Yliopiston Apteekki fined for online shop data protection shortcomings
The Sanctions Board of the Office of the Data Protection Ombudsman issued a EUR 1,100,000 administrative fine against the pharmacy company Yliopiston Apteekki because of data protection shortcomings found in the pharmacy’s online shop related to the use of tracking services. Data on the customers’ use of the online shop was leaked to tracking service companies through the website’s analytics tools and tracking technology.
The Office of the Data Protection Ombudsman started investigating the practices of the company after a doctoral researcher from the University of Turku contacted the Office. Using network traffic analysis, the doctoral researcher found data protection deficiencies in Finnish online pharmacies as part of research focused on the functioning of health-related online services. The Office of the Data Protection Ombudsman is currently investigating similar deficiencies found in the online shops of several other pharmacies as well.
In its investigation, the Office of the Data Protection Ombudsman discovered that Yliopiston Apteekki had used cookies and other tracking technologies for its online pharmacy in a manner that transmitted data on users’ interactions with the shop related to prescription medicines and over-the-counter medicines directly to Google and Meta, among others. For example, the tracking service providers received data on when a customer added a product to their basket and clicked the purchase button.
The transmitted data also included users’ IP addresses and other identifying data that could be used to identify individual users. If a user was logged in to their Google or Facebook account when they used the online pharmacy, Google and Meta could have directly identified them.
‘Personal data related to purchasing medicines is highly sensitive data and its protection is vital. When the appropriate safeguards are chosen, attention must be paid to the risk caused by personal data processing. Personal data protection also helps ensure that customers can trust that using online pharmacies is secure’, says Deputy Data Protection Ombudsman Annina Hautala.
An administrative fine was imposed on Yliopiston Apteekki, and the company was also cautioned because it had not taken sufficient care to ensure that the personal data generated and collected in connection with using its online pharmacy was kept secure. The Office of the Data Protection Ombudsman’s investigation pertained to the pharmacy’s practices between May 2018 and September 2022. The pharmacy has stated that it discontinued using Google’s and Meta’s tracking technologies in September 2022.
The Deputy Data Protection Ombudsman also provided guidance to the pharmacy on the tracking technologies it still uses. ‘Website tracking technologies can be implemented in a manner that also allows appropriate protection of personal data. For example, organisations can choose services that allow them to genuinely control the personal data processing or that do not transmit personal data at all’, says Hautala.
The decisions of the Sanctions Board and the Deputy Data Protection Ombudsman are not final, as they can be appealed to the Administrative Court.
More information:
Decisions of the Deputy Data Protection Ombudsman and the Sanctions Board in the Finlex service (in Finnish only)
Deputy Data Protection Ombudsman Annina Hautala, annina.hautala(at)om.fi, tel. +358 29 566 6776
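Press release of the University of Turku on the University’s website (in Finnish only): Väitöstutkimuksessa löydettiin vakavia puutteita terveysalan verkkopalveluiden tietosuojassa (‘Doctoral research found serious deficiencies in the data protection of health-sector online services’, 30 April 2025)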