Administrative fine of €1 300 000 imposed by the Swedish Data Protection Authority on a bank for transferring customer data to Meta
The National Center for Personal Data Protection (NCPDP), for information and enforcement purposes, reports on the administrative fine of 1 300 000 euro imposed by the Swedish Data Protection Authority (SA) on Avanza Bank AB for breach of Article 5 (Principles relating to processing of personal data), Article 32 (Security of processing) and Article 83 (General conditions for imposing administrative fines) of the GDPR.
A Swedish bank has reported a personal data breach to the Swedish SA. The notification states that the bank used the Facebook pixel (now the Meta Pixel) on its website and in its app to optimize the bank’s marketing on Facebook. An incorrect setting of the Meta Pixel meant that personal data was transferred to Meta over an extended period of time. The bank’s notification states that between November 15, 2019 and June 2, 2021, personal data of up to one million customers was wrongly transferred to Meta.
When the bank became aware of the incident, the Meta Pixel was deactivated and the personal data collected through the pixel was deleted by Meta. The bank also revised its internal procedures to ensure correct and secure processing of personal data.
Avanza Bank AB has violated the legal provisions stipulated in the GDPR by failing to implement appropriate technical and organizational measures to ensure an adequate level of security for the personal data of website visitors and app users.
In this context, the Swedish SA has imposed an administrative fine of approximately 1 300 000 euro on Avanza Bank AB.
As the national supervisory authority for the processing of personal data, the NCPDP emphasizes the responsibility of personal data controllers to comply with the provisions of the legal framework for the protection of personal data and to ensure that personal data processing operations comply with the legislation in force.