The Swedish Authority for Privacy Protection (“SDPA”) issued an administrative fine of SEK 7,500,000 (approximately GBP 601,425) against Klarna Bank AB on 28 March 2022 after an investigation highlighted non-compliance with various rules in the GDPR. Like many other organisations and financial companies, Klarna is legally obligated under the GDPR to provide concise and transparent information to customers on how it processes personal data.
On 27 March 2019, the SDPA commenced an audit into Klarna’s communication to customers about its personal data processing activities (the “audit”), and specifically examined the Privacy Notice available on Klarna’s website between 17 March 2020 and 26 June 2020. The audit found several shortcomings, including, but not limited to, inadequate information about data subjects' rights, such as the right to delete data and the right to object to how one's personal data is processed. It also found incomplete and misleading information regarding the identity of the recipients of different categories of personal data when that data was shared with Swedish and foreign credit information companies.
Consequently, the SDPA determined that Klarna should receive an administrative fine for the shortcomings in the information in its Privacy Notice as available between 17 March 2020 and 26 June 2020. Klarna has strongly opposed the basis on which the fine was issued, as it has amended its Privacy Notice documents 11 times since the audit was conducted, including seeking customer feedback to ensure that customers understand all information published on data privacy and its process for handling personal data.
Klarna has announced it will appeal the decision of the SDPA on the grounds that the decision and the reasoning for the fine were ambiguous and did not adequately identify the extent to which the information in the reviewed version of the Privacy Notice was so insufficient as to warrant an administrative fine. In addition, Klarna considers that an appeal will provide further guidance and clarification on what wording and information clearly demonstrate proper implementation of the GDPR to ensure full compliance in the future.
It will be interesting to monitor the outcome of the appeal as this will likely inform the basis on which other institutions may seek to overturn GDPR fines in the future.