation by the Swedish DPA. Earlier this year, the Swedish DPA issued a reprimand for a company’s use of Facebook Pixel which was in breach of the transparency principle in the GDPR. In that case, the Swedish DPA assessed some of the same criteria as it is currently assessing for the online pharmacies, e.g., (a) what personal data was transferred to Facebook, and (b) whether the operator of the website should be regarded as a data controller or a data processor for the transfer. In its decision, the Swedish DPA stated that the company had collected online identifiers relating to the website visitors through the use of the Facebook Pixel. The Swedish DPA also considered the company to be a data controller for the collection and transfer of this personal data to Facebook. The company tried to argue that it was not aware that the Facebook Pixel had collected personal data as a result of being integrated on its website where its products were advertised. The fact that the company, with or without intention, was unaware that the tool collected and transferred personal data did not, however, change the Swedish DPA’s assessment. The company reviewed its routines and stopped using Facebook Pixel following the Swedish DPA’s investigation, and the collection and transfer had affected only a few data subjects, which led the Swedish DPA to consider the breach to be less material.
It will be interesting to see the outcome of the Swedish DPA’s investigation of the online pharmacies, and whether the authority will reach the same conclusions as in previous, similar decisions.
Article provided by INPLP member: Fredrik Roos and Astrid Svensson (Setterwalls, Sweden)
Dr. Tobias Höllwarth (Managing Director INPLP)