Südameapteegi e-apteek – €100,000 Fine (Estonia, 2020)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Südameapteegi e-apteek was fined EUR 100,000 in Estonia for allowing unauthorized access to prescription data. This case shows the importance of having strong consent procedures to protect customer privacy. Online pharmacies must ensure they have clear consent from users before sharing their data.
What happened
Südameapteegi e-apteek permitted third parties to view prescription data without obtaining user consent.
Who was affected
People whose prescription details were accessed by unauthorized individuals.
What the authority found
The Estonian authority determined that Südameapteegi e-apteek lacked a valid legal basis for processing personal data, breaching GDPR consent requirements.
Why this matters
This ruling highlights the critical need for businesses to establish robust consent mechanisms to protect user data. It serves as a reminder that failing to do so can result in significant penalties.
GDPR Articles Cited
The Estonian DPA (Andmekaitse Inspektsioon) fined three online pharmacies EUR 100,000 each for processing personal data without the consent of the data subjects. The data in question are prescriptions for medicines of the data subjects. Third parties were able to view another person's current prescriptions in the e-pharmacy environment without their consent, based only on access to their personal identification code. The DPA highlighted that while it must be possible to purchase prescription drugs for other people, it is the responsibility of the company to ensure that the processing of the personal data required for this purpose only takes place with the consent of the data subjects. The confirmation of another person that they may access the data, however, does not correspond to the voluntary consent of the prescription holder, since the e-pharmacy cannot check whether and for what purpose the consent was given and whether it was given voluntarily.
Related Enforcement Actions (0)
No other enforcement actions found for Südameapteegi e-apteek in EE
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
1 December 2020
Authority
Andmekaitse Inspektsioon
Fine Amount
€100,000
Enforcement Tracker ID
ETid-517
About this data
Cite as: Cookie Fines. Südameapteegi e-apteek - Estonia (2020). Retrieved from cookiefines.eu
Last updated: