Avanza Bank fined 1.34M EUR in Sweden for misconfiguration of Meta pixel

Major Swedish online financial services company Avanza Bank was just fined 15 million SEK (approx. 1.34 million EUR) for unlawful disclosure of personal data to Meta through a misconfigured Meta pixel. This breached GDPR Articles 5(1)(f) and 32(1), as Avanza failed to implement adequate technical and organizational measures to secure personal data, which led to the unauthorized disclosure.

Context

    • On 8 June 2021 IMY received a breach notification from Avanza Bank regarding the transfer of personal data (including identity numbers, loan amounts, and account numbers) to Meta between 15 November 2019 and 2 June 2021.
    • The unauthorized transfer was due to the inadvertent activation of Meta’s Automatic Advanced Matching (AAM) and Automatic Events (AH) functions by the bank.
    • Approximately 500,000 to 1,000,000 individuals were affected, with their data transferred without authorization.
    • Upon discovery, Avanza deactivated the Meta pixel and confirmed data deletion by Meta.
    • Avanza implemented new policies and guidelines to prevent future breaches.

Key points in the decision:

  1. GDPR Article 5(1)(f) Violation:
    • Personal data must be processed securely to prevent unauthorized access and accidental loss.
    • Avanza Bank transferred sensitive personal data to Meta without adequate security measures, compromising data confidentiality and integrity.
  2. GDPR Article 32(1) Violation:
    • Controllers must implement security measures appropriate to the risks involved in processing personal data.
    • Avanza’s failure to detect and prevent the unauthorized disclosure of personal data indicated a lack of sufficient security measures.
  3. Assessment:
    • IMY concluded that the breach involved high-risk data, including the financial information mentioned as well as personal identification numbers, all of which would have required stringent security measures. Due to this, the breach constituted a significant risk to data subjects’ rights and freedoms.
    • Avanza’s inability to detect and rectify the unauthorized data transfer further underscored the deficiency in its security measures.
    • The fine was determined based on the gravity, duration, and nature of the infringement.

Avanza can appeal.

A similar investigation was also initiated in 2021 into Länsförsäkringar, a major insurer in Sweden. That procedure is not yet finalised, but we can expect a similar decision soon.

👉 You can read the original decision here in Swedish, and I made a translation into English available here.
