Klarna Bank β Complaint Upheld (Sweden, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Klarna Bank mistakenly addressed emails to the wrong person due to an automatic system error. The Swedish DPA found that Klarna failed to respond to a user's request to access their data. This case highlights the importance of ensuring accurate data handling and timely responses to user requests.
What happened
Klarna Bank sent emails with incorrect names and did not respond to a user's data access request.
Who was affected
Individuals who received emails from Klarna Bank with incorrect names due to shared email addresses.
What the authority found
The Swedish DPA found that Klarna Bank did not adequately address a user's request to access their personal data.
Why this matters
This case underscores the need for companies to ensure their systems correctly handle personal data and respond promptly to user requests, emphasizing the importance of data accuracy and user rights under GDPR.
GDPR Articles Cited
The data subject and partner had each used a Swedish payment provider (controller) multiple times over the span of a few years for online shopping. However, the controller had made the mistake of addressing the wrong person in the invoice more than once. The controller would use the first name of the data subject, while the partner had made the purchase. According to the data subject, in December 2018, the first rectification request was filed to request the controller to correct the names in the e-mails, because the partner had received invoices with the name of the data subject. The controller's services were then not used for some time by the data subject and partner. When the data subject's partner started using the controller's service again sometime in 2020, he received another e-mail, which was addressed to the data subject (first name only). After this, the data subject filed the second rectification request to request the controller to change the first names in the e-mails. On 15 October 2020, the data subject also submitted an access request, to which the controller never responded. The data subject filed a complaint at a German DPA (not clear which German DPA and not clear when the complaint was filed), which transferred the complaint to the Swedish DPA, which was the lead supervisory authority in this decision. The concerned supervisory authorities were the DPA's of Denmark, Finland, Germany, France, Norway and the Netherlands. The Swedish DPA started an investigation into the controller. During the investigation of the DPA, the controller informed the DPA that it had an automatic system in place which would generate the first name in the initial greetings of an email, which was apparently based on previous information provided by its clients. In this context, the controller also provided the DPA with the information that the data subject and partner had both separately used the same email address ('e-mail address Y'), which contained the partner's n
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for Klarna Bank in SE
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Klarna Bank - Sweden (2022). Retrieved from cookiefines.eu
Last updated: