IMY (Sweden) - DI-2019-4062: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Sweden |DPA-BG-Color= |DPAlogo=LogoSE.png |DPA_Abbrevation=IMY (Sweden) |DPA_With_Country=IMY (Sweden) |Case_Number_Name=DI-2019-4062 |ECLI=...") |
|||
(2 intermediate revisions by one other user not shown) | |||
Line 67: | Line 67: | ||
}} | }} | ||
The Swedish DPA | The Swedish DPA conducted an investigation and issued a fine of approximately €730,000 against Klarna Bank for not providing data subjects with adequate information related to their processing activities, in violation of various provisions under [[Article 5 GDPR|Articles 5]], [[Article 12 GDPR|12]],[[Article 13 GDPR|13]] and [[Article 14 GDPR|14 GDPR]]. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
Klarna Bank AB is a company which provides both credit and non-credit payment solutions to approximately 90 million consumers and more than 200,000 merchants in 17 countries through a variety of financial services, such as direct payment, various forms of "try first and pay later" services and payment through installments, as well as account information services. In order to provide these services, Klarna needs to process large amounts of personal data. The Swedish DPA (IMY) initially examined Klarna's privacy policy, and noted that there was a lack of clarity regarding many aspects, and therefore decided to launch an ex officio investigation to determine Klarna's compliance with the provisions on clear information and communication to data subjects. During the investigation, Klarna continuously changed the information provided on how the company handled personal data. IMY's decision concerns the information as it stood from 17 March to 26 June 2020. | |||
=== Holding === | === Holding === | ||
After conducting their investigation, the IMY held that Klarna had violated various GDPR provisions related to information on the purpose and legal basis for the processing of personal data, the recipients of various categories of personal data, international data transfers, retention periods, data subject rights and automated decision-making, including profiling. As a common thread, the IMY held that each one of these breaches also entailed a violation of [[Article 12 GDPR#1|Articles 12(1) GDPR]], [[Article 5 GDPR#1a|5(1)(a) GDPR]] and [[Article 5 GDPR#2|5(2) GDPR]]. | |||
5 | |||
Regarding the information provided by Klarna on the purpose and legal basis for the processing of personal data related to the "My Finance" and "My Economy" services, the IMY held that this information was not concise, clear and easily accessible, and did not meet the requirements of [[Article 13 GDPR#1c|Article 13(1)(c) GDPR]]. | |||
With regards to the recipients, the IMY held that Klarna provided incomplete and misleading information on who were the recipients of different categories of personal data when such data were shared with Swedish and foreign credit reference agencies, in violation of [[Article 13 GDPR#1e|Article 13(1)(e) GDPR]]. | |||
Specifically on the topic of international data transfers, the IMY noted that a mere statement that personal data will be transferred to third countries, without naming these countries, was not adequate information for data subjects in this sense. Moreover, the IMY held that Klarna not only failed to provide information about the countries outside the EU/EEA to which personal data was transferred, but also as to where and how data subjects could access documents regarding the safeguards applicable to the data transfers where no adequacy decision exists between the EU and these countries, in breach of [[Article 13 GDPR#1f|Article 13(1)(f) GDPR]]. | |||
Furthermore, the IMY also held that Klarna provided incomplete information about the periods for which personal data would be retained and the criteria used to determine those periods, in violation of [[Article 13 GDPR#2a|Article 13(2)(a) GDPR]]. | |||
Regarding data subject rights, the IMY held that Klarna did not provide them with adequate information related to the right to erasure of personal data under [[Article 17 GDPR]], restriction of processing concerning the data subject under [[Article 18 GDPR]], the right to object under [[Article 20 GDPR]] as well as the right to data portability under [[Article 21 GDPR]], in violation of [[Article 13 GDPR#2b|Article 13(2)(b) GDPR]]. | |||
As to automated decision-making, including profiling under [[Article 22 GDPR#1|Articles 22(1)]] and [[Article 22 GDPR#4|(4) GDPR]], the IMY noted that it was not clear whether Klarna used its own internal scoring model based on, among other things, both internal and external financial information, or what types of data are included in the financial information, such as information on liabilities with other creditors. The IMY also observed that no information was provided regarding the logic behind these processes, their significance, the types of personal data that played a decisive role when subject to a negative decision, or the foreseeable consequences for data subjects, in breach of [[Article 13 GDPR#2f|Articles 13(2)(f)]] and [[Article 14 GDPR#2g|14(2)(g) GDPR]]. | |||
In order to determine their administrative fine, the IMY took into account that Klarna is a multinational company that processes many different categories of personal data on a large number of data subjects, including privacy-sensitive data such as financial data and creditworthiness, and that these breaches were ongoing for a long period of time. Based on these considerations, the IMY issued a fine of approximately €730,000 (SEK 7,500,000) against Klarna Bank AB. | |||
== Comment == | == Comment == | ||
Klarna stated that they will appeal the decision. IMY cited the A29WP guidelines on transparency many times in their decision and if you follow these guidelines by | Klarna stated that they will appeal the decision. IMY cited the A29WP guidelines on transparency many times in their decision, and if you follow these guidelines by the book, a data controller that is involved in complex processing activities will end up with a complex, lengthy and non-reader friendly privacy notice, which is the exact opposite of what the GDPR requires. The question raised here is where does the balance lie between too little or too much information? | ||
== Further Resources == | == Further Resources == |
Latest revision as of 16:24, 6 April 2022
IMY (Sweden) - DI-2019-4062 | |
---|---|
Authority: | IMY (Sweden) |
Jurisdiction: | Sweden |
Relevant Law: | Article 5(1)(a) GDPR Article 5(2) GDPR Article 12(1) GDPR Article 13(1)(f) GDPR Article 13(1)(c) GDPR Article 13(1)(e) GDPR Article 13(2)(a) GDPR Article 13(2)(b) GDPR Article 13(2)(f) GDPR Article 14(2)(g) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | 27.03.2019 |
Decided: | 28.03.2022 |
Published: | 28.03.2022 |
Fine: | 7500000 SEK |
Parties: | Klarna Bank AB |
National Case Number/Name: | DI-2019-4062 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Swedish |
Original Source: | IMY's website (in SV) |
Initial Contributor: | Elisavet Dravalou |
The Swedish DPA conducted an investigation and issued a fine of approximately €730,000 against Klarna Bank for not providing data subjects with adequate information related to their processing activities, in violation of various provisions under Articles 5, 12,13 and 14 GDPR.
English Summary
Facts
Klarna Bank AB is a company which provides both credit and non-credit payment solutions to approximately 90 million consumers and more than 200,000 merchants in 17 countries through a variety of financial services, such as direct payment, various forms of "try first and pay later" services and payment through installments, as well as account information services. In order to provide these services, Klarna needs to process large amounts of personal data. The Swedish DPA (IMY) initially examined Klarna's privacy policy, and noted that there was a lack of clarity regarding many aspects, and therefore decided to launch an ex officio investigation to determine Klarna's compliance with the provisions on clear information and communication to data subjects. During the investigation, Klarna continuously changed the information provided on how the company handled personal data. IMY's decision concerns the information as it stood from 17 March to 26 June 2020.
Holding
After conducting their investigation, the IMY held that Klarna had violated various GDPR provisions related to information on the purpose and legal basis for the processing of personal data, the recipients of various categories of personal data, international data transfers, retention periods, data subject rights and automated decision-making, including profiling. As a common thread, the IMY held that each one of these breaches also entailed a violation of Articles 12(1) GDPR, 5(1)(a) GDPR and 5(2) GDPR.
Regarding the information provided by Klarna on the purpose and legal basis for the processing of personal data related to the "My Finance" and "My Economy" services, the IMY held that this information was not concise, clear and easily accessible, and did not meet the requirements of Article 13(1)(c) GDPR.
With regards to the recipients, the IMY held that Klarna provided incomplete and misleading information on who were the recipients of different categories of personal data when such data were shared with Swedish and foreign credit reference agencies, in violation of Article 13(1)(e) GDPR.
Specifically on the topic of international data transfers, the IMY noted that a mere statement that personal data will be transferred to third countries, without naming these countries, was not adequate information for data subjects in this sense. Moreover, the IMY held that Klarna not only failed to provide information about the countries outside the EU/EEA to which personal data was transferred, but also as to where and how data subjects could access documents regarding the safeguards applicable to the data transfers where no adequacy decision exists between the EU and these countries, in breach of Article 13(1)(f) GDPR.
Furthermore, the IMY also held that Klarna provided incomplete information about the periods for which personal data would be retained and the criteria used to determine those periods, in violation of Article 13(2)(a) GDPR.
Regarding data subject rights, the IMY held that Klarna did not provide them with adequate information related to the right to erasure of personal data under Article 17 GDPR, restriction of processing concerning the data subject under Article 18 GDPR, the right to object under Article 20 GDPR as well as the right to data portability under Article 21 GDPR, in violation of Article 13(2)(b) GDPR.
As to automated decision-making, including profiling under Articles 22(1) and (4) GDPR, the IMY noted that it was not clear whether Klarna used its own internal scoring model based on, among other things, both internal and external financial information, or what types of data are included in the financial information, such as information on liabilities with other creditors. The IMY also observed that no information was provided regarding the logic behind these processes, their significance, the types of personal data that played a decisive role when subject to a negative decision, or the foreseeable consequences for data subjects, in breach of Articles 13(2)(f) and 14(2)(g) GDPR.
In order to determine their administrative fine, the IMY took into account that Klarna is a multinational company that processes many different categories of personal data on a large number of data subjects, including privacy-sensitive data such as financial data and creditworthiness, and that these breaches were ongoing for a long period of time. Based on these considerations, the IMY issued a fine of approximately €730,000 (SEK 7,500,000) against Klarna Bank AB.
Comment
Klarna stated that they will appeal the decision. IMY cited the A29WP guidelines on transparency many times in their decision, and if you follow these guidelines by the book, a data controller that is involved in complex processing activities will end up with a complex, lengthy and non-reader friendly privacy notice, which is the exact opposite of what the GDPR requires. The question raised here is where does the balance lie between too little or too much information?
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.
1 (25) Klarna Bank AB Record number: DI-2019-4062 Decision after supervision according to Data Protection Regulation - Klarna Date: Bank AB 2022-03-28 Content The decision of the Integrity Protection Authority ................................................ ........................... 2 1 Report on the supervisory matter .............................................. ..................................... 3 2 Motivation for decision .............................................. .................................................. .... 4 2.1 Applicable provisions ............................................... ............................... 4 2.2 IMY's assessment of whether Klarnas Data Protection Information meets the requirements in Articles 5 (1) (a), 5 (2), 12, 13 and 14 of the Data Protection Regulation ............................ 7 2.2.1 IMY's assessment of Klarna's information pursuant to Article 13 (1) (c) ......... 7 2.2.2 IMY's assessment of Klarna's information pursuant to Article 13 (1) (e) ......... 9 2.2.3. IMY's assessment of Klarna's information pursuant to Article 13 (1) (f) ........ 11 2.2.4. IMY's assessment of Klarna's information pursuant to Article 13 (2) (a) ....... 12 2.2.5. IMY's assessment of Klarna's information pursuant to Article 13 (2) (b) ....... 14 2.2.6 IMY's assessment of Klarna's information pursuant to Article 13 (2) (f) and 14.2 g ................................................ .................................................. .... 18 3 Choice of intervention .............................................. .................................................. ....... 22 3.1 Legal regulation ............................................... ........................................... 22 3.2 Penalty fee ................................................ ........................................... 23 How to appeal............................................... .................................................. ..... 25 Postal address: Box 8114 104 20 Stockholm Website: www.imy.se E-mail: imy@imy.se Phone: 08-657 61 00, Integrity Protection Authority Record number: DI-2019-4062 2 (25) Date: 2022-03-28 The decision of the Integrity Protection Authority The Privacy Protection Authority (IMY) states that Klarna Bank AB (Klarna) during the period from 17 March 2020 to 26 June 2020 did not provide information on for which purpose and on the basis of the legal basis for the processing of personal data regarding the service "My Finance" took place. Klarna thus processed personal data in violation of Articles 5 (1) (a), 5 (2), 12 (1) and 13 (1) (c) of the Data Protection Regulation. IMY notes that Klarna left during the period March 17 to June 26, 2020 incomplete and misleading information about who were the recipients of various categories of personal data when such were shared with Swedish and foreign respectively credit reporting companies. Klarna thus processed personal data in violation of Articles 5 (1) (a), 5 (2), 12 (1) and 13 (1) (e) of the Data Protection Regulation. IMY notes that Klarna during the period March 17 to June 26, 2020 will not provided information on to which countries outside the EU / EEA personal data transferred and where and how the individual could access or obtain documents concerning the safeguard measures applicable to the transfer to a third country. Klarna thereby processed personal data in breach of Articles 5 (1) (a), 5 (2), 12 (1) and 13 (1) (f) the Data Protection Regulation. IMY notes that Klarna left during the period March 17 to June 26, 2020 incomplete information about the periods during which personal data would be stored and the criteria used to determine these periods. Klarna thereby processed personal data in breach of Articles 5 (1) (a), 5 (2), 12 (1) and 13 (2) (a) i the Data Protection Regulation. IMY notes that Klarna left during the period March 17 to June 26, 2020 insufficient information regarding the data subjects' rights as follows. the information provided about the right of the personal data controller request the deletion of personal data in accordance with Article 17 of the Data Protection Regulation did not comply with the requirement of transparency the information provided about the right of the personal data controller request a limitation of the processing of the data subject under Article 18 i the Data Protection Regulation did not comply with the requirement of transparency the information provided on the right to data portability in accordance with Article 20 i the Data Protection Regulation did not comply with the requirement of transparency information provided on the right to object to the processing of personal data under Article 21 of the Data Protection Regulation did not comply with the requirement on transparency. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with concerning the processing of personal data and on the free movement of such data and on the repeal of Directive 95/46 / EC (General Data Protection Regulation)., Integrity Protection Authority Registration number: DI-2019-4062 3 (25) Date: 2022-03-28 Klarna thus processed personal data in violation of Articles 5.1 a, 5.2, 12.1 and 13.2 b of the Data Protection Regulation. IMY states that Klarnas Data Protection Information during the period March 17 to on June 26, 2020 lacked meaningful information about the logic behind and the meaning and the foreseeable consequences of automated decision-making, including profiling, pursuant to Article 22 (1) of the Data Protection Regulation. Klarna thus treated personal data in breach of Articles 5.1 (a), 5 (2), 12 (1), 13 (2) (f) and 14 (2) (g) i the Data Protection Regulation. IMY decides on the basis of Articles 58 (2) and 83 of the Data Protection Regulation that Klarna Bank AB must pay an administrative penalty fee of 7,500,000 (seven million five hundred thousand) kroner. 1 Report on the supervisory matter Klarna provides services that involve lending, as well as payment services such as does not include lending, including payment initiation services and account information services. IMY has read Klarnas Dataskyddsinformation som is published on the company's Swedish website (https://www.klarna.com/se/). IMY has in connection with this, it has been established that there is uncertainty about, among other things, for whom purpose personal data is collected and processed and how the data thereafter gallras. Article 5 (1) (a) of the Data Protection Regulation states, inter alia, that personal data shall: treated in an open manner in relation to the data subject (the principle of transparency). It further follows from Article 5 (2) that the data controller shall be responsible for and be able to show that the principles set out in 5.1 are complied with (the principle of liability). IMY has initiated supervision of Klarna to investigate the extent to which Klarnas Data protection information meets these requirements. Within the framework of supervision, IMY has audited how Klarna complies with the provisions on clear and unambiguous information and communication under Article 12 (1) and the right to information of personal data under Articles 13 and 14 and the right to information on the right to object under Article 21.4. IMY has not taken a position on Klarna's personal data processing in otherwise complies with the Data Protection Regulation. Supervision has taken place through correspondence. The inspection began on March 27, 2019 through that IMY sent a letter to Klarna with questions about the company personal data processing. The questions were based on the information provided by Klarna provided about its processing of personal data in the one published at that time The data protection information on the company's Swedish website. Klarna came in with one opinion on 26 April 2019. An annex with a summary was attached to the opinion over the purposes for which each category of personal data was processed indication of the applicable retention period. Klarna then revised his Data protection information as of 19 July 2019. Due to Klarna's opinion and the company's revised Data Protection Information asked IMY supplementary questions the company in a letter dated 1 August 2019. Klarna subsequently submitted an opinion on September 27, 2019. Klarna subsequently revised its Data Protection Information as of the 17th March 2020. Klarna again revised its Data Protection Information on 26 June 2020. IMY has also obtained the terms of service for the account information service "My Finances" as Klarna in its first statement to the IMY stated that the consumer accepts "Special conditions" for this service. IMY's assessment refers to Klarnas Data protection information as it was designed from 17 March 2020 to 26 June, Privacy Protection Agency Record number: DI-2019-4062 4 (25) Date: 2022-03-28 2020, Appendix 1, and Klarnas Terms of Use as they were drafted on April 2, 2020, Appendix 2. IMY describes what Klarna has stated in its opinions in relevant parts below the reasons for the decision below. 2 Grounds for the decision 2.1 Applicable provisions Article 5 (1) (a) of the Data Protection Regulation states, inter alia, that the data shall: processed in a legal, correct and transparent manner in relation to the data subject (legality, correctness and transparency). It further follows from Article 5 (2) that the data controller shall be responsible for and be able to show that the principles listed in 5.1 are complied with (liability). It follows from Article 12 (1) of the Data Protection Regulation that the controller shall: take appropriate measures to provide the data subject with all information that: referred to in Articles 13 and 14 and all communications pursuant to Articles 15 to 22 and 34 which refers to treatment in a concise, clear and distinct, comprehensible and easily accessible form, using clear and unambiguous language, in particular for information that is specific aimed at children. The information must be provided in writing, or in some other form, including, where appropriate, in electronic form. If the data subject requests it may the information is provided orally, provided that the identity of the data subject has been proven in other ways. Article 13 of the Data Protection Regulation stipulates the information to be provided if the personal data is collected from the data subject. Article 13 (1) states this that if personal data concerning a registered person is collected from the data subject, the person responsible for personal data shall, when the personal data is obtained, to the data subject provide information as set out in Article 13 (1) (a) to (f). It follows from Article 13 (2) that it person responsible for personal data in the collection of personal data, in addition to the information referred to in paragraph 1, shall provide the data subject with additional information in accordance with 13.2 a-f, which is required to ensure fair and transparent treatment. According to Article 13 (3) in addition, the person responsible for personal data, if he intends to process personal data for a purpose other than that for which they were collected, before that further processing provide the registered information about this second purpose as well additional relevant information pursuant to paragraph 2. Article 13 (4) states that paragraphs 1, 2 and 3 shall not apply if and to the extent that the data subject already has the information. It follows from recital 39 that any processing of personal data must be lawful and fair. It should be clear to natural persons how personal data concerns them collected, used, consulted or otherwise treated and in which the extent to which personal data is processed or will be processed. The principle of openness requires that all information and communication in connection with the processing of this personal data is easily accessible and easy to understand and that a clear language is used. This principle applies above all to the information to registered about the identity of the data controller and the purpose of the processing as well as additional information to ensure fair and open treatment for those concerned natural persons and their right to receive confirmation and notification of which personal data concerning those processed. Natural people should be made aware on risks, rules, protective measures and rights in connection with the processing of, The Swedish Data Protection Agency Record number: DI-2019-4062 5 (25) Date: 2022-03-28 personal data and how they can exercise their rights with respect to the treatment. Recital 60 states that the principles of fair and transparent treatment require that data subjects are informed that treatment is taking place and the purpose of it. The personal data controller should provide the data subject with all additional information such as required to ensure fair and transparent treatment, taking into account the specific circumstances and context of personal data processing. In addition the data subject should be informed of the existence of profiling and of the consequences of such profiling. If the personal data is collected from it registered, he should also be informed if he or she is obliged to provide personal data and the consequences if he or she does not provide them. This information may be provided combined with standardized symbols to provide one clear, comprehensible, easy-to-read and meaningful overview of the planned the treatment. If such symbols are displayed electronically, they should be machine-readable. It follows from recital 61, inter alia, that information on the processing of personal data concerning the data subject should be provided to him or her at that time the personal data is collected from the data subject or, if the personal data is obtained directly from another source, within a reasonable period, depending on the circumstances of the case. If personal data can be legitimately disclosed to another recipient, they should registered persons are informed the first time the personal data is disclosed to this receiver. As regards the concept of profiling, this is defined in Article 4 (4) as any form of profiling automatic processing of personal data consisting of that personal data used to assess certain personal characteristics of a natural person, in particular to analyze or predict the work performance of this natural person, financial situation, health, personal preferences, interests, reliability, behavior, whereabouts or transfers, Article 22 regulates automated individual decision-making, including profiling. Of the provision states that the data subject shall have the right not to be the subject of a decision based solely on automated processing, including profiling, which has legal consequences for him or her or similarly significantly affect him or her. Examples of such decisions are given in recital 71, among others automated rejection of an online credit application. Exceptions to this prohibition apply if the decision is necessary for the conclusion or performance of an agreement between it registered and the data controller, such decisions are permitted under Union law or the national law of a Member State to which the controller is subject and which lays down appropriate measures to protect the data subject's rights, freedoms and legitimate interests, or is based on the express consent of the data subject. If an exception may be made in connection with an agreement or due to consent, it shall personal data controllers implement appropriate measures to ensure this registered rights, freedoms and legal interests, at least the right to personal contact with the personal data controller to be able to express their opinion and dispute the decision. Finally, the former so-called Article 29 Working Party has developed guidelines on partly openness, WP260 rev.01 (WP260), partly about automated individually decision-making and profiling, WP251 rev.01 (WP251), which are described in relevant parts under the IMY assessments below. The European Data Protection Board, EDPB, has endorsed these guidelines. Initially, however, the following can be highlighted. Article, Integrity Protection Authority Record number: DI-2019-4062 6 (25) Date: 2022-03-28 The 29 Working Group emphasizes in WP260 that transparency is an overarching obligation according to the Data Protection Regulation which applies to three key areas; i) how they data subjects may be informed about fair processing; ii) how the data controllers communicate with the data subjects in relation to their rights under the Data Protection Regulation, and (iii) how the data controllers facilitate the exercised their rights. Openness is also an expression of it principle of fairness in the processing of personal data set out in Article 8 of the EU Charter on fundamental rights. Article 12 stipulates the form of information provided to the data subject; namely, in a concise, clear and distinct, comprehensible and easily accessible form, with use of clear and distinct language, in particular for information specifically aimed at children. The information shall be provided in writing, or in some other form, including, where applicable is appropriate, in electronic form. If the data subject requests it, he will receive the information provided orally, provided that the identity of the data subject has been proven in other ways. Article 13 of the Data Protection Regulation sets requirements for what information it contains the person responsible for personal data must provide the data subject if the personal data is collected from the data subject and when the information is to be provided, namely when the personal data is obtained from the data subject. However, neither Article 12 nor 13 regulates in detail the form or location of the information submitted to the data subject. WP260 states that the information should be published in for example, a data protection information made available on it website of the data controller. Furthermore, it appears that on each side of the website should have a clearly visible direct link to the data protection information that should have been provided with an appropriate heading (eg "Privacy", "Privacy Policy" or "Data protection message"). The Article 29 Working Party therefore recommends a best practice which means that a link to the data protection information is provided or that such information is provided on the same page as the personal data is obtained from, when personal data is collected online. Furthermore, the Article 29 Working Party considers that a stratified data protection information should be used if the data controller has one website so that visitors to the website can navigate to specific parts of the data protection information that is of greatest interest to them. All the information that addressed to the data subjects should, however, also be available to them on one and the same place or in a complete document (in digital or paper format), as they Registered users can easily access if they want to read all the information addressed to them. The following also appears from the above-mentioned guideline, pp. 7-9: “The requirement that information provided or communicated to the data subjects shall being in a "concise, clear and distinct" form means that those responsible for personal data should present the information / communicate in an effective and concise way to avoid information exhaustion. The information should be clearly distinguished from other information such as does not relate to privacy, such as contractual terms or general terms of use. IN Internet contexts, layered privacy policies / privacy notices can do that possible for the data subjects to go directly to a certain part of the privacy policy / privacy statement they want to read, instead of scrolling through large amounts of text to find the part in question. The requirement that the information must be "comprehensible" means that it should be understandable by one average member of the intended target group. Comprehensibility is closely linked to the requirement of a clear and distinct language. A person responsible for personal data will receive knowledge, The Swedish Data Protection Agency Record number: DI-2019-4062 7 (25) Date: 2022-03-28 about the persons about whom they collect information and can use it to determine what would probably be understandable to the target group […] An important aspect of the principle of transparency described in these provisions is that they registered in advance should be able to determine the purpose and consequences of treatment and that it should not come as a surprise to them at a later date stage how their personal data has been used. This is also an important aspect of the principle of fairness under Article 5 (1) of the Data Protection Regulation, where there is in fact a linked to recital 39, which states that natural persons “should be made aware of risks, rules, safeguards and rights in connection with the processing of personal data ”. In the case of complex, technical or unexpected data processing In particular, the Article 29 Working Party considers that data controllers are not the only ones should provide the information set out in Articles 13 and 14 (which dealt with later in these guidelines), without them even having to specify, in a separate section and in an unambiguous language, the most significant consequences of the treatment, with in other words, how the special treatment specified in a privacy policy / one privacy notice will actually affect the data subjects. In line with the principle of liability and recital 39, the data controllers should assess whether there are special risks for natural persons whose personal data are processed in one in such a way that the data subjects should be given attention. That way you can get one an overview of the types of treatments that could have the greatest impact on them registered fundamental rights and freedoms with regard to their protection personal data. "Easily accessible" means that the data subjects do not have to look for the information; it should be immediately clear to them where and how they can access the information; for example by giving the information directly or linking to the data subjects, by clear guidance or in response to a question from a natural person (eg in a privacy policy / a privacy statement in several layers online, in "Frequently asked questions", via contextual pop-ups that are activated when the registrants fill in one online form or in an interactive digital context via a chatbot interface etc [...] The requirement for a clear and distinct language means that the information should be provided in such a simple way as possible and that complicated sentences and language structures should be avoided. The information should be concrete and accurate, and it should not be abstract or ambiguous or can be interpreted in different ways. Above all, the purposes and legal bases should for the processing of personal data be clear. " In the following, the IMY assesses whether the requirements for transparency and information are met in different ways parts through Klarnas Data Protection Information as it was designed during the period 17 March to 26 June 2020. 2.2 IMY's assessment of Klarnas Data Protection Information meets the requirements of Articles 5 (1) (a), 5, 2, 12, 13 and 14 (i) the Data Protection Regulation 2.2.1 IMY's assessment of Klarna's information pursuant to Article 13 (1) (c) Pursuant to Article 13 (1) (c) of the Data Protection Regulation, information on the purposes must be provided with the processing for which the personal data is intended as well as the legal basis for the treatment., Integrity Protection Authority Record number: DI-2019-4062 8 (25) Date: 2022-03-28 Klarnas Data Protection Information Section 2 of Klarnas Data Protection Information is entitled “What personal data do we use? ”. Section 2.2 is entitled "Information we collect about you" and of it the introductory paragraph follows “Depending on which Services you choose to use, we can will collect the following information about you, either yourself or through third parties (for example, credit bureaus, anti-fraud agencies, shops or public databases) ”. This is followed by an enumeration of what information it "can" move about. The last point in the list shows “Service-specific personal data - within the framework of some of our Services, we may collect and process additional personal data not covered by the categories above. See Section 4 below for to find out what these additional personal data are for each Service. ”. Section 3 of the Data Protection Information is entitled “What personal data do we process, for what purpose, and on what legal basis? " and of the introductory paragraph states “Depending on which Services you use, Klarna may process your personal data for the purposes listed below, based on the legal bases which is accounted for at each purpose. You can see more specific information about how your personal data is processed in some of our Services in Section 4 below. ”. Thereafter follows a table with three columns, where the first column indicates the purpose of the treatment, the second column the personal data processed and the third column legal basis for the treatment. Section 4 of the Data Protection Information is entitled “In particular processing of personal data in some of Klarnas Tjänster ”and of the introductory paragraph appears “This section describes certain processing of your personal data that is specific to a particular Service. To get more information about our Services and theirs functionality, see the terms of use for each Service. ”. IMY's assessment IMY notes that the Data Protection Information Section 4 regarding the service “Min economy ”lacks clear information about the purposes of the treatments for which the personal data are intended as well as the legal basis for the processing in violation with the requirement of Article 13 (1) (c) of the Data Protection Regulation. The service "My Finance" is mentioned in Section 4.4 of the Data Protection Information, which is entitled “Clear user experience provided in accordance with Klarna's Terms of Use ”. It appears below the subheading “Klarna app” that “If you use the Klarna app, will personal data to be processed in order to provide the Services you choose to use inside the App, such as: […] ”, followed by a list of different services in a bulleted list. One of these services is the "My Finances" service: “Your affiliated bank accounts (My Finance Service): Through this Service get you an overview of your entire finances, not just your transactions with Klarna, but also over connected accounts. When you choose to use this Service comes Able to process information about the bank accounts and other accounts (such as card accounts) you choose to connect, and collect information such as account number, bank, historical transactions from connected accounts, as well as balances and assets. Based on that information will Klarna visualize and give you tools to control your finances, using offers tailored to your specific situation (which may involve profiling as described in Section 6). This is done by comparing yours expenses with expenses from other users of the Service. Based on the comparison, we can ,, The Swedish Data Protection Agency Record number: DI-2019-4062 9 (25) Date: 2022-03-28 together with partners to us, offer ways to minimize your fasting and variable costs." There is no information regarding the legal basis the processing of personal data regarding the service "My Finances" takes place. In addition it is not clear from the information contained in the enumeration in Section 4.4 in the Data Protection Information above, which specific personal data is processed within the framework of the service or the specific purposes of the treatment for which the personal data is intended. IMY further states that the service "My Finance" does not is mentioned in Klarnas' terms of use, which are generally available on Klarnas Swedish website, see Appendix 2 (Klarna's terms of use updated on 2 April 2020). Some separate terms or separate data protection information regarding the service, is also not generally available on Klarna's Swedish website. This notwithstanding that Klarna, on page 9 in its first statement to IMY, dated 26 April 2019, has stated that The "My Finances" service is an account information service that is available in the Klarna app after acceptance of "Klarnas Terms of Use" and that the consumer also accepts "special terms" for the service. The special conditions, "Terms of service for the My Finance service", may be taken by the consumer part of when the service is accepted. Regarding information about personal data processing according to the data protection regulation, the special conditions only refer back to The data protection information. The additional information provided in Section 4 of the The data protection information must appear in the special conditions is thus missing. IMY believes that the information that Klarna provides about the purposes of the treatment and the legal basis for the treatment does not meet the requirements of Article 13 (1) (c) (i) the Data Protection Regulation. The information is not concise, clear and distinct nor easily accessible. It therefore does not meet the requirements of Article 12 (1). The IMY considers that the infringement of Article 13 (1) (c) of the Data Protection Regulation, with account has also been taken of other infringements of Articles 13 and 14 set out in this decision, is so serious that it also infringes Articles 5 (1) a and 5.2. IMY therefore finds that Klarna violates Articles 5 (1) (a), 5 (2), 12 (1) and 13 (1) (c) i the Data Protection Regulation. 2.2.2. IMY's assessment of Klarna's information pursuant to Article 13 (1) (e) Pursuant to Article 13 (1) (e), information shall be provided on the recipients or categories of recipients who are to access the personal data, where applicable. Klarnas Data Protection Information In section 7 The data protection information informs Klarna about which stakeholders it is data subjects' personal data may be shared with. Section 7.4 describes how information is shared with credit reporting companies. Paragraph one states the following: 7.4 Credit Information Agencies If you are applying to use a Service that involves providing credit (see Section 4.1 above regarding which Services include credit), your personal data may come, Privacy Protection Agency Record number: DI-2019-4062 10 (25) Date: 2022-03-28 to be shared with credit bureaus, for the following purposes: To assess your creditworthiness in connection with your application for one of Klarna's payment methods, that confirm your identity and contact information, as well as protect you and other customers from fraud. Your phone number and address may also be shared credit bureaus to enable them to send a notification to a credit report performed on you. Depending on the rules of the country where you live will be sent a physical letter with information that a credit report has been made on you to you, or the letter is sent electronically. Your payment behavior may reported back to the credit bureaus by Klarna, which may affect your future credit rating. When a credit bureau receives an inquiry credit information from us, they may place a listing on your profile, which may seen by other companies providing credit. Credit bureaus may share your information with other organizations. The credit bureaus we collaborates with in Sweden you see here. On pages 21-22 in their second statement to IMY, Klarna dated 27 September 2019 specified the meaning of the information. Klarna states, regarding information relating to identification, which information is shared with credit reporting companies for the purposes set out in paragraph one varies depending on whether the consumer is shopping in a country that has a social security number or not. In countries there social security numbers are available parts Klarna only the consumer's social security number with credit reporting companies for the purposes requested (identification). Klarna does not have to share personal information such as address and phone number with credit reporting companies in Sweden to identify the registered person. In countries where social security numbers do not exist Klarna usually needs to share the consumer's name, address, date of birth and telephone numbers with credit reporting companies for specified purposes. With regard to the disclosure of information about the data subject's payment behavior states Clear that information about payment behavior is not reported in Swedish credit reporting companies. If, and to what extent, Klarna reports back payment behaviors to credit reporting companies in other countries where Klarna offers their services vary depending on each country's legislation and the agreement as Klarna has with the respective credit information company. IMY's assessment IMY states that the information in the Data Protection Information refers to the disclosure of personal data to both Swedish and foreign credit information companies. Which type of information provided to Swedish and foreign credit reporting companies are not listed. IMY believes that the information that Klarna provides about how information is shared credit reporting companies do not meet the requirement of transparency. The information is incomplete and does not explain what information is provided to Swedish respectively foreign credit reporting companies. The registered person may, among other things, be led to believe that information on payment behavior at Klarna is disclosed to, and registered by, Swedish credit reporting companies. This is directly misleading. IMY considers that the information that Klarna provides about the categories of recipients that shall not have access to the personal data does not meet the requirements of Article 13 (1) (e) (i) the Data Protection Regulation. The information is not concise, clear and distinct nor easily accessible. It therefore does not meet the requirements of Article 12 (1), the Privacy Protection Authority Record number: DI-2019-4062 11 (25) Date: 2022-03-28 The IMY considers that the infringement of Article 13 (1) (e) of the Data Protection Regulation, with account has also been taken of other infringements of Articles 13 and 14 set out in this decision, is so serious that it also constitutes a breach of 5.1 a and 5.2. IMY therefore finds that Klarna violates Articles 5 (1) (a), 5 (2), 12 (1) and 13 (1) (e) i the Data Protection Regulation. 2.2.3. IMY's assessment of Klarna's information pursuant to Article 13 (1) (f) According to Article 13 (1) (f), information must be provided that the data controller refers to to transfer personal data to a third country or an international organization; and whether or not a decision by the Commission on the adequate level of protection exists or, in the case of the transfers referred to in Article 46, 47 or other Article 49 (1) paragraph, reference to appropriate or appropriate protective measures and how a copy of they can be obtained or where these have been made available. Klarnas Data Protection Information Section 8 of the Data Protection Information is entitled “Where do we process yours personal data? ” and from this it follows: “We always strive to process your personal data within the EU / EEA. In some situations, such as when we share your information within the Klarna Group or with one supplier or subcontractor with operations outside the EU / EEA, can your personal data will, however, be processed outside the EU / EEA. About the store you shop at are outside the EU / EEA, our sharing with the store will also mean that yours data are transferred outside the EU / EEA. We ensure that an adequate level of protection exists, and that appropriate safeguards are taken in accordance with applicable data protection requirements, such as the GDPR, when we transfer your data outside the EU / EEA. These protective measures consist of ensuring that the third country to which the data is transmitted is the subject of a the Commission that there is an adequate level of protection, that the European Commission standard clauses have been entered into between Klarna and the recipient, or that the recipient is registered under the so-called US Privacy Shield procedure. " IMY's assessment Of the comments of the Article 29 Working Party on the information requirement in the Guideline on transparency, pages 39-40 of WP260, states the following regarding Article 13 (1) (f): "Information should be provided on the relevant article of the Data Protection Regulation for transmission and associated mechanism (eg decision on adequate level of protection under Article 45 / binding company rules in accordance with Article 47 / standardized data protection rules pursuant to Article 46 (2) / derogations and safeguard measures pursuant to Article 49, etc.). Furthermore, information is provided on where and how to access or obtain the document in question, for example by linking to the mechanism used. According to the principle of justice, it should information provided on transfers to third countries be as meaningful as possible the registered. This generally means that the names of third countries must be indicated. " IMY states that Klarnas Data Protection Information lacks information on where and how the individual can access or receive documents regarding the protection measures for, The Privacy Protection Agency Record number: DI-2019-4062 12 (25) Date: 2022-03-28 transmission as described in the Data Protection Information. Furthermore, information on countries outside the EU / EEA to which personal data are transferred, in accordance with Article 29 working group recommendation above. IMY considers that the information that Klarna provides about the personal data controller intends to transfer personal data to a third country and whether a decision of the Commission whether or not there is an adequate level of protection or, in the case of transfers referred to in Article 46, 47 or the second subparagraph of Article 49 (1), appropriate or appropriate safeguards and how a copy of them can be obtained or where these have been made available do not meet the requirements of Article 13 (1) (e) (i) the Data Protection Regulation. The information is not concise, clear and distinct nor easily accessible. It therefore does not meet the requirements of Article 12 (1). The IMY considers that the infringement of Article 13 (1) (f) of the Data Protection Regulation, taking into account also taken to other infringements of Articles 13 and 14 set out therein decision, is so serious that it also infringes Articles 5 (1) (a) and 5.2. IMY therefore finds that Klarna violates Articles 5 (1) (a), 5 (2), 12 (1) and 13 (1) (f) i the Data Protection Regulation. 2.2.4. IMY's assessment of Klarna's information pursuant to Article 13 (2) (a) According to Article 13 (2) (a), information shall be provided on the period during which personal data will be stored or, if this is not possible, the criteria set by used to determine this period. Klarnas Data Protection Information Section 9 of the Data Protection Information is entitled “How long do we save yours personal data? ” and this shows the following: “We will process your personal data for the period of time needed to pursue the respective purpose of our treatment. These purposes are presented in this Data protection information. This means that when we stop processing your personal data for a specific purpose, we may still retain the data for as long as the data are needed for other purposes, but then only for processing in accordance with the remaining purposes. Especially: As long as you have accepted Klarna's Terms of Use and until you have resigned these (by contacting us or by instructing us to remove your personal data through a request to be deleted) we will process the personal data we need to provide our Services to you, which includes information about your previous purchases. We process personal data in credit information for the purpose of re-processing Assess your credit rating for up to 90 days from that the credit report was taken. We process information about debts for the purpose of assessing yours creditworthiness for a period of three (3) years after the debt has been settled - which takes place either through payment of the debt or that the debt is written off of or sold., Integrity Protection Authority Record number: DI-2019-4062 13 (25) Date: 2022-03-28 We process recorded telephone calls to Klarna's customer service for up to 90 days from the day of recording. We process personal data for the purpose of complying with applicable legislation, such as consumer law, banking and money laundering legislation, and accounting rules. Depending on which applicable law, your personal data may be stored in up to ten years after the termination of the customer relationship. " IMY's assessment Of the comments of the Article 29 Working Party on the information requirement in the Guideline on transparency, page 40 of WP260, states the following regarding Article 13 (2) (a): "This is related to the requirement for data minimization in Article 5 (1) (c) and on storage limitation in Article 5 (1) (e). The shelf life (or the criteria used to: determine this) may be governed by factors such as statutory requirements or guidelines within industry, but it should be stated in such a way that it registered, based on its own situation, can assess the storage time for specific tasks / purposes. It is not enough that the person responsible for personal data generally states that the personal data is retained for that long necessary for the legitimate purposes of the treatment. In relevant cases different storage times should be specified for different categories of personal data and / or different processing purposes, including filing time where appropriate. " Klarna has, on page 13 in its first statement to IMY, dated April 26, 2019, stated that the purposes for which each category of personal data is processed, with applicable storage period, is reported in an appendix that has been submitted to IMY. The appendix consists of a table with three columns, where the left column shows the purposes of the treatment based on the (at the current time) description in The data protection information, the column in the middle reports the time for which Klarna processes the current category of personal data for the current purpose, ie. storage time, and the right-hand column reports comments aimed at whether special conditions for the treatment for more specific purposes or more specific personal data is available. Here it appears that Klarna processes and stores personal data for more purposes than what appears from section 9 of Klarnas data protection information. It appears, among other things, that personal data is processed and stored for research purposes for two years. Furthermore, Klarna has, on pages 13-14 in the above-mentioned opinion, stated that, in addition the purposes set out in the said appendix, Klarna processes personal data within the framework of Klarna's customer service as follows: “Incoming telephone calls are recorded for quality and security reasons. The recordings are saved for this purpose for 3 months, after which they are deleted. Incoming and outgoing e-mails are retained for 7 years from the time the message was received or sent. Information that an individual consumer has chosen to block himself from using Klarna's credit products are saved to handle the block until the consumer himself announces that he wishes to lift the block (ie. as a starting point for the time being)., The Swedish Data Protection Agency Record number: DI-2019-4062 14 (25) Date: 2022-03-28 Notes relating to a dispute or other types of disputes are kept in 10 years from the time of closing the case. The reason for this is that one consumer at a later stage may contact Klarna in the same or similar matters. The time period is based on the limitation period according to the statute of limitations (1981: 130). Notes of other kinds than above are preserved for 5 years from the time of the registration, ie. from the time the note was made. The reason for this is that one consumer at a later stage may contact Klarna in the same or similar matters. " Of these purposes and retention periods, only the preservation information of incoming phone calls for quality and safety reasons for three months that are found in section 9 of Klarnas Data Protection Information. In light of the above, IMY considers the information in Klarnas Data protection information does not comply with the requirement of Article 13 (2) (a) of the Data Protection Regulation that information must be provided about the period during which the personal data comes to be stored or the criteria used to determine this period when Klarnas opinion and appendix mentioned above clearly show that Klarna processes personal data for more purposes and has more detailed storage times, and in addition criteria such as used to determine these periods, which are not set out in section 9 of The data protection information. IMY considers that the information that Klarna provides about the period during which personal data will be stored or, if this is not possible, the criteria set by used to determine this period does not meet the requirements of Article 13 (2) (a). The information is not concise, clear and distinct, nor is it easily accessible. It meets thus not the requirements of Article 12 (1). The IMY considers that the infringement of Article 13 (2) (a) of the Data Protection Regulation, with account has also been taken of other infringements of Articles 13 and 14 set out in this decision, is so serious that it also infringes Articles 5 (1) a and 5.2. IMY therefore finds that Klarna violates Articles 5 (1) (a), 5 (2), 12 (1) and 13 (2) (a) i the Data Protection Regulation. 2.2.5. IMY's assessment of Klarna's information pursuant to Article 13 (2) (b) Pursuant to Article 13 (2) (b), information shall be provided that there is a right to it personal data controller request access to and correction or deletion of personal data or restriction of processing concerning the data subject or that object to processing and the right to data portability. It follows from the Article 29 Working Party's Guideline on Transparency WP260 (pp. 27-28) that Transparency entails three obligations for the person responsible for personal data regarding them data subjects' rights: "• To inform data subjects of their rights (in accordance with the requirements of Article 13 (2) (b) and 14.2 c)., Integrity Protection Authority Record number: DI-2019-4062 15 (25) Date: 2022-03-28 • To observe the principle of transparency (ie in terms of the quality of communication according to the article 12.1) in communicating with data subjects about their rights under Articles 15 to 22 and Article 34. • To facilitate the exercise of data subjects' rights in accordance with Articles 15 to 22. The requirements of the Data Protection Regulation regarding the exercise of these rights and the type of information required is intended to give the data subjects a significant opportunity to assert their rights and hold the data controllers accountable the processing of their personal data. Recital 59 emphasizes that procedures should: "which makes it easier for data subjects to exercise their rights" and that it personal data controllers should also “provide aids for electronically submitted requests, especially in cases where personal data are processed electronically '. That procedure which a personal data controller determines for the data subjects to be able to exercise their rights should be appropriate to the scope and type of the relationship and the interaction that exists between the data controller and the data subject. One The controller may therefore wish to establish one or more different procedures for the exercise of rights which reflect the different ways in which they registered interacts with the personal data controller. " In addition, the Article 29 Working Party makes the following comments on the information requirement in Guideline WP260 (pp.40-41), concerning Article 13 (2) (b): "This information should be specific to the treatment in question and include one summary of what the right entails, how the data subject can proceed to exercise it and the limitations to which the right may be subject (see paragraph 68) above). In particular, the right to object to treatment must be expressly notified to it registered at the latest at the first communication with the registered and be reported clearly, clearly and separately from any other information. […] " IMY notes that there is a special section in the Data Protection Information, Section 10, which is entitled "Your rights in relation to your personal data", which in turn to some extent refers to other sections of the Data Protection Information. However, IMY believes that The data protection information provides incomplete information regarding the data subjects rights, in violation of Article 13 (2) (b) of the Data Protection Regulation, as follows. The right to delete Regarding the right to deletion (Article 17), follows from Section 10 of the Data Protection Information “The right to be deleted. You have the right to request deletion of your personal data example when it is no longer necessary to process the data for the purpose they were collected, or if you withdraw your consent. As described in Sections 3 and 9 above, however, Klarna needs to follow certain laws that prevent us from deleting immediately certain information. " IMY considers that this wording does not summarize the meaning of the right in an open manner way. According to Article 17 of the Data Protection Regulation, the data subject has the right to receive his personal data deleted by the personal data controller, which, however, is not one absolute right. On the one hand, there is an enumeration in the mentioned article regarding in which case the personal data controller is obliged to delete personal data without unnecessary delay, and there are certain exceptions to this obligation for necessary treatment in some cases. It is not clear how this right relates to the right to, Integrity Protection Authority Record number: DI-2019-4062 16 (25) Date: 2022-03-28 object in accordance with Article 21. As the information is worded in The data protection information regarding this right gives it a difficult picture of what the right entails and in which cases it applies. That it refers to the general ones Sections 3 and 9 of the Data Protection Information make it even less clear. IMY assesses that the infringement of Article 13 (2) (b) with regard to the requirement to provide information on the right to deletion, taking into account also other infringements of Articles 13 and 14 which is apparent from this decision, is so serious that it also constitutes a breach of Articles 5.1 (a) and 5.2. IMY further believes that Klarna also does not meet the requirements for completion and clear information as set out in Article 12 (1). IMY therefore considers that the information in this part of the Data Protection Information does not complies with the requirement of transparency, in particular in the light of the above statements in the guidelines on transparency and thus finds that Klarna violates Articles 5.1 a, 5.2, 12.1 and 13.2 b of the Data Protection Regulation. The right to restriction Regarding the right of restriction (Article 18), the IMY finds that it is missing information about this right in the Data Protection Information. In Section 10 i However, the data protection information contains the following information “Right to oppose you processing of your personal data or objecting to our processing. If you considers that your personal data is incorrect or has been processed in violation of applicable law you have the right to ask us to stop the treatment. You can also object to ours treatment when you consider that there are circumstances that prevent the treatment carried out in accordance with applicable rules. Furthermore, you can always object to us using your marketing information. " IMY considers that the information provided is both incorrect and incomplete in relation how the right is reflected in Article 18 of the Data Protection Regulation. It summarizes thus not the right in a way that enables the data subjects to understand what it means. This in turn makes it difficult for data subjects to exercise their rights. In addition to the information being incomplete, it also involves the right to object certain treatment (marketing), without further developing what this right entails or in which situations it may be invoked (cf. Article 18 (1) (d) and the reference to Article 21 (1)). The IMY considers that the infringement of Article 13 (2) (b) what applies to the requirement for information on the right to restriction, taking into account also other infringements of Articles 13 and 14 set out in this Decision are as follows serious that it also infringes Articles 5 (1) (a) and 5 (2). IMY consider further that Klarna also does not meet the requirements for clear and distinct information that appear of Article 12.1. IMY therefore considers that the information on the right to restriction does not comply with the requirement transparency, in particular in the light of the statements made by the Article 29 Working Party above, and thus finds that Klarna violates Articles 5.1 a, 5.2, 12.1 and 13.2 b i the Data Protection Regulation. The right to data portability Regarding the right to data portability (Article 20), follows from Section 10 of the Data protection information “Right to access your data. You can request a copy of your personal information if you want to know what information we have about you. This copy can also transmitted in a machine-readable format (so-called “data portability”). ”., the Swedish Data Protection Authority. Date: 2022-03-28 IMY does not consider that information about the right has been provided in a transparent manner, then it partly has been included under the right of access even though data portability is a separate right under Article 20 of the Data Protection Regulation, partly because it has not been summarized in one clear way that enables the data subjects to understand what the right entails. According to Article 20, the right is aimed at the data subject being entitled to receive them personal data relating to him or her in a structured, widely used and machine-readable format, and has the right to transfer these to another personal data controller under certain conditions. IMY assesses that the violation of Article 13 (2) (b) as regards the requirement for information on the right to data portability, with account has also been taken of other infringements of Articles 13 and 14 set out in this decision, is so serious that it also infringes Articles 5 (1) a and 5.2. IMY further believes that Klarna also does not meet the requirements for clear and distinct information provided for in Article 12 (1). IMY therefore considers that the information regarding the right to data portability does not complies with the requirement of transparency, in particular in the light of the Article 29 Working Party statements above, and notes that Klarna violates Articles 5.1 a, 5.2, 12.1 and 13.2 b of the Data Protection Regulation. The right to object With regard to the right to object (Article 21), the IMY states that it is missing complete information about this right in the Data Protection Information. In Section 10 i The data protection information contains the following information inserted in the above the information on “Right to oppose the processing of your personal data or object to our treatment ”:“ You can also object to our treatment when you considers that there are circumstances which mean that the treatment is not carried out in accordance with applicable rules.". The following information is also available in Section 10 of Data protection information “Right to object to an automated decision. You are right to object to an automated decision made by Klarna if this decision entails legal consequences or constitutes a decision which in a similar way significantly affects you. See Section 6 above on how Klarna uses this form of automatic decision. ”. In addition, the following information is available in Section 3 of the Data Protection Information, for the purpose of processing personal data for the purpose of performing customer satisfaction surveys about Klarna's services, “You can object to this at any time preferably. You will also receive information on how to unsubscribe from this each once you are contacted for this purpose. ". The following information is also available in Section 6, regarding Klarna's profiling and automated decision-making, “Predict which marketing that may be of interest to you. You can always object to this and unsubscribe from marketing and this profiling, by contacting us. For more information about our processing of personal data to provide marketing see Section 3 above; ”, and“ You always have the right to object to one automated decisions with legal consequences or decisions that are similarly significant degree affects you (along with the coherent profiling) by contact us at the e-mail address in Section 13. An employee at Klarna will come in such cases to look at your case. ”. Under Article 21, the data subject has the right to object in several different situations. It follows from Article 21 (1) that the data subject has the right to object at any time against the processing of personal data relating to him or her on which it is based Article 6 (1) (e) (public interest) or f (legitimate interest / balancing of interests), including profiling based on these provisions. The person responsible for personal data receives, The Swedish Data Protection Agency Record number: DI-2019-4062 18 (25) Date: 2022-03-28 then no longer process the personal data, unless he can prove compelling legitimate reasons for the processing which outweigh the interests of the data subject; rights and freedoms, or whether it is for the determination, exercise or defense of legal claims. IMY states that the Data Protection Information in its entirety lacks information about the law to object to the processing of personal data based on article 6.1 (f) of the Data Protection Regulation, including profiling based on it provision, despite the fact that Klarna for several different treatments, which are described in i Section 3 of the Data Protection Information, states that this is one of the legal bases that applied and that profiling takes place. The profiling is developed in more detail in Section 6 in The data protection information, but even there there is no information about the right to object pursuant to Article 21 (1). The IMY considers that the infringement of Article 13 (2) (b) with regard to the requirement of information on the right to object, taking into account others as well infringements of Articles 13 and 14 set out in this Decision are so serious that it also infringes Articles 5 (1) (a) and 5 (2). IMY further considers that Klarna also does not meet the requirements for clear and unambiguous information set out in the article 12.1. IMY therefore considers that the information regarding the right to object in The data protection information does not comply with the requirement of transparency and thus states that Klarna violates Articles 5.1 a, 5.2, 12.1 and 13.2 b of the Data Protection Regulation. 2.2.6. IMY's assessment of Klarna's information pursuant to Article 13 (2) (f) and (2) (g) According to Articles 13 (2) (f) and 14 (2) (g), information shall be provided on the existence of automated decision-making, including profiling in accordance with Article 22 (1) and (4), whereby at least in these cases, meaningful information about the logic behind it should be provided as well the significance and the foreseeable consequences of such processing for the data subject. Applicable regulation The Article 29 Working Party's guide WP260 (pp. 22-23) states that information on the existence of automated decision-making, including profiling, in accordance with Article 22 (1) and 22.4, as well as meaningful information about the logic behind and the meaning and those the foreseeable consequences of the processing for the data subject, form part of it mandatory information that must be provided to the data subject in accordance with Article 13 (2) (f) and 14.2 g. The Article 29 Working Party has in the guidelines WP251 on automated individual decision-making and profiling described how openness should be applied precisely in question about profiling. WP251 (p. 10) emphasizes the following: The profiling process is usually not visible to the registered person. The process is done in this way that derived or derived data is created about individuals. These are "new" personal data that has not been provided directly by the data subjects. Individuals have different degrees of understanding how the process goes and can have a hard time understanding the complex techniques used in profiling and automated decision making. According to Article 12 (1), the controller shall provide the data subjects concise, clear and unambiguous, comprehensible and easily accessible information on the treatment of their personal data., Integrity Protection Authority Record number: DI-2019-4062 19 (25) Date: 2022-03-28 According to Article 22 (1), the data subject shall have the right not to be the subject of a decision which: based solely on automated processing, including profiling which has legal consequences for him or her or similarly significantly affect him or her or her. Such automated decision-making is only allowed if one of them exceptions provided for in Article 22 (2) exist. Exceptions are made in that case decision-making is necessary for the conclusion or performance of an agreement between it registered and the data controller or permitted under Union law or a national law of the Member State to which the controller is subject and which lays down appropriate measures to protect the data subject's rights, freedoms and legitimate interests or is based on the express consent of the data subject. The following is emphasized in WP251 (p. 17): Given that the central principle behind the Data Protection Regulation is transparency personal data controllers must ensure that they explain in a clear and unambiguous manner individual how profiling or automated decision making works. Especially if the treatment involves decision-making based on profiling (whether or not the treatment is subject to the provisions of Article 22) clarify to the data subject that the processing concerns both a) profiling and b) decision-making based on the profile created. Recital 60 states that the provision of profiling information is included in it the transparency obligations of the controller pursuant to Article 5 (1) (a). The data subject has the right to information from the personal data controller about "profiling", and in some case the right to object to "profiling", regardless of whether it is only automated individual decision-making based on profiling. The data subject's right to information under Articles 13 (2) (f) and 14 (2) (g) is dealt with in WP251 (p. 26): Given the potential risks to data subjects' rights and the conclusions which can be deduced from the profiling covered by Article 22 should personal data controllers pay special attention to their obligation to ensure transparency in treatment. According to Articles 13 (2) (f) and 14 (2) (g), personal data controllers shall: provide readily available information on established automated decision-making only on automated processing, including profiling, which has legal or on similarly significant consequences. If the person responsible for personal data understands automated decisions under Article 22 (1), he must tell the data subject that they apply this method; provide meaningful information about the underlying logic and explain the significance and the foreseen consequences of the treatment. The provision of this information also helps data controllers to ensure that they comply with some of the mandatory safeguards set out in Article 22 (3) and recital 71. If the automated decision-making and profiling is not covered by the definition in Article 22 (1), it is nevertheless good practice to provide the above information. In which In any case, the controller must provide sufficient information to the data subject so that the processing is considered fair and fulfills all others information requirements in Articles 13 and 14., Integrity Protection Authority Record number: DI-2019-4062 20 (25) Date: 2022-03-28 … The data controller should try to explain in a simple way the logic behind, or the criteria for arriving at, the decision. In the Data Protection Ordinance, it is imposed personal data controller to provide meaningful information about the logic behind processing, not necessarily a complex explanation of the algorithms used or to disclose the complete algorithm. The information provided should however, be comprehensive enough for the data subject to understand the reasons for the decision. Klarnas Data Protection Information Section 6 of Klarnas Data Protection Information states the following: Decisions with legal consequences or decisions that in a similar way significantly affect you Automated decisions with legal consequences or automated decisions as on similar ways significantly affect you means that certain decisions in our Services exclusively taken automatically, without the involvement of our employees, and may have significant effect on you as a customer, comparable to legal consequences. By grasping such decisions automatically increase Klarna objectivity and transparency in decisions when we offers these Services. We use this type of automated decision making when we: Decides to approve your application to use a Service such as includes credit; Decides not to approve your application to use a Service as includes credit; Decides whether you pose a fraud or money laundering risk, if ours treatment shows that your behavior indicates money laundering or fraudulent behavior, that your behavior is not consistent with previous use of our Services, or that you have attempted to conceal your true identity. IN relevant cases, Klarna also investigates whether specific customers are listed on sanction lists. See Section 3 for more information on which categories of personal data are processed for these purposes. Section 3 provides the following information regarding the data protection information credit assessment (purpose, categories of data, basis for personal data processing): Perform credit check before credit Follow the law, when the credit Contact and in question are regulated by law. granted (See Section 4.1 on Klarna's identification information, For those cases the credit Services that involve credit provided and Section 7.4 on how we financial information and is not regulated by law information on how to perform the treatment collaborates with interacts with Klarna. to be able to fulfill credit bureaus). credit agreement., Integrity Protection Authority Record number: DI-2019-4062 21 (25) Date: 2022-03-28 In its reply to IMY on 26 April 2019, Klarna has specified which categories of information processed in connection with automated decisions, including profiling for credit review purposes: Information collected from the consumer himself or generated by Klarna Personal and contact information (such as name, address, social security number / date of birth and e-mail address) Source: provided consumer when buying. Information about how the consumer has interacted with Klarna (for example outstanding debt, if the consumer has chosen to block himself from Klarnas services or have been suspended due to abuse). Source: Consumer previous relationship with Klarna. Klarna's internal credit score (which is reported in answer 4 above). Confirmation from Klarna's internal fraud check (i.e. "yes", "no" or "Additional verification required"). Source: The consumer's previous relationship with Clear, information provided by consumers at the time of purchase, or collected by Clear in connection with these. Data collected from external suppliers Personal and contact information (external verification of the consumer and his address, as well as external information about the owner of the telephone number as provided). Source: External supplier Financial information (external credit information, such as income, payment remarks or debt restructuring) Source: External supplier. Confirmation from Klarna's internal fraud check (i.e. "yes", "no" or "Additional verification required"). Source: External supplier. IMY's assessment IMY states that Klarnas Dataskyddsinformation lacks meaningful information about the logic behind as well as the significance and the anticipated consequences of such treatment for the registered. The Data Protection Information only shows that certain types of information is used in connection with the automated decision (Contact and identification information, financial information and information on how to interact with Klarna). It is not clear that Klarna uses its own internal scoring model based on other on both internal and external financial information or the types of information included in the financial information, for example information on debts of others lender. No information is given about what circumstances may be of crucial for a negative credit decision. IMY believes that the requirement to provide meaningful information about the logic behind one automated credit decision includes information about which categories of information are of crucial in the context of an internal scoring model and the possible existence of conditions that always lead to a rejection decision within the framework of the decision support it personal data controller uses., Integrity Protection Authority Record number: DI-2019-4062 22 (25) Date: 2022-03-28 IMY does not consider that the information on automated credit decisions is provided in one easily accessible way. The individual consumer should be provided with this type of difficult-to-understand information in one context instead of disseminated in different places in The data protection information. IMY believes that the information that Klarna provides about the existence of automated decision-making, including profiling in accordance with Article 22 (1) and (4) (i) the Data Protection Regulation, making it meaningful at least in these cases information about the logic behind it and the significance and the anticipated consequences of such processing for the data subject does not meet the requirements of Articles 13 (2) (f) and 14 (2) (g). The information is not concise, clear and distinct, nor is it easily accessible. It meets thus not the requirements of Article 12 (1). The IMY considers that the infringement of Articles 13 (2) (f) and 14 (2) (g), taking into account to other infringements of Articles 13 and 14 set out in this Decision, is so serious that it also infringes Articles 5 (1) (a) and 5 (2). IMY therefore finds that Klarna violates Articles 5.1 a, 5.2, 12.1, 13.2 f and 14.2 g of the Data Protection Regulation. 3 Choice of intervention 3.1 Legal regulation In the event of violations of the Data Protection Regulation, the IMY has a number of corrections powers, including reprimand, injunction and penalty fees. It follows Article 58 (2) (a) to (j) of the Data Protection Regulation. IMY shall impose penalty fees in addition to or in lieu of other corrective actions referred to in Article 58 (2), depending on the circumstances of each case. If a personal data controller or a personal data assistant, with respect to a and the same or interconnected data processing, intentionally or by negligence violates several of the provisions of this Regulation may it the total amount of the administrative penalty fee does not exceed the amount determined for the most serious infringement. It is clear from Article 83 (3) (i) the Data Protection Regulation. Each supervisory authority shall ensure that the imposition of administrative penalty fees in each individual case are effective, proportionate and dissuasive. The provided for in Article 83 (1) of the Data Protection Regulation. Article 83 (2) sets out the factors to be taken into account when deciding on an administrative penalty fee shall be imposed, but also what shall affect the penalty fee size. 3.2 Penalty fee Klarna provides payment solutions to about 90 million consumers and more than 200,000 stores in 17 countries. Klarna provides several different services that are important for the financial system, such as direct payment, various forms of “try first and pay later ”services and installments. To be able to provide these services must Ready to process a very large amount of personal data. IMY has above assessed that, The Swedish Privacy Protection Agency Record number: DI-2019-4062 23 (25) Date: 2022-03-28 Klarna has not fulfilled the basic principle of openness and they data rights of data subjects. Klarna has violated Articles 5 (1) (a), 5.2, 12.1, 13.1 c, e-f and 13.2 a-b, f and 14.2 g in the Data Protection Regulation. IMY consider not that it is a question of less serious infringements. Klarna must therefore be applied administrative penalty fees for the said infringements. IMY believes that the disclosure of information takes place via Klarnas Data protection information is one and the same data processing and that a common sanction amounts shall be determined for these. IMY states that Klarna has violated several articles covered by Article 83 (5), which means that a higher penalty amount can applied. As regards the calculation of the amount, Article 83 (5) of the Data Protection Regulation states that companies that commit infringements on which the relevant ones can be fined up to twenty million euros or four percent of total global annual sales during the previous financial year, whichever is higher. When determining the maximum amount for a penalty fee to be imposed on a company the definition of the term company used by the European Court of Justice should be used application of Articles 101 and 102 of the TFEU (see recital 150 i the Data Protection Regulation). It is clear from the case - law of the Court that this covers every unit engaging in economic activities, regardless of the legal form of the entity and the manner in which it operates financing and even if the entity in the legal sense consists of several physical or legal entities. IMY assesses that the company's turnover is to be used as a basis for calculating the administrative sanction fees that can be imposed on Klarna are Klarna's parent company Klarna Holding AB. Klarna Holding AB's annual report for the year 2020 states that annual sales in 2020 were approximately SEK 10,093,659,000. The highest penalty amount which can be determined in the case is four percent of this amount, that is to say approx SEK 404,000,000. In determining the size of the penalty fee, IMY takes into account that Klarna is one multinational company that processes personal data of a large number of registrants. Klarna processes many different categories of personal data where the data in some cases refers to financial circumstances and the creditworthiness of the data subject. IMY believes that high demands must be placed on a large company with such a comprehensive and privacy-sensitive personal data processing to provide information that is concise, clear and distinct, comprehensible and in easily accessible form. In aggravating direction speaks that there have been violations concerning articles that are central so that the data subject has the opportunity to exercise his or her rights under the Data Protection Regulation and that the information provided in The data protection information concerns a very large number of registered and that the infringement has been going on for a long time. As a mitigating circumstance, it is taken into account that Klarna has changed during the supervision and improved the information in the Data Protection Information. In view of the seriousness of the infringements and the administrative penalty fee shall be effective, proportionate and dissuasive, the IMY determines the administrative the sanction fee for Klarna Bank AB to SEK 7,500,000., The Swedish Data Protection Agency Record number: DI-2019-4062 24 (25) Date: 2022-03-28 This decision was made by Director General Lena Lindgren Schelin after the presentation by the department director Hans Kärnlöf. At the final processing has also Chief Justice David Törngren and Head of Unit Catharina Fernquist participated. Lena Lindgren Schelin, 2022-03-28 (This is an electronic signature) Appendices Appendix 1 - Klarnas Data Protection Information Appendix 2 - Klarnas Terms of Use, Integrity Protection Authority Registration number: DI-2019-4062 25 (25) Date: 2022-03-28 How to appeal If you want to appeal the decision, you must write to the Privacy Protection Authority. Enter i the letter which decision you are appealing and the change you are requesting. The appeal shall have been received by the Privacy Protection Authority no later than three weeks from the day you received part of the decision. If the appeal has been received in time, send The Integrity Protection Authority forwards it to the Administrative Court in Stockholm examination. You can e-mail the appeal to the Privacy Protection Authority if it does not contain any privacy-sensitive personal data or data that may be covered by secrecy. The authority's contact information can be found on the first page of the decision. You can e-mail the appeal to the Privacy Protection Authority if it does not contain any privacy-sensitive personal data or data that may be covered by secrecy. The authority's contact information can be found on the first page of the decision.