Penalty fee against Klarna – the importance of transparency and clarity in what is referred to as a "personal data policy"


On March 28 this year, Integritetsskyddsmyndigheten (“IMY”) [the Swedish Privacy Protection Authority] issued a penalty fee of SEK 7.5 million against Klarna because the information Klarna provides to its customers fails to comply with the fundamental principle of transparency and individuals’ rights to information under the GDPR.


The Authority considered, among other things, that the information provided by Klarna on the purposes of the processing and the legal bases for the processing was not sufficiently concise, transparent, clear and easily accessible. The IMY also considered that Klarna had provided incomplete and misleading information regarding who the recipients of the personal data were, the countries outside the EU/EEA to which the personal data was transferred and how individuals could obtain information about the safeguards applied with regard to transfers of personal data to such countries. The defects were not considered to be negligible.

The decision shows how the IMY interprets the requirement that information in a personal data policy be concise, transparent, clear, understandable and easily accessible. The IMY also clarifies how it considers information on third-country transfers should be designed: it must describe to data subjects, with sufficient clarity, what safeguards are adopted when personal data is transferred to a country outside the EU/EEA, and the personal data controller must state where more information on those safeguards can be found. That information must also clearly indicate which countries the personal data is transferred to. The IMY also criticizes Klarna for the way in which it states the data subjects’ rights.

The IMY’s decision brings to the fore the difficult balance that must be struck when drafting a personal data policy or other information text for data subjects. The personal data policy must give a satisfactory, full account of the processing carried out by the personal data controller and must at the same time not become a document that is too difficult for the data subject to understand. This decision is the first in which the IMY examines the design of a personal data policy in accordance with the GDPR. Although much of what the IMY states in its decision is not completely new, and in many parts is stated in general terms, the decision shows the importance of regularly updating and improving your personal data policy and that it is a good idea (if you have not recently done so) to make sure that your own policy really complies with the requirements on information established in the GDPR.


In view of the decision, it may be a good idea to check that your personal data policy:

  • clearly indicates the purposes for which personal data is processed and the legal basis for each processing,
  • clearly describes how data is shared with third parties,
  • lists the countries outside the EU/EEA to which personal data is transferred, what safeguards are applied and how the individual can access or obtain documents concerning the safeguards for transfer described,
  • specifies the periods of time for which personal data is stored or the method for determining the storage period (e.g. linked to an employment or business relationship) and ensures that this is consistent with the organisation’s procedures for thinning out (deleting) data,
  • describes data subjects’ rights, and how they fit together, in a fair way, and
  • clearly indicates whether automated decision-making exists, what the logic behind such decision-making is (e.g. what circumstances affect the decision) and the significance of the decision for the data subject.

Klarna has stated that it will appeal the decision, so it remains to be seen whether the court makes the same assessment as the IMY. We will follow developments closely and will certainly have reason to return to these questions.

 
