EUR 1.1 million fine issued to Yliopiston Apteekki for the use of cookies and other tracking technologies on online pharmacy

The Sanctions Board of the Finnish Office of the Data Protection Ombudsman has issued an administrative fine of EUR 1.1 million to Yliopiston Apteekki, the largest pharmacy chain in Finland, due to deficiencies in its cookie practices and the use of other tracking technologies on its online pharmacy website (case number TSV/108/2022). The case serves as a reminder that deploying cookies and other tracking technologies on a company’s website – without a proper understanding of which personal data may be disclosed to third parties, and without implementing appropriate safeguards – can result in significant administrative fines.

About the case – disclosing health data to providers of tracking technologies led to administrative fines

The data protection shortcomings related to Yliopiston Apteekki’s online pharmacy were initially brought to the attention of the Office of the Data Protection Ombudsman by a PhD researcher at the University of Turku. In the course of conducting research on web analytics, the researcher had identified certain data protection concerns concerning the use of tracking technologies on the websites of Finnish online pharmacies and certain other healthcare entities. The Office of the Data Protection Ombudsman is also currently investigating similar data protection shortcomings involving other Finnish online pharmacies.

Personal data of visitors to Yliopiston Apteekki's online pharmacy who had given their consent to the use of cookies had been disclosed to the providers of tracking technologies (Google, Meta and New Relic). The tracking technologies used included, among others, Google Analytics, the Facebook pixel and a tool for monitoring website performance. The data disclosed included which self-care and prescription medicines the website visitor had viewed, which medicines the visitor had added to their shopping cart, and whether the visitor had proceeded to the order confirmation page. In addition, other unique identifiers, such as IP addresses, were disclosed to the tracking tool providers. By combining this data, the third-party providers were able to infer which specific medicines an identifiable individual had viewed or ordered from the online pharmacy.

In its decision, the Sanctions Board of the Office of the Data Protection Ombudsman concluded that the data controller had failed to appropriately ensure that information contained in HTTP requests sent by the visitor’s browser during their interaction with the website was masked or otherwise rendered unidentifiable before being disclosed to the tracking tool service providers.

Attention was also paid to the fact that the information about medicines carried in these requests was not covered by the ordinary mechanisms for protecting communications, so there was also a risk that it could be disclosed to unknown intermediaries. Accordingly, the disclosure of personal data was not necessarily limited to the tracking technology providers used by the data controller; the personal data may also have been disclosed to those providers' sub-processors.

The investigation of the Office of the Data Protection Ombudsman covered the practices in place at Yliopiston Apteekki from May 2018 to September 2022. Yliopiston Apteekki has since updated its practices to prevent the disclosure of data to third parties.

The Office of the Data Protection Ombudsman also issued guidance to Yliopiston Apteekki concerning its current cookie practices. The guidance stated, among other things, that if tracking of visitors in connection with medicinal products is necessary, it must be done in a way that ensures the controller retains actual control over the processing of personal data. It also emphasized the need to keep pace with the continuous evolution of technology and the emergence of new methods of accessing data. Furthermore, it stated that a URL should not be linked to the content of the page it points to (e.g. product name, product description or product code), and that URLs should not include special category personal data, such as health data, or otherwise sensitive data, where those URLs are disclosed to third parties.
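The practical failure described above is that the page URL, referrer and title are handed to the analytics tag exactly as the browser sees them, so a product slug in the path becomes a record of which medicine an identifiable visitor viewed. The snippet below is an added example of the masking the Sanctions Board found missing; it is not code from the decision or from Yliopiston Apteekki's website. The path prefixes, query parameter names and sample URLs are constructed assumptions, not the real site's layout.

```javascript
// Added example (not from the decision or the pharmacy's site): strip product
// identity from a page-view event before it is handed to a third-party tag.
// Path layout, parameter names and sample URLs below are assumptions.

const SENSITIVE_PATH_PREFIXES = ['/products', '/prescriptions']; // assumed site layout
const SENSITIVE_QUERY_PARAMS = new Set(['q', 'sku', 'product']); // assumed parameter names

// True when the path names a specific item under a sensitive section.
function isSensitivePath(pathname) {
  return SENSITIVE_PATH_PREFIXES.some((p) => pathname.startsWith(p + '/'));
}

// Keep the route class (visitor was on a product page) but not which product.
function redactPageLocation(urlString) {
  const url = new URL(urlString);
  for (const prefix of SENSITIVE_PATH_PREFIXES) {
    if (url.pathname.startsWith(prefix + '/')) {
      url.pathname = prefix + '/redacted';
      break;
    }
  }
  // Search terms and SKUs identify the product just as well as the path does.
  for (const name of [...url.searchParams.keys()]) {
    if (SENSITIVE_QUERY_PARAMS.has(name)) url.searchParams.delete(name);
  }
  url.hash = ''; // fragments often carry dosage or variant anchors
  return url.toString();
}

// Build the page_view event the tag is allowed to send. The <title> usually
// repeats the product name, so it is replaced on sensitive pages.
function buildPageViewEvent(doc) {
  const sensitive = isSensitivePath(new URL(doc.url).pathname);
  return {
    page_location: redactPageLocation(doc.url),
    page_referrer: doc.referrer ? redactPageLocation(doc.referrer) : '',
    page_title: sensitive ? 'Product page' : doc.title,
  };
}

// Last check before the event leaves the browser: no identifier the page
// knows for its own product may appear in any field sent to the provider.
function leaksProductIdentity(event, productTerms) {
  const haystack = Object.values(event).join(' ').toLowerCase();
  return productTerms.some((t) => haystack.includes(t.toLowerCase()));
}

// Constructed sample document; "examplemed" and the SKU are invented.
const sampleDoc = {
  url: 'https://pharmacy.example/products/examplemed-100mg-tablets?sku=40123&lang=fi#dosage',
  referrer: 'https://pharmacy.example/search?q=examplemed',
  title: 'Examplemed 100 mg tablets - Pharmacy',
};
const productTerms = ['examplemed', '40123'];

// What a tag sends by default versus what it is allowed to send here.
const rawEvent = {
  page_location: sampleDoc.url,
  page_referrer: sampleDoc.referrer,
  page_title: sampleDoc.title,
};
const safeEvent = buildPageViewEvent(sampleDoc);

console.log('raw event leaks product identity:', leaksProductIdentity(rawEvent, productTerms));
console.log('masked event:', JSON.stringify(safeEvent));
```

Two caveats a practitioner should keep in mind. First, masking the values you pass to the tag is not enough on its own: the browser's own request to the provider carries a Referer header, so the page must also set a Referrer-Policy (the modern browser default, strict-origin-when-cross-origin, reduces cross-origin referrers to the origin) and the event fields must not be re-populated from document.location by the tag. Second, the check in leaksProductIdentity only catches identifiers the page knows about; it is a safety net, not a substitute for designing URLs and events so that sensitive product data is never in them in the first place, which is the point of the guidance above.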

The decision is not yet final, and Yliopiston Apteekki has announced its intention to appeal to the Administrative Court.

Ensuring compliance: Reevaluate your company’s cookie and other tracking technology policies

The case serves as an important reminder that companies should have a clear understanding of how personal data they process is disclosed to service providers involved in the processing of personal data – and to their sub-processors. It is also important to recognize that the transfer of data from tracking technologies to service providers is not limited to cookies, but also occurs through other web-based tracking technologies. These include, for example, tracking pixels, web beacons and various tags.

When tracking technologies are used, the principle of data minimization should be followed: only the personal data that is necessary for the stated purpose of the processing should be disclosed to the tracking technology providers.

Companies that process special categories of personal data, as defined in Article 9 of the General Data Protection Regulation (GDPR), or other sensitive personal data, should pay particular attention to ensuring that appropriate safeguards are in place to protect personal data in the context of analytics tools, for example in relation to company websites and email newsletters. The processing of special categories of personal data within the tracking tools may easily occur, for example, in the case of various health service providers and medical device manufacturers.

Sonja Laamanen

  • Link to the decisions of the Deputy Data Protection Ombudsman and the Sanctions Board: TSV/108/2022 (only in Finnish)

HH Partners offers a wide range of data protection services: we help our clients with compliance with data protection regulations, GDPR assessments, impact assessments, and other data protection documentation.


Author:

This article was written by our Associate Lawyer Sonja Laamanen who specialises in data protection, technology and intellectual property law. Her work covers all aspects of data protection law, for example, assisting clients with drafting data protection documentation, negotiating and drafting data processing agreements, as well as GDPR compliance questions. Sonja has assisted organizations across various industries with data protection matters, including technology, media, retail, consumer goods, and pharmaceutical sectors.