On March 28 this year, Integritetsskyddsmyndigheten (“IMY”) [the Swedish Privacy Protection Authority] issued a penalty fee of SEK 7.5 million because the information provided by Klarna to its customers failed to comply with the fundamental principle of transparency and individuals’ rights to information under the GDPR.
The Authority considered, among other things, that the information provided by Klarna on the purposes of the processing and the legal bases for the processing was not sufficiently concise, transparent, clear and easily accessible. The IMY also considered that Klarna had provided incomplete and misleading information regarding who the recipients of the personal data were, the countries outside the EU/EEA to which the personal data was transferred and how individuals could obtain information about the safeguards applied with regard to transfers of personal data to such countries. The defects were not considered to be negligible.
The decision shows how the IMY interprets the requirement that the information in a personal data policy be concise, transparent, clear, understandable and easily accessible. The IMY also clarifies how it considers that information on third-country transfers should be designed: it must describe to data subjects, with sufficient clarity, which safeguards are adopted when personal data is transferred to a country outside the EU/EEA, and the personal data controller must state where more information on those safeguards can be found. That information must also clearly indicate which countries the personal data is transferred to. The IMY also criticizes Klarna for the way in which it states the data subjects’ rights.
The IMY’s decision brings to the fore the difficult balance that must be struck when drafting a personal data policy or other information text for data subjects. The personal data policy must give a satisfactory, full account of the processing carried out by the personal data controller and must at the same time not become a document that is too difficult for the data subject to understand. This decision is the first in which the IMY examines the design of a personal data policy in accordance with the GDPR. Although much of what the IMY states in its decision is not completely new, and in many parts is stated in general terms, the decision shows the importance of regularly updating and improving your personal data policy, and that it is a good idea (if you have not recently done so) to make sure that your own policy really complies with the information requirements established in the GDPR.
In view of the decision, it may be a good idea to check that your personal data policy:
- clearly indicates the purposes for which personal data is processed and the legal basis for each processing,
- clearly describes how data is shared with third parties,
- lists the countries outside the EU/EEA to which personal data is transferred, what safeguards are applied and how the individual can access or obtain documents concerning the safeguards for transfer described,
- specifies the periods of time for which personal data is stored, or the method for determining the storage period (e.g. linked to an employment or business relationship), and ensures that this is consistent with the organisation’s retention and deletion procedures,
- describes data subjects’ rights, and how they can be exercised, in a fair and clear manner, and
- clearly indicates whether automated decision-making exists, what the logic behind such decision-making is (e.g. what circumstances affect the decision) and the significance of the decision for the data subject.
Klarna has stated that it will appeal the decision, and it thus remains to be seen whether the court reaches the same assessment as the IMY. We will follow developments closely and will certainly have reason to return to these questions.