The Swedish Data Protection Authority (SDPA) recently informed Klarna of the conclusion of its audit of Klarna. The conclusions point to a few flaws in Klarna’s Privacy Notice from 17 March 2020 to 26 June 2020 (the document in which Klarna informs consumers about its use of personal data). This was an audit of the information provided in the privacy notice at that time, not of how Klarna collects and/or handles data. Based on these conclusions, the SDPA will be issuing Klarna a fine of 7,5 million SEK (~USD 787 000).
Klarna will appeal the SDPA’s decision for two reasons. Firstly, we find the SDPA’s decision ambiguous and without clear explanation as to why the information in the version of the Privacy Notice they reviewed is insufficient to such a degree that an administrative fine is issued. Secondly, by appealing the decision we hope to gain further clarity on guidelines and best-practice implementation of the regulation, which the SDPA has not previously provided, to ensure future compliance.
We have made significant improvements to our privacy notice since the version the SDPA reviewed was live and therefore this decision is no longer relevant. We have made improvements based on customer input to ensure our Privacy Notice is fit for purpose and this is an area we continue to seek input on to make sure it’s clear and transparent to users.
Background on the SDPA’s investigation
Like any other organization or company that handles EU personal data, Klarna is legally obligated under the GDPR to inform data subjects about how and why it handles personal data, such as how it collects such data and how long it retains personal data. The law states that the information has to be concise, transparent, intelligible and easily accessible, using clear and plain language. There is, however, no guidance from the GDPR or data protection authorities on what is considered sufficient versus insufficient when it comes to conveying this kind of information.
Klarna has worked hard to write the Privacy Notice in a way that is easy to understand by Klarna customers and we continuously update it to ensure the information is always up-to-date, using customer input to guide any changes we make. For reference, since the version of the Privacy Notice the SDPA reviewed in this investigation, we have updated our Privacy Notice document 11 times, including reformulating it in its entirety after seeking customer feedback to ensure they fully understand the information. Klarna’s Privacy Notice is easily accessed via the bottom of the Klarna.com page, in the Klarna-app and in the Klarna Checkout.
Setting the bar beyond legal requirements
We use consumer data to provide people with a safe, transparent and intuitive shopping experience which they have come to expect from Klarna. Therefore, it is a top priority to manage consumers’ data with the utmost respect and it is a responsibility we take extremely seriously.
While the Privacy Notice serves an important purpose, we know that consumers often find such notices lengthy and complicated. Fulfilling the legal requirements to be compliant does not necessarily provide consumers with information that is clear and easily understandable. Therefore, we have created an information hub for our customers on Klarna.com where we provide a clear overview of how we collect personal data and why, how we process personal data and how our customers can exercise their rights to extract the information we have about them as well as their right to be forgotten. Even though it is a notable improvement from purely referring to a long and complicated legal document such as the privacy notice, we can and will do more.
Klarna strives to set a new standard for customer experience in everything we do. The field of personal data information is no exception, but we have realized we are not where we want to be yet. Actually, we are quite far from where we want to be.
We are using this moment to take a step back and think about what more we can do in this area to be truly customer centric. That’s why today, among other things, we are creating a dedicated team that will work as diligently on improving the customer experience on data and privacy as we would with any of our products. The ambition is to create an experience that goes beyond legal compliance. It should meet the same criteria as all of our products – to be smooth, transparent, secure and save time for customers so that they can spend it on something they love instead.
27 March 2019: SDPA informs Klarna that it has opened an audit into Klarna’s communication to data subjects about its personal data processing activities. IMY includes several questions for Klarna.
26 April 2019: Klarna responds to SDPA’s questions.
1 August 2019: SDPA reverts to Klarna with additional questions on Klarna’s business model, contractual relationships with consumer/merchants, purchase history and its connection to the Klarna Shopping Service Terms, and more.
27 September 2019: Klarna responds to SDPA’s additional questions and clarifies misunderstandings.
18 September 2020: SDPA asks Klarna to provide the terms and clarify the specific service “Min Ekonomi” (Eng: My Economy).
2 October 2020: Klarna provides SDPA with the terms for “Min Ekonomi” and clarifies how and when these terms are made available to consumers (only via the App).
17 December 2020: SDPA informs Klarna that it concluded its audit and was ready to make a decision “within short” and that it was considering sanctioning Klarna with an administrative fine.
25 January 2021: Klarna responds to SDPA’s information notice with a submission focused on wrongdoings by SDPA under administrative law rather than on the merits of the case.
17 December 2021: Upon request from Klarna, SDPA provides Klarna with a draft of its decision that it has communicated to other relevant authorities.
28 March 2022: Klarna receives the decision from SDPA.