Privacy Violations Cost Swedish Pharmacies & Public Transport Firms Millions

Key Takeaways

  • Pharmacies Fined for Meta Pixel Data Leak: Apoteket AB and Apohem AB were fined SEK 37 million ($3.44 million) and SEK 8 million ($744,000) respectively for transferring sensitive customer data to Meta through the Meta Pixel.
  • Sensitive Health Data Exposed: The data included purchases of STI treatments, self-testing kits, and adult toys, information classified as sensitive under the GDPR.
  • Lack of Internal Controls: Both companies failed to detect the issue internally and only stopped the data transfer after being alerted by external parties.
  • Public Transport Entities Fined for Over-Retaining Sobriety Tests: SL and WÅAB each received SEK 75,000 ($6,975) fines for storing employee alcohol test results longer than necessary, violating employees' privacy rights.
  • Stronger Safeguards Urged: IMY emphasized the need for systematic monitoring, appropriate technical and organizational measures, and stricter protection when processing high-risk or sensitive data.

Deep Dive

Sweden’s privacy regulator had a busy week, slapping some of the country’s most recognizable public and private names with fines over mishandling personal data, ranging from intimate health purchases to employees’ sobriety test results.

On July 3, the Swedish Authority for Privacy Protection (IMY) announced it had fined two major online pharmacies (Apoteket AB and Apohem AB) a combined SEK 45 million (roughly $4.18 million) for improperly funneling sensitive personal data to Meta via the now-infamous Meta Pixel.

Both companies had installed Meta’s analytics tool on their websites to sharpen their marketing game on Facebook and Instagram. But when they enabled a new sub-feature within the pixel, they unknowingly exposed a lot more than intended. The data in question wasn’t just generic browsing behavior, it included purchases of over-the-counter medications, self-testing kits for STIs, and even sex toys. Prescription meds weren’t part of the leak, but that’s hardly comforting.

“Processing this type of sensitive personal data involves high risks,” said Shirin Daneshgari Nejad, legal advisor at IMY, noting that stronger safeguards should have been in place. The companies only became aware of the issue after being tipped off by external parties—highlighting what IMY called a lack of internal controls and monitoring procedures.

In short: no one was watching the watchers. And that silence cost Apoteket SEK 37 million ($3.44 million) and Apohem SEK 8 million ($744,000).
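As an added illustration (not code from the article or from any of the companies named), the kind of internal control IMY says was missing: a browser-side guard placed between a pharmacy checkout and a third-party pixel call that strips item-level details for purchases in special-category product groups and writes an audit entry each time it does so, so the transfer is noticed in-house rather than by an outsider. The pixel call shape `pixelFn(command, eventName, params)`, the per-item `category` field, and the category names are assumptions made for this example.

```javascript
// Product groups treated as GDPR special-category (health / sex life) data.
// The names are constructed for this example; map them to your own catalogue.
const SENSITIVE_CATEGORIES = new Set([
  "sti-self-test", "sti-treatment", "sexual-wellness", "prescription",
]);

// Returns the distinct sensitive categories found in a purchase payload.
// Assumed payload shape: { contents: [{ id, quantity, category }], value, currency, ... }
function findSensitiveCategories(params) {
  const hits = [];
  for (const item of (params && params.contents) || []) {
    const cat = String(item.category || "").toLowerCase();
    if (SENSITIVE_CATEGORIES.has(cat) && !hits.includes(cat)) hits.push(cat);
  }
  return hits;
}

// Decides what may leave the site. A sensitive purchase is never forwarded with
// item-level fields; only a redacted event (no contents, ids, names or value) is,
// and the block is recorded so monitoring can alert on it.
function filterPixelEvent(eventName, params, auditLog) {
  const hits = findSensitiveCategories(params);
  if (hits.length === 0) return { redacted: false, params };
  auditLog.push({ event: eventName, blocked: hits, at: new Date().toISOString() });
  const { contents, content_ids, content_name, value, ...rest } = params;
  return { redacted: true, params: { ...rest, redacted: true } };
}

// Wraps an assumed pixel function so every "track" call passes through the filter.
// Other commands (init, consent, ...) are passed through unchanged.
function installGuard(pixelFn, auditLog) {
  return function guardedPixel(command, eventName, params = {}) {
    if (command !== "track") return pixelFn(command, eventName, params);
    const decision = filterPixelEvent(eventName, params, auditLog);
    return pixelFn(command, eventName, decision.params);
  };
}
```

Installing the guard is only half of the control: the audit log must feed a review process, or the guard fails silently just as the original transfer did.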

Public Transport, Private Data

Meanwhile, on the other end of the spectrum (literally and figuratively) two public transport companies under the SL Group umbrella were also dinged by IMY. Aktiebolaget Storstockholms Lokaltrafik (SL) and Waxholms Ångfartygs AB (WÅAB) each received SEK 75,000 fines ($6,975) for improperly storing employee sobriety test results.

It started with complaints from ship captains who were subjected to alcohol tests as part of safety protocols. IMY doesn’t object to the testing itself, but storing those results for months on end? That’s where the trouble starts.

“Our review shows that it is not necessary to collect and store employees’ sobriety tests to the extent SL and WÅAB have done,” said legal advisor Maja Welander. “The data was kept long after it served its purpose and without clear justification.”

That’s not just an overstep. Because alcohol tests can reveal whether someone is alcohol dependent, they fall under the category of sensitive health data. And under the GDPR, that kind of information comes with a big red “handle with care” sticker.

Whether you’re running a pharmacy or piloting a ferry, handling sensitive data comes with serious responsibilities. From tracking pixels that quietly whisper customer habits to back-office systems that forget to forget, it all adds up to a growing call for organizations to get their data governance houses in order.

The silver lining? All four companies have reportedly made improvements to their internal procedures since the violations came to light. But for the rest of the market, these fines serve as a not-so-gentle reminder that “we didn’t know” isn’t going to cut it.

Not in 2025. Not with this much data at stake.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.