
Background information
- Date of final decision: 27 May 2025
- National case
- Legal Reference(s): Article 5 (Principles relating to processing of personal data), Article 25 (Data protection by design and by default), Article 32 (Security of processing)
- Decision: Administrative fine, Reprimand
- Key words: Third party access to personal data, Administrative fine, E-Commerce, Cookies, Sensitive data
Summary of the Decision
Origin of the case
The Finnish Supervisory Authority (SA) started investigating the practices of the pharmacy company Yliopiston Apteekki after a doctoral researcher from the University of Turku contacted the Office. Using network traffic analysis, the doctoral researcher found data protection deficiencies in Finnish online pharmacies as part of research focused on the functioning of health-related online services. The Finnish SA is currently investigating similar deficiencies found in the online shops of several other pharmacies as well.
Key Findings
Yliopiston Apteekki had used cookies and other tracking technologies for its online pharmacy in a manner that transmitted data on users’ interactions with the shop related to prescription medicines and over-the-counter medicines directly to Google and Meta, among others. For example, the tracking service providers received data on when a customer added a product to their basket and clicked the purchase button.
The transmitted data also included users’ IP addresses and other identifying data that could be used to identify individual users. If a user was logged in to their Google or Facebook account when they used the online pharmacy, Google and Meta could have directly identified them.
Decision
The company was found to have infringed Articles 32 and 5.1.f of the GDPR. An administrative fine was imposed on Yliopiston Apteekki, and the company was also cautioned because it had not taken sufficient care to ensure that the personal data generated and collected in connection with using its online pharmacy was kept secure. The Finnish SA’s investigation pertained to the pharmacy’s practices between May 2018 and September 2022. The pharmacy has stated that it discontinued using Google’s and Meta’s tracking technologies in September 2022. The Finnish SA also provided guidance to the pharmacy on the tracking technologies it still uses.
For further information:
- Yliopiston Apteekki fined for online shop data protection shortcomings (English)
- Decisions of the Finnish SA, Finlex database (Finnish)
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.