Relevant privacy headlines

Swedish online pharmacies have sent their customers' personal data to Facebook

Swedish media “SR Ekot” has investigated online pharmacies and their investigation reveals that several pharmacies have sent detailed information about their customers and their online purchases to Facebook. Some of the revealed information was considered as sensitive personal data in accordance with article 9 GDPR. The background to sending this data to Facebook is that the pharmacies have been using “Facebook pixels” in their e-commerce to improve their marketing. The leaked data included the web customers’ items in the shopping basket as well as their email addresses and telephone numbers. Only personal data belonging to customers who have approved cookies for marketing on the website have been sent to Facebook.

A several pharmacies have decided to report themselves to the Swedish DPA (IMY), while other have concluded that they are not obliged to report the events as a data breaches under the GDPR.

As a response to the data breaches, IMY has now decided to initiate an investigation of three pharmacies. IMYs press release is available here.

The European Commission launches a secure network for sharing patient data

A new bill from the EU Commission was published on 3 May 2022. The bill contains rules that establish a European ecosystem (computer network) for health data. The proposal would make it possible to temporarily share patient records and data between member states.

The background to the bill is that the outbreak of COVID-19 according to the European Commission has shown that correct health data is important in order to be able to take well-founded public health measures and crisis management.

However, the Commission emphasizes that health information is considered very sensitive and subject to strict confidentiality and data protection rules. In addition, patients want control over how their data is used. The European Commission proposes this law and believes that society can benefit as much as possible from health information while safeguarding the confidentiality of data subjects and patients.

The system shall therefore be transparent and facilitate the transfer of health data across borders, in accordance with Article 20 of the General Data Protection Regulation (GDPR), and ensure that data are protected.

The next step is that the proposal will now be discussed by the Council and the European Parliament. Read more by clicking here.

IMY has started to investigate the Swedish bank Klarna

IMY has received several complaints concerning the bank Klarna’s digital Checkout service. The complaints concern how Klarna collects and fills in personal data (auto-filling) after the buyer has only filled in certain personal data. Complaints against the bank have been received from users in both Sweden, Germany and Finland.

Since the beginning of 2021, IMY has had a strong focus on investigating complaints from individuals. IMY will now proceed with questions towards the bank to investigate whether the processing of personal data in connection with auto-filling of personal data in the Checkout service is compatible with the provisions of the GDPR. Read more by clicking here.

IMY publishes report aimed to highlight complaints received during 2021

In June 2022, IMY published a report aimed to highlight the complaints received during 2021. According to the report, IMY received 2600 complaints last year. The most common type of complaints concerns data subject rights, such as the right to access. Moreover, the report lists recommendations for businesses to ensure compliance with data protection law. For example, it is stated that businesses must be aware of data subjects’ rights and have procedures in place to ensure such rights. The report is available here.

Questions?

The Deloitte Privacy Team has extensive experience in the privacy field and regularly advices on data protection and information security matters. You are very welcome to contact us if you need our help or if you have any questions.