Last week Sweden's Data Inspectorate announced that it would open a review into data processing at Klarna, the Stockholm-based payment company. The regulator said it had received "several complaints" about the company. Data protection regulators in the EU have the power to carry out data protection audits under the EU's General Data Protection Regulation (GDPR).
"Klarna is a large company and their treatment concerns many individuals and relates to a large amount of personal data," the Data Inspectorate said in a statement. "After taking note of the company's data protection policy and several complaints from individuals that concern Klarna and these issues, there is reason for us to review Klarna's processing of personal data."
In response, Klarna told Out-Law.com that it is "positive" about the audit and that it would answer the Data Inspectorate's questions and assist the regulator "any way we can". It said it was not surprised that the Data Inspectorate had decided to open an audit into its practices given the priorities the regulator set in its supervisory plan for 2019-2020, which was adopted last month.
One of the priority areas subject to the regulator's "special supervision" over the next year is clarifying firms' obligations under payment services laws in the context of the requirements they also face under data protection law.
Klarna said: "The data protection authority already formally clarified … in its supervisory plan for the coming year, that banks and payment service providers are one of several industries (alongside for example health and medical services where audits already initiated, mobile operators and school etc.) that they will focus on, and given that Klarna is the largest players in Sweden and across Europe, it is both expected and reasonable that we are included in this."
"Our hope is that the data protection authority can help to create even clearer guidelines and clarity about working with personal data going forward, and we are happy to be a constructive party to this work," it said.
"The careful handling of all kinds of data is extremely important, and it is also important that our customers feel confident in how we work with it. The questions asked are in relation to our credit products and data retention under GDPR which is the core of our offering, so again is reasonable we are included," Klarna said.
"We are aware that a small number of complaints have been filed in Sweden, we always take complaints seriously, and work proactively to ensure issues are addressed for future. Given we are processing up to over one million transactions a day, the number of questions and complaints about how we handle personal data is very low proportionate to that but of course very important," the company said.
Payments and technology law expert Angus McFadyen of Pinsent Masons, the law firm behind Out-Law.com, said: "The GDPR introduced new rights to data subjects that all businesses have had to factor into their compliance processes. Fulfilling ‘right to be forgotten’ requests, for example, will be a particular challenge for firms, including those in the payments sector, where they face anti-money laundering and transaction risk monitoring obligations. Some commentators have remarked that there is a tension between some of the GDPR’s provisions and those contained in the EU’s second Payment Services Directive (PSD2)."