FiS - 7679-22: Difference between revisions

From GDPRhub
Line 91: Line 91:
Klarna appealed the decision to the administrative court challenging, among others, that IMY relied heavily on non-binding guidelines. Klarna argued that both Swedish and European administrative law fundamentally require that an intervention (especially fines) against an individual may only take place if there is clear support in binding statute. Despite this, Klarna claimed that it has been fined heavily for violating non-binding guidelines.
Klarna appealed the decision to the administrative court challenging, among others, that IMY relied heavily on non-binding guidelines. Klarna argued that both Swedish and European administrative law fundamentally require that an intervention (especially fines) against an individual may only take place if there is clear support in binding statute. Despite this, Klarna claimed that it has been fined heavily for violating non-binding guidelines.


=== Holding The Administrative Court upheld Klarna Bank AB's appeal in part and lowered the administrative fine to €600,000 (SEK 6,000,000). The administrative court firstly reminded that Article 29 WP's Guidelines on transparency, which was formally endorsed by EDPB, have the purpose to promote an efficient and uniform application of GDPR. It also stated that the guidelines are not binding, but may have some significance for guidance. It held that there is no possibility to impose sanctions based on guidelines without any support in GDPR. - "My economy" service Klarna informed the data subjects at the time of registration that they collect and use data based on consent and for the purpose of provision of the service. Some additional purposes are listed only in the privacy notice. However, while the information provided during registration included the legal basis for data processing, Klarna's privacy notice only mentioned the processing purposes, not the legal basis. The Court therefore concluded that Klarna did not provide the legal basis for all purposes of processing activities and the information provided was therefore insufficient and did not meet the requirements of [[Article 13 GPDR#1c|Article 13 GPDR1c]] - The recipients of personal data The court found that Klarna did not breach [[Article 13 GDPR#1e|Article 13 GDPR1e]], contrary to IMY's assertion. While acknowledging the Article 29 WP's guidelines on transparency, which state that controllers must provide data subjects with information about recipients based on the fairness principle, including the recipients' locations, the court determined that the GDPR requires only the naming of recipients or categories of recipients, not whether the recipient is a Swedish or a foreign credit agency. - Transfers to third countries The court found that Klarna violated [[Article 13 GDPR#1f|Article 13 GDPR1f]] by not providing data subjects with necessary information regarding transfers of their personal data to third countries, including whether an EU Commission adequacy decision exists. The Court ruled that naming the specific third countries is required for the information to be meaningful and to comply with the GDPR and Article 29 WP's transparency guidelines. - Retention of personal data The Court ruled that Klarna's practice of stating that personal data will be stored as long as necessary for each respective purpose, while providing examples of retention periods for some processing activities, failed to meet the transparency requirements of [[Article 13 GDPR#2a|Article 13 GDPR2a]]. It noted the Article 29 WP's transparency guidelines, which call for information to be specified in a way to enable data subjects to assess, based on their own situations, the retention periods for specific data or purpose. - Information about data subjects' rights The court stated that it is the controller's responsibility to provide information about the specific rights that allow the data subject to understand the meaning of their rights. The court found that Klarna has failed to provide sufficient information about data subjects' rights and thereby violated [[Article 13 GDPR#2b|Article 13 GDPR2b]]. Specifically, Klarna did not adequately describe the rights to request erasure, restriction, and data portability, nor did they provide information about the right to object to certain processing. -Profiling and automated decision-making The court found that Klarna's privacy notice did not include details about the use of its own internal scoring model based on internal and external financial information, or the specific types of data included in the financial information such as debts to other lenders. It also lacked information about which circumstances could be crucial for a negative credit decision.  The court disagreed with the Swedish DPA, stating that Klarna does not have to disclose all the specific circumstances that always lead to a rejection as this is not explicitly required by GDPR. However, the Court ruled that Klarna breached [[Article 13 GDPR#2f|Article 13 GDPR2f]] and [[Article 14 GDPR#2g|Article 14 GDPR2g]] for not disclosing its use of a scoring model and the information it processes. - How the information has been provided The court reminded that [[Article 13 GDPR]] and [[Article 14 GDPR]] detail the information that needs to be disclosed to data subjects. while [[Article 12 GDPR#1]] outlines the manner in which this information should be delivered. Therefore, a breach of [[Article 13 GDPR]] and [[Article 14 GDPR]] does not inherently result in a breach of  [[Article 12 GDPR#1]] . The court ruled in favor of Klarna, stating that the Swedish DPA did not sufficiently prove that Klarna had violated [[Article 12 GDPR#1|Article 12 GDPR1]]. - Fundamental principles The Court ruled that Klarna's information regarding the legal basis for personal data processing in the service "My Economy", data retention period, transfer of personal data to third countries, as well as information about the logic behind the company's profiling and automated decision-making, has been incomplete. As a result, Klarna violated the obligations on transparency and information provision, as outlined in [[Article 13 GDPR]] and [[Article 14 GDPR]]. The court found that this breach significantly impacted the company's processing of personal data and therefore Klarna breached the principle of transparency in [[Article 5 GDPR#1a]]. However, the court did not agree with the Swedish DPA's claim that Klarna also violated principles of lawfulness and fairness in the GDPR. - The size of the sanction The court considered that the violation cannot be considered as serious as Swedish DPA has assessed as the court found that, there was no deficiencies in information provided about the recipients of personal data, and that the Swedish DPA failed to prove how  [[Article 12 GDPR#1]] was violated. The court considered that the central deficiencies in providing information to data subjects, violation of principle of transparency [[Article 5 GDPR#1a]], the extensive data processing, the importance of violated provisions for data subjects to exercise their rights, led to a violation that cannot be considered to cause limited harm. The court also took into account that Klarna has continuously improved the information. The court therefore lowered the sanction to €600,000 (SEK 6,000,000). ===
== Holding ==
The Administrative Court upheld Klarna Bank AB's appeal in part and lowered the administrative fine to €600,000 (SEK 6,000,000). The administrative court firstly reminded that Article 29 WP's Guidelines on transparency, which was formally endorsed by EDPB, have the purpose to promote an efficient and uniform application of GDPR. It also stated that the guidelines are not binding, but may have some significance for guidance. It held that there is no possibility to impose sanctions based on guidelines without any support in GDPR.  
 
- "My economy" service  
 
Klarna informed the data subjects at the time of registration that they collect and use data based on consent and for the purpose of provision of the service. Some additional purposes are listed only in the privacy notice. However, while the information provided during registration included the legal basis for data processing, Klarna's privacy notice only mentioned the processing purposes, not the legal basis. The Court therefore concluded that Klarna did not provide the legal basis for all purposes of processing activities and the information provided was therefore insufficient and did not meet the requirements of [[Article 13 GPDR#1c|Article 13 GPDR1c]]  
 
- The recipients of personal data  
 
The court found that Klarna did not breach [[Article 13 GDPR#1e|Article 13 GDPR1e]], contrary to IMY's assertion. While acknowledging the Article 29 WP's guidelines on transparency, which state that controllers must provide data subjects with information about recipients based on the fairness principle, including the recipients' locations, the court determined that the GDPR requires only the naming of recipients or categories of recipients, not whether the recipient is a Swedish or a foreign credit agency.  
 
- Transfers to third countries  
 
The court found that Klarna violated [[Article 13 GDPR#1f|Article 13 GDPR1f]] by not providing data subjects with necessary information regarding transfers of their personal data to third countries, including whether an EU Commission adequacy decision exists. The Court ruled that naming the specific third countries is required for the information to be meaningful and to comply with the GDPR and Article 29 WP's transparency guidelines.  
 
- Retention of personal data  
 
The Court ruled that Klarna's practice of stating that personal data will be stored as long as necessary for each respective purpose, while providing examples of retention periods for some processing activities, failed to meet the transparency requirements of [[Article 13 GDPR#2a|Article 13 GDPR2a]]. It noted the Article 29 WP's transparency guidelines, which call for information to be specified in a way to enable data subjects to assess, based on their own situations, the retention periods for specific data or purpose.  
 
- Information about data subjects' rights  
 
The court stated that it is the controller's responsibility to provide information about the specific rights that allow the data subject to understand the meaning of their rights. The court found that Klarna has failed to provide sufficient information about data subjects' rights and thereby violated [[Article 13 GDPR#2b|Article 13 GDPR2b]]. Specifically, Klarna did not adequately describe the rights to request erasure, restriction, and data portability, nor did they provide information about the right to object to certain processing.  
 
-Profiling and automated decision-making  
 
The court found that Klarna's privacy notice did not include details about the use of its own internal scoring model based on internal and external financial information, or the specific types of data included in the financial information such as debts to other lenders. It also lacked information about which circumstances could be crucial for a negative credit decision.  The court disagreed with the Swedish DPA, stating that Klarna does not have to disclose all the specific circumstances that always lead to a rejection as this is not explicitly required by GDPR. However, the Court ruled that Klarna breached [[Article 13 GDPR#2f|Article 13 GDPR2f]] and [[Article 14 GDPR#2g|Article 14 GDPR2g]] for not disclosing its use of a scoring model and the information it processes.  
 
- How the information has been provided  
 
The court reminded that [[Article 13 GDPR]] and [[Article 14 GDPR]] detail the information that needs to be disclosed to data subjects. while [[Article 12 GDPR#1]] outlines the manner in which this information should be delivered. Therefore, a breach of [[Article 13 GDPR]] and [[Article 14 GDPR]] does not inherently result in a breach of  [[Article 12 GDPR#1]] . The court ruled in favor of Klarna, stating that the Swedish DPA did not sufficiently prove that Klarna had violated [[Article 12 GDPR#1|Article 12 GDPR1]].  
 
- Fundamental principles  
 
The Court ruled that Klarna's information regarding the legal basis for personal data processing in the service "My Economy", data retention period, transfer of personal data to third countries, as well as information about the logic behind the company's profiling and automated decision-making, has been incomplete. As a result, Klarna violated the obligations on transparency and information provision, as outlined in [[Article 13 GDPR]] and [[Article 14 GDPR]]. The court found that this breach significantly impacted the company's processing of personal data and therefore Klarna breached the principle of transparency in [[Article 5 GDPR#1a]]. However, the court did not agree with the Swedish DPA's claim that Klarna also violated principles of lawfulness and fairness in the GDPR.  
 
- The size of the sanction  
 
The court considered that the violation cannot be considered as serious as Swedish DPA has assessed as the court found that, there was no deficiencies in information provided about the recipients of personal data, and that the Swedish DPA failed to prove how  [[Article 12 GDPR#1]] was violated. The court considered that the central deficiencies in providing information to data subjects, violation of principle of transparency [[Article 5 GDPR#1a]], the extensive data processing, the importance of violated provisions for data subjects to exercise their rights, led to a violation that cannot be considered to cause limited harm. The court also took into account that Klarna has continuously improved the information. The court therefore lowered the sanction to €600,000 (SEK 6,000,000).
 
== Comment ==
== Comment ==
''Share your comments here!''
''Share your comments here!''

Revision as of 22:37, 11 April 2024

FiS - 7679-22
Courts logo1.png
Court: FiS (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 13(1)(c) GDPR
Article 17 GDPR
Article 18 GDPR
Article 20 GDPR
Article 21 GDPR
Article 22(1) GDPR
Decided: 14.04.2023
Published:
Parties: Klarna Bank AB
National Case Number/Name: 7679-22
European Case Law Identifier:
Appeal from: Swedish DPA (IMY)
DI-2019-4062
Appeal to: Appealed - Overturned
Kammarrätten i Stockholm
2829-23
Original Language(s): Swedish
Original Source: Sveriges Domstolar (in Swedish)
Initial Contributor: Izel

The Swedish Administrative Court reduced Klarna's fine to €600,000, finding fewer GDPR breaches than initially assessed by the Swedish DPA, while taking Klarna's continuous improvement in information provision into account

English Summary

Facts

On 28 March 2022, IMY fined Klarna AB (the controller) €730,000 (SEK 7,300,000) for not providing data subjects with adequate information related to their processing activities. IMY found that Klarna violated GDPR in the following respects: a) Klarna did not provide information about the purpose and the legal basis for data processing relating to service "My economy", b) Klarna provided incomplete and misleading information about who were the recipients of different categories of personal data when they were shared with Swedish and foreign credit reference agencies. c) Klarna did not provide information about which countries outside the EU/EEA personal data was transferred, and where and how data subjects can access or obtain documents regarding safeguards that applied to the applicable transfer. d) Klarna provided incomplete information about retention periods and the criteria to determine these periods. c) Klarna provided inadequate information about the below data subjects' rights which did not comply with the principle of transparency: - right to request from the controller the erasure of personal data under Article 17 GDPR - right to restrict the processing of personal data Article 18 GDPR - right to data portability under Article 20 GDPR - right to object to the processing under Article 21 GDPR d) Klarna's privacy policy lacked meaningful information about the logic, significance and foreseen consequences of automated decision-making, including profiling, under Article 22 GDPR#1 Klarna appealed the decision to the administrative court challenging, among others, that IMY relied heavily on non-binding guidelines. Klarna argued that both Swedish and European administrative law fundamentally require that an intervention (especially fines) against an individual may only take place if there is clear support in binding statute. Despite this, Klarna claimed that it has been fined heavily for violating non-binding guidelines.

Holding

The Administrative Court upheld Klarna Bank AB's appeal in part and lowered the administrative fine to €600,000 (SEK 6,000,000). The administrative court firstly reminded that Article 29 WP's Guidelines on transparency, which was formally endorsed by EDPB, have the purpose to promote an efficient and uniform application of GDPR. It also stated that the guidelines are not binding, but may have some significance for guidance. It held that there is no possibility to impose sanctions based on guidelines without any support in GDPR.

- "My economy" service

Klarna informed the data subjects at the time of registration that they collect and use data based on consent and for the purpose of provision of the service. Some additional purposes are listed only in the privacy notice. However, while the information provided during registration included the legal basis for data processing, Klarna's privacy notice only mentioned the processing purposes, not the legal basis. The Court therefore concluded that Klarna did not provide the legal basis for all purposes of processing activities and the information provided was therefore insufficient and did not meet the requirements of Article 13 GPDR1c

- The recipients of personal data

The court found that Klarna did not breach Article 13 GDPR1e, contrary to IMY's assertion. While acknowledging the Article 29 WP's guidelines on transparency, which state that controllers must provide data subjects with information about recipients based on the fairness principle, including the recipients' locations, the court determined that the GDPR requires only the naming of recipients or categories of recipients, not whether the recipient is a Swedish or a foreign credit agency.

- Transfers to third countries

The court found that Klarna violated Article 13 GDPR1f by not providing data subjects with necessary information regarding transfers of their personal data to third countries, including whether an EU Commission adequacy decision exists. The Court ruled that naming the specific third countries is required for the information to be meaningful and to comply with the GDPR and Article 29 WP's transparency guidelines.

- Retention of personal data

The Court ruled that Klarna's practice of stating that personal data will be stored as long as necessary for each respective purpose, while providing examples of retention periods for some processing activities, failed to meet the transparency requirements of Article 13 GDPR2a. It noted the Article 29 WP's transparency guidelines, which call for information to be specified in a way to enable data subjects to assess, based on their own situations, the retention periods for specific data or purpose.

- Information about data subjects' rights

The court stated that it is the controller's responsibility to provide information about the specific rights that allow the data subject to understand the meaning of their rights. The court found that Klarna has failed to provide sufficient information about data subjects' rights and thereby violated Article 13 GDPR2b. Specifically, Klarna did not adequately describe the rights to request erasure, restriction, and data portability, nor did they provide information about the right to object to certain processing.

-Profiling and automated decision-making

The court found that Klarna's privacy notice did not include details about the use of its own internal scoring model based on internal and external financial information, or the specific types of data included in the financial information such as debts to other lenders. It also lacked information about which circumstances could be crucial for a negative credit decision. The court disagreed with the Swedish DPA, stating that Klarna does not have to disclose all the specific circumstances that always lead to a rejection as this is not explicitly required by GDPR. However, the Court ruled that Klarna breached Article 13 GDPR2f and Article 14 GDPR2g for not disclosing its use of a scoring model and the information it processes.

- How the information has been provided

The court reminded that Article 13 GDPR and Article 14 GDPR detail the information that needs to be disclosed to data subjects. while Article 12 GDPR#1 outlines the manner in which this information should be delivered. Therefore, a breach of Article 13 GDPR and Article 14 GDPR does not inherently result in a breach of Article 12 GDPR#1 . The court ruled in favor of Klarna, stating that the Swedish DPA did not sufficiently prove that Klarna had violated Article 12 GDPR1.

- Fundamental principles

The Court ruled that Klarna's information regarding the legal basis for personal data processing in the service "My Economy", data retention period, transfer of personal data to third countries, as well as information about the logic behind the company's profiling and automated decision-making, has been incomplete. As a result, Klarna violated the obligations on transparency and information provision, as outlined in Article 13 GDPR and Article 14 GDPR. The court found that this breach significantly impacted the company's processing of personal data and therefore Klarna breached the principle of transparency in Article 5 GDPR#1a. However, the court did not agree with the Swedish DPA's claim that Klarna also violated principles of lawfulness and fairness in the GDPR.

- The size of the sanction

The court considered that the violation cannot be considered as serious as Swedish DPA has assessed as the court found that, there was no deficiencies in information provided about the recipients of personal data, and that the Swedish DPA failed to prove how Article 12 GDPR#1 was violated. The court considered that the central deficiencies in providing information to data subjects, violation of principle of transparency Article 5 GDPR#1a, the extensive data processing, the importance of violated provisions for data subjects to exercise their rights, led to a violation that cannot be considered to cause limited harm. The court also took into account that Klarna has continuously improved the information. The court therefore lowered the sanction to €600,000 (SEK 6,000,000).

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.

The administrative court in Stockholm assesses that Klarna Bank AB has not violated the data protection regulation to the extent claimed by the Privacy Protection Authority. The court has therefore decided that the penalty fee should be reduced.

The Privacy Protection Authority (IMY) decided on March 28, 2022 to impose a penalty fee of SEK 7.5 million on Klarna Bank AB because the company has breached its information obligation. Klarna Bank AB has appealed the decision and believes, among other things, that the company has been notified of a penalty fee for violating non-binding guidelines and that it is in violation of basic Swedish and European law. According to the company, there is therefore no support for imposing a penalty fee.
Judgment of the court
The administrative court in Stockholm shares IMY's assessment that the registered did not receive sufficient information about how and for what purposes certain personal data is processed. Those registered have also not received sufficient information about their rights. Support for imposing a penalty fee on Klarna Bank AB due to this can be found in the data protection regulation. However, there is not sufficient support that Klarna Bank AB has breached its obligation to provide information to the same extent as IMY claims.
- The court considers that Klarna Bank AB has violated the data protection regulation. However, the violation is not as serious as IMY has assessed in the appealed decision and the penalty fee must therefore be reduced from SEK 7.5 million to SEK 6 million, says councilor Gustav Forsberg.