Swedish SA: Administrative Fine Against Bank for Transferring Customer Data to Meta

Data Protection Law

On September 2, 2024, the European Data Protection Board ("EDPB") announced on its official website that a Swedish bank has reported a personal data breach to the Swedish Supervisory Authority ("SA").

The notification states that the bank used the Facebook pixel (now the Meta Pixel) on its website and in its app to optimize the bank's marketing on Facebook. An incorrect setting of the Meta Pixel meant that personal data was transferred to Meta over a longer period of time. The bank's notification states that from November 15, 2019 to June 2, 2021, personal data of up to one million customers was wrongly transferred to Meta.

According to the announcement:

  • The Swedish SA's supervision of the breach shows that the incorrect transfer of personal data was caused by the bank activating new functions in the Meta Pixel by mistake.
  • The faulty settings of the Meta Pixel caused data relating to the bank's customers to be transferred to Meta, such as data on securities holdings and value, loan amount, account number and social security number. When the bank became aware of the incident, the Meta Pixel was deactivated.
  • The bank states that Meta has confirmed that the personal data collected via the pixel has been deleted by Meta.
  • After discovering the incorrect transfer of data to Meta, the bank has revised its internal procedures to ensure correct and secure processing of personal data.

As a result:

  • The bank has violated the GDPR by not having taken appropriate technical and organisational measures to ensure an appropriate level of security for the personal data of website visitors and app users. The Swedish SA has issued an administrative fine of approx. € 1 300 000 against the bank.

You can find further information here.

You can find the Swedish SA's press release (in Swedish) here.

 

Kind regards,

Zumbul Attorneys-at-Law

info@zumbul.av.tr