IMY (Sweden) - IMY 2023-8336: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Sweden |DPA-BG-Color= |DPAlogo=LogoSE.png |DPA_Abbrevation=IMY |DPA_With_Country=IMY (Sweden) |Case_Number_Name=IMY 2023-8336 |ECLI= |Original_Source_Name_1=IMY |Original_Source_Link_1=https://www.imy.se/globalassets/dokument/beslut/2024/beslut-klarna-bank-imy-2023-8336.pdf |Original_Source_Language_1=Swedish |Original_Source_Language__Code_1=SV |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Sour...")
 
mNo edit summary
 
(6 intermediate revisions by 4 users not shown)
Line 71: Line 71:
}}
}}


As the lead supervisory authority, Swedish IMY, reprimanded Klarna Bank AB for infringing Articles 16 and 12(2) GDPR by not enabling a data subject in Germany to rectify their email address linked to their payment card.
The DPA reprimanded Klarna Bank for refusing to rectify an email address linked to the data subject’s payment card unless the latter accepted to create a new account


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The controller, Klarna Bank AB, commonly referred to as Klarna, is a Swedish fintech company that provides online financial services. The company provides payment processing services for the e-commerce industry, managing store claims and customer payments. The company is a "buy now, pay later" service provider (Wikipedia).
The controller, Klarna Bank AB, commonly referred to as Klarna, is a Swedish fintech company that provides online financial services. The company provides payment processing services for the e-commerce industry, managing store claims and customer payments. The company is a "buy now, pay later" service provider.<ref>See Wikipedia for more information.</ref>


A Klarna Bank AB customer in Germany contacted the controller in June and Juli 2020 to rectify their registered email address as per [[Article 16 GDPR|Article 16 GDPR]].
A Klarna Bank AB customer in Germany contacted the controller in June 2020 to rectify their registered email address as per [[Article 16 GDPR|Article 16 GDPR]].


The customer (data subject) held a Klarna card and in June 2020 requested the controller rectify the email address associated with their payment card.
The controller’s customer service initially replied to the data subject that changing the email address was technically impossible as it was associated with the their credit card. The controller encouraged them to create a new Klarna account to change their email address. A new Klarna account would however influence the claimant’s credit standing. Klarna stated that email addresses were used as personal identifiers, and as part of a verification proces. This is why, if the data subject wanted to update their email address, a new Klarna account, which would be associated new email, would have to be created.  


Klarna’s customer service initially replied to the customer that changing the email address was technically impossible as it was associated with the claimant’s card, and encouraged them to order a new card to change their email address.
In July 2020, the claimant requested the deletion of their personal data including the destruction of the Klarna account. As the data subject still had open invoices on their Klarna account, the controller deleted the account and added his new e-mail as an internal reference for the unpaid invoices.


A new Klarna card would however influence the claimant’s credit standing.
The data subject complained to a German supervisory authority about the inadequate fulfilment of their right to rectification in [[Article 16 GDPR]]. On the basis of [[Article 56 GDPR]] the complaint was passed on to Swedish DPA ('IMY') as the LSA.  
 
In July 2020, the claimant requested the deletion of their personal data including the destruction of the Klarna card. A customer service employee informed the data subject that their email address had been changed for their unsettled invoices.
 
Klarna stated that email addresses were used as personal identifiers, and as part of a verification process, which is why the controller needed to issue a new payment card to update the email address. 
 
The data subject complained to a German supervisory authority (SA) about the inadequate fulfilment of their right to rectification in [[Article 16 GDPR|Article 16 GDPR]]. On the basis of [[Article 56 GDPR|Article 56 GDPR]], and this case concerning 13 European SAs, the complaint was passed on to IMY as the lead SA.


=== Holding ===
=== Holding ===
IMY held that the controller processed personal data in violation of:   
The Swedish DPA held that the controller processed personal data in violation of:   
 
1) [[Article 12 GDPR#2|Article 12(2) GDPR]], by not enabling the data subject to exercise their right to rectification stated in [[Article 16 GDPR|Article 16 GDPR]]


2) and [[Article 16 GDPR|Article 16 GDPR]], by not enabling the data subject to change their email address as requested.
1) [[Article 12 GDPR#2|Article 12(2) GDPR]], by not enabling the data subject to exercise their right to rectification stated in [[Article 16 GDPR|Article 16 GDPR]]. Article 12(2) GDPR thus includes an obligation for the controller to to proactively design solutions that make it easy for the data subject to exercise their rights. Klarna instead had a system which would force the data subject to create a new account. This would adversly affect his credit score with his bank. The excercise of his right as envisaged by the controller would result in a negative consequence to the data subject.  


Based on [[Article 25 GDPR|Article 25 GDPR]], the lead SA argued that the controller had design flaws in its product resulting in the unnecessary complication of rectification. It also emphasised the infringement of the principle of accuracy in [[Article 5 GDPR#1d|Article 5(1)(d) GDPR]], because process information was inaccurate and rectification delayed.
2) [[Article 16 GDPR|Article 16 GDPR]], by not enabling the data subject to change their email address as requested. The controller had a system where data linked to an already issued card could be changed. This meant that data could not be rectified, even when it was outdated or incorrect. A controller cannot use the design of its own systems as an excuse to derogate from its obligations under the GDPR.


IMY decided to reprimand Klarna Bank AB based on Article 58(2)(b) and Recital 148 for a minor infringement.
The Swedish DPA decided to reprimand Klarna Bank AB based on [[Article 58 GDPR|Article 58(2)(b) GDPR]] and Recital 148 for a minor infringement. The infringement was ruled as a minor because it only impacted one person. Furthermore, while an unecessarily complex solution that did not enable the effective excersise of data subject rights, the controller did at least offer a solution to the data subject (the creation of a new account).  


== Comment ==
== Comment ==
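Review bot: In the revised holding item 2, "data linked to an already issued card could be changed" contradicts the sentence that follows it, "This meant that data could not be rectified"; it presumably should read "could not be changed" and is worth checking against the decision. The revised holding also drops the earlier sentence on Article 25 and Article 5(1)(d) GDPR while the infobox still lists both as relevant law, so either restore a line on them or trim the infobox. The new text introduces several spelling slips to fix before saving: "the their credit card", "proces", "to to proactively", "adversly", "excercise", "unecessarily", "excersise".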

Latest revision as of 15:53, 28 February 2024

IMY - IMY 2023-8336
Authority: IMY (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 5(1)(d) GDPR
Article 12(2) GDPR
Article 16 GDPR
Article 25 GDPR
Article 56 GDPR
Article 58(2)(b) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 09.01.2024
Published: 09.01.2024
Fine: n/a
Parties: Klarna Bank AB
National Case Number/Name: IMY 2023-8336
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Swedish
Original Source: IMY (in SV)
Initial Contributor: Maximilien Hjortland

The DPA reprimanded Klarna Bank for refusing to rectify an email address linked to the data subject’s payment card unless the data subject agreed to create a new account.

English Summary

Facts

The controller, Klarna Bank AB, commonly referred to as Klarna, is a Swedish fintech company that provides online financial services. The company provides payment processing services for the e-commerce industry, managing store claims and customer payments. The company is a "buy now, pay later" service provider.[1]

A Klarna Bank AB customer in Germany contacted the controller in June 2020 to rectify their registered email address as per Article 16 GDPR.

The controller’s customer service initially replied to the data subject that changing the email address was technically impossible as it was associated with their credit card. The controller encouraged them to create a new Klarna account to change their email address. A new Klarna account would, however, influence the claimant’s credit standing. Klarna stated that email addresses were used as personal identifiers and as part of a verification process. This is why, if the data subject wanted to update their email address, a new Klarna account, associated with the new email address, would have to be created.

In July 2020, the claimant requested the deletion of their personal data, including the destruction of the Klarna account. As the data subject still had open invoices on their Klarna account, the controller deleted the account and added their new email address as an internal reference for the unpaid invoices.

The data subject complained to a German supervisory authority about the inadequate fulfilment of their right to rectification under Article 16 GDPR. On the basis of Article 56 GDPR, the complaint was passed on to the Swedish DPA ('IMY') as the lead supervisory authority (LSA).

Holding

The Swedish DPA held that the controller processed personal data in violation of:

1) Article 12(2) GDPR, by not enabling the data subject to exercise their right to rectification stated in Article 16 GDPR. Article 12(2) GDPR thus includes an obligation for the controller to proactively design solutions that make it easy for the data subject to exercise their rights. Klarna instead had a system which would force the data subject to create a new account. This would adversely affect his credit score with his bank. The exercise of his right as envisaged by the controller would result in a negative consequence for the data subject.

2) Article 16 GDPR, by not enabling the data subject to change their email address as requested. The controller had a system where data linked to an already issued card could be changed. This meant that data could not be rectified, even when it was outdated or incorrect. A controller cannot use the design of its own systems as an excuse to derogate from its obligations under the GDPR.

The Swedish DPA decided to reprimand Klarna Bank AB based on Article 58(2)(b) GDPR and Recital 148 for a minor infringement. The infringement was ruled minor because it only impacted one person. Furthermore, while the solution was unnecessarily complex and did not enable the effective exercise of data subject rights, the controller did at least offer the data subject a solution (the creation of a new account).


English Machine Translation of the Decision

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.


  1. See Wikipedia for more information.