Estonia Fines Apotheka Loyalty Program Operator €3 Million Over Massive Data Breach

Written by Jeremy Werner

Jeremy is an experienced journalist, skilled communicator, and constant learner with a passion for storytelling and a track record of crafting compelling narratives. He has a diverse background in broadcast journalism, AI, public relations, data science, and social media management.
Posted on 09/17/2025
In News

Estonia’s Data Protection Inspectorate has issued a record €3 million fine against Allium UPI OÜ, the company operating Apotheka’s loyalty program, for what regulators described as serious failures to protect customer data. The penalty follows a security breach that compromised the personal details of more than 750,000 people, including sensitive health-related purchase histories, Estonian Public Broadcasting (ERR) reported.


The inspectorate concluded that Allium UPI neglected basic cyber hygiene and data protection safeguards, allowing unauthorized individuals to repeatedly access the program’s information system and database backups in early 2024. The stolen files contained names, identification codes, contact information, addresses, and detailed purchase records of customers who joined the loyalty program between 2014 and 2020. Among the exposed data were records of purchases such as pregnancy and ovulation tests, blood pressure monitors, intimate hygiene products, and skin care items.


Officials said the company’s “negligent attitude” put the privacy of hundreds of thousands of Estonians—including children and other vulnerable groups—at risk. The incident is among the most significant data breaches in Estonia’s recent history.


Allium UPI, however, rejected the inspectorate’s findings and announced it would appeal in court. In a press release, the company expressed regret that a backup copy of the database had been stolen but insisted the regulator’s decision was based on “incorrect facts.” The company said that, according to information from prosecutors and law enforcement, the stolen data has not appeared on the dark web or been used for criminal purposes.


Allium UPI also emphasized that no passwords or banking details were compromised and that only a tiny fraction—0.01 percent—of the records related to over-the-counter medicines. The firm argued that the loyalty program does not collect information on state-subsidized medicines.


The case highlights growing scrutiny of corporate responsibility for safeguarding sensitive personal data in Estonia and across the EU.
