Klarna Bank was fined by the Swedish DPA for insufficiently informing data subjects about its processing activities, including international data transfers, retention periods, data subject rights, and automated decision-making, such as profiling.
Our analysis
Klarna Bank AB is a multinational company that provides credit and non-credit payment solutions to over 90 million consumers and 200,000 merchants in 17 countries through various financial services, such as direct payment, "try first and pay later" services, payment through installments, and account information services. To provide these services, Klarna processes large amounts of personal data, including privacy-sensitive data such as financial data and creditworthiness information. The Swedish Data Protection Authority (IMY) conducted an investigation and found that Klarna violated various provisions of the General Data Protection Regulation (GDPR) relating to information on the purpose and legal basis for processing personal data, the recipients of personal data, international data transfers, retention periods, data subject rights, and automated decision-making, including profiling. The IMY also noted that these violations shared a common thread: a failure to comply with Articles 12(1), 5(1)(a) and 5(2) GDPR.
Klarna provided incomplete and misleading information about the recipients of the different categories of personal data it shared with Swedish and foreign credit reference agencies, in violation of Article 13(1)(e) GDPR. Regarding retention periods, the IMY found that Klarna provided incomplete information about the periods for which personal data would be retained and the criteria used to determine those periods, in violation of Article 13(2)(a) GDPR. Klarna also failed to provide adequate information on the right to erasure of personal data under Article 17 GDPR, the right to restriction of processing under Article 18 GDPR, the right to object under Article 20 GDPR, and the right to data portability under Article 21 GDPR, in violation of Article 13(2)(b) GDPR.
Outcome
The IMY considered Klarna's status as a multinational company handling diverse categories of personal data on a large scale, including sensitive data like financial and creditworthiness information. The breaches were found to be long-standing, prompting the IMY to impose a fine of roughly €730,000 (SEK 7,500,000) on Klarna Bank AB.
Parties
Swedish DPA (IMY) and Klarna Bank AB
Case number
DI-2019-4062
Related deceptive patterns
Sneaking involves intentionally withholding or obscuring information that is relevant to the user (e.g. additional costs or unwanted consequences), often in order to manipulate them into taking an action they would not otherwise choose.
Related laws
Requires personal data to be processed lawfully, fairly, and transparently.
Ensures transparent information and easy access for individuals to their personal data processing, with the right to obtain a copy in a clear and common format.
Controllers must provide identity, contact details, processing purposes and legal basis, recipient information, retention period, and data subject rights when collecting personal data.
Specifies required information for data subjects when collecting personal data from other sources, including controller identity, processing purposes, personal data categories, recipients, and retention period.