Swedish DPA's Investigation of Klarna Bank AB

€730,000 in fines

Excerpt

Klarna Bank was fined by the Swedish DPA for insufficiently informing data subjects about its processing activities, including international data transfers, retention periods, data subject rights, and automated decision-making, such as profiling.

Our analysis

Klarna Bank AB is a multinational company that provides credit and non-credit payment solutions to over 90 million consumers and 200,000 merchants in 17 countries through various financial services, such as direct payment, "try first and pay later" services, payment through installments, and account information services. To provide these services, Klarna processes large amounts of personal data, including privacy-sensitive data such as financial data and creditworthiness information.

The Swedish Data Protection Authority (IMY) conducted an investigation and found that Klarna violated various provisions of the General Data Protection Regulation (GDPR) related to information on purpose and legal basis for processing personal data, recipients of personal data, international data transfers, retention periods, data subject rights, and automated decision-making, including profiling. The IMY also noted a common thread among these violations, which was a failure to comply with Articles 12(1) GDPR, 5(1)(a) GDPR and 5(2) GDPR.

Klarna provided incomplete and misleading information on who the recipients of different categories of personal data were when shared with Swedish and foreign credit reference agencies. This violated Article 13(1)(e) GDPR. Regarding retention periods for personal data, the IMY found that Klarna provided incomplete information about the periods for which personal data would be retained and the criteria used to determine those periods, in violation of Article 13(2)(a) GDPR. Klarna did not provide adequate information related to the right to erasure of personal data under Article 17 GDPR, restriction of processing concerning the data subject under Article 18 GDPR, the right to object under Article 20 GDPR, and the right to data portability under Article 21 GDPR, in violation of Article 13(2)(b) GDPR.

Outcome

The IMY considered Klarna's status as a multinational company handling diverse categories of personal data on a large scale, including sensitive data like financial and creditworthiness information. The breaches were found to be long-standing, prompting the IMY to impose a fine of roughly €730,000 (SEK 7,500,000) on Klarna Bank AB.

Parties

Swedish DPA (IMY) and Klarna Bank AB

Case number

DI-2019-4062


Legal enforcement database by Leiser, Santos and Doshi

The information about laws and cases on this website is brought to you by the Leiser, Santos and Doshi enforcement database.
