IMY is fining Klarna the equivalent of €728,000. The Swedish regulator believes the online payment service violates the General Data Protection Regulation (GDPR) on several counts. For example, the company did not sufficiently inform customers of their right to have their data erased, or of the countries with which their data is exchanged. IMY announced this in a press statement.
The privacy watchdog investigated how Klarna informs customers on its website about the processing of personal data. This showed that the payment service did not follow the ground rules set out in the GDPR on several fronts. For starters, Klarna constantly changed the information provided on its website about how the company processes personal data.
In spring 2020, according to IMY, the Swedish payment service provided no information about the purpose for which, and the legal basis on which, personal data was collected and processed. The company also provided "incomplete and misleading information" about the parties that received customer data. Several Swedish and foreign credit information companies received this data from Klarna, but the company was not open and honest about this.
Furthermore, the Swedish payment service provided no information about which countries outside the EU received personal data from the company, or about where customers could go for information about the protection measures that apply when personal data is transferred to countries outside the EU.
Finally, Klarna was not transparent about customers' privacy rights. Among other things, the GDPR states that people have the right to see the data that a company keeps about them (right of access). They also have the right to amend their data (right to rectification) and the right to have the company erase their data (right to be forgotten).
Because of the number and severity of the violations, IMY believes a fine of the equivalent of €728,000 is appropriate. The Swedish payment service can appeal the fine. It is unknown whether Klarna will actually do so.
IMY is not the first authority to investigate Klarna. In the summer of 2021, the Finansinspektionen did the same. The watchdog investigated whether the payment service had violated banking secrecy after a brief data breach occurred. For half an hour, customers who had logged in did not see their own data, but someone else's. That was the result of human error.
Early last year, the Consumers' Association claimed that Klarna does not adequately protect customers from identity fraud. The pressure group discovered in September 2020 that it was possible to place an order via Klarna in another person's name and on that person's account. The order was then simply delivered to the fraudster's home. At checkout, the payment service did not ask for a password. Filling in personal data was sufficient, according to the Consumers' Association. There was also no form of multi-factor authentication.
In response, Klarna decided to implement additional security measures, including "additional authentication" and "high-level detection technology, internal algorithms and risk models" to detect fraud.