Swedish DPA's Investigation of Klarna Bank AB
Case summary
Klarna Bank was fined by the Swedish DPA for insufficiently informing data subjects about its processing activities, including international data transfers, retention periods, data subject rights, and automated decision-making, such as profiling.
Our analysis
Klarna Bank AB is a multinational company that provides credit and non-credit payment solutions to over 90 million consumers and 200,000 merchants in 17 countries through various financial services, such as direct payment, "try first and pay later" services, payment through installments, and account information services. To provide these services, Klarna processes large amounts of personal data, including privacy-sensitive data such as financial data and creditworthiness information. The Swedish Data Protection Authority (IMY) conducted an investigation and found that Klarna violated various provisions of the General Data Protection Regulation (GDPR) related to information on the purpose and legal basis for processing personal data, recipients of personal data, international data transfers, retention periods, data subject rights, and automated decision-making, including profiling. The IMY also noted a common thread among these violations: a failure to comply with Articles 12(1) GDPR, 5(1)(a) GDPR and 5(2) GDPR.
Klarna provided incomplete and misleading information about the recipients of different categories of personal data when that data was shared with Swedish and foreign credit reference agencies, in violation of Article 13(1)(e) GDPR. Regarding retention periods for personal data, the IMY found that Klarna provided incomplete information about the periods for which personal data would be retained and the criteria used to determine those periods, in violation of Article 13(2)(a) GDPR. Klarna did not provide adequate information related to the right to erasure of personal data under Article 17 GDPR, restriction of processing concerning the data subject under Article 18 GDPR, the right to object under Article 20 GDPR, and the right to data portability under Article 21 GDPR, in violation of Article 13(2)(b) GDPR.
Outcome
The IMY considered Klarna's status as a multinational company handling diverse categories of personal data on a large scale, including sensitive data like financial and creditworthiness information. The breaches were found to be long-standing, prompting the IMY to impose a fine of roughly €730,000 (SEK 7,500,000) on Klarna Bank AB.
Parties
Swedish DPA (IMY) and Klarna Bank AB