On June 25, 2024, the Swedish data protection authority (IMY) issued its decision DI-2021-5544, in which it imposed a fine of SEK 15 million (approx $1.4 million) on Avanza Bank AB (Avanza Bank) for violation of the General Data Protection Regulation (GDPR) following its use of Meta pixel on its website and app.

Background to the decision

The IMY noted that on June 8, 2021, it received a notification from Avanza Bank that the personal data of up to one million users was wrongly transferred to Meta between the period of November 15, 2019, to June 2, 2021. The personal data affected included social security numbers, account numbers, and loan amounts. The transfer of data was caused by incorrect settings being in place while Avanza Bank used Meta pixel to optimize its marketing and as soon as the bank became aware of the transfer of personal data, it deactivated Meta pixel.

Findings of the IMY

The IMY found that Avanza Bank violated Articles 5(1)(f) and 32(1) of the GDPR. The IMY determined that the breach involved high-risk data, including financial information and social security numbers and as such, the breach constituted a significant risk to data subjects' rights and freedoms. Additionally, the IMY held that Avanza Bank did not have sufficient technical and security measures in place to ensure the protection of personal data for website visitors and app users.

Outcomes

In light of the above, the IMY imposed the abovementioned fine on Avanza Bank for violating the GDPR.

You can read the press release here and the decision here, both only available in Swedish.