Urgent Enforcement Amended Final

Apoteket and Apohem Fined for GDPR Violations

IMY News (Sweden DPA), www.imy.se
Filed July 3rd, 2025
Detected February 11th, 2026

Summary

The Swedish Authority for Privacy Protection (IMY) has fined Apoteket AB SEK 37 million and Apohem AB SEK 8 million for GDPR violations. The companies improperly transferred sensitive personal data to Meta via the Meta Pixel tool, failing to implement adequate protective measures.

What changed

The Swedish Authority for Privacy Protection (IMY) has imposed administrative fines totaling SEK 45 million on Apoteket AB (SEK 37 million) and Apohem AB (SEK 8 million) for violations of the General Data Protection Regulation (GDPR). The fines stem from the companies' use of Meta Pixel on their websites, which resulted in the transfer of sensitive personal data, including information about purchases of over-the-counter medicines, to Meta. IMY found that both companies failed to implement necessary procedures and monitoring to detect and prevent these improper data transfers, which continued for an extended period.

These enforcement actions highlight the critical need for regulated entities to ensure robust data protection measures, particularly when utilizing third-party analytics tools that handle sensitive personal information. Companies must have systematic approaches to security, including ongoing monitoring of data processing activities, to comply with GDPR. Failure to do so can result in significant financial penalties. While the specific compliance deadline for rectifying the issues is not stated, the fines underscore the importance of immediate review and remediation of data transfer practices to avoid further sanctions.

What to do next

  1. Review data transfer practices involving third-party analytics tools.
  2. Ensure implementation of robust technical and organizational measures for data protection.
  3. Verify that sensitive personal data is not transferred without adequate safeguards.

Penalties

SEK 37 million fine for Apoteket AB and SEK 8 million fine for Apohem AB.

Source document (simplified)


Administrative fines against Apoteket and Apohem for transferring personal data to Meta

Published: 3 July 2025

The Swedish Authority for Privacy Protection (IMY) has decided to impose administrative fines of SEK 37 million on Apoteket AB and SEK 8 million on Apohem AB. This comes after the companies used the so-called Meta Pixel on their websites and transferred sensitive personal data to Meta.

Under the General Data Protection Regulation (GDPR), there is an obligation to report certain personal data breaches to IMY. IMY has received such notifications from Apoteket and Apohem, indicating that each company, over an extended period, had transferred more personal data to Meta than intended.

Apoteket and Apohem used Meta’s analytics tool, Meta Pixel, on their websites to improve marketing on Facebook and Instagram. The incorrect data transfer occurred after the companies enabled a new sub-feature within the Meta Pixel.

Sensitive personal data

By activating this sub-feature, the companies transferred sensitive personal data to Meta concerning a large number of customers. The data included information about purchases of over-the-counter medicines used to treat specific health conditions, self-testing kits, treatments for sexually transmitted infections, and sex toys. Prescription medications were not included in the transfers.

“Processing this type of sensitive personal data involves high risks, which require a high level of protection. The companies were obligated to take appropriate measures to safeguard the data from, for example, being shared with unauthorized parties,” says Shirin Daneshgari Nejad, legal advisor at IMY.

The pharmacies failed to take appropriate protective measures

A fundamental requirement in protecting personal data is a systematic approach to security, which includes ongoing monitoring of data processing activities.

“Our supervision shows that the companies did not have the necessary procedures in place to detect these deficiencies themselves. As a result, the transfer of personal data continued for a long period and was only stopped after the companies were informed of the issue by external parties,” says Maja Welander, legal advisor at IMY.

The companies violated the GDPR by failing to implement appropriate technical and organizational measures to ensure an adequate level of security for their customers’ personal data.

Due to these shortcomings, IMY has decided to impose administrative fines of SEK 37 million on Apoteket and SEK 8 million on Apohem.

After discovering the improper transfer of data to Meta, the companies have improved their internal procedures to ensure the proper and secure processing of personal data. The incidents were reported to IMY in 2022.

Latest update: 3 July 2025

Page labels: Data protection, Internet and apps, Supervision

Source

Analysis generated by AI. Source diff and links are from the original.

Classification

Agency: Various
Filed: July 3rd, 2025
Instrument: Enforcement
Legal weight: Binding
Stage: Final
Change scope: Substantive

Who this affects

Applies to: Retailers, Technology companies
Geographic scope: Sweden

Taxonomy

Primary area: Data Privacy
Operational domain: Compliance
Topics: GDPR, Online Marketing, Data Transfer
