IMY (Sweden) - DI-2020-10518

From GDPRhub
Revision as of 15:22, 6 December 2023 by Ar (talk | contribs) (Ar moved page IMY - DI-2020-10518 to IMY (Sweden) - DI-2020-10518)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
IMY - DI-2020-10518
Authority: IMY (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 12(3) GDPR
Article 15 GDPR
Article 56 GDPR
Article 58(2)(b) GDPR
Type: Complaint
Outcome: Partly Upheld
Decided: 31.03.2021
Fine: None
Parties: Klarna Bank AB
National Case Number/Name: DI-2020-10518
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Swedish
Original Source: Original decision (in SV)
Inofficial English version of decision (in EN)
Initial Contributor: Kave Noori

The Swedish DPA reprimanded a Swedish bank for not responding to an access request for 5 months following complaints filed with DPAs in Germany and Austria.


The DPA opened an investigation into Klarna Bank following complaints filed with DPAs in Germany and Austria. The IMY assumed the role of lead supervisory authority under Article 56, as Klarna is based in Sweden. These cross-border cases were handled through the consistency and cooperation procedure under Chapter VII of the GDPR.

Complaint 1 from Austria concerned the fact that Klarna took more than 5 months to process a request for access to personal data under Article 15. The complainant's access request was sent to a different email than the one Klarna intended for data protection matters. Therefore, the request was not processed according to Klarna's internal procedures.

Complaint 2 from Germany concerned a data subject access request under Article 15, initially initiated by chat and resubmitted by email two days later. Klarna complied with the request within 14 days and shortly thereafter sent more detailed information about its automated decision making for purchases. A month later, the complainant contacted Klarna again. Another month passed until Klarna asked the complainant to provide a new address but received no reply.


Did Klarna violate Article 15 of the GDPR?


Complaint 1 (Austria)

The DPA considered that Klarna failed to process the request within the timeframe required by Article 12(3) and without the required notice of delay. The DPA did not consider that the fact that Klarna receives a high volume of requests related to the GDPR or Klarna's quick responses to the complainant's follow-up questions should influence this decision.

Complaint 2

The DPA considered that Klarna did what could be expected of a company in dealing with the Complaint 2. In the DPA's view, Klarna provided the requested information within 14 days, although it did not reach the recipient. When the complainant informed Klarna that he/she had not received the mailing, Klarna asked for a new address. Klarna never received an alternative address. The DPA concluded that Klarna was not obliged to take further action and therefore did not breach the law.

Corrective action

The DPA considered Klarna's handling of complaint 1 to be a minor infringement and issued a reprimand on the basis of Article 58(2)(b).


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.

                                                                                                             1 (5)

                                                                Klarna Bank AB
                                                                Sveavägen 46
                                                                113 35 Stockholm

Record number:
DI-2020-10518 Decision after supervision according to

                             Data Protection Regulation - Klarna

2021-03-31 Bank AB

                             The decision of the Integrity Protection Authority

                             The Privacy Protection Authority states that Klarna Bank AB has processed
                             personal data in breach of Article 12 (3) of the Data Protection Regulation by

                                   regarding complaint 1: not without undue delay, at the request of the 5
                                      January 2019, give the complainant access to his personal data in accordance with

                                      Article 15.

                             The Privacy Protection Authority gives Klarna Bank a reprimand in accordance with Article 58 (2) (b) i

                             the Data Protection Regulation.

                             Report on the supervisory matter

                             The Privacy Protection Authority (IMY) has initiated supervision regarding Klarna Bank AB
                             (the company) due to two complaints. Respective complaints have been submitted to
                             IMY, as the supervisory authority responsible for the company's operations under Article 56

                             in the Data Protection Regulation, from the supervisory authority of the country where the complainant has left
                             lodged their complaint (Austria and Germany) in accordance with the provisions of the Regulation
                             on cooperation in cross-border matters.

                             The complainants have indicated that they have requested access to their personal data under Article 15 of the
                             the Data Protection Regulation. In response to the complaints, IMY has initiated supervision with a view to:

                             investigate whether the complainants' requests for access under Article 15 have been complied with
                             and if done within the time limit specified in Article 12 (3).

                             Klarna Bank AB states that they are responsible for personal data for it
                             personal data processing to which the complaints relate. The company also states that they handle
Postal address: a large number of requests in accordance with the Data Protection Regulation.
Box 8114

104 20 Stockholm Complaint 1 (Appendix 1 from Austria with national reference number: D130.247)

E-mail: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of
Telephone: natural persons with regard to the processing of personal data and on the free movement of such data and on
08-657 61 00 Repeal of Directive 95/46 / EC (General Data Protection Regulation).

                                                         Page 1 of 5Integritetsskyddsmyndigheten Record number: DI-2020-10518 2 (5)
                              Date: 2021-03-31

                              With regard to the first complaint, the company states that the complainant's request for access

                              was received by the company via e-mail on 5, 10 and 29 January 2019. Since the request was received by
                              an e-mail address other than the one the company refers to for data protection issues
                              The request was not processed in accordance with the company's internal processing routines. The

                              caused a longer processing time and that information as well as a copy of
                              the complainant's personal data pursuant to Article 15 was not sent until 18 June 2019. The company
                              has promptly answered the complainant's follow-up questions about the company's personal data processing

                              which the complainant was satisfied with.

                              Complaint 2 (Annex 2 from Germany with national reference number: LDA-1085.1-

                              With regard to the second complaint, the company states that the complainant's request for access
                              joined the company's chat on October 28, 2019. The complainant repeated his request
                              via e-mail on October 30, 2019. The company contacted the complainant on November 6

                              2019 to request further information. These were provided the same day. The
                              On November 11, 2019, the company sent out information and a copy of the personal data

                              to the complainant under Article 15, ie within 14 days of receiving the company
                              request. On November 14, 2019, the company sent more detailed information about
                              the company's automatic decision-making when purchasing. The complainant contacted the company again on

                              December 13, 2019 due to the fact that he has not received the company's mailing. The company
                              requested a new address on January 7, 2020 and has not received a response.

                              The processing has taken place through correspondence. Given that there are two
                              cross-border complaints, the IMY has used the mechanisms of cooperation
                              and uniformity contained in Chapter VII of the Data Protection Regulation. Affected

                              regulators have been the data protection authorities of Austria, Germany, the Czech Republic,
                              Denmark and Norway.

                              Justification of decision

                              Applicable regulations

                              The person responsible for personal data is obliged to provide information to anyone who requests it
                              information on personal data concerning the applicant is processed or not. treated

                              such data, the controller shall, in accordance with Article 15 i
                              the Data Protection Regulation, provide the applicant with additional information and a
                              a copy of the personal data processed by the data controller.

                              According to Article 12 (3), a request for access shall be dealt with without undue delay and

                              in any case no later than one month after receipt of the request. The deadline for
                              one month may be extended by a further two months if the request is special
                              complicated or the number of requests received is high.

                              If the time limit is extended by one month, the person responsible for personal data shall notify it
                              registered about the extension. The extension of the time limit shall be notified

                              within one month of receipt of the request. The person responsible for personal data must also
                              state the reasons for the delay.

                              According to Article 12 (6), the controller may, if he has reasonable grounds for:
                              question the identity of the natural person submitting a request under Article 15;

                              request additional information necessary to confirm the data subject's
                              identity is provided.

                                                            Page 2 of 5Integritetsskyddsmyndigheten Record number: DI-2020-10518 3 (5)
                               Date: 2021-03-31

                               IMY's assessment

                               Has there been a breach of the Data Protection Regulation?

                               Complaint 1 (Annex 1 from Austria with national reference number: D130.247)

                               With regard to the first complaint, the IMY notes that the complainant, in accordance with
                               Article 15 of the Data Protection Regulation, provided with information and a copy of the

                               personal data processed. However, the right of access was only satisfied after more than
                               five months from the submission of the first request. The request thus does not have
                               handled without undue delay and within the stipulated time limit in Article 12 (3) and

                               the complainant has also not been informed of the delay.

                               What the company has stated that they handle a large number of inquiry matters according to
                               the Data Protection Regulation and that prompt questions are answered promptly does not cause anyone
                               another assessment regarding the delay and that it was thus a question of one

                               infringement of Article 12 (3) concerning complaints 1.

                               Complaint 2 (Annex 2 from Germany with national reference number: LDA-1085.1-


                               With regard to the second complaint, the IMY notes that the complainant, in accordance with
                               Article 15, provided with information and a copy of the personal data provided
                               treated. The information was provided without undue delay. After the complainant

                               pointed out that he had not received the mailing, the company requested alternative contact information.
                               Against this background, IMY considers that the company has not been obliged to take any

                               further action in response to that request.

                               Choice of intervention

                               Article 58 (2) (i) and Article 83 (2) state that the IMY has the power to impose
                               administrative penalty fees in accordance with Article 83.
                               the circumstances of the individual case, administrative penalty fees shall be imposed

                               in addition to or in place of the other measures referred to in Article 58 (2), such as:
                               injunctions and prohibitions. Furthermore, Article 83 (2) sets out the factors to be taken into account

                               taken into account when deciding whether to impose administrative penalty fees and at
                               determining the amount of the fee. In the case of a minor infringement, IMY
                               as stated in recital 148 instead of imposing a penalty fee issue one

                               reprimand under Article 58 (2) (b). Account shall be taken of aggravating and mitigating circumstances
                               circumstances of the case, such as the nature, severity and duration of the infringement

                               as well as previous violations of relevance.

                               In an overall assessment of the circumstances, the IMY finds that, with regard to complaints

                               1, is a minor infringement within the meaning of recital 148 and that
                               Klarna Bank AB must therefore be reprimanded in accordance with Article 58 (2) (b) for the person found
                               the infringement.


                               This decision has been made by Catharina Fernquist, Head of Unit, after a presentation by
                               jurist Murat Vrana.

                               Catharina Fernquist, 2021-03-31 (This is an electronic signature)

                                                             Page 3 of 5Integritetsskyddsmyndigheten Record number: DI-2020-10518 4 (5)

                                 Date: 2021-03-31

                                 Copy to

                                 The Data Protection Officer,

                                                                Page 4 of 5Integritetsskyddsmyndigheten Record number: DI-2020-10518 5 (5)
                              Date: 2021-03-31

                              How to appeal

                              If you want to appeal the decision, you must write to the Privacy Protection Authority. Enter i

                              the letter which decision you are appealing and the change you are requesting. The appeal shall
                              have been received by the Privacy Protection Authority no later than three weeks from the day you received
                              part of the decision. If the appeal has been received in time, send

                              The Integrity Protection Authority forwards it to the Administrative Court in Stockholm

                              You can e-mail the appeal to the Privacy Protection Authority if it does not contain
                              any privacy-sensitive personal data or data that may be covered by
                              secrecy. The authority's contact information appears on the first page of the decision.

                                                           Page 5 of 5