Swedish insurance group Folksam reports that they voluntarily, but illegally, have shared personal data concerning more than 1 million data subjects with American companies such as  Facebook, Google, Microsoft, Linkedin and Adobe.

The illegal data transfers where found during an internal audit during this autumn.

Folksam, as many others, is suspected to have used analytics tools, such as Google Analytics and Facebook Pixel on their homepage, and by including these third party tools also on check out pages, also personal data on bought insurances has been transferred.

Furthermore, Folksam acknowledges that substantial sensitive personal data automatically has been transferred to third parties to improve targeting of potential customers. Such services are for instance Facebook Custom Audience.

The personal data transferred includes everything from IP-adresses, over social security numbers, to union membership and pregnancy. The later of these being special categories of personal data.

We applaud that Folksam indeed have performed an audit of their personal data and flows but are surprised to see to what extent Folksam historically have lacked control of their personal data, especially with the huge potential financial impacts of GDPR.

Folksam has a global turnover of more than €6 000M and more than €70 000M as assets under management. Their potential maximum fine therefor is between €240M and €2 800M.

Apart from this, Folksam should expect a class action from the more than one million people effected. As Folksam have reported this as an identified breach of GDPR, these people are entitled to damages under article 82.

We strongly urge all companies to perform an inventory of their personal data, and make sure all transfers are reviewed and under control.