Klarna Bank AB – Violation Found (Sweden, 2022)

Violation Found
Integritetsskyddsmyndigheten, 18 March 2022, Sweden
final

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Klarna Bank took too long to respond to a customer's request to delete their data, violating GDPR rules. The Swedish privacy authority found that Klarna did not handle the request promptly. This case emphasizes the need for companies to respond to data requests quickly and inform customers of any delays.

What happened

Klarna Bank delayed responding to a customer's data erasure request beyond the GDPR's allowed timeframe.

Who was affected

A customer who requested the deletion of their personal data from Klarna Bank.

What the authority found

The Swedish DPA found that Klarna Bank did not handle the customer's request without undue delay, violating GDPR Article 12(3).

Why this matters

This ruling stresses the importance of timely responses to data requests under GDPR. Companies should have efficient processes to handle such requests and communicate any delays clearly to customers.

GDPR Articles Cited

Art. 17 GDPR
Art. 12(3) GDPR
Art. 58(2)(b) GDPR

Full Legal Summary

The complainant requested erasure under Article 17 GDPR. It took two months before she received a reply from the controller. That reply stated that her request would be handled but that the erasure might take another 90 days to complete. The complainant considered it unreasonable that it would take a total of five months for the controller to handle her request.

The controller stated that the initial delays were due to issues on its side in verifying the data subject's identity, and that the erasure was delayed due to lower staffing during the Christmas and New Year holidays. The controller held that it had handled the complainant's request without undue delay, considering the Christmas and New Year holidays and the individual error concerning the confirmation.

The DPA pointed out that Article 12(3) GDPR requires the controller to provide the data subject, upon request, without undue delay and in any event no later than one month after receiving the request, with information on the actions taken pursuant to Article 17 GDPR. Moreover, the one-month time limit may be extended by a further two months where the request is particularly complex or the number of requests received is high. In that case, the controller shall inform the data subject of the extension and indicate the reasons for the delay.

The investigation found that the controller did not inform the data subject, until approximately two months after the request was received and the identity of the complainant was verified, that the erasure process had been initiated and that it could take up to 90 days for the erasure to be completed. Nor did the controller state the reasons for the delay. Consequently, the DPA held that the controller did not deal with the complainant's request without undue delay within the meaning of Article 12(3) GDPR. In light of this, the DPA concluded that the controller has processed the complainant's personal data in violation of Article 12

Outcome

Violation Found

The DPA found a violation but did not impose a fine.

Details

Decision Date

18 March 2022

Authority

Integritetsskyddsmyndigheten

GDPRhub ID

gdprhub-5330

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Klarna Bank AB - Sweden (2022). Retrieved from cookiefines.eu
