A few weeks ago Folksam, one of the largest insurance companies in Sweden, published an announcement reporting a personal data breach affecting one million customers. Folksam had disclosed personal data of its customers, including special categories of data, to Facebook, Google and others.
The data breach arose from the use of third-party tracking scripts on Folksam’s websites in combination with ‘personally identifiable information’ in the website URLs. Folksam believes it is not alone with this problem, as it is common in the industry to use multiple third-party scripts on websites without ‘properly protecting the personal data’. Folksam recommends that other organisations pay attention to their agreements with these third parties.
Further, Folksam admits that the recent CJEU Schrems II judgment does not make things easier, as the personal data has been transferred to countries outside the European Economic Area.
Last year Finnish YLE reported that the Social Insurance Institution of Finland (“KELA”) had similar issues on its website. To our knowledge, the case was not inspected by the Finnish data protection authority or the telecoms regulator, both of which commented on the case to the media.
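The leak mechanism described above (personal data in page URLs that any third-party script on the page can read) can be audited from a list of site URLs. The following is an added example, not code from Folksam or KELA; the patterns, parameter names and sample URL are constructed assumptions, since the announcement does not say which data the URLs contained.

```javascript
// Added example: patterns, parameter names and URLs are constructed assumptions.
const PII_PATTERNS = [
  { kind: "email", re: /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i },
  // Format-only heuristic for a Swedish personal identity number
  // (YYMMDD-XXXX or YYYYMMDDXXXX); it does not verify the check digit.
  { kind: "personnummer", re: /\b(?:\d{2})?\d{6}[-+]?\d{4}\b/ },
];
// Hypothetical parameter names that suggest personal data regardless of value.
const SENSITIVE_PARAM = /^(ssn|pnr|personnummer|email|name|phone)$/i;

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; } // keep malformed escapes as-is
}

function classify(value) {
  const hit = PII_PATTERNS.find((p) => p.re.test(value));
  return hit ? hit.kind : null;
}

// Returns the findings plus a redacted URL that is safe to log or report.
function auditUrl(rawUrl) {
  const url = new URL(rawUrl);
  const findings = [];

  // Path segments: identifiers are often embedded directly in the route.
  url.pathname = url.pathname.split("/").map((seg) => {
    const kind = classify(safeDecode(seg));
    if (!kind) return seg;
    findings.push({ where: "path", kind });
    return "REDACTED";
  }).join("/");

  // Query parameters: flag by value pattern first, then by parameter name.
  for (const [key, value] of [...url.searchParams.entries()]) {
    const kind = classify(value) || (SENSITIVE_PARAM.test(key) ? "sensitive-name" : null);
    if (!kind) continue;
    findings.push({ where: `query:${key}`, kind });
    url.searchParams.set(key, "REDACTED");
  }

  url.hash = ""; // fragments are readable by page scripts too
  return { safeUrl: url.toString(), findings };
}
```

Any URL that produces findings is one where the personal data should be moved out of the address (for example into a POST body or a server-side session) before third-party scripts are loaded on that page.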