IMY (Sweden) - IMY 2023-8336
IMY - IMY 2023-8336 | |
---|---|
Authority: | IMY (Sweden) |
Jurisdiction: | Sweden |
Relevant Law: | Article 5(1)(d) GDPR Article 12(2) GDPR Article 16 GDPR Article 25 GDPR Article 56 GDPR Article 58(2)(b) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 09.01.2024 |
Published: | 09.01.2024 |
Fine: | n/a |
Parties: | Klarna Bank AB |
National Case Number/Name: | IMY 2023-8336 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Swedish |
Original Source: | IMY (in SV) |
Initial Contributor: | Maximilien Hjortland |
The Swedish DPA reprimanded Klarna Bank for not enabling a data subject in Germany to rectify their email address linked to their payment card.
English Summary
Facts
The controller, Klarna Bank AB, commonly referred to as Klarna, is a Swedish fintech company that provides online financial services. The company provides payment processing services for the e-commerce industry, managing store claims and customer payments. The company is a "buy now, pay later" service provider.[1]
A Klarna Bank AB customer in Germany contacted the controller in June and Juli 2020 to rectify their registered email address as per Article 16 GDPR.
The customer (data subject) held a Klarna card and in June 2020 requested the controller rectify the email address associated with their payment card.
Klarna’s customer service initially replied to the customer that changing the email address was technically impossible as it was associated with the claimant’s card, and encouraged them to order a new card to change their email address.
A new Klarna card would however influence the claimant’s credit standing.
In July 2020, the claimant requested the deletion of their personal data including the destruction of the Klarna card. A customer service employee informed the data subject that their email address had been changed for their unsettled invoices.
Klarna stated that email addresses were used as personal identifiers, and as part of a verification process, which is why the controller needed to issue a new payment card to update the email address.
The data subject complained to a German supervisory authority (SA) about the inadequate fulfilment of their right to rectification in Article 16 GDPR. On the basis of Article 56 GDPR, and this case concerning 13 European SAs, the complaint was passed on to IMY as the lead SA.
Holding
The Swedish DPA held that the controller processed personal data in violation of:
1) Article 12(2) GDPR, by not enabling the data subject to exercise their right to rectification stated in Article 16 GDPR
2) and Article 16 GDPR, by not enabling the data subject to change their email address as requested.
Based on Article 25 GDPR, the lead SA argued that the controller had design flaws in its product resulting in the unnecessary complication of rectification. It also emphasised the infringement of the principle of accuracy in Article 5(1)(d) GDPR, because process information was inaccurate and rectification delayed.
The Swedish DPA decided to reprimand Klarna Bank AB based on Article 58(2)(b) and Recital 148 for a minor infringement.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.
- ↑ See Wikipedia for more information.