IMY (Sweden) - DI-2019-4062
Latest revision as of 16:24, 6 April 2022
| IMY (Sweden) - DI-2019-4062 | |
|---|---|
| Authority: | IMY (Sweden) |
| Jurisdiction: | Sweden |
| Relevant Law: | Article 5(1)(a) GDPR, Article 5(2) GDPR, Article 12(1) GDPR, Article 13(1)(c) GDPR, Article 13(1)(e) GDPR, Article 13(1)(f) GDPR, Article 13(2)(a) GDPR, Article 13(2)(b) GDPR, Article 13(2)(f) GDPR, Article 14(2)(g) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 27.03.2019 |
| Decided: | 28.03.2022 |
| Published: | 28.03.2022 |
| Fine: | 7,500,000 SEK |
| Parties: | Klarna Bank AB |
| National Case Number/Name: | DI-2019-4062 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Swedish |
| Original Source: | IMY's website (in SV) |
| Initial Contributor: | Elisavet Dravalou |
The Swedish DPA conducted an investigation and issued a fine of approximately €730,000 against Klarna Bank for not providing data subjects with adequate information about its processing activities, in violation of several provisions of Articles 5, 12, 13 and 14 GDPR.
English Summary
Facts
Klarna Bank AB is a company which provides both credit and non-credit payment solutions to approximately 90 million consumers and more than 200,000 merchants in 17 countries through a variety of financial services, such as direct payment, various forms of "try first and pay later" services and payment through installments, as well as account information services. In order to provide these services, Klarna needs to process large amounts of personal data. The Swedish DPA (IMY) initially examined Klarna's privacy policy, and noted that there was a lack of clarity regarding many aspects, and therefore decided to launch an ex officio investigation to determine Klarna's compliance with the provisions on clear information and communication to data subjects. During the investigation, Klarna continuously changed the information provided on how the company handled personal data. IMY's decision concerns the information as it stood from 17 March to 26 June 2020.
Holding
After conducting its investigation, the IMY held that Klarna had violated several GDPR provisions on information about the purpose and legal basis for the processing of personal data, the recipients of various categories of personal data, international data transfers, retention periods, data subject rights and automated decision-making, including profiling. As a common thread, the IMY held that each of these breaches also entailed a violation of Articles 5(1)(a), 5(2) and 12(1) GDPR.
Regarding the information provided by Klarna on the purpose and legal basis for the processing of personal data related to the "My Finance" and "My Economy" services, the IMY held that this information was not concise, clear and easily accessible, and did not meet the requirements of Article 13(1)(c) GDPR.
With regard to recipients, the IMY held that Klarna provided incomplete and misleading information on who the recipients of different categories of personal data were when such data were shared with Swedish and foreign credit reference agencies, in violation of Article 13(1)(e) GDPR.
Specifically on the topic of international data transfers, the IMY noted that a mere statement that personal data will be transferred to third countries, without naming these countries, was not adequate information for data subjects in this sense. Moreover, the IMY held that Klarna not only failed to provide information about the countries outside the EU/EEA to which personal data was transferred, but also as to where and how data subjects could access documents regarding the safeguards applicable to the data transfers where no adequacy decision exists between the EU and these countries, in breach of Article 13(1)(f) GDPR.
Furthermore, the IMY also held that Klarna provided incomplete information about the periods for which personal data would be retained and the criteria used to determine those periods, in violation of Article 13(2)(a) GDPR.
Regarding data subject rights, the IMY held that Klarna did not provide data subjects with adequate information related to the right to erasure of personal data under Article 17 GDPR, restriction of processing concerning the data subject under Article 18 GDPR, the right to object under Article 20 GDPR as well as the right to data portability under Article 21 GDPR, in violation of Article 13(2)(b) GDPR.
As to automated decision-making, including profiling under Articles 22(1) and (4) GDPR, the IMY noted that it was not clear whether Klarna used its own internal scoring model based on, among other things, both internal and external financial information, or what types of data are included in the financial information, such as information on liabilities with other creditors. The IMY also observed that no information was provided regarding the logic behind these processes, their significance, the types of personal data that played a decisive role when subject to a negative decision, or the foreseeable consequences for data subjects, in breach of Articles 13(2)(f) and 14(2)(g) GDPR.
In determining the administrative fine, the IMY took into account that Klarna is a multinational company that processes many different categories of personal data on a large number of data subjects, including privacy-sensitive data such as financial data and creditworthiness, and that these breaches were ongoing for a long period of time. Based on these considerations, the IMY issued a fine of approximately €730,000 (SEK 7,500,000) against Klarna Bank AB.
Comment
Klarna stated that it will appeal the decision. The IMY cited the A29WP guidelines on transparency many times in its decision, and if a data controller involved in complex processing activities follows these guidelines by the book, it will end up with a complex, lengthy and reader-unfriendly privacy notice, which is the exact opposite of what the GDPR requires. The question raised here is where the balance lies between too little and too much information.
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.
1 (25) Klarna Bank AB
Record number: DI-2019-4062
Decision after supervision under the Data Protection Regulation - Klarna Bank AB
Date: 2022-03-28

Contents
The decision of the Integrity Protection Authority (p. 2)
1 Report on the supervisory matter (p. 3)
2 Grounds for the decision (p. 4)
2.1 Applicable provisions (p. 4)
2.2 IMY's assessment of whether Klarna's Data Protection Information meets the requirements of Articles 5(1)(a), 5(2), 12, 13 and 14 of the Data Protection Regulation (p. 7)
2.2.1 IMY's assessment of Klarna's information pursuant to Article 13(1)(c) (p. 7)
2.2.2 IMY's assessment of Klarna's information pursuant to Article 13(1)(e) (p. 9)
2.2.3 IMY's assessment of Klarna's information pursuant to Article 13(1)(f) (p. 11)
2.2.4 IMY's assessment of Klarna's information pursuant to Article 13(2)(a) (p. 12)
2.2.5 IMY's assessment of Klarna's information pursuant to Article 13(2)(b) (p. 14)
2.2.6 IMY's assessment of Klarna's information pursuant to Articles 13(2)(f) and 14(2)(g) (p. 18)
3 Choice of intervention (p. 22)
3.1 Legal regulation (p. 22)
3.2 Penalty fee (p. 23)
How to appeal (p. 25)
Postal address: Box 8114, 104 20 Stockholm. Website: www.imy.se. E-mail: imy@imy.se. Phone: 08-657 61 00

The decision of the Integrity Protection Authority

The Integrity Protection Authority (IMY) finds that Klarna Bank AB (Klarna), during the period 17 March 2020 to 26 June 2020, did not provide information on the purpose of, and the legal basis for, the processing of personal data in respect of the service "My Finance". Klarna thereby processed personal data in breach of Articles 5(1)(a), 5(2), 12(1) and 13(1)(c) of the Data Protection Regulation.

IMY finds that Klarna, during the period 17 March to 26 June 2020, provided incomplete and misleading information about who the recipients of various categories of personal data were when such data were shared with Swedish and foreign credit reference agencies. Klarna thereby processed personal data in breach of Articles 5(1)(a), 5(2), 12(1) and 13(1)(e) of the Data Protection Regulation.

IMY finds that Klarna, during the period 17 March to 26 June 2020, did not provide information on the countries outside the EU/EEA to which personal data were transferred, or on where and how the individual could access or obtain documents concerning the safeguards applicable to the transfer to a third country. Klarna thereby processed personal data in breach of Articles 5(1)(a), 5(2), 12(1) and 13(1)(f) of the Data Protection Regulation.

IMY finds that Klarna, during the period 17 March to 26 June 2020, provided incomplete information about the periods for which personal data would be stored and the criteria used to determine those periods. Klarna thereby processed personal data in breach of Articles 5(1)(a), 5(2), 12(1) and 13(2)(a) of the Data Protection Regulation.
IMY finds that Klarna, during the period 17 March to 26 June 2020, provided insufficient information regarding the data subjects' rights, as follows:
- the information provided about the right to request that the controller erase personal data under Article 17 of the Data Protection Regulation did not meet the requirement of transparency;
- the information provided about the right to request that the controller restrict processing concerning the data subject under Article 18 of the Data Protection Regulation did not meet the requirement of transparency;
- the information provided about the right to data portability under Article 20 of the Data Protection Regulation did not meet the requirement of transparency;
- the information provided about the right to object to the processing of personal data under Article 21 of the Data Protection Regulation did not meet the requirement of transparency.
Klarna thereby processed personal data in breach of Articles 5(1)(a), 5(2), 12(1) and 13(2)(b) of the Data Protection Regulation.

IMY finds that Klarna's Data Protection Information, during the period 17 March to 26 June 2020, lacked meaningful information about the logic involved in, and the significance and foreseeable consequences of, automated decision-making, including profiling, under Article 22(1) of the Data Protection Regulation. Klarna thereby processed personal data in breach of Articles 5(1)(a), 5(2), 12(1), 13(2)(f) and 14(2)(g) of the Data Protection Regulation.

Footnote: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
IMY decides, on the basis of Articles 58(2) and 83 of the Data Protection Regulation, that Klarna Bank AB must pay an administrative fine of SEK 7,500,000 (seven million five hundred thousand kronor).

1 Report on the supervisory matter

Klarna provides services that involve lending, as well as payment services that do not involve lending, including payment initiation services and account information services. IMY has reviewed Klarna's Data Protection Information as published on the company's Swedish website (https://www.klarna.com/se/). In doing so, IMY found that there was uncertainty about, among other things, the purposes for which personal data are collected and processed and how the data are subsequently erased.

Article 5(1)(a) of the Data Protection Regulation states, inter alia, that personal data shall be processed in a transparent manner in relation to the data subject (the principle of transparency). It further follows from Article 5(2) that the controller shall be responsible for, and be able to demonstrate, compliance with the principles set out in Article 5(1) (the principle of accountability). IMY initiated supervision of Klarna to investigate the extent to which Klarna's Data Protection Information meets these requirements. Within the framework of the supervision, IMY has examined how Klarna complies with the provisions on clear and transparent information and communication under Article 12(1), the right to information under Articles 13 and 14, and the right to information about the right to object under Article 21(4). IMY has not taken a position on whether Klarna's processing of personal data otherwise complies with the Data Protection Regulation.

The supervision was conducted through correspondence. The inspection began on 27 March 2019, when IMY sent Klarna a letter with questions about the company's processing of personal data.
The questions were based on the information Klarna had provided about its processing of personal data in the Data Protection Information published on the company's Swedish website at that time. Klarna submitted an opinion on 26 April 2019. Attached to the opinion was an annex summarising the purposes for which each category of personal data was processed, with an indication of the applicable retention period. Klarna then revised its Data Protection Information as of 19 July 2019. In light of Klarna's opinion and the company's revised Data Protection Information, IMY put supplementary questions to the company in a letter dated 1 August 2019. Klarna submitted a further opinion on 27 September 2019. Klarna subsequently revised its Data Protection Information as of 17 March 2020, and again on 26 June 2020. IMY has also obtained the terms of service for the account information service "My Finances", since Klarna in its first statement to IMY stated that the consumer accepts "Special conditions" for this service.

IMY's assessment refers to Klarna's Data Protection Information as it was drafted from 17 March 2020 to 26 June 2020 (Appendix 1) and Klarna's Terms of Use as they were drafted on 2 April 2020 (Appendix 2). IMY sets out what Klarna has stated in its opinions, in relevant parts, in the grounds for the decision below.

2 Grounds for the decision

2.1 Applicable provisions

Article 5(1)(a) of the Data Protection Regulation states, inter alia, that personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject (lawfulness, fairness and transparency). It further follows from Article 5(2) that the controller shall be responsible for, and be able to demonstrate, compliance with the principles listed in Article 5(1) (accountability).
It follows from Article 12(1) of the Data Protection Regulation that the controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.

Article 13 of the Data Protection Regulation stipulates the information to be provided where personal data are collected from the data subject. Article 13(1) states that where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when the personal data are obtained, provide the data subject with the information set out in Article 13(1)(a) to (f). It follows from Article 13(2) that, in addition to the information referred to in paragraph 1, the controller shall, at the time when the personal data are obtained, provide the data subject with the further information in Article 13(2)(a) to (f) necessary to ensure fair and transparent processing. According to Article 13(3), where the controller intends to further process the personal data for a purpose other than that for which they were collected, the controller shall, prior to that further processing, provide the data subject with information on that other purpose and with any relevant further information as referred to in paragraph 2. Article 13(4) states that paragraphs 1, 2 and 3 shall not apply where and insofar as the data subject already has the information.
It follows from recital 39 that any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed, and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing, and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing.

Recital 60 states that the principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any further information necessary to ensure fair and transparent processing, taking into account the specific circumstances and context in which the personal data are processed. Furthermore, the data subject should be informed of the existence of profiling and of the consequences of such profiling. Where the personal data are collected from the data subject, the data subject should also be informed whether he or she is obliged to provide the personal data and of the consequences where he or she does not provide such data.
That information may be provided in combination with standardised icons in order to give, in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing. Where the icons are presented electronically, they should be machine-readable.

It follows from recital 61, inter alia, that the information in relation to the processing of personal data relating to the data subject should be given to him or her at the time of collection from the data subject or, where the personal data are obtained from another source, within a reasonable period, depending on the circumstances of the case. Where personal data can be legitimately disclosed to another recipient, the data subject should be informed when the personal data are first disclosed to that recipient.

As regards the concept of profiling, Article 4(4) defines it as any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Article 22 regulates automated individual decision-making, including profiling. The provision states that the data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. Recital 71 gives examples of such decisions, including the automatic refusal of an online credit application.
Exceptions to this prohibition apply if the decision is necessary for entering into, or performance of, a contract between the data subject and the controller; is authorised by Union or Member State law to which the controller is subject and which lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or is based on the data subject's explicit consent. Where an exception is made on the basis of a contract or consent, the controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

Finally, the former Article 29 Working Party has developed guidelines on transparency, WP260 rev.01 (WP260), and on automated individual decision-making and profiling, WP251 rev.01 (WP251), which are described in relevant parts under IMY's assessments below. The European Data Protection Board (EDPB) has endorsed these guidelines. The following can, however, be highlighted at the outset. In WP260 the Article 29 Working Party emphasises that transparency is an overarching obligation under the Data Protection Regulation that applies to three central areas: (i) how data subjects are informed about fair processing; (ii) how controllers communicate with data subjects in relation to their rights under the Data Protection Regulation; and (iii) how controllers facilitate the exercise of those rights. Transparency is also an expression of the principle of fairness in the processing of personal data set out in Article 8 of the EU Charter of Fundamental Rights.
Article 12 stipulates the form in which information is to be provided to the data subject, namely in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means. Article 13 of the Data Protection Regulation sets out what information the controller must provide to the data subject where the personal data are collected from the data subject, and when the information is to be provided, namely when the personal data are obtained from the data subject. Neither Article 12 nor Article 13, however, regulates in detail the form or location of the information provided to the data subject.

WP260 states that the information should be published in, for example, data protection information made available on the controller's website. It further states that every page of the website should have a clearly visible direct link to the data protection information, under an appropriate heading (e.g. "Privacy", "Privacy Policy" or "Data Protection Notice"). The Article 29 Working Party therefore recommends, as best practice, that a link to the data protection information be provided, or that the information be provided on the same page on which the personal data are collected, when personal data are collected online. The Article 29 Working Party further considers that layered data protection information should be used where the controller has a website, so that visitors can navigate to the particular parts of the data protection information that are of most interest to them.
All the information addressed to data subjects should, however, also be available to them in one place or in one complete document (in digital or paper format), which data subjects can easily access if they wish to read all the information addressed to them. The same guidelines, pp. 7-9, also state the following:

"The requirement that information and communication provided to data subjects be in a "concise and transparent" form means that controllers should present the information/communication efficiently and succinctly in order to avoid information fatigue. The information should be clearly differentiated from other non-privacy-related information, such as contractual provisions or general terms of use. In an online context, layered privacy statements/notices can allow data subjects to navigate directly to the particular section of the privacy statement/notice that they wish to read, rather than having to scroll through large amounts of text to find the section in question. The requirement that the information be "intelligible" means that it should be understood by an average member of the intended audience. Intelligibility is closely linked to the requirement to use clear and plain language. A controller has knowledge of the people it collects information about and can use this to determine what the intended audience would likely understand […] An important aspect of the principle of transparency outlined in these provisions is that data subjects should be able to determine in advance what the purpose and consequences of the processing will be, and that they should not be taken by surprise at a later point about the ways in which their personal data have been used.
This is also an important aspect of the principle of fairness under Article 5(1) of the Data Protection Regulation, which is in fact linked to recital 39, which states that natural persons "should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data". In particular for complex, technical or unexpected data processing, the Article 29 Working Party considers that controllers should not only provide the information set out in Articles 13 and 14 (dealt with later in these guidelines) but should also separately spell out, in unambiguous language, the most important consequences of the processing: in other words, how the specific processing described in a privacy statement/notice will actually affect the data subjects. In accordance with the principle of accountability and recital 39, controllers should assess whether there are particular risks for the natural persons whose personal data are processed in this way which data subjects' attention should be drawn to. This can help to provide an overview of the types of processing that could have the greatest impact on the fundamental rights and freedoms of data subjects in relation to the protection of their personal data. "Easily accessible" means that data subjects should not have to seek out the information; it should be immediately apparent to them where and how the information can be accessed, for example by providing it directly to them, by linking them to it, by clear signposting, or as an answer to a question from a natural person (e.g. in an online layered privacy statement/notice, in "Frequently asked questions", by way of contextual pop-ups which activate when a data subject fills in an online form, or in an interactive digital context through a chatbot interface, etc.) [...]
The requirement for clear and plain language means that information should be provided in as simple a manner as possible, avoiding complex sentence and language structures. The information should be concrete and definitive; it should not be phrased in abstract or ambivalent terms or leave room for different interpretations. In particular, the purposes of, and legal basis for, the processing of the personal data should be clear."

In the following, IMY assesses whether the requirements of transparency and information are met, in different respects, by Klarna's Data Protection Information as it was drafted during the period 17 March to 26 June 2020.

2.2 IMY's assessment of whether Klarna's Data Protection Information meets the requirements of Articles 5(1)(a), 5(2), 12, 13 and 14 of the Data Protection Regulation

2.2.1 IMY's assessment of Klarna's information pursuant to Article 13(1)(c)

Pursuant to Article 13(1)(c) of the Data Protection Regulation, information must be provided on the purposes of the processing for which the personal data are intended as well as the legal basis for the processing.

Klarna's Data Protection Information

Section 2 of Klarna's Data Protection Information is entitled "What personal data do we use?". Section 2.2 is entitled "Information we collect about you" and its introductory paragraph reads: "Depending on which Services you choose to use, we may collect the following information about you, either from you or through third parties (for example credit bureaus, anti-fraud agencies, stores or public databases)". This is followed by an enumeration of what information this "may" concern. The last item in the list reads: "Service-specific personal data - within the framework of some of our Services, we may collect and process additional personal data not covered by the categories above.
See Section 4 below to find out what these additional personal data are for each Service." Section 3 of the Data Protection Information is entitled "What personal data do we process, for what purpose, and on what legal basis?", and its introductory paragraph states: "Depending on which Services you use, Klarna may process your personal data for the purposes listed below, based on the legal bases set out for each purpose. You can see more specific information about how your personal data is processed in some of our Services in Section 4 below." There then follows a table with three columns, where the first column indicates the purpose of the processing, the second column the personal data processed, and the third column the legal basis for the processing. Section 4 of the Data Protection Information is entitled "Particular processing of personal data in some of Klarna's Services", and its introductory paragraph states: "This section describes certain processing of your personal data that is specific to a particular Service. For more information about our Services and their functionality, see the terms of use for each Service."

IMY's assessment

IMY notes that Section 4 of the Data Protection Information, regarding the service "My Finances", lacks clear information about the purposes of the processing for which the personal data are intended as well as the legal basis for the processing, contrary to the requirement of Article 13(1)(c) of the Data Protection Regulation. The "My Finances" service is mentioned in Section 4.4 of the Data Protection Information, which is entitled "Klarna user experience provided in accordance with Klarna's Terms of Use". Under the subheading "Klarna app" it states: "If you use the Klarna app, personal data will be processed in order to provide the Services you choose to use within the App, such as: [...]", followed by a bulleted list of different services.
One of these services is the "My Finances" service: "Your connected bank accounts (My Finances Service): Through this Service you get an overview of your entire finances, not just your transactions with Klarna but also your connected accounts. When you choose to use this Service, Klarna will process information about the bank accounts and other accounts (such as card accounts) you choose to connect, and collect information such as account number, bank, historical transactions from connected accounts, as well as balances and assets. Based on that information, Klarna will visualise your finances and give you tools to control them, using offers tailored to your specific situation (which may involve profiling as described in Section 6). This is done by comparing your expenses with the expenses of other users of the Service. Based on the comparison, we can, together with our partners, offer ways to minimise your fixed and variable costs."

There is no information on the legal basis on which the processing of personal data in relation to the "My Finances" service takes place. In addition, it is not clear from the information contained in the enumeration in Section 4.4 of the Data Protection Information quoted above which specific personal data are processed within the framework of the service, or the specific purposes of the processing for which the personal data are intended. IMY further notes that the "My Finances" service is not mentioned in Klarna's terms of use, which are generally available on Klarna's Swedish website, see Appendix 2 (Klarna's terms of use updated on 2 April 2020). Nor are any separate terms or separate data protection information regarding the service generally available on Klarna's Swedish website.
This is notwithstanding that Klarna, on page 9 of its first statement to IMY, dated 26 April 2019, stated that the "My Finances" service is an account information service which is available in the Klarna app after acceptance of "Klarna's Terms of Use", and that the consumer also accepts "special terms" for the service. The special terms, "Terms of service for the My Finances service", can be read by the consumer when the service is accepted. As regards information about the processing of personal data under the Data Protection Regulation, the special terms only refer back to the Data Protection Information. The additional information which, according to Section 4 of the Data Protection Information, is to appear in the special terms is thus missing.

IMY considers that the information Klarna provides about the purposes of the processing and the legal basis for the processing does not meet the requirements of Article 13(1)(c) of the Data Protection Regulation. The information is not concise, clear and plain, nor is it easily accessible. It therefore does not meet the requirements of Article 12(1). IMY considers that the infringement of Article 13(1)(c) of the Data Protection Regulation, taking into account also the other infringements of Articles 13 and 14 set out in this decision, is so serious that it also constitutes an infringement of Articles 5(1)(a) and 5(2). IMY therefore finds that Klarna is in breach of Articles 5(1)(a), 5(2), 12(1) and 13(1)(c) of the Data Protection Regulation.

2.2.2 IMY's assessment of Klarna's information pursuant to Article 13(1)(e)

Pursuant to Article 13(1)(e), information shall be provided on the recipients or categories of recipients of the personal data, if any.

Klarna's Data Protection Information

In Section 7 of the Data Protection Information, Klarna informs the data subjects about the parties with which their personal data may be shared.
Section 7.4 describes how information is shared with credit reference agencies. Its first paragraph reads as follows:

"7.4 Credit reference agencies. If you apply to use a Service that involves the provision of credit (see Section 4.1 above regarding which Services include credit), your personal data may be shared with credit reference agencies for the following purposes: to assess your creditworthiness in connection with your application for one of Klarna's payment methods, to confirm your identity and contact details, and to protect you and other customers from fraud. Your telephone number and address may also be shared with credit reference agencies to enable them to send you a notification of a credit check carried out on you. Depending on the rules of the country where you live, a physical letter informing you that a credit check has been carried out on you will be sent to you, or the letter will be sent electronically. Your payment behaviour may be reported back to the credit reference agencies by Klarna, which may affect your future credit rating. When a credit reference agency receives a request for credit information from us, it may place a note on your profile, which may be seen by other companies that provide credit. Credit reference agencies may share your information with other organisations. The credit reference agencies we work with in Sweden can be seen here."

On pages 21-22 of its second statement to IMY, dated 27 September 2019, Klarna clarified the meaning of this information. Regarding information relating to identification, Klarna states that which information is shared with credit reference agencies for the purposes set out in the first paragraph varies depending on whether or not the consumer is shopping in a country that has personal identity numbers. In countries where personal identity numbers exist, Klarna shares only the consumer's personal identity number with credit reference agencies for the purpose in question (identification).
Klarna does not need to share personal data such as address and telephone number with credit reference agencies in Sweden in order to identify the data subject. In countries where personal identity numbers do not exist, Klarna usually needs to share the consumer's name, address, date of birth and telephone number with credit reference agencies for the stated purposes. With regard to the disclosure of information about the data subject's payment behaviour, Klarna states that information about payment behaviour is not reported to Swedish credit reference agencies. Whether, and to what extent, Klarna reports payment behaviour back to credit reference agencies in other countries where Klarna offers its services varies depending on each country's legislation and the agreement Klarna has with the respective credit reference agency.

IMY's assessment

IMY notes that the information in the Data Protection Information refers to the disclosure of personal data to both Swedish and foreign credit reference agencies. Which type of information is provided to Swedish and to foreign credit reference agencies respectively is not set out. IMY considers that the information Klarna provides about how information is shared with credit reference agencies does not meet the requirement of transparency. The information is incomplete and does not explain what information is provided to Swedish and to foreign credit reference agencies respectively. The data subject may, among other things, be led to believe that information on payment behaviour at Klarna is disclosed to, and registered by, Swedish credit reference agencies. This is directly misleading. IMY considers that the information Klarna provides about the categories of recipients that will have access to the personal data does not meet the requirements of Article 13(1)(e) of the Data Protection Regulation. The information is not concise, clear and plain, nor is it easily accessible.
It therefore does not meet the requirements of Article 12(1). IMY considers that the infringement of Article 13(1)(e) of the Data Protection Regulation, taking into account also the other infringements of Articles 13 and 14 set out in this decision, is so serious that it also constitutes a breach of Articles 5(1)(a) and 5(2). IMY therefore finds that Klarna is in breach of Articles 5(1)(a), 5(2), 12(1) and 13(1)(e) of the Data Protection Regulation.

2.2.3 IMY's assessment of Klarna's information pursuant to Article 13(1)(f)

According to Article 13(1)(f), information must be provided that the controller intends to transfer personal data to a third country or an international organisation, and on the existence or absence of a Commission adequacy decision or, in the case of transfers referred to in Article 46, 47 or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and how a copy of them can be obtained or where they have been made available.

Klarna's Data Protection Information

Section 8 of the Data Protection Information is entitled "Where do we process your personal data?" and states: "We always strive to process your personal data within the EU/EEA. In some situations, such as when we share your information within the Klarna Group or with a supplier or subcontractor with operations outside the EU/EEA, your personal data may, however, be processed outside the EU/EEA. If the store you shop at is located outside the EU/EEA, our sharing with the store will also mean that your data are transferred outside the EU/EEA. We ensure that an adequate level of protection exists, and that appropriate safeguards are taken in accordance with applicable data protection requirements, such as the GDPR, when we transfer your data outside the EU/EEA.
These safeguards consist of ensuring that the third country to which the data are transferred is the subject of a Commission decision that an adequate level of protection exists, that the European Commission's standard contractual clauses have been entered into between Klarna and the recipient, or that the recipient is registered under the so-called US Privacy Shield procedure."

IMY's assessment

The comments of the Article 29 Working Party on the information requirement in the Guidelines on transparency, pages 39-40 of WP260, state the following regarding Article 13(1)(f): "Information should be provided on the relevant article of the Data Protection Regulation permitting the transfer and on the corresponding mechanism (e.g. adequacy decision under Article 45 / binding corporate rules under Article 47 / standard data protection clauses under Article 46(2) / derogations and safeguards under Article 49, etc.). Information should also be provided on where and how the relevant document can be accessed or obtained, for example by linking to the mechanism used. In accordance with the principle of fairness, the information provided on transfers to third countries should be as meaningful as possible to the data subjects. This will generally mean that the third countries are named."

IMY notes that Klarna's Data Protection Information lacks information on where and how the individual can access or obtain documents regarding the safeguards for the transfers described in the Data Protection Information. Furthermore, it lacks information on the countries outside the EU/EEA to which personal data are transferred, in accordance with the Article 29 Working Party's recommendation above.
IMY considers that the information Klarna provides about whether the controller intends to transfer personal data to a third country, about the existence or absence of a Commission adequacy decision or, in the case of transfers referred to in Article 46, 47 or the second subparagraph of Article 49(1), about the appropriate or suitable safeguards and how a copy of them can be obtained or where they have been made available, does not meet the requirements of Article 13(1)(e) of the Data Protection Regulation. The information is not concise, clear and plain, nor is it easily accessible. It therefore does not meet the requirements of Article 12(1). IMY considers that the infringement of Article 13(1)(f) of the Data Protection Regulation, taking into account also the other infringements of Articles 13 and 14 set out in this decision, is so serious that it also infringes Articles 5(1)(a) and 5(2). IMY therefore finds that Klarna is in breach of Articles 5(1)(a), 5(2), 12(1) and 13(1)(f) of the Data Protection Regulation.

2.2.4 IMY's assessment of Klarna's information pursuant to Article 13(2)(a)

According to Article 13(2)(a), information shall be provided on the period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period.

Klarna's Data Protection Information

Section 9 of the Data Protection Information is entitled "How long do we save your personal data?" and states the following: "We will process your personal data for the period of time needed to fulfil the respective purpose of our processing. These purposes are presented in this Data Protection Information. This means that when we stop processing your personal data for a specific purpose, we may still retain the data for as long as they are needed for other purposes, but then only for processing in accordance with the remaining purposes.
In particular: For as long as you have accepted Klarna's Terms of Use and until you have terminated them (by contacting us or by instructing us to remove your personal data through a request for deletion), we will process the personal data we need to provide our Services to you, which includes information about your previous purchases. We process personal data in credit reports for the purpose of re-assessing your creditworthiness for up to 90 days from the date the credit report was obtained. We process information about debts for the purpose of assessing your creditworthiness for a period of three (3) years after the debt has been settled, which takes place either through payment of the debt or through the debt being written off or sold. We process recorded telephone calls to Klarna's customer service for up to 90 days from the day of recording. We process personal data for the purpose of complying with applicable legislation, such as consumer law, banking and anti-money-laundering legislation, and accounting rules. Depending on the applicable law, your personal data may be stored for up to ten years after the termination of the customer relationship."

IMY's assessment

The comments of the Article 29 Working Party on the information requirement in the Guidelines on transparency, page 40 of WP260, state the following regarding Article 13(2)(a): "This is linked to the requirement of data minimisation in Article 5(1)(c) and of storage limitation in Article 5(1)(e). The storage period (or the criteria used to determine it) may be dictated by factors such as statutory requirements or industry guidelines, but it should be phrased in such a way that the data subject, on the basis of his or her own situation, can assess the storage period for specific data / purposes.
It is not sufficient for the controller to state generically that personal data are retained for as long as is necessary for the legitimate purposes of the processing. Where relevant, different storage periods should be specified for different categories of personal data and/or different processing purposes, including archiving periods where appropriate."

Klarna has, on page 13 of its first statement to IMY, dated 26 April 2019, stated that the purposes for which each category of personal data is processed, together with the applicable storage period, are set out in an appendix submitted to IMY. The appendix consists of a table with three columns: the left-hand column shows the purposes of the processing based on the description in the Data Protection Information (at the time), the middle column states the period for which Klarna processes the relevant category of personal data for the relevant purpose, i.e. the storage period, and the right-hand column contains comments on whether special conditions apply to the processing for more specific purposes or for more specific personal data. It appears from this that Klarna processes and stores personal data for more purposes than those set out in Section 9 of Klarna's Data Protection Information. Among other things, it appears that personal data are processed and stored for research purposes for two years. Furthermore, Klarna has, on pages 13-14 of the above-mentioned statement, stated that, in addition to the purposes set out in the said appendix, Klarna processes personal data within the framework of Klarna's customer service as follows: "Incoming telephone calls are recorded for quality and security reasons. The recordings are saved for this purpose for 3 months, after which they are deleted. Incoming and outgoing e-mails are retained for 7 years from the time the message was received or sent.
Information that an individual consumer has chosen to block himself or herself from using Klarna's credit products is saved in order to manage the block until the consumer announces that he or she wishes to lift it (i.e., as a starting point, until further notice). Notes relating to a dispute or other types of disagreements are kept for 10 years from the time the case was closed. The reason for this is that a consumer may contact Klarna at a later stage in the same or a similar matter. The time period is based on the limitation period under the statute of limitations (1981:130). Notes of other kinds than those above are kept for 5 years from the time of registration, i.e. from the time the note was made. The reason for this is that a consumer may contact Klarna at a later stage in the same or a similar matter."

Of these purposes and retention periods, only the retention of incoming telephone calls for quality and security reasons for three months is found in Section 9 of Klarna's Data Protection Information. In light of the above, IMY considers that the information in Klarna's Data Protection Information does not comply with the requirement of Article 13(2)(a) of the Data Protection Regulation that information must be provided about the period for which the personal data will be stored or the criteria used to determine that period, since Klarna's statement and appendix mentioned above clearly show that Klarna processes personal data for more purposes and has more detailed storage periods, as well as criteria used to determine those periods, which are not set out in Section 9 of the Data Protection Information. IMY considers that the information Klarna provides about the period for which personal data will be stored or, if this is not possible, the criteria used to determine that period does not meet the requirements of Article 13(2)(a).
The information is not concise, clear and plain, nor is it easily accessible. It thus does not meet the requirements of Article 12(1). IMY considers that the infringement of Article 13(2)(a) of the Data Protection Regulation, taking into account also the other infringements of Articles 13 and 14 set out in this decision, is so serious that it also infringes Articles 5(1)(a) and 5(2). IMY therefore finds that Klarna is in breach of Articles 5(1)(a), 5(2), 12(1) and 13(2)(a) of the Data Protection Regulation.

2.2.5 IMY's assessment of Klarna's information pursuant to Article 13(2)(b)

Pursuant to Article 13(2)(b), information shall be provided on the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject, or to object to processing, as well as the right to data portability. It follows from the Article 29 Working Party's Guidelines on transparency, WP260 (pp. 27-28), that transparency entails three obligations for the controller as regards data subjects' rights:

"• To inform data subjects of their rights (in accordance with the requirements of Articles 13(2)(b) and 14(2)(c)).

• To observe the principle of transparency (i.e. in terms of the quality of communication under Article 12(1)) when communicating with data subjects about their rights under Articles 15 to 22 and Article 34.

• To facilitate the exercise of data subjects' rights under Articles 15 to 22.

The requirements of the Data Protection Regulation regarding the exercise of these rights and the type of information required are intended to give data subjects a meaningful opportunity to assert their rights and to hold controllers accountable for the processing of their personal data.
Recital 59 emphasises that modalities should be provided "for facilitating the exercise of the data subject's rights" and that the controller should also "provide means for requests to be made electronically, especially where personal data are processed by electronic means". The modality which a controller establishes for data subjects to exercise their rights should be appropriate to the context and nature of the relationship and interaction between the controller and the data subject. A controller may therefore wish to establish one or more different modalities for the exercise of rights which reflect the different ways in which data subjects interact with the controller."

In addition, the Article 29 Working Party makes the following comments on the information requirement in Guidelines WP260 (pp. 40-41), concerning Article 13(2)(b): "This information should be specific to the processing in question and include a summary of what the right involves, how the data subject can take steps to exercise it, and any limitations to which the right may be subject (see paragraph 68 above). In particular, the right to object to processing must be explicitly brought to the data subject's attention at the latest at the time of the first communication with the data subject, and must be presented clearly and separately from any other information. [...]"

IMY notes that there is a separate section in the Data Protection Information, Section 10, entitled "Your rights in relation to your personal data", which in turn refers to some extent to other sections of the Data Protection Information. However, IMY considers that the Data Protection Information provides incomplete information regarding the data subjects' rights, in violation of Article 13(2)(b) of the Data Protection Regulation, as follows.
The right to erasure

Regarding the right to erasure (Article 17), Section 10 of the Data Protection Information states: "The right to be deleted. You have the right to request deletion of your personal data, for example when it is no longer necessary to process the data for the purpose for which they were collected, or if you withdraw your consent. As described in Sections 3 and 9 above, however, Klarna needs to comply with certain laws that prevent us from immediately deleting certain information."

IMY considers that this wording does not summarise the meaning of the right in a transparent manner. According to Article 17 of the Data Protection Regulation, the data subject has the right to have his or her personal data erased by the controller, which, however, is not an absolute right. On the one hand, the article enumerates the cases in which the controller is obliged to erase personal data without undue delay; on the other hand, there are certain exceptions to this obligation where processing is necessary in certain cases. It is not clear how this right relates to the right to object under Article 21. As worded in the Data Protection Information, the information about this right gives an unclear picture of what the right entails and in which cases it applies. The fact that it refers to the general Sections 3 and 9 of the Data Protection Information makes it even less clear. IMY assesses that the infringement of Article 13(2)(b) with regard to the requirement to provide information on the right to erasure, taking into account also the other infringements of Articles 13 and 14 set out in this decision, is so serious that it also constitutes a breach of Articles 5(1)(a) and 5(2). IMY further considers that Klarna also does not meet the requirements for complete and clear information set out in Article 12(1).
IMY therefore considers that the information in this part of the Data Protection Information does not comply with the requirement of transparency, in particular in light of the above statements in the Guidelines on transparency, and thus finds that Klarna is in breach of Articles 5(1)(a), 5(2), 12(1) and 13(2)(b) of the Data Protection Regulation.

The right to restriction

Regarding the right to restriction (Article 18), IMY finds that information about this right is missing from the Data Protection Information. Section 10 of the Data Protection Information does, however, contain the following information: "Right to oppose the processing of your personal data or object to our processing. If you consider that your personal data is incorrect or has been processed in violation of applicable law, you have the right to ask us to stop the processing. You can also object to our processing when you consider that there are circumstances that prevent the processing from being carried out in accordance with applicable rules. Furthermore, you can always object to us using your information for marketing."

IMY considers that the information provided is both incorrect and incomplete in relation to how the right is set out in Article 18 of the Data Protection Regulation. It thus does not summarise the right in a way that enables data subjects to understand what it means. This in turn makes it difficult for data subjects to exercise their rights. In addition to being incomplete, the information also mixes in the right to object to certain processing (marketing), without further developing what that right entails or in which situations it may be invoked (cf. Article 18(1)(d) and the reference to Article 21(1)).
IMY considers that the infringement of Article 13(2)(b) with regard to the requirement for information on the right to restriction, taking into account also the other infringements of Articles 13 and 14 set out in this decision, is so serious that it also infringes Articles 5(1)(a) and 5(2). IMY further considers that Klarna also does not meet the requirements for clear and plain information set out in Article 12(1). IMY therefore considers that the information on the right to restriction does not comply with the requirement of transparency, in particular in light of the statements made by the Article 29 Working Party above, and thus finds that Klarna is in breach of Articles 5(1)(a), 5(2), 12(1) and 13(2)(b) of the Data Protection Regulation.

The right to data portability

Regarding the right to data portability (Article 20), Section 10 of the Data Protection Information states: "Right to access your data. You can request a copy of your personal data if you want to know what information we have about you. This copy can also be transmitted in a machine-readable format (so-called "data portability")."

IMY does not consider that information about this right has been provided in a transparent manner, partly because it has been included under the right of access even though data portability is a separate right under Article 20 of the Data Protection Regulation, and partly because it has not been summarised in a clear way that enables data subjects to understand what the right entails. Under Article 20, the data subject has the right to receive the personal data concerning him or her in a structured, commonly used and machine-readable format, and has the right to transmit those data to another controller under certain conditions.
IMY assesses that the infringement of Article 13(2)(b) as regards the requirement for information on the right to data portability, taking into account also the other infringements of Articles 13 and 14 set out in this decision, is so serious that it also infringes Articles 5(1)(a) and 5(2). IMY further considers that Klarna also does not meet the requirements for clear and plain information provided for in Article 12(1). IMY therefore considers that the information regarding the right to data portability does not comply with the requirement of transparency, in particular in light of the Article 29 Working Party's statements above, and finds that Klarna is in breach of Articles 5(1)(a), 5(2), 12(1) and 13(2)(b) of the Data Protection Regulation.

The right to object

With regard to the right to object (Article 21), IMY notes that complete information about this right is missing from the Data Protection Information. Section 10 of the Data Protection Information contains the following information, inserted in the above information on "Right to oppose the processing of your personal data or object to our processing": "You can also object to our processing when you consider that there are circumstances which mean that the processing is not carried out in accordance with applicable rules." The following information is also available in Section 10 of the Data Protection Information: "Right to object to an automated decision. You have the right to object to an automated decision made by Klarna if this decision entails legal consequences or constitutes a decision which similarly significantly affects you. See Section 6 above on how Klarna uses this form of automated decision." In addition, the following information is available in Section 3 of the Data Protection Information, for the purpose of processing personal data in order to perform customer satisfaction surveys about Klarna's services: "You can object to this at any time. You will also receive information on how to unsubscribe from this each time you are contacted for this purpose." The following information is also available in Section 6, regarding Klarna's profiling and automated decision-making: "Predict which marketing may be of interest to you. You can always object to this and unsubscribe from marketing and this profiling by contacting us. For more information about our processing of personal data to provide marketing, see Section 3 above;" and "You always have the right to object to an automated decision with legal consequences or a decision that similarly significantly affects you (along with the associated profiling) by contacting us at the e-mail address in Section 13. In such cases, an employee at Klarna will look at your case."

Under Article 21, the data subject has the right to object in several different situations. It follows from Article 21(1) that the data subject has the right to object at any time to the processing of personal data concerning him or her which is based on Article 6(1)(e) (public interest) or (f) (legitimate interest / balancing of interests), including profiling based on those provisions. The controller may then no longer process the personal data, unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or the processing is for the establishment, exercise or defence of legal claims.
IMY notes that the Data Protection Information in its entirety lacks information about the right to object to the processing of personal data based on Article 6(1)(f) of the Data Protection Regulation, including profiling based on that provision, despite the fact that Klarna, for several different processing operations described in Section 3 of the Data Protection Information, states that this is one of the legal bases applied and that profiling takes place. The profiling is described in more detail in Section 6 of the Data Protection Information, but even there there is no information about the right to object pursuant to Article 21(1). The IMY considers that the infringement of Article 13(2)(b) with regard to the requirement of information on the right to object, taking into account also the other infringements of Articles 13 and 14 set out in this decision, is so serious that it also infringes Articles 5(1)(a) and 5(2). IMY further considers that Klarna also does not meet the requirements for clear and plain information set out in Article 12(1). IMY therefore considers that the information regarding the right to object in the Data Protection Information does not comply with the requirement of transparency and thus finds that Klarna violates Articles 5(1)(a), 5(2), 12(1) and 13(2)(b) of the Data Protection Regulation.

2.2.6. IMY's assessment of Klarna's information pursuant to Articles 13(2)(f) and 14(2)(g)

According to Articles 13(2)(f) and 14(2)(g), information shall be provided on the existence of automated decision-making, including profiling, in accordance with Article 22(1) and (4), and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Applicable regulation

The Article 29 Working Party's guidelines WP260 (pp. 22-23) state that information on the existence of automated decision-making, including profiling, in accordance with Article 22(1) and (4), as well as meaningful information about the logic involved and the significance and the envisaged consequences of the processing for the data subject, form part of the mandatory information that must be provided to the data subject in accordance with Articles 13(2)(f) and 14(2)(g). The Article 29 Working Party has, in its guidelines WP251 on automated individual decision-making and profiling, described how transparency should be applied specifically with regard to profiling. WP251 (p. 10) emphasizes the following:

The profiling process is usually not visible to the data subject. The process works by creating derived or inferred data about individuals. These are "new" personal data that have not been provided directly by the data subjects. Individuals have differing levels of understanding of how the process works and may find it difficult to understand the complex techniques used in profiling and automated decision-making.

According to Article 12(1), the controller shall provide the data subjects with concise, clear and plain, intelligible and easily accessible information on the processing of their personal data.

According to Article 22(1), the data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. Such automated decision-making is only permitted if one of the exceptions provided for in Article 22(2) applies. Exceptions apply where the decision-making is necessary for entering into, or the performance of, a contract between the data subject and the controller, or is authorised by Union law or Member State law to which the controller is subject and which lays down suitable measures to safeguard the data subject's rights, freedoms and legitimate interests, or is based on the data subject's explicit consent. The following is emphasized in WP251 (p. 17):

Given that the core principle behind the Data Protection Regulation is transparency, controllers must ensure that they explain clearly and plainly to individuals how the profiling or automated decision-making process works. In particular, if the processing involves decision-making based on profiling (regardless of whether the processing is subject to the provisions of Article 22), it must be made clear to the data subject that the processing concerns both (a) profiling and (b) decision-making based on the profile created.

Recital 60 states that the provision of information about profiling forms part of the controller's transparency obligations pursuant to Article 5(1)(a). The data subject has the right to information from the controller about "profiling", and in some cases the right to object to "profiling", regardless of whether solely automated individual decision-making based on profiling takes place. The data subject's right to information under Articles 13(2)(f) and 14(2)(g) is dealt with in WP251 (p. 26):

Given the potential risks to data subjects' rights and the conclusions which can be drawn from profiling covered by Article 22, controllers should pay particular attention to their obligation to ensure transparency in processing. According to Articles 13(2)(f) and 14(2)(g), controllers shall provide readily accessible information on decision-making based solely on automated processing, including profiling, which produces legal effects or similarly significant consequences. If the controller is making automated decisions as described in Article 22(1), it must tell the data subject that it is applying this method, provide meaningful information about the logic involved, and explain the significance and the envisaged consequences of the processing. The provision of this information also helps controllers to ensure that they comply with some of the mandatory safeguards set out in Article 22(3) and recital 71. If the automated decision-making and profiling are not covered by the definition in Article 22(1), it is nevertheless good practice to provide the above information. In any case, the controller must provide sufficient information to the data subject for the processing to be considered fair and to fulfil all the other information requirements in Articles 13 and 14.

…

The controller should try to explain in a simple way the logic behind, or the criteria for arriving at, the decision. The Data Protection Regulation requires the controller to provide meaningful information about the logic involved in the processing, not necessarily a complex explanation of the algorithms used or disclosure of the full algorithm. The information provided should, however, be comprehensive enough for the data subject to understand the reasons for the decision.
Klarna's Data Protection Information

Section 6 of Klarna's Data Protection Information states the following:

Decisions with legal consequences or decisions that in a similar way significantly affect you

Automated decisions with legal consequences or automated decisions that in a similar way significantly affect you means that certain decisions in our Services are taken exclusively automatically, without the involvement of our employees, and may have a significant effect on you as a customer, comparable to legal consequences. By taking such decisions automatically, Klarna increases objectivity and transparency in decisions when we offer these Services. We use this type of automated decision-making when we: Decide to approve your application to use a Service that includes credit; Decide not to approve your application to use a Service that includes credit; Decide whether you pose a fraud or money laundering risk, if our processing shows that your behaviour indicates money laundering or fraudulent behaviour, that your behaviour is not consistent with previous use of our Services, or that you have attempted to conceal your true identity. In relevant cases, Klarna also investigates whether specific customers are listed on sanctions lists. See Section 3 for more information on which categories of personal data are processed for these purposes.

Section 3 of the Data Protection Information provides the following information regarding credit assessment (purpose, categories of data, legal basis for personal data processing):

Purpose: Perform credit check before credit is granted (see Section 4.1 on Klarna's Services that involve credit and Section 7.4 on how we collaborate with credit bureaus).

Categories of data: Contact and identification information, financial information and information on how you interact with Klarna.

Legal basis: Follow the law, when the credit in question is regulated by law. For those cases where the credit provided is not regulated by law, perform the processing to be able to fulfil the credit agreement.

In its reply to IMY on 26 April 2019, Klarna specified which categories of information are processed in connection with automated decisions, including profiling, for credit assessment purposes:

Information collected from the consumer or generated by Klarna
* Personal and contact information (such as name, address, social security number / date of birth and e-mail address). Source: provided by the consumer at the time of purchase.
* Information about how the consumer has interacted with Klarna (for example outstanding debt, whether the consumer has chosen to block himself or herself from Klarna's services or has been suspended due to abuse). Source: the consumer's previous relationship with Klarna.
* Klarna's internal credit score (reported in answer 4 above).
* Confirmation from Klarna's internal fraud check (i.e. "yes", "no" or "additional verification required"). Source: the consumer's previous relationship with Klarna, information provided by the consumer at the time of purchase, or collected by Klarna in connection with these.

Data collected from external suppliers
* Personal and contact information (external verification of the consumer and his or her address, as well as external information about the owner of the telephone number provided). Source: external supplier.
* Financial information (external credit information, such as income, payment remarks or debt restructuring). Source: external supplier.
* Confirmation from Klarna's internal fraud check (i.e. "yes", "no" or "additional verification required"). Source: external supplier.

IMY's assessment

IMY notes that Klarna's Data Protection Information lacks meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. The Data Protection Information only shows that certain types of information are used in connection with the automated decision (contact and identification information, financial information and information on how the consumer interacts with Klarna). It is not clear that Klarna uses its own internal scoring model based on, among other things, both internal and external financial information, or what types of information are included in the financial information, for example information on debts to other lenders. No information is given about what circumstances may be decisive for a negative credit decision. IMY considers that the requirement to provide meaningful information about the logic involved in an automated credit decision includes information about which categories of information are decisive within an internal scoring model, and the possible existence of conditions that always lead to a rejection decision within the framework of the decision support that the controller uses.

IMY does not consider that the information on automated credit decisions is provided in an easily accessible way. The individual consumer should be provided with this type of difficult-to-understand information in one place, rather than scattered across different places in the Data Protection Information. IMY considers that the information Klarna provides about the existence of automated decision-making, including profiling in accordance with Article 22(1) and (4) of the Data Protection Regulation, and, at least in those cases, meaningful information about the logic involved and the significance and the envisaged consequences of such processing for the data subject, does not meet the requirements of Articles 13(2)(f) and 14(2)(g). The information is not concise, clear and plain, nor is it easily accessible. It thus does not meet the requirements of Article 12(1).
The IMY considers that the infringement of Articles 13(2)(f) and 14(2)(g), taking into account also the other infringements of Articles 13 and 14 set out in this decision, is so serious that it also infringes Articles 5(1)(a) and 5(2). IMY therefore finds that Klarna violates Articles 5(1)(a), 5(2), 12(1), 13(2)(f) and 14(2)(g) of the Data Protection Regulation.

3 Choice of intervention

3.1 Legal regulation

In the event of infringements of the Data Protection Regulation, the IMY has a number of corrective powers, including reprimands, orders and administrative penalty fees. This follows from Article 58(2)(a) to (j) of the Data Protection Regulation. IMY shall impose administrative penalty fees in addition to, or instead of, the other corrective measures referred to in Article 58(2), depending on the circumstances of each individual case. If a controller or processor, with respect to the same or linked processing operations, intentionally or negligently infringes several provisions of the Regulation, the total amount of the administrative penalty fee shall not exceed the amount specified for the gravest infringement. This follows from Article 83(3) of the Data Protection Regulation. Each supervisory authority shall ensure that the imposition of administrative penalty fees in each individual case is effective, proportionate and dissuasive. This is provided for in Article 83(1) of the Data Protection Regulation. Article 83(2) sets out the factors to be taken into account when deciding whether an administrative penalty fee shall be imposed, as well as what shall affect the amount of the penalty fee.

3.2 Penalty fee

Klarna provides payment solutions to about 90 million consumers and more than 200,000 stores in 17 countries. Klarna provides several different services that are important for the financial system, such as direct payment, various forms of "try first, pay later" services and instalments. To be able to provide these services, Klarna must process a very large amount of personal data. IMY has assessed above that Klarna has not fulfilled the basic principle of transparency and the rights of data subjects. Klarna has violated Articles 5(1)(a), 5(2), 12(1), 13(1)(c), (e) and (f), 13(2)(a), (b) and (f), and 14(2)(g) of the Data Protection Regulation. IMY does not consider that these are minor infringements. Klarna must therefore be ordered to pay an administrative penalty fee for the said infringements. IMY considers that the provision of information via Klarna's Data Protection Information is one and the same data processing, and that a common penalty amount shall be determined for these infringements. IMY notes that Klarna has violated several articles covered by Article 83(5), which means that a higher penalty amount can be applied. As regards the calculation of the amount, Article 83(5) of the Data Protection Regulation states that companies which commit the relevant infringements can be fined up to twenty million euros or four percent of total worldwide annual turnover in the preceding financial year, whichever is higher. When determining the maximum amount of a penalty fee to be imposed on a company, the definition of the term "undertaking" used by the Court of Justice of the European Union in its application of Articles 101 and 102 TFEU should be used (see recital 150 of the Data Protection Regulation). It is clear from the case-law of the Court that this covers every entity engaged in economic activity, regardless of the legal form of the entity and the way in which it is financed, and even if the entity in the legal sense consists of several natural or legal persons. IMY assesses that the company whose turnover is to be used as the basis for calculating the administrative penalty fee that can be imposed on Klarna is Klarna's parent company, Klarna Holding AB.

Klarna Holding AB's annual report for 2020 states that annual turnover in 2020 was approximately SEK 10,093,659,000. The highest penalty amount that can be determined in the case is four percent of this amount, that is to say approximately SEK 404,000,000. In determining the size of the penalty fee, IMY takes into account that Klarna is a multinational company that processes the personal data of a large number of data subjects. Klarna processes many different categories of personal data, where the data in some cases concern the financial circumstances and creditworthiness of the data subject. IMY considers that high demands must be placed on a large company with such comprehensive and privacy-sensitive personal data processing to provide information that is concise, clear and plain, intelligible and in an easily accessible form. As aggravating circumstances, IMY notes that the infringements concern articles that are central to the data subject's ability to exercise his or her rights under the Data Protection Regulation, that the information provided in the Data Protection Information concerns a very large number of data subjects, and that the infringement has been going on for a long time. As a mitigating circumstance, it is taken into account that Klarna has, during the supervision, changed and improved the information in the Data Protection Information. In view of the seriousness of the infringements and the requirement that the administrative penalty fee shall be effective, proportionate and dissuasive, the IMY sets the administrative penalty fee for Klarna Bank AB at SEK 7,500,000.

This decision was made by Director General Lena Lindgren Schelin after presentation by Department Director Hans Kärnlöf. Chief Legal Counsel David Törngren and Head of Unit Catharina Fernquist also participated in the final processing.

Lena Lindgren Schelin, 2022-03-28 (This is an electronic signature)

Appendices
Appendix 1 - Klarna's Data Protection Information
Appendix 2 - Klarna's Terms of Use

How to appeal

If you want to appeal the decision, you must write to the Privacy Protection Authority. State in the letter which decision you are appealing and the change you are requesting. The appeal must have been received by the Privacy Protection Authority no later than three weeks from the day you received the decision. If the appeal has been received in time, the Privacy Protection Authority forwards it to the Administrative Court in Stockholm for examination. You can e-mail the appeal to the Privacy Protection Authority if it does not contain any privacy-sensitive personal data or data that may be covered by secrecy. The authority's contact information can be found on the first page of the decision.