Swedish data protection authority imposes €3.2 million fine on pharmaceutical company

A Swedish pharmaceutical company had been using the Meta Pixel for personalised advertising and audience measurement on its website since 2017. In 2020, an employee activated the ‘advanced matching’ functionality within the service without the knowledge or authorisation of the controller. As a result, hashed customer data (first and last name, contact details, social security data, address data) that was not required merely to run the service was transmitted to Meta as soon as a customer purchased a product on the website. Meta used this data to match it against its existing Facebook user IDs – in up to 930,000 cases. After two years, the controller discovered this, deactivated the functionality of the Meta Pixel and reported the data breach to the Swedish data protection authority IMY.
 
IMY regarded the above as a breach of the controller’s obligation to implement appropriate technical and organisational measures, given the potentially sensitive nature of the data processed through the pixel and the associated high risk to the rights and freedoms of the data subjects (art. 32 (1) GDPR). Although the controller had, among other things, established a review process for new services, the employee in question did not follow it. The existing compliance monitoring processes were also not triggered, as the incorrect setting went undetected for two years.
 
The obligation for data controllers (and processors) to implement adequate technical and organisational measures is an issue that data protection authorities frequently examine in the course of their audits. It is not uncommon for them to routinely request the relevant documentation and – if deficiencies are identified – on-site audits may even be carried out. It is therefore not enough to keep data security measures only ‘on paper’. Instead, businesses must ensure that the entire staff body receives sufficient training to minimise the occurrence of investigations such as the one described above, which may lead to hefty fines.

(Dr. Lukas Mezger, UNVERZAGT Rechtsanwälte)