Background information
Date of final decision: 28 March 2022
Cross-border case or national case: One-Stop-Shop procedure. The decision was taken by the national supervisory authority following the One-Stop-Shop cooperation procedure (OSS).
LSA: The Swedish Authority for Privacy Protection
CSAs: Germany: Rhineland-Palatinate, Bavaria, Mecklenburg-Western Pomerania, Berlin, Saarland, Austria, Italy, Netherlands, Norway, Finland and Denmark
Controller: Klarna Bank AB
Legal Reference: principles relating to processing of personal data (Articles 5.1a, 5.2), rights of the data subject (Articles 12.1, 13.1 c, e-f, 13.2 a-b, f, 14.2 g)
Decision: Administrative fine of SEK 7,5 million
Key words: Rights of the data subject
Summary of the Decision
Origin of the case
Klarna is a financial company that processes personal data about many people and in many different ways. It is important that the information that Klarna provides about how the company processes personal data is correct and as complete as possible.
During the investigation, Klarna has continuously changed the information provided on how the company handles personal data. The decision of the Swedish Authority for Privacy Protection (IMY) concerns the information provided in the spring of 2020.
Key Findings
Klarna did not provide information on the purpose and the legal basis for which personal data was processed in one of the company's services. The company also provided incomplete and misleading information about who were the recipients of different categories of personal data when data was shared with Swedish and foreign credit information companies.
Klarna also did not provide information on which countries outside the EU/EEA personal data were transferred to, or on where and how individuals could obtain information on the safeguards that applied to the transfer to third countries. IMY also notes that the company provided incomplete information about the data subjects' rights, including the right to delete data, the right to data portability and the right to object to how one's personal data is processed.
Klarna has not fulfilled the basic principle of transparency and the data subjects’ right to information. Klarna has violated Articles 5 (1) (a), 5.2, 12.1, 13.1 c, e-f and 13.2 a-b, f and 14.2 g in the General Data Protection Regulation. IMY does not consider these to be minor infringements. Klarna must therefore be subject to administrative fines for the said infringements. IMY issues an administrative fine against Klarna of approximately EUR 724 000 for the deficiencies discovered during the investigation.
For further information: decision in national language
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.