Swedish BNPL provider Klarna fined SKr7.5m over GDPR failings

The company failed to provide information on user data storage, protection and transfers outside the EU.

The Swedish payments group Klarna has been fined Skr7.5m ($733,324) for violating the EU’s GDPR by failing to provide adequate information to its users.

A Swedish court ruled this week that Klarna had failed to provide customers with information about how it stored users’ personal data, and that the information was unclear or hard to access.

Integritetsskyddsmyndigheten (IMY), the Swedish Authority for Privacy Protection, first issued the fine in March 2022 after investigating Klarna. It found multiple EU GDPR failings.

“Klarna is a financial company that processes personal data about many people and in many different ways. It is important that the information that Klarna provides about how the company processes personal data is correct and as complete as possible. We have seen shortcomings here”, lawyer Hans Kärnlöf said.

Data rights unclear

According to the IMY, Klarna failed to provide information to the authority about the purpose and legal basis of the way personal data was processed. Klarna also gave IMY incomplete and misleading information about who received the different categories of personal data when it was shared with Swedish and foreign credit reporting companies.

Klarna also failed to provide information about which countries outside the EU/EEA personal data was transferred to, or where and how users could receive information about the protective measures that applied to third-country transfers. The company also didn’t provide sufficient information about the users’ rights, including the right to delete data, data portability or how to object to how personal data was processed.

Klarna appealed the decision, and said: “We find the SDPA’s decision ambiguous and without clear explanation as to why the information in the version of the Privacy Notice they reviewed is insufficient to such a degree that an administrative fine is issued”.

The company also said it had made “significant improvements” to its privacy notice, and therefore “this decision is no longer relevant. We have made improvements based on customer input to ensure our Privacy Notice is fit for purpose and this is an area we continue to seek input on to make sure it’s clear and transparent to users.”

Last year, a court found that IMY’s findings weren’t as serious as claimed, and lowered the fine to Skr6m ($583,765). However, the Administrative Court of Appeal has now raised the penalty back to Skr7.5m ($733,324).

A spokesperson from Klarna told Reuters that it is “too early to comment” on the ruling.