IMY (Sweden) - DI-2019-4062

Authority: IMY (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 5(1)(a) GDPR
Article 5(2) GDPR
Article 12(1) GDPR
Article 13(1)(f) GDPR
Article 13(1)(c) GDPR
Article 13(1)(e) GDPR
Article 13(2)(a) GDPR
Article 13(2)(b) GDPR
Article 13(2)(f) GDPR
Article 14(2)(g) GDPR
Type: Investigation
Outcome: Violation Found
Started: 27.03.2019
Decided: 28.03.2022
Published: 28.03.2022
Fine: 7500000 SEK
Parties: Klarna Bank AB
National Case Number/Name: DI-2019-4062
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Swedish
Original Source: IMY's website (in SV)
Initial Contributor: Elisavet Dravalou

The Swedish DPA conducted an investigation and issued a fine of approximately €730,000 against Klarna Bank for not providing data subjects with adequate information about its processing activities, in violation of various provisions under Articles 5, 12, 13 and 14 GDPR.

English Summary

Facts

Klarna Bank AB is a company which provides both credit and non-credit payment solutions to approximately 90 million consumers and more than 200,000 merchants in 17 countries through a variety of financial services, such as direct payment, various forms of "try first and pay later" services and payment through installments, as well as account information services. In order to provide these services, Klarna needs to process large amounts of personal data. The Swedish DPA (IMY) initially examined Klarna's privacy policy, and noted that there was a lack of clarity regarding many aspects, and therefore decided to launch an ex officio investigation to determine Klarna's compliance with the provisions on clear information and communication to data subjects. During the investigation, Klarna continuously changed the information provided on how the company handled personal data. IMY's decision concerns the information as it stood from 17 March to 26 June 2020.

Holding

After conducting their investigation, the IMY held that Klarna had violated various GDPR provisions related to information on the purpose and legal basis for the processing of personal data, the recipients of various categories of personal data, international data transfers, retention periods, data subject rights and automated decision-making, including profiling. As a common thread, the IMY held that each one of these breaches also entailed a violation of Articles 12(1) GDPR, 5(1)(a) GDPR and 5(2) GDPR.

Regarding the information provided by Klarna on the purpose and legal basis for the processing of personal data related to the "My Finance" and "My Economy" services, the IMY held that this information was not concise, clear and easily accessible, and did not meet the requirements of Article 13(1)(c) GDPR.

With regard to the recipients, the IMY held that Klarna provided incomplete and misleading information on who the recipients of different categories of personal data were when such data were shared with Swedish and foreign credit reference agencies, in violation of Article 13(1)(e) GDPR.

Specifically on the topic of international data transfers, the IMY noted that a mere statement that personal data will be transferred to third countries, without naming these countries, was not adequate information for data subjects in this sense. Moreover, the IMY held that Klarna not only failed to provide information about the countries outside the EU/EEA to which personal data was transferred, but also as to where and how data subjects could access documents regarding the safeguards applicable to the data transfers where no adequacy decision exists between the EU and these countries, in breach of Article 13(1)(f) GDPR.

Furthermore, the IMY also held that Klarna provided incomplete information about the periods for which personal data would be retained and the criteria used to determine those periods, in violation of Article 13(2)(a) GDPR.

Regarding data subject rights, the IMY held that Klarna did not provide them with adequate information related to the right to erasure of personal data under Article 17 GDPR, restriction of processing concerning the data subject under Article 18 GDPR, the right to object under Article 20 GDPR as well as the right to data portability under Article 21 GDPR, in violation of Article 13(2)(b) GDPR.

As to automated decision-making, including profiling under Articles 22(1) and (4) GDPR, the IMY noted that it was not clear whether Klarna used its own internal scoring model based on, among other things, both internal and external financial information, or what types of data are included in the financial information, such as information on liabilities with other creditors. The IMY also observed that no information was provided regarding the logic behind these processes, their significance, the types of personal data that played a decisive role when subject to a negative decision, or the foreseeable consequences for data subjects, in breach of Articles 13(2)(f) and 14(2)(g) GDPR.

In order to determine their administrative fine, the IMY took into account that Klarna is a multinational company that processes many different categories of personal data on a large number of data subjects, including privacy-sensitive data such as financial data and creditworthiness, and that these breaches were ongoing for a long period of time. Based on these considerations, the IMY issued a fine of approximately €730,000 (SEK 7,500,000) against Klarna Bank AB.

Comment

Klarna stated that they will appeal the decision. IMY cited the A29WP guidelines on transparency many times in their decision, and if you follow these guidelines by the book, a data controller that is involved in complex processing activities will end up with a complex, lengthy and non-reader friendly privacy notice, which is the exact opposite of what the GDPR requires. The question raised here is where does the balance lie between too little or too much information?

English Machine Translation of the Decision

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.

Klarna Bank AB

Record number: DI-2019-4062

Date: 2022-03-28

Decision after supervision according to the Data Protection Regulation - Klarna Bank AB

Content

The decision of the Integrity Protection Authority
1 Report on the supervisory matter
2 Motivation for decision
  2.1 Applicable provisions
  2.2 IMY's assessment of whether Klarna's Data Protection Information meets the requirements in Articles 5 (1) (a), 5 (2), 12, 13 and 14 of the Data Protection Regulation
    2.2.1 IMY's assessment of Klarna's information pursuant to Article 13 (1) (c)
    2.2.2 IMY's assessment of Klarna's information pursuant to Article 13 (1) (e)
    2.2.3 IMY's assessment of Klarna's information pursuant to Article 13 (1) (f)
    2.2.4 IMY's assessment of Klarna's information pursuant to Article 13 (2) (a)
    2.2.5 IMY's assessment of Klarna's information pursuant to Article 13 (2) (b)
    2.2.6 IMY's assessment of Klarna's information pursuant to Article 13 (2) (f) and 14 (2) (g)
3 Choice of intervention
  3.1 Legal regulation
  3.2 Penalty fee
How to appeal





The decision of the Integrity Protection Authority

The Privacy Protection Authority (IMY) states that Klarna Bank AB (Klarna), during the period from 17 March 2020 to 26 June 2020, did not provide information on the purpose for which, and the legal basis on which, the processing of personal data regarding the service "My Finance" took place. Klarna thus processed personal data in violation of Articles 5 (1) (a), 5 (2), 12 (1) and 13 (1) (c) of the Data Protection Regulation.

IMY notes that Klarna, during the period March 17 to June 26, 2020, provided incomplete and misleading information about who were the recipients of various categories of personal data when such data were shared with Swedish and foreign credit reporting companies respectively. Klarna thus processed personal data in violation of Articles 5 (1) (a), 5 (2), 12 (1) and 13 (1) (e) of the Data Protection Regulation.

IMY notes that Klarna, during the period March 17 to June 26, 2020, did not provide information on the countries outside the EU / EEA to which personal data were transferred, or on where and how the individual could access or obtain documents concerning the safeguard measures applicable to the transfer to a third country. Klarna thereby processed personal data in breach of Articles 5 (1) (a), 5 (2), 12 (1) and 13 (1) (f) of the Data Protection Regulation.

IMY notes that Klarna, during the period March 17 to June 26, 2020, provided incomplete information about the periods during which personal data would be stored and the criteria used to determine these periods. Klarna thereby processed personal data in breach of Articles 5 (1) (a), 5 (2), 12 (1) and 13 (2) (a) of the Data Protection Regulation.

IMY notes that Klarna, during the period March 17 to June 26, 2020, provided insufficient information regarding the data subjects' rights, as follows.

- The information provided about the right to request from the data controller the deletion of personal data in accordance with Article 17 of the Data Protection Regulation did not comply with the requirement of transparency.
- The information provided about the right to request from the data controller a limitation of the processing concerning the data subject under Article 18 of the Data Protection Regulation did not comply with the requirement of transparency.
- The information provided on the right to data portability in accordance with Article 20 of the Data Protection Regulation did not comply with the requirement of transparency.
- The information provided on the right to object to the processing of personal data under Article 21 of the Data Protection Regulation did not comply with the requirement of transparency.

Klarna thus processed personal data in violation of Articles 5 (1) (a), 5 (2), 12 (1) and 13 (2) (b) of the Data Protection Regulation.

IMY states that Klarna's Data Protection Information, during the period March 17 to June 26, 2020, lacked meaningful information about the logic behind, and the significance and foreseeable consequences of, automated decision-making, including profiling, pursuant to Article 22 (1) of the Data Protection Regulation. Klarna thus processed personal data in breach of Articles 5 (1) (a), 5 (2), 12 (1), 13 (2) (f) and 14 (2) (g) of the Data Protection Regulation.

IMY decides on the basis of Articles 58 (2) and 83 of the Data Protection Regulation that Klarna Bank AB must pay an administrative penalty fee of 7,500,000 (seven million five hundred thousand) kronor.

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and on the repeal of Directive 95/46/EC (General Data Protection Regulation).


1 Report on the supervisory matter

Klarna provides services that involve lending, as well as payment services that do not include lending, including payment initiation services and account information services. IMY has read Klarna's Data Protection Information, which is published on the company's Swedish website (https://www.klarna.com/se/). In connection with this, IMY has established that there is uncertainty about, among other things, the purposes for which personal data is collected and processed and how the data is thereafter erased.

Article 5 (1) (a) of the Data Protection Regulation states, inter alia, that personal data shall be processed in an open manner in relation to the data subject (the principle of transparency). It further follows from Article 5 (2) that the data controller shall be responsible for and be able to show that the principles set out in 5.1 are complied with (the principle of accountability). IMY has initiated supervision of Klarna to investigate the extent to which Klarna's Data Protection Information meets these requirements. Within the framework of supervision, IMY has audited how Klarna complies with the provisions on clear and unambiguous information and communication under Article 12 (1), the right to information about personal data under Articles 13 and 14, and the right to information on the right to object under Article 21.4. IMY has not taken a position on whether Klarna's personal data processing otherwise complies with the Data Protection Regulation.

Supervision has taken place through correspondence. The inspection began on March 27, 2019, when IMY sent a letter to Klarna with questions about the company's personal data processing. The questions were based on the information Klarna provided about its processing of personal data in the Data Protection Information published at that time on the company's Swedish website. Klarna submitted an opinion on 26 April 2019. Attached to the opinion was an annex with a summary of the purposes for which each category of personal data was processed, with an indication of the applicable retention period. Klarna then revised its Data Protection Information as of 19 July 2019. Due to Klarna's opinion and the company's revised Data Protection Information, IMY put supplementary questions to the company in a letter dated 1 August 2019. Klarna subsequently submitted an opinion on September 27, 2019. Klarna subsequently revised its Data Protection Information as of 17 March 2020. Klarna again revised its Data Protection Information on 26 June 2020.

IMY has also obtained the terms of service for the account information service "My Finances", as Klarna in its first statement to the IMY stated that the consumer accepts "Special conditions" for this service. IMY's assessment refers to Klarna's Data Protection Information as it was designed from 17 March 2020 to 26 June 2020, Appendix 1, and Klarna's Terms of Use as they were drafted on April 2, 2020, Appendix 2. IMY describes what Klarna has stated in its opinions, in relevant parts, in the reasons for the decision below.


2 Grounds for the decision

2.1 Applicable provisions

Article 5 (1) (a) of the Data Protection Regulation states, inter alia, that the data shall be processed in a lawful, fair and transparent manner in relation to the data subject (lawfulness, fairness and transparency).

It further follows from Article 5 (2) that the data controller shall be responsible for and be able to show that the principles listed in 5.1 are complied with (accountability).

It follows from Article 12 (1) of the Data Protection Regulation that the controller shall take appropriate measures to provide the data subject with all information referred to in Articles 13 and 14, and all communications pursuant to Articles 15 to 22 and 34 relating to processing, in a concise, clear and distinct, comprehensible and easily accessible form, using clear and unambiguous language, in particular for information that is specifically aimed at children. The information must be provided in writing, or in some other form, including, where appropriate, in electronic form. If the data subject requests it, the information may be provided orally, provided that the identity of the data subject has been proven in other ways.

Article 13 of the Data Protection Regulation stipulates the information to be provided if the personal data is collected from the data subject. Article 13 (1) states that if personal data concerning a data subject is collected from the data subject, the data controller shall, when the personal data is obtained, provide the data subject with the information set out in Article 13 (1) (a) to (f). It follows from Article 13 (2) that the data controller, when collecting the personal data, shall, in addition to the information referred to in paragraph 1, provide the data subject with additional information in accordance with 13.2 a-f, which is required to ensure fair and transparent processing. According to Article 13 (3), the data controller shall in addition, if he intends to process personal data for a purpose other than that for which they were collected, provide the data subject, before that further processing, with information about this second purpose as well as additional relevant information pursuant to paragraph 2. Article 13 (4) states that paragraphs 1, 2 and 3 shall not apply if and to the extent that the data subject already has the information.


It follows from recital 39 that any processing of personal data must be lawful and fair. It should be clear to natural persons how personal data concerning them is collected, used, consulted or otherwise processed and to what extent the personal data is processed or will be processed. The principle of openness requires that all information and communication in connection with the processing of this personal data is easily accessible and easy to understand and that clear language is used. This principle applies above all to the information to data subjects about the identity of the data controller and the purpose of the processing, as well as additional information to ensure fair and open processing for the natural persons concerned and their right to receive confirmation and notification of which personal data concerning them is processed. Natural persons should be made aware of risks, rules, protective measures and rights in connection with the processing of personal data and how they can exercise their rights with respect to the processing.


Recital 60 states that the principles of fair and transparent processing require that data subjects are informed that processing is taking place and of its purpose. The data controller should provide the data subject with all additional information required to ensure fair and transparent processing, taking into account the specific circumstances and context of the personal data processing. In addition, the data subject should be informed of the existence of profiling and of the consequences of such profiling. If the personal data is collected from the data subject, he or she should also be informed whether he or she is obliged to provide the personal data and of the consequences if he or she does not provide them. This information may be provided in combination with standardized symbols to provide a clear, comprehensible, easy-to-read and meaningful overview of the planned processing. If such symbols are displayed electronically, they should be machine-readable.

It follows from recital 61, inter alia, that information on the processing of personal data concerning the data subject should be provided to him or her at the time the personal data is collected from the data subject or, if the personal data is obtained directly from another source, within a reasonable period, depending on the circumstances of the case. If personal data can be legitimately disclosed to another recipient, the data subjects should be informed the first time the personal data is disclosed to this recipient.

As regards the concept of profiling, this is defined in Article 4 (4) as any form of automatic processing of personal data consisting of the use of that personal data to assess certain personal characteristics of a natural person, in particular to analyze or predict this natural person's work performance, financial situation, health, personal preferences, interests, reliability, behavior, whereabouts or movements.


Article 22 regulates automated individual decision-making, including profiling. The provision states that the data subject shall have the right not to be the subject of a decision based solely on automated processing, including profiling, which has legal consequences for him or her or similarly significantly affects him or her. Examples of such decisions are given in recital 71, among others the automated rejection of an online credit application. Exceptions to this prohibition apply if the decision is necessary for the conclusion or performance of an agreement between the data subject and the data controller, if such decisions are permitted under Union law or the national law of a Member State to which the controller is subject and which lays down appropriate measures to protect the data subject's rights, freedoms and legitimate interests, or if the decision is based on the express consent of the data subject. If an exception may be made in connection with an agreement or due to consent, the data controller shall implement appropriate measures to safeguard the data subject's rights, freedoms and legitimate interests, at least the right to personal contact with the data controller in order to be able to express his or her opinion and contest the decision.


Finally, the former so-called Article 29 Working Party has developed guidelines partly on openness, WP260 rev.01 (WP260), and partly on automated individual decision-making and profiling, WP251 rev.01 (WP251), which are described in relevant parts under the IMY assessments below. The European Data Protection Board, EDPB, has endorsed these guidelines. Initially, however, the following can be highlighted. The Article 29 Working Party emphasizes in WP260 that transparency is an overarching obligation under the Data Protection Regulation which applies to three key areas: (i) how data subjects are informed about fair processing; (ii) how data controllers communicate with data subjects in relation to their rights under the Data Protection Regulation; and (iii) how data controllers facilitate the exercise by data subjects of their rights. Openness is also an expression of the principle of fairness in the processing of personal data set out in Article 8 of the EU Charter on fundamental rights.


Article 12 stipulates the form of information provided to the data subject, namely a concise, clear and distinct, comprehensible and easily accessible form, using clear and distinct language, in particular for information specifically aimed at children. The information shall be provided in writing, or in some other form, including, where appropriate, in electronic form. If the data subject requests it, the information may be provided orally, provided that the identity of the data subject has been proven in other ways.

Article 13 of the Data Protection Regulation sets requirements for what information the data controller must provide to the data subject if the personal data is collected from the data subject, and for when the information is to be provided, namely when the personal data is obtained from the data subject.


However, neither Article 12 nor 13 regulates in detail the form or location of the information provided to the data subject. WP260 states that the information should be published in, for example, a data protection information made available on the website of the data controller. Furthermore, it appears that each page of the website should have a clearly visible direct link to the data protection information, which should have been given an appropriate heading (eg "Privacy", "Privacy Policy" or "Data protection message"). The Article 29 Working Party therefore recommends a best practice which means that a link to the data protection information is provided, or that such information is provided on the same page as that on which the personal data is obtained, when personal data is collected online. Furthermore, the Article 29 Working Party considers that a layered data protection information should be used if the data controller has a website, so that visitors to the website can navigate to the specific parts of the data protection information that are of greatest interest to them. All the information addressed to the data subjects should, however, also be available to them in one and the same place or in one complete document (in digital or paper format), which data subjects can easily access if they want to read all the information addressed to them.


                                The following also appears from the above-mentioned guideline, pp. 7-9:

                                “The requirement that information provided or communicated to the data subjects shall
                                be in a "concise, clear and distinct" form means that data controllers should
                                present the information / communication in an effective and concise way to avoid
                                information fatigue. The information should be clearly distinguished from other information that
                                does not relate to privacy, such as contractual terms or general terms of use. In
                                Internet contexts, layered privacy policies / privacy notices can make it
                                possible for the data subjects to go directly to the particular part of
                                the privacy policy / privacy statement they want to read, instead of scrolling through
                                large amounts of text to find the part in question.

                                The requirement that the information must be "comprehensible" means that it should be understandable by an
                                average member of the intended target group. Comprehensibility is closely linked to
                                the requirement of clear and distinct language. A data controller will have knowledge
                                about the persons about whom they collect information and can use it to
                                determine what would probably be understandable to the target group […]

                               An important aspect of the principle of transparency described in these provisions is that the
                               data subjects should be able to determine in advance the purpose and consequences of the
                               processing, and that it should not come as a surprise to them at a later
                               stage how their personal data has been used. This is also an important aspect of
                               the principle of fairness under Article 5 (1) of the Data Protection Regulation, and there is in fact a
                               link to recital 39, which states that natural persons “should be made aware of risks,
                               rules, safeguards and rights in connection with the processing of
                               personal data”. In the case of complex, technical or unexpected data processing
                               in particular, the Article 29 Working Party considers that data controllers should not only
                               provide the information set out in Articles 13 and 14 (which are
                               dealt with later in these guidelines), but should also specify, in a separate section and
                               in unambiguous language, the most significant consequences of the processing, in
                               other words how the particular processing described in a privacy policy / a
                               privacy notice will actually affect the data subjects. In line with
                               the principle of accountability and recital 39, the data controllers should assess whether
                               there are particular risks for natural persons whose personal data are processed in
                               such a way that the data subjects should be made aware of them. In that way, one can get
                               an overview of the types of processing that could have the greatest impact on the
                               data subjects' fundamental rights and freedoms with regard to the protection of their
                               personal data.


                               "Easily accessible" means that the data subjects should not have to look for the information;
                               it should be immediately clear to them where and how they can access the information,
                               for example by giving the information directly to the data subjects or linking them to it, by
                               clear guidance or in response to a question from a natural person (e.g. in a
                               layered privacy policy / privacy statement online, in "Frequently asked questions", via
                               contextual pop-ups that are activated when the data subjects fill in an
                               online form, or in an interactive digital context via a chatbot interface, etc.) [...]


                               The requirement for clear and distinct language means that the information should be provided in as simple a way
                               as possible and that complicated sentences and language structures should be avoided.
                               The information should be concrete and accurate, and it should not be abstract or ambiguous
                               or open to different interpretations. Above all, the purposes of and legal bases
                               for the processing of personal data should be clear. "


                               In the following, the IMY assesses whether the requirements for transparency and information are met in various
                               respects by Klarna's Data Protection Information as it was designed during the period 17
                               March to 26 June 2020.


                               2.2 IMY's assessment of whether Klarna's Data Protection Information
                               meets the requirements of Articles 5 (1) (a), 5 (2), 12, 13 and 14 of
                               the Data Protection Regulation


                               2.2.1 IMY's assessment of Klarna's information pursuant to Article 13 (1) (c)



                               Pursuant to Article 13 (1) (c) of the Data Protection Regulation, information must be provided on the purposes
                               of the processing for which the personal data is intended as well as the legal
                               basis for the processing.







                               Klarna's Data Protection Information

                               Section 2 of Klarna's Data Protection Information is entitled “What personal data
                               do we use?”. Section 2.2 is entitled "Information we collect about you", and its
                               introductory paragraph reads “Depending on which Services you choose to use, we may
                               collect the following information about you, either from you yourself or through third parties
                               (for example, credit bureaus, anti-fraud agencies, shops or
                               public databases)”. This is followed by an enumeration of the information that "may"
                               be involved. The last point in the list reads “Service-specific
                               personal data - within the framework of some of our Services, we may collect and process
                               additional personal data not covered by the categories above. See Section 4 below
                               to find out what these additional personal data are for each Service.”.


                               Section 3 of the Data Protection Information is entitled “What personal data do we process,
                               for what purpose, and on what legal basis?", and the introductory paragraph
                               states “Depending on which Services you use, Klarna may process your
                               personal data for the purposes listed below, based on the legal bases
                               set out for each purpose. You can see more specific information about how your
                               personal data is processed in some of our Services in Section 4 below.”. This is followed by
                               a table with three columns, where the first column indicates the purpose of the processing,
                               the second column the personal data processed and the third column the legal
                               basis for the processing.


                               Section 4 of the Data Protection Information is entitled “Specific
                               processing of personal data in some of Klarna's Services”, and the introductory paragraph
                               reads “This section describes certain processing of your personal data that is
                               specific to a particular Service. To get more information about our Services and their
                               functionality, see the terms of use for each Service.”.


                               IMY's assessment


                               IMY notes that Section 4 of the Data Protection Information, as regards the service “My
                               Finance”, lacks clear information about the purposes of the processing for which
                               the personal data are intended as well as the legal basis for the processing, in violation
                               of the requirement of Article 13 (1) (c) of the Data Protection Regulation. The service "My Finance" is mentioned in
                               Section 4.4 of the Data Protection Information, which is entitled “Klarna's
                               user experience provided in accordance with Klarna's Terms of Use”. Under
                               the subheading “Klarna app” it states that “If you use the Klarna app,
                               personal data will be processed in order to provide the Services you choose to use
                               inside the App, such as: […]”, followed by a bulleted list of different services.
                               One of these services is the "My Finances" service:


                               “Your affiliated bank accounts (My Finance Service): Through this Service you get
                               an overview of your entire finances, not just your transactions with Klarna,
                               but also across connected accounts. When you choose to use this Service, Klarna
                               will process information about the bank accounts and other accounts (such as
                               card accounts) you choose to connect, and collect information such as account number, bank,
                               historical transactions from connected accounts, as well as balances and assets. Based on
                               that information, Klarna will visualize and give you tools to control your
                               finances, using offers tailored to your specific situation (which
                               may involve profiling as described in Section 6). This is done by comparing your
                               expenses with expenses from other users of the Service. Based on the comparison, we can,
                               together with our partners, offer ways to minimize your fixed and
                               variable costs."


                                There is no information regarding the legal basis on which
                                the processing of personal data for the service "My Finances" takes place. In addition,
                                it is not clear from the information contained in the enumeration in Section
                                4.4 of the Data Protection Information above which specific personal data is processed
                                within the framework of the service, or the specific purposes of the processing for which
                                the personal data is intended. IMY further notes that the service "My Finance" is not
                                mentioned in Klarna's terms of use, which are publicly available on Klarna's
                                Swedish website, see Appendix 2 (Klarna's terms of use updated on 2 April
                                2020). Nor are any separate terms or separate data protection information regarding the service
                                publicly available on Klarna's Swedish website. This is despite the fact that
                                Klarna, on page 9 of its first statement to IMY, dated 26 April 2019, stated that
                                the "My Finances" service is an account information service that is available in the Klarna app
                                after acceptance of "Klarna's Terms of Use" and that the consumer also
                                accepts "special terms" for the service.


                                The special conditions, "Terms of service for the My Finance service", can be read by the
                                consumer when the service is accepted. Regarding information about personal data processing
                                under the Data Protection Regulation, the special conditions only refer back to
                                the Data Protection Information. The additional information that, according to Section 4 of the
                                Data Protection Information, is to appear in the special conditions is thus missing.


                                IMY considers that the information that Klarna provides about the purposes of the processing
                                and the legal basis for the processing does not meet the requirements of Article 13 (1) (c) of
                                the Data Protection Regulation. The information is neither concise, clear and distinct nor
                                easily accessible. It therefore does not meet the requirements of Article 12 (1).


                                The IMY considers that the infringement of Article 13 (1) (c) of the Data Protection Regulation,
                                taking into account also the other infringements of Articles 13 and 14 set out in
                                this decision, is so serious that it also infringes Articles 5 (1) (a)
                                and 5 (2).


                                IMY therefore finds that Klarna violates Articles 5 (1) (a), 5 (2), 12 (1) and 13 (1) (c) of
                                the Data Protection Regulation.


                                2.2.2. IMY's assessment of Klarna's information pursuant to Article 13 (1) (e)



                                Pursuant to Article 13 (1) (e), information shall be provided on the recipients or categories of

                                recipients who are to access the personal data, where applicable.


                                Klarna's Data Protection Information

                                In Section 7 of the Data Protection Information, Klarna informs about which parties the
                                data subjects' personal data may be shared with. Section 7.4 describes
                                how information is shared with credit reporting companies. Paragraph one states the following:


                                7.4 Credit Information Agencies


                                If you are applying to use a Service that involves providing credit (see Section
                                4.1 above regarding which Services include credit), your personal data may
                                be shared with credit bureaus, for the following purposes: To assess your
                                creditworthiness in connection with your application for one of Klarna's payment methods, to
                                confirm your identity and contact information, as well as to protect you and other customers from
                                fraud. Your phone number and address may also be shared with
                                credit bureaus to enable them to send you a notification that a
                                credit report has been performed on you. Depending on the rules of the country where you live,
                                a physical letter with information that a credit report has been made on you will be sent to you,
                                or the letter is sent electronically. Your payment behavior may be
                                reported back to the credit bureaus by Klarna, which may
                                affect your future credit rating. When a credit bureau receives an inquiry for
                                credit information from us, they may place a listing on your profile, which may be
                                seen by other companies providing credit. Credit bureaus may
                                share your information with other organizations. You can see the credit bureaus we
                                collaborate with in Sweden here.


                               On pages 21-22 of its second statement to IMY, dated 27 September
                               2019, Klarna specified the meaning of the information.


                               Klarna states, regarding information relating to identification, that which information is shared
                               with credit reporting companies for the purposes set out in paragraph one varies depending on
                               whether the consumer is shopping in a country that has social security numbers or not. In countries where
                               social security numbers are available, Klarna shares only the consumer's social security number with
                               credit reporting companies for the purposes requested (identification). Klarna does not have to
                               share personal information such as address and phone number with credit reporting companies in
                               Sweden to identify the data subject. In countries where social security numbers do not exist,
                               Klarna usually needs to share the consumer's name, address, date of birth and
                               telephone numbers with credit reporting companies for the specified purposes.


                               With regard to the disclosure of information about the data subject's payment behavior, Klarna
                               states that information about payment behavior is not reported to Swedish
                               credit reporting companies. Whether, and to what extent, Klarna reports
                               payment behavior back to credit reporting companies in other countries where Klarna offers
                               its services varies depending on each country's legislation and the agreement that Klarna
                               has with the respective credit information company.

                               IMY's assessment


                               IMY notes that the information in the Data Protection Information refers to the disclosure of
                               personal data to both Swedish and foreign credit information companies. Which type
                               of information is provided to Swedish and foreign
                               credit reporting companies respectively is not stated.


                               IMY considers that the information that Klarna provides about how information is shared with
                               credit reporting companies does not meet the requirement of transparency. The information is
                               incomplete and does not explain what information is provided to Swedish and
                               foreign credit reporting companies respectively. The data subject may, among other things, be led to believe that
                               information on payment behavior at Klarna is disclosed to, and registered by, Swedish
                               credit reporting companies. This is directly misleading.


                               IMY considers that the information that Klarna provides about the categories of recipients that
                               are to have access to the personal data does not meet the requirements of Article 13 (1) (e) of
                               the Data Protection Regulation. The information is neither concise, clear and distinct nor
                               easily accessible. It therefore does not meet the requirements of Article 12 (1).







                                The IMY considers that the infringement of Article 13 (1) (e) of the Data Protection Regulation,
                                taking into account also the other infringements of Articles 13 and 14 set out in
                                this decision, is so serious that it also constitutes a breach of Articles 5 (1) (a) and 5 (2).


                                IMY therefore finds that Klarna violates Articles 5 (1) (a), 5 (2), 12 (1) and 13 (1) (e) of
                                the Data Protection Regulation.

                                2.2.3. IMY's assessment of Klarna's information pursuant to Article 13 (1) (f)




                                According to Article 13 (1) (f), information must be provided that the data controller intends
                                to transfer personal data to a third country or an international organization, and
                                whether or not a decision by the Commission on an adequate level of protection exists
                                or, in the case of the transfers referred to in Article 46, 47 or the second subparagraph of
                                Article 49 (1), reference to the appropriate or suitable safeguards and how a copy of
                                them can be obtained or where they have been made available.

                                Klarna's Data Protection Information


                                Section 8 of the Data Protection Information is entitled “Where do we process your
                                personal data?” and states the following:

                                “We always strive to process your personal data within the EU / EEA. In some
                                situations, such as when we share your information within the Klarna Group or with a
                                supplier or subcontractor with operations outside the EU / EEA, your
                                personal data may, however, be processed outside the EU / EEA. If the store you shop
                                at is outside the EU / EEA, our sharing with the store will also mean that your
                                data are transferred outside the EU / EEA.


                                We ensure that an adequate level of protection exists, and that appropriate
                                safeguards are taken in accordance with applicable data protection requirements, such as the GDPR,
                                when we transfer your data outside the EU / EEA. These safeguards consist of ensuring
                                that the third country to which the data is transferred is the subject of a decision by
                                the Commission that there is an adequate level of protection, that the European Commission's
                                standard clauses have been entered into between Klarna and the recipient, or that the recipient is
                                registered under the so-called US Privacy Shield procedure. "


                                IMY's assessment


                                In the comments of the Article 29 Working Party on the information requirement in the Guidelines on
                                transparency, pages 39-40 of WP260, the following is stated regarding Article 13 (1) (f):


                                "Information should be provided on the relevant article of the Data Protection Regulation for the transfer and
                                the associated mechanism (e.g. decision on adequate level of protection under Article 45 / binding
                                corporate rules in accordance with Article 47 / standard data protection clauses
                                pursuant to Article 46 (2) / derogations and safeguards pursuant to Article 49, etc.). Furthermore,
                                information should be provided on where and how to access or obtain the document in question,
                                for example by linking to the mechanism used. According to the principle of fairness, the
                                information provided on transfers to third countries should be as meaningful as possible to
                                the data subjects. This generally means that the names of the third countries must be indicated. "


                                IMY notes that Klarna's Data Protection Information lacks information on where and how
                                the individual can access or receive documents regarding the safeguards for the
                                transfer as described in the Data Protection Information. Furthermore, information is lacking on the
                                countries outside the EU / EEA to which personal data are transferred, in accordance with the Article 29
                                Working Party's recommendation above.


                               IMY considers that the information that Klarna provides on whether the data controller
                               intends to transfer personal data to a third country, and on whether or not a decision of
                               the Commission on an adequate level of protection exists or, in the case of
                               transfers referred to in Article 46, 47 or the second subparagraph of Article 49 (1), on the
                               appropriate or suitable safeguards and how a copy of them can be obtained or where
                               they have been made available, does not meet the requirements of Article 13 (1) (e) of
                               the Data Protection Regulation. The information is neither concise, clear and distinct nor
                               easily accessible. It therefore does not meet the requirements of Article 12 (1).


                               The IMY considers that the infringement of Article 13 (1) (f) of the Data Protection Regulation, taking into
                               account also the other infringements of Articles 13 and 14 set out in this
                               decision, is so serious that it also infringes Articles 5 (1) (a) and
                               5 (2).

                               IMY therefore finds that Klarna violates Articles 5 (1) (a), 5 (2), 12 (1) and 13 (1) (f) of
                               the Data Protection Regulation.


                               2.2.4. IMY's assessment of Klarna's information pursuant to Article 13 (2) (a)



                               According to Article 13 (2) (a), information shall be provided on the period during which
                               personal data will be stored or, if this is not possible, the criteria
                               used to determine this period.


                               Klarna's Data Protection Information


                               Section 9 of the Data Protection Information is entitled “How long do we save your
                               personal data?” and states the following:


                               “We will process your personal data for the period of time needed to
                               fulfil the respective purpose of our processing. These purposes are presented in this
                               Data Protection Information. This means that when we stop processing your personal data
                               for a specific purpose, we may still retain the data for as long as
                               the data are needed for other purposes, but then only for processing in accordance with the
                               remaining purposes. In particular:

                                     As long as you have accepted Klarna's Terms of Use and until you have terminated
                                        these (by contacting us or by instructing us to remove
                                        your personal data through a request to be deleted) we will
                                        process the personal data we need to provide our Services
                                        to you, which includes information about your previous purchases.

                                     We process personal data in credit information for the purpose of reassessing
                                        your creditworthiness for up to 90 days from when
                                        the credit report was taken.

                                     We process information about debts for the purpose of assessing your
                                        creditworthiness for a period of three (3) years after the debt has been settled -
                                        which takes place either through payment of the debt or through the debt being written
                                        off or sold.






                                    We process recorded telephone calls to Klarna's customer service for up to 90
                                        days from the day of recording.

                                    We process personal data for the purpose of complying with applicable
                                        legislation, such as consumer law, banking and

                                        money laundering legislation, and accounting rules. Depending on which
                                        applicable law, your personal data may be stored in

                                        up to ten years after the termination of the customer relationship. "



                               IMY's assessment


                               The Article 29 Working Party's comments on the information requirement in the Guidelines on
                               transparency, WP260 (page 40), state the following regarding Article 13 (2) (a):

                               "This is related to the requirement of data minimization in Article 5 (1) (c) and of
                               storage limitation in Article 5 (1) (e). The storage period (or the criteria used to
                               determine it) may be governed by factors such as statutory requirements or industry
                               guidelines, but it should be stated in such a way that the data subject, based on his or her own
                               situation, can assess the storage period for specific data / purposes. It is not enough that
                               the personal data controller generally states that the personal data is retained for as long as
                               necessary for the legitimate purposes of the processing. Where relevant,
                               different storage periods should be specified for different categories of personal data and / or different
                               processing purposes, including archiving periods where appropriate."


                               Klarna has, on page 13 of its first statement to IMY, dated April 26, 2019, stated
                               that the purposes for which each category of personal data is processed, with the
                               applicable storage period, are reported in an appendix that has been submitted to IMY. The appendix consists of
                               a table with three columns, where the left column shows the purposes of
                               the processing based on the description (at that time) in
                               the Data Protection Information, the middle column reports the time for which Klarna
                               processes the category of personal data in question for the purpose in question, i.e. the
                               storage period, and the right-hand column contains comments on whether
                               special conditions apply to the processing for more specific purposes or more specific
                               personal data. It appears from this that Klarna processes and stores
                               personal data for more purposes than what appears from Section 9 of Klarna's
                               Data Protection Information. It appears, among other things, that personal data is processed and
                               stored for research purposes for two years.


                               Furthermore, Klarna has, on pages 13-14 of the above-mentioned statement, stated that, in addition to
                               the purposes set out in the said appendix, Klarna processes personal data
                               within the framework of Klarna's customer service as follows:

                                     “• Incoming telephone calls are recorded for quality and security reasons.
                                        The recordings are saved for this purpose for 3 months, after which they are deleted.
                                      • Incoming and outgoing e-mails are retained for 7 years from
                                        the time the message was received or sent.
                                      • Information that an individual consumer has chosen to block himself from using
                                        Klarna's credit products is saved to handle the block until
                                        the consumer himself announces that he wishes to lift the block (i.e.
                                        as a starting point for the time being).
                                      • Notes relating to a dispute or other types of disputes are kept for
                                        10 years from the time of closing the case. The reason for this is that a
                                        consumer may at a later stage contact Klarna in the same
                                        or similar matters. The time period is based on the limitation period
                                        according to the statute of limitations (1981:130).
                                      • Notes of other kinds than above are preserved for 5 years from the time of
                                        the registration, i.e. from the time the note was made. The reason for this is that a
                                        consumer may at a later stage contact Klarna in the same
                                        or similar matters.”




                               Of these purposes and retention periods, only the information on the retention of
                               incoming phone calls for quality and safety reasons for three months is found
                               in Section 9 of Klarna's Data Protection Information.

                               In light of the above, IMY considers that the information in Klarna's
                               Data Protection Information does not comply with the requirement of Article 13 (2) (a) of the Data Protection Regulation
                               that information must be provided about the period during which the personal data will
                               be stored or the criteria used to determine this period, since Klarna's
                               statement and appendix mentioned above clearly show that Klarna processes personal data
                               for more purposes and has more detailed storage periods, and in addition criteria
                               used to determine these periods, which are not set out in Section 9 of
                               the Data Protection Information.

                               IMY considers that the information that Klarna provides about the period during which
                               personal data will be stored or, if this is not possible, the criteria
                               used to determine this period does not meet the requirements of Article 13 (2) (a).
                               The information is not concise, clear and distinct, nor is it easily accessible. It thus
                               does not meet the requirements of Article 12 (1).

                               IMY considers that the infringement of Article 13 (2) (a) of the Data Protection Regulation,
                               taking into account also the other infringements of Articles 13 and 14 set out in
                               this decision, is so serious that it also infringes Articles 5 (1) (a) and 5 (2).

                               IMY therefore finds that Klarna violates Articles 5 (1) (a), 5 (2), 12 (1) and 13 (2) (a) of
                               the Data Protection Regulation.


                               2.2.5. IMY's assessment of Klarna's information pursuant to Article 13 (2) (b)



                               Pursuant to Article 13 (2) (b), information shall be provided that there is a right to
                               request from the personal data controller access to and correction or deletion of
                               personal data or restriction of processing concerning the data subject, or to
                               object to processing, and the right to data portability.


                               It follows from the Article 29 Working Party's Guidelines on Transparency WP260 (pp. 27-28) that
                               transparency entails three obligations for the personal data controller regarding
                               data subjects' rights:

                               "• To inform data subjects of their rights (in accordance with the requirements of Articles 13 (2) (b)
                               and 14 (2) (c)).

                               • To observe the principle of transparency (i.e. in terms of the quality of communication according to Article
                               12 (1)) in communicating with data subjects about their rights under Articles 15 to
                               22 and Article 34.

                               • To facilitate the exercise of data subjects' rights in accordance with Articles 15 to
                               22.

                               The requirements of the Data Protection Regulation regarding the exercise of these rights and the
                               type of information required are intended to give the data subjects a significant opportunity
                               to assert their rights and hold the personal data controllers accountable for
                               the processing of their personal data. Recital 59 emphasizes that procedures should be provided
                               'which make it easier for data subjects to exercise their rights' and that
                               personal data controllers should also 'provide aids for electronically submitted
                               requests, especially in cases where personal data are processed electronically'. The procedure
                               which a personal data controller establishes for the data subjects to be able to exercise their
                               rights should be appropriate to the scope and type of the relationship and the
                               interaction that exists between the personal data controller and the data subject. A
                               personal data controller may therefore wish to establish one or more different procedures for
                               the exercise of rights which reflect the different ways in which data subjects
                               interact with the personal data controller."


                                 In addition, the Article 29 Working Party makes the following comments on the information requirement in
                                 Guideline WP260 (pp. 40-41), concerning Article 13 (2) (b):

                                 "This information should be specific to the processing in question and include a
                                 summary of what the right entails, how the data subject can proceed to
                                 exercise it and the limitations to which the right may be subject (see paragraph 68
                                 above). In particular, the right to object to processing must be expressly brought to the attention of the
                                 data subject at the latest at the first communication with the data subject and
                                 be presented clearly and separately from any other information. […]"


                                 IMY notes that there is a special section in the Data Protection Information, Section 10,
                                 entitled "Your rights in relation to your personal data", which in turn
                                 to some extent refers to other sections of the Data Protection Information. However, IMY considers that
                                 the Data Protection Information provides incomplete information regarding the data subjects'
                                 rights, in violation of Article 13 (2) (b) of the Data Protection Regulation, as follows.


                                 The right to delete


                                 Regarding the right to deletion (Article 17), Section 10 of the Data Protection Information states:
                                 “The right to be deleted. You have the right to request deletion of your personal data, for
                                 example when it is no longer necessary to process the data for the purpose for which they
                                 were collected, or if you withdraw your consent. As described in Sections 3 and 9
                                 above, however, Klarna needs to follow certain laws that prevent us from immediately deleting
                                 certain information.”


                                 IMY considers that this wording does not summarize the meaning of the right in a transparent
                                 way. According to Article 17 of the Data Protection Regulation, the data subject has the right to have his or her
                                 personal data deleted by the personal data controller, which, however, is not an
                                 absolute right. On the one hand, the article enumerates the cases in which
                                 the personal data controller is obliged to delete personal data without undue
                                 delay, and on the other hand there are certain exceptions to this obligation for necessary
                                 processing in some cases. It is not clear how this right relates to the right to
                                 object in accordance with Article 21. The way the information regarding this right is worded in
                                 the Data Protection Information gives a picture that is difficult to understand
                                 of what the right entails and in which cases it applies. The fact that it refers to the general
                                 Sections 3 and 9 of the Data Protection Information makes it even less clear. IMY assesses
                                 that the infringement of Article 13 (2) (b) with regard to the requirement to provide information on the right to
                                 deletion, taking into account also the other infringements of Articles 13 and 14 which
                                 are apparent from this decision, is so serious that it also constitutes a breach of
                                 Articles 5 (1) (a) and 5 (2). IMY further considers that Klarna also does not meet the requirements for complete
                                 and clear information as set out in Article 12 (1).

                                 IMY therefore considers that the information in this part of the Data Protection Information does not
                                 comply with the requirement of transparency, in particular in the light of the above statements in the guidelines
                                 on transparency, and thus finds that Klarna violates Articles 5 (1) (a), 5 (2), 12 (1)
                                 and 13 (2) (b) of the Data Protection Regulation.


                                The right to restriction

                                Regarding the right to restriction (Article 18), IMY finds that
                                information about this right is missing from the Data Protection Information. Section 10 of
                                the Data Protection Information does, however, contain the following information: “Right to oppose the
                                processing of your personal data or object to our processing. If you
                                consider that your personal data is incorrect or has been processed in violation of applicable law,
                                you have the right to ask us to stop the processing. You can also object to our
                                processing when you consider that there are circumstances which mean that the processing is not
                                carried out in accordance with applicable rules. Furthermore, you can always object to us using
                                your information for marketing.”


                                IMY considers that the information provided is both incorrect and incomplete in relation
                                to how the right is set out in Article 18 of the Data Protection Regulation. It thus does not
                                summarize the right in a way that enables the data subjects to understand what
                                it means. This in turn makes it difficult for data subjects to exercise their rights.
                                In addition to the information being incomplete, it also brings in the right to object to
                                certain processing (marketing), without further developing what this right entails
                                or in which situations it may be invoked (cf. Article 18 (1) (d) and
                                the reference to Article 21 (1)). IMY considers that the infringement of Article 13 (2) (b) with
                                regard to the requirement for information on the right to restriction, taking into account also
                                the other infringements of Articles 13 and 14 set out in this decision, is so
                                serious that it also infringes Articles 5 (1) (a) and 5 (2). IMY considers
                                further that Klarna also does not meet the requirements for clear and distinct information set out
                                in Article 12 (1).

                                IMY therefore considers that the information on the right to restriction does not comply with the requirement
                                of transparency, in particular in the light of the statements made by the Article 29 Working Party above, and
                                thus finds that Klarna violates Articles 5 (1) (a), 5 (2), 12 (1) and 13 (2) (b) of
                                the Data Protection Regulation.


                                The right to data portability


                                Regarding the right to data portability (Article 20), Section 10 of the
                                Data Protection Information states: “Right to access your data. You can request a copy of
                                your personal information if you want to know what information we have about you. This copy can
                                also be transmitted in a machine-readable format (so-called “data portability”).”







                                IMY does not consider that information about the right has been provided in a transparent manner, partly
                                because it has been included under the right of access even though data portability is a separate right
                                under Article 20 of the Data Protection Regulation, and partly because it has not been summarized in a
                                clear way that enables the data subjects to understand what the right entails.
                                According to Article 20, the right means that the data subject is entitled to receive the
                                personal data relating to him or her in a structured, widely used and
                                machine-readable format, and has the right to transfer these to another
                                personal data controller under certain conditions. IMY assesses that the infringement of
                                Article 13 (2) (b) as regards the requirement for information on the right to data portability,
                                taking into account also the other infringements of Articles 13 and 14 set out in
                                this decision, is so serious that it also infringes Articles 5 (1) (a)
                                and 5 (2). IMY further considers that Klarna also does not meet the requirements for clear and distinct
                                information provided for in Article 12 (1).

                                IMY therefore considers that the information regarding the right to data portability does not
                                comply with the requirement of transparency, in particular in the light of the Article 29 Working Party's
                                statements above, and finds that Klarna violates Articles 5 (1) (a), 5 (2), 12 (1) and
                                13 (2) (b) of the Data Protection Regulation.


                                The right to object


                                With regard to the right to object (Article 21), IMY finds that
                                complete information about this right is missing from the Data Protection Information. Section 10 of
                                the Data Protection Information contains the following information, included in the above-mentioned
                                information on “Right to oppose the processing of your personal data or
                                object to our processing”: “You can also object to our processing when you
                                consider that there are circumstances which mean that the processing is not carried out in accordance with
                                applicable rules.” The following information is also available in Section 10 of the
                                Data Protection Information: “Right to object to an automated decision. You have the right
                                to object to an automated decision made by Klarna if this decision entails
                                legal consequences or constitutes a decision which in a similar way significantly affects
                                you. See Section 6 above on how Klarna uses this form of automated decision.”

                                In addition, the following information is available in Section 3 of the Data Protection Information,
                                concerning the processing of personal data for the purpose of performing
                                customer satisfaction surveys about Klarna's services: “You can object to this at any
                                time. You will also receive information on how to unsubscribe from this each
                                time you are contacted for this purpose.” The following information is also available in Section 6,
                                regarding Klarna's profiling and automated decision-making: “Predict which
                                marketing may be of interest to you. You can always object to this and
                                unsubscribe from marketing and this profiling, by contacting us.
                                For more information about our processing of personal data to provide
                                marketing, see Section 3 above;”, and “You always have the right to object to an
                                automated decision with legal consequences or decisions that similarly significantly
                                affect you (along with the related profiling) by
                                contacting us at the e-mail address in Section 13. An employee at Klarna will in
                                such cases look at your case.”


                                Under Article 21, the data subject has the right to object in several different situations.
                                It follows from Article 21 (1) that the data subject has the right to object at any time
                                to the processing of personal data relating to him or her which is based on
                                Article 6 (1) (e) (public interest) or (f) (legitimate interest / balancing of interests), including
                                profiling based on these provisions. The personal data controller may
                                then no longer process the personal data, unless it can demonstrate compelling
                                legitimate grounds for the processing which outweigh the interests,
                                rights and freedoms of the data subject, or the processing is for the establishment, exercise or defense of
                                legal claims.


                                IMY finds that the Data Protection Information in its entirety lacks information about the right
                                to object to the processing of personal data based on Article
                                6 (1) (f) of the Data Protection Regulation, including profiling based on that
                                provision, despite the fact that Klarna, for several different processing operations described in
                                Section 3 of the Data Protection Information, states that this is one of the legal bases
                                applied and that profiling takes place. The profiling is described in more detail in Section 6 of
                                the Data Protection Information, but even there there is no information about the right to object
                                pursuant to Article 21 (1). IMY considers that the infringement of Article 13 (2) (b) with regard to the requirement of
                                information on the right to object, taking into account also the other
                                infringements of Articles 13 and 14 set out in this decision, is so serious
                                that it also infringes Articles 5 (1) (a) and 5 (2). IMY further considers that
                                Klarna also does not meet the requirements for clear and unambiguous information set out in Article
                                12 (1).

                                IMY therefore considers that the information regarding the right to object in
                                the Data Protection Information does not comply with the requirement of transparency and thus finds
                                that Klarna violates Articles 5 (1) (a), 5 (2), 12 (1) and 13 (2) (b) of the Data Protection Regulation.


                                2.2.6. IMY's assessment of Klarna's information pursuant to Articles 13 (2) (f) and 14 (2) (g)



                                According to Articles 13 (2) (f) and 14 (2) (g), information shall be provided on the existence of
                                automated decision-making, including profiling in accordance with Article 22 (1) and (4), whereby,
                                at least in these cases, meaningful information about the logic behind it should be provided, as well as
                                the significance and the foreseeable consequences of such processing for the data subject.


                                Applicable regulation


                                The Article 29 Working Party's guidelines WP260 (pp. 22-23) state that information on
                                the existence of automated decision-making, including profiling, in accordance with Article 22 (1)
                                and 22 (4), as well as meaningful information about the logic behind it and the significance and
                                the foreseeable consequences of the processing for the data subject, form part of the
                                mandatory information that must be provided to the data subject in accordance with Articles 13 (2) (f)
                                and 14 (2) (g). The Article 29 Working Party has in the guidelines WP251 on automated
                                individual decision-making and profiling described how transparency should be applied specifically with
                                regard to profiling. WP251 (p. 10) emphasizes the following:

                                The profiling process is usually not visible to the data subject. The process works by
                                creating derived or inferred data about individuals. These are "new"
                                personal data that have not been provided directly by the data subjects. Individuals have different degrees
                                of understanding of how the process works and can have a hard time understanding the complex techniques
                                used in profiling and automated decision-making.


                                According to Article 12 (1), the controller shall provide the data subjects with
                                concise, clear and unambiguous, comprehensible and easily accessible information on the processing of
                                their personal data.

                                According to Article 22 (1), the data subject shall have the right not to be the subject of a decision which is
                                based solely on automated processing, including profiling, which has legal
                                consequences for him or her or similarly significantly affects him
                                or her. Such automated decision-making is only allowed if one of the
                                exceptions provided for in Article 22 (2) applies. The exceptions apply where the
                                decision-making is necessary for the conclusion or performance of an agreement between the
                                data subject and the personal data controller, or is permitted under Union law or the
                                national law of the Member State to which the controller is subject and which
                                lays down appropriate measures to protect the data subject's rights, freedoms and
                                legitimate interests, or is based on the express consent of the data subject.


                                The following is emphasized in WP251 (p. 17):

                                Given that transparency is the central principle behind the Data Protection Regulation,
                                personal data controllers must ensure that they explain in a clear and unambiguous manner to
                                individuals how profiling or automated decision-making works.

                                Especially if the processing involves decision-making based on profiling
                                (whether or not the processing is subject to the provisions of Article 22), it must be
                                made clear to the data subject that the processing concerns both a) profiling and b)
                                decision-making based on the profile created.

                                Recital 60 states that the provision of profiling information is part of
                                the transparency obligations of the controller pursuant to Article 5 (1) (a). The data subject
                                has the right to information from the personal data controller about "profiling", and in some
                                cases the right to object to "profiling", regardless of whether solely automated
                                individual decision-making based on profiling takes place.


                                The data subject's right to information under Articles 13 (2) (f) and 14 (2) (g) is dealt with in
                                WP251 (p. 26):


                                Given the potential risks to data subjects' rights and the conclusions which can be
                                deduced from the profiling covered by Article 22, personal data controllers should pay
                                special attention to their obligation to ensure transparency in processing. According to
                                Articles 13 (2) (f) and 14 (2) (g), personal data controllers shall provide readily
                                available information on automated decision-making based solely on automated processing,
                                including profiling, which has legal or similarly significant consequences. If the
                                personal data controller makes automated decisions under Article 22 (1), it must

                                     tell the data subject that they apply this method;

                                     provide meaningful information about the underlying logic; and

                                     explain the significance and the foreseen consequences of the processing.


                                The provision of this information also helps data controllers to
                                ensure that they comply with some of the mandatory safeguards set out in
                                Article 22 (3) and recital 71.


                                If the automated decision-making and profiling is not covered by the definition in
                                Article 22 (1), it is nevertheless good practice to provide the above information. In any
                                case, the controller must provide sufficient information to the data subject so that the
                                processing is considered fair and fulfills all other information requirements in
                                Articles 13 and 14.






                               …


                               The data controller should try to explain in a simple way the logic behind, or the criteria
                               for arriving at, the decision. The Data Protection Regulation requires the personal data
                               controller to provide meaningful information about the logic behind the processing, not
                               necessarily a complex explanation of the algorithms used or disclosure of the complete
                               algorithm. The information provided should, however, be comprehensive enough for the data
                               subject to understand the reasons for the decision.


                               Klarna's Data Protection Information

                               Section 6 of Klarna's Data Protection Information states the following:


                               Decisions with legal consequences or decisions that in a similar way significantly affect you

                               Automated decisions with legal consequences or automated decisions that in a similar way
                               significantly affect you mean that certain decisions in our Services are taken exclusively
                               automatically, without the involvement of our employees, and may have a significant effect
                               on you as a customer, comparable to legal consequences. By making such decisions
                               automatically, Klarna increases objectivity and transparency in decisions when we offer
                               these Services.


                               We use this type of automated decision-making when we:

                                    Decide to approve your application to use a Service that includes credit;

                                    Decide not to approve your application to use a Service that includes credit;

                                    Decide whether you pose a fraud or money laundering risk, if our processing shows
                                        that your behavior indicates money laundering or fraudulent behavior, that your
                                        behavior is not consistent with previous use of our Services, or that you have
                                        attempted to conceal your true identity. In relevant cases, Klarna also
                                        investigates whether specific customers are listed on sanction lists.

                               See Section 3 for more information on which categories of personal data are processed for
                               these purposes.

                               Section 3 of the Data Protection Information provides the following information regarding
                               credit assessment (purpose, categories of data, basis for personal data processing):

                               Purpose: Perform credit check before credit is granted (see Section 4.1 on Klarna's
                               Services that involve credit being provided and Section 7.4 on how we collaborate with
                               credit bureaus).

                               Categories of data: Contact and identification information, financial information and
                               information on interaction with Klarna.

                               Basis for personal data processing: Follow the law, when the credit in question is
                               regulated by law. For those cases where the credit is not regulated by law, perform the
                               processing to be able to fulfill the credit agreement.






                              In its reply to IMY on 26 April 2019, Klarna specified which categories of information are
                              processed in connection with automated decisions, including profiling for credit review
                              purposes:

                              Information collected from the consumer himself or generated by Klarna

                                    Personal and contact information (such as name, address, social security number /
                                       date of birth and e-mail address). Source: provided by the consumer when buying.

                                    Information about how the consumer has interacted with Klarna (for example
                                       outstanding debt, if the consumer has chosen to block himself from Klarna's
                                       services or has been suspended due to abuse). Source: The consumer's previous
                                       relationship with Klarna.

                                    Klarna's internal credit score (which is reported in answer 4 above).

                                    Confirmation from Klarna's internal fraud check (i.e. "yes", "no" or
                                       "Additional verification required"). Source: The consumer's previous relationship
                                       with Klarna, information provided by consumers at the time of purchase, or
                                       collected by Klarna in connection with these.



                              Data collected from external suppliers

                                    Personal and contact information (external verification of the consumer and his
                                       address, as well as external information about the owner of the telephone number
                                       provided). Source: External supplier.

                                    Financial information (external credit information, such as income, payment remarks
                                       or debt restructuring). Source: External supplier.

                                    Confirmation from Klarna's internal fraud check (i.e. "yes", "no" or
                                       "Additional verification required"). Source: External supplier.



                              IMY's assessment


                              IMY states that Klarna's Data Protection Information lacks meaningful information about the
                              logic behind, as well as the significance and the anticipated consequences of, such
                              processing for the data subject. The Data Protection Information only shows that certain
                              types of information are used in connection with the automated decision (contact and
                              identification information, financial information and information on interaction with
                              Klarna).

                              It is not clear that Klarna uses its own internal scoring model based, among other things,
                              on both internal and external financial information, or which types of information are
                              included in the financial information, for example information on debts with other lenders.
                              No information is given about what circumstances may be decisive for a negative credit
                              decision.


                              IMY believes that the requirement to provide meaningful information about the logic behind
                              an automated credit decision includes information about which categories of information are
                              decisive in the context of an internal scoring model and the possible existence of
                              conditions that always lead to a rejection decision within the framework of the decision
                              support that the personal data controller uses.






                               IMY does not consider that the information on automated credit decisions is provided in an
                               easily accessible way. The individual consumer should be provided with this type of
                               difficult-to-understand information in one context instead of spread across different
                               places in the Data Protection Information.

                               IMY believes that the information that Klarna provides about the existence of automated
                               decision-making, including profiling in accordance with Article 22 (1) and (4) of the Data
                               Protection Regulation, and, at least in these cases, meaningful information about the logic
                               behind it and the significance and the anticipated consequences of such processing for the
                               data subject, does not meet the requirements of Articles 13 (2) (f) and 14 (2) (g).

                               The information is not concise, clear and distinct, nor is it easily accessible. It thus
                               does not meet the requirements of Article 12 (1).


                               The IMY considers that the infringement of Articles 13 (2) (f) and 14 (2) (g), taking into
                               account the other infringements of Articles 13 and 14 set out in this Decision, is so
                               serious that it also infringes Articles 5 (1) (a) and 5 (2).

                               IMY therefore finds that Klarna violates Articles 5.1 a, 5.2, 12.1, 13.2 f and 14.2 g of
                               the Data Protection Regulation.



                               3 Choice of intervention


                               3.1 Legal regulation

                               In the event of violations of the Data Protection Regulation, the IMY has a number of
                               corrective powers, including reprimand, injunction and penalty fees. This follows from
                               Article 58 (2) (a) to (j) of the Data Protection Regulation.

                               IMY shall impose penalty fees in addition to or in lieu of other corrective actions
                               referred to in Article 58 (2), depending on the circumstances of each case.

                               If a personal data controller or a personal data processor, with respect to one and the
                               same or interconnected data processing, intentionally or by negligence violates several of
                               the provisions of this Regulation, the total amount of the administrative penalty fee may
                               not exceed the amount determined for the most serious infringement. This is clear from
                               Article 83 (3) of the Data Protection Regulation.

                               Each supervisory authority shall ensure that the imposition of administrative penalty fees
                               in each individual case is effective, proportionate and dissuasive. This is provided for in
                               Article 83 (1) of the Data Protection Regulation.

                               Article 83 (2) sets out the factors to be taken into account when deciding whether an
                               administrative penalty fee shall be imposed, but also what shall affect the size of the
                               penalty fee.


                               3.2 Penalty fee


                               Klarna provides payment solutions to about 90 million consumers and more than 200,000
                               stores in 17 countries. Klarna provides several different services that are important for
                               the financial system, such as direct payment, various forms of “try first and pay later”
                               services and installments. To be able to provide these services, Klarna must process a very
                               large amount of personal data. IMY has assessed above that Klarna has not fulfilled the
                               basic principle of openness and the data rights of data subjects. Klarna has violated
                               Articles 5 (1) (a), 5.2, 12.1, 13.1 c, e-f and 13.2 a-b, f and 14.2 g in the Data
                               Protection Regulation. IMY does not consider that it is a question of less serious
                               infringements. Klarna must therefore be subject to administrative penalty fees for the said
                               infringements.


                                IMY believes that the disclosure of information via Klarna's Data Protection Information
                                is one and the same data processing and that a common sanction amount shall be determined
                                for these infringements. IMY states that Klarna has violated several articles covered by
                                Article 83 (5), which means that a higher penalty amount can be applied.

                                As regards the calculation of the amount, Article 83 (5) of the Data Protection Regulation
                                states that companies that commit the relevant infringements can be fined up to twenty
                                million euros or four percent of total global annual sales during the previous financial
                                year, whichever is higher.

                                When determining the maximum amount for a penalty fee to be imposed on a company, the
                                definition of the term company used by the European Court of Justice in the application of
                                Articles 101 and 102 of the TFEU should be used (see recital 150 of the Data Protection
                                Regulation). It is clear from the case-law of the Court that this covers every entity
                                engaging in economic activities, regardless of the legal form of the entity and the manner
                                in which it is financed, and even if the entity in the legal sense consists of several
                                natural or legal persons.

                                IMY assesses that the company whose turnover is to be used as a basis for calculating the
                                administrative sanction fee that can be imposed on Klarna is Klarna's parent company,
                                Klarna Holding AB. Klarna Holding AB's annual report for the year 2020 states that annual
                                sales in 2020 were approximately SEK 10,093,659,000. The highest penalty amount which can
                                be determined in the case is four percent of this amount, that is to say approximately
                                SEK 404,000,000.


                                In determining the size of the penalty fee, IMY takes into account that Klarna is a
                                multinational company that processes personal data of a large number of data subjects.
                                Klarna processes many different categories of personal data, where the data in some cases
                                refers to financial circumstances and the creditworthiness of the data subject. IMY
                                believes that high demands must be placed on a large company with such comprehensive and
                                privacy-sensitive personal data processing to provide information that is concise, clear
                                and distinct, comprehensible and in easily accessible form.

                                Aggravating factors are that the violations concern articles that are central to the data
                                subject's opportunity to exercise his or her rights under the Data Protection Regulation,
                                that the information provided in the Data Protection Information concerns a very large
                                number of data subjects, and that the infringement has been going on for a long time.

                                As a mitigating circumstance, it is taken into account that Klarna has, during the
                                supervision, changed and improved the information in the Data Protection Information.

                                In view of the seriousness of the infringements and the fact that the administrative
                                penalty fee shall be effective, proportionate and dissuasive, the IMY determines the
                                administrative sanction fee for Klarna Bank AB to be SEK 7,500,000.









                                This decision was made by Director General Lena Lindgren Schelin after presentation by the
                                department director Hans Kärnlöf. Chief Justice David Törngren and Head of Unit Catharina
                                Fernquist also participated in the final processing.





                                Lena Lindgren Schelin, 2022-03-28 (This is an electronic signature)

                                Appendices

                                Appendix 1 - Klarna's Data Protection Information
                                Appendix 2 - Klarna's Terms of Use







                               How to appeal

                               If you want to appeal the decision, you must write to the Privacy Protection Authority.
                               State in the letter which decision you are appealing and the change you are requesting. The
                               appeal must have been received by the Privacy Protection Authority no later than three
                               weeks from the day you received the decision. If the appeal has been received in time, the
                               Privacy Protection Authority forwards it to the Administrative Court in Stockholm for
                               examination.


                               You can e-mail the appeal to the Privacy Protection Authority if it does not contain
                               any privacy-sensitive personal data or data that may be covered by

                               secrecy. The authority's contact information can be found on the first page of the decision.
