Swedish Data Protection Authority Fines Avanza Bank 15 Million SEK for Data Breach


The Swedish Data Protection Authority (IMY) has imposed a fine of 15 million Swedish kronor (approximately 1.3 million EUR) on Avanza Bank AB for violating data protection regulations. The decision comes after a thorough investigation into a data breach that occurred between November 15, 2019, and June 2, 2021.

During this period, Avanza Bank unintentionally transferred personal data of between 500,000 and 1 million customers to Meta (formerly Facebook) through the improper use of Meta's pixel tracking tool. The transferred data included sensitive information such as personal identification numbers, loan amounts, account numbers, securities holdings, and credit limits.

The transfers began when Avanza inadvertently activated two functions of the Meta pixel: Automatic Advanced Matching (AAM), which scrapes identifiers such as e-mail addresses and phone numbers from form fields on the page so that Meta can match the visitor to a Meta account, and Automatic Events (AE), which automatically reports button clicks and page content and metadata without the site defining any events itself. Together these let Meta collect personal data and link it to the visitor's behaviour on the site for profiling. In many cases the data was transferred in clear text.

IMY found that Avanza Bank had failed to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in breach of Article 5(1)(f) and Article 32(1) of the General Data Protection Regulation (GDPR). The authority noted that although Avanza had procedures for introducing new functions on its website, they did not prevent the unintended activation of the pixel's automatic features.

The IMY highlighted the severity of the breach, given that:

  1. It affected a large number of individuals
  2. It involved sensitive financial data subject to banking secrecy laws
  3. The unauthorized transfer continued for over 18 months
  4. Avanza lacked the ability to detect the ongoing transfer of personal data to Meta
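The mechanism described above (advanced-matching fields and automatically captured page data leaving in pixel requests) and the missing detection capability in point 4 can be checked with a small audit of the pixel's outbound requests. The following is an added example, not code from IMY, Avanza or Meta. It parses a captured request to the pixel's reporting endpoint (`https://www.facebook.com/tr/`, whose query string carries the event name `ev`, the page URL `dl`, advanced-matching fields `ud[...]` and custom/automatic-event data `cd[...]`) and flags customer identifiers and Swedish personal identification numbers in it. The sample request, pixel ID, bank hostname, e-mail address and personnummer are all constructed for the example; the hashed phone value is the SHA-256 of the empty string used as a placeholder.

```javascript
// Added example (not from the IMY decision, Avanza or Meta): audit a captured
// Meta pixel request for personal data before it reaches Meta.

// Swedish personal identification number: [YY]YYMMDD[-+]XXXX. The regex alone
// also matches other 10-digit runs, so candidates are Luhn-checked as the real
// number format requires.
const PNR_RE = /\b(\d{2})?(\d{2})(\d{2})(\d{2})[-+]?(\d{4})\b/;

// Luhn over the 10-digit form YYMMDDXXXX: weights 2,1,2,1,... from the left,
// digit-sum the products, total must be divisible by 10.
function luhnOk(tenDigits) {
  let sum = 0;
  for (let i = 0; i < 10; i++) {
    let d = Number(tenDigits[i]);
    if (i % 2 === 0) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// Return every Luhn-valid personnummer found in a string.
function findPnr(text) {
  const hits = [];
  const re = new RegExp(PNR_RE.source, 'g');
  let m;
  while ((m = re.exec(text)) !== null) {
    const [whole, , yy, mm, dd, serial] = m;
    const month = Number(mm), day = Number(dd);
    if (month < 1 || month > 12 || day < 1 || day > 31) continue;
    if (luhnOk(yy + mm + dd + serial)) hits.push(whole);
  }
  return hits;
}

// Audit one captured request URL. Only facebook.com/tr requests are pixel hits.
function auditPixelRequest(rawUrl) {
  const url = new URL(rawUrl);
  const findings = [];
  if (!/(^|\.)facebook\.com$/.test(url.hostname) || !url.pathname.startsWith('/tr')) {
    return { isPixel: false, findings };
  }
  const params = url.searchParams;
  for (const [key, value] of params) {
    const ud = /^ud\[(\w+)\]$/.exec(key);
    if (ud) {
      // Advanced-matching field. The pixel normally sends a SHA-256 hex digest;
      // anything else is a clear-text identifier.
      const hashed = /^[0-9a-f]{64}$/i.test(value);
      findings.push({ kind: 'advanced_matching', field: ud[1], hashed,
                      value: hashed ? '<sha256>' : value });
    } else if (key.startsWith('cd[') || key === 'dl' || key === 'rl') {
      // Automatic-events payload, page URL and referrer: scan for personnummer.
      for (const pnr of findPnr(value)) {
        findings.push({ kind: 'personnummer', field: key, value: pnr });
      }
    }
  }
  return { isPixel: true, event: params.get('ev'), pixelId: params.get('id'), findings };
}

// Constructed sample: a PageView from a loan application page whose URL carries
// the applicant's personnummer, with one clear-text and one hashed ud field and
// two fields Automatic Events scraped from the page.
const SAMPLE_QUERY = new URLSearchParams({
  id: '1234567890',                                  // constructed pixel ID
  ev: 'PageView',
  dl: 'https://www.example-bank.se/loan/apply?pnr=811218-9876&amount=250000',
  'ud[em]': 'anna.example@example.com',              // clear text, not hashed
  'ud[ph]': 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',
  'cd[content_name]': 'Kreditgräns 50000 kr',
  'cd[button_text]': 'Ansök',
});
const SAMPLE = 'https://www.facebook.com/tr/?' + SAMPLE_QUERY.toString();

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(auditPixelRequest(SAMPLE), null, 2));
}
```

Feed it the URLs of requests to `facebook.com/tr` recorded from a browser session (the network panel, a `PerformanceObserver` over resource entries, or a headless browser run in CI against the pages that handle customer data); any `advanced_matching` or `personnummer` finding on a page that was not meant to share data is exactly the transfer that went unnoticed for eighteen months in this case.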

In determining the fine, the IMY considered Avanza's global annual turnover for 2023, approximately 4,716,000,000 SEK. Under Article 83(5) GDPR the cap is the higher of 20 million euros and 4% of annual turnover; 4% of Avanza's turnover is below 20 million euros, so the maximum possible fine in this case was 20 million euros.

Avanza Bank has since taken corrective actions, including:

  1. Immediately deactivating the pixel functions upon discovery
  2. Confirming with Meta that all transferred personal data has been deleted
  3. Implementing new processes for evaluating third-party scripts
  4. Updating internal guidelines and implementing additional policies to ensure proper handling of personal data

This case highlights the importance of robust data protection measures and the potential consequences of mishandling personal information in the digital age. It also serves as a reminder for companies to remain vigilant when implementing third-party tools that may access or process customer data, especially in sectors dealing with sensitive financial information.
