Klarna Bank AB is a multinational company that provides credit and non-credit payment solutions to over 90 million consumers and 200,000 merchants in 17 countries through various financial services, such as direct payment, "try first and pay later" services, payment through installments, and account information services. To provide these services, Klarna processes large amounts of personal data, including privacy-sensitive data such as financial data and creditworthiness information. The Swedish Data Protection Authority (IMY) conducted an investigation and found that Klarna violated various provisions of the General Data Protection Regulation (GDPR) related to information on purpose and legal basis for processing personal data, recipients of personal data, international data transfers, retention periods, data subject rights, and automated decision-making, including profiling. The IMY also noted a common thread among these violations, which was a failure to comply with Articles 12(1) GDPR, 5(1)(a) GDPR and 5(2) GDPR.
Klarna provided incomplete and misleading information on who the recipients of different categories of personal data were when shared with Swedish and foreign credit reference agencies. This violated Article 13(1)(e) GDPR. Regarding retention periods for personal data, the IMY found that Klarna provided incomplete information about the periods for which personal data would be retained and the criteria used to determine those periods, in violation of Article 13(2)(a) GDPR. Klarna did not provide adequate information related to the right to erasure of personal data under Article 17 GDPR, restriction of processing concerning the data subject under Article 18 GDPR, the right to object under Article 20 GDPR, and the right to data portability under Article 21 GDPR, in violation of Article 13(2)(b) GDPR.