Industry - Enforcement
Executive Summary
A Finnish court overturned a €1.1 million fine against pharmacy chain Yliopiston Apteekki for using Google and Meta tracking technologies on customers between 2018-2022, despite confirming the company violated GDPR. The court ruled that the university-owned pharmacy, as an independent public law institution, cannot be subject to administrative penalties under data protection regulations. The pharmacy discontinued the tracking technologies in September 2022.
What Happened
The Helsinki Administrative Court overturned a €1.1 million fine against Yliopiston Apteekki, a pharmacy chain owned by the University of Helsinki, which had been imposed by Finland's Data Protection Ombudsman in 2023. The ombudsman had penalized the pharmacy for using Google and Meta tracking technologies including cookies in its online store between 2018 and 2022, finding violations of GDPR. While the court confirmed the pharmacy had indeed violated GDPR, it ruled that as an independent public law institution connected to a university, the pharmacy cannot be subject to administrative penalties under Finland's Data Protection Act. The pharmacy discontinued the tracking technologies in September 2022.
Who Is Affected
Customers who used Yliopiston Apteekki's online pharmacy services between 2018 and 2022 were subject to tracking by Google and Meta technologies without proper GDPR compliance. These customers had their browsing behavior and potentially sensitive health-related purchase information collected through tracking mechanisms. The ruling affects all Finnish residents who may have shopped at this university-owned pharmacy chain during the violation period.
Why It Matters
This case creates a significant enforcement gap in European data protection law by establishing that university-owned entities in Finland can violate GDPR without facing financial penalties due to their public law status. The precedent means that confirmed privacy violations affecting potentially sensitive health data resulted in no meaningful enforcement consequence, undermining the deterrent effect of GDPR fines. This ruling may embolden other public institutions to deprioritize privacy compliance and raises questions about accountability when government-affiliated organizations mishandle citizen data.
What You Should Do
If you used Yliopiston Apteekki's online store between 2018 and 2022, review your privacy settings on Google and Meta platforms and consider opting out of personalized advertising, as your pharmacy browsing data may have been shared with these companies. Request a copy of your personal data from Yliopiston Apteekki under GDPR Article 15 to understand what information was collected and how it was used. Going forward, when shopping at any online pharmacy, carefully review their privacy policies and cookie consent mechanisms before making purchases to ensure your health-related data is properly protected.
Summary generated from verified sources and reviewed before publication. How we summarize.