Background information
- Date of final decision: 24 June 2024
- national case
- Controller: Avanza Bank AB
- Legal Reference (s): Article 5 (Principles relating to processing of personal data), Article 32 (Security of processing), Article 83 (General conditions for imposing administrative fines)
- Decision: Administrative fine
- Key words: Finance, Personal data breach, Administrative fine
Summary of the Decision
Origin of the case
A Swedish bank has reported a personal data breach to the Swedish Supervisory Authority (SA). The notification states that the bank has used the Facebook pixel (now the Meta Pixel) on its web site and in its app to optimize the banks marketing on Facebook. An incorrect setting of the Meta Pixel has meant that personal data has been transferred to Meta over a longer period of time. The bank’s notification states that during November 15, 2019 to June 2, 2021 personal data of up to one million customers was wrongly transferred to Meta.
Key Findings
Swedish SA’s supervision of the breach shows that the incorrect transfer of personal data was caused by the bank activating new functions in the Meta pixel by mistake. The faulty settings of the Meta pixel has caused data relating to the bank's customers to be transferred to Meta, such as data on securities holdings and value, loan amount, account number and social security number.
When the bank became aware of the incident, the Meta pixel was deactivated. The bank states that Meta has confirmed that the personal data collected via the pixel has been deleted by Meta.
After discovering the incorrect transfer of data to Meta, the bank has revised its internal procedures to ensure correct and secure processing of personal data.
Decision
The bank has violated the general data protection regulation, GDPR, by not having taken appropriate technical and organisational measures to ensure an appropriate level of security for the personal data of website visitors and app users. Swedish SA issues an administrative fine of approx. € 1 300 000 against the bank.
For further information: national decision Beslut efter tillsyn enligt dataskyddsförordningen mot Avanza Bank AB
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.