Klarna Bank AB – Violation Found (Sweden, 2024)

The controller, Klarna Bank AB, commonly referred to as Klarna, is a Swedish fintech company that provides online financial services. The company provides payment processing services for the e-commerce industry, managing store claims and customer payments. The company is a "buy now, pay later" service provider.See Wikipedia for more information. A Klarna Bank AB customer in Germany contacted the controller in June 2020 to rectify their registered email address as per Article 16 GDPR. The controller’s customer service initially replied to the data subject that changing the email address was technically impossible as it was associated with the their credit card. The controller encouraged them to create a new Klarna account to change their email address. A new Klarna account would however influence the claimant’s credit standing. Klarna stated that email addresses were used as personal identifiers, and as part of a verification proces. This is why, if the data subject wanted to update their email address, a new Klarna account, which would be associated new email, would have to be created. In July 2020, the claimant requested the deletion of their personal data including the destruction of the Klarna account. As the data subject still had open invoices on their Klarna account, the controller deleted the account and added his new e-mail as an internal reference for the unpaid invoices. The data subject complained to a German supervisory authority about the inadequate fulfilment of their right to rectification in Article 16 GDPR. On the basis of Article 56 GDPR the complaint was passed on to Swedish DPA ('IMY') as the LSA. The Swedish DPA held that the controller processed personal data in violation of: 1) Article 12(2) GDPR, by not enabling the data subject to exercise their right to rectification stated in Article 16 GDPR. Article 12(2) GDPR thus includes an obligation for the controller to to proactively design solutions that make it easy for the data subject t