Klarna has reportedly been fined 7.5 million Swedish crowns ($733,324) after a Swedish court ruled that the company violated the European Union’s (EU) General Data Protection Regulation (GDPR).
Sweden’s Administrative Court of Appeal ruled that the provider of payment and shopping solutions gave its clients insufficient information about how it would store their personal data, and that the information it did provide was unclear or difficult to access, Reuters reported Monday (March 11).
Reached by PYMNTS, the Klarna Press Office said in an email: “We have just received the court’s decision, and it is too early to comment.”
The Swedish Authority for Privacy Protection (IMY), formerly the Swedish Data Protection Authority (SDPA), announced in March 2022 that it had completed an investigation of Klarna and found that the company had not complied with GDPR rules concerning how it informs users about its handling of their personal data.
IMY said at the time that Klarna did not inform users about why it processed their data, that it provided incomplete and misleading information about which credit information companies it shared that data with, that it did not provide information about the countries it transferred that data to, and that it provided incomplete information about users’ rights when it comes to their data.
Responding to the audit at the time, Klarna said in a blog post that the audit looked into flaws in a privacy notice that was used for three months, from March to June 2020, and that it concerned information provided in the privacy notice — not Klarna’s collection or handling of data.
The company said at the time that it would appeal the SDPA’s decision because the regulator didn’t explain why it imposed such a large fine and because Klarna hoped to gain further clarity on the guidelines so that it could better implement them.
“We have made significant improvements to our privacy notice since the version the SDPA reviewed was live and therefore this decision is no longer relevant,” Klarna said in the March 2022 blog post. “We have made improvements based on customer input to ensure our Privacy Notice is fit for purpose and this is an area we continue to seek input on to make sure it’s clear and transparent to users.”
The GDPR is an EU data privacy law that, among other things, restricts transfers of personal data from Europe to countries outside of Europe, unless and until a country has been recognized as offering a level of data protection that is essentially equivalent to the level of protection offered in Europe, Ashley Eisenberg, data privacy officer at Forter, told PYMNTS in an interview posted in September 2023.