In 2022, the Swedish Authority for Privacy Protection investigated Klarna Bank AB, a prominent global FinTech and payments company. Subsequently, it imposed an administrative fine of approximately EUR 724,000 after discovering several instances of non-compliance with GDPR.
The authority found that Klarna must adhere to several GDPR rules in their website’s privacy policy, which outlines how the company processes personal data. Klarna processes personal data in various ways for numerous people, making it crucial for their information to be accurate and complete.
The investigation’s lead lawyer, Hans Kärnlöf, noted that the company’s shortcomings in providing correct and complete information about how they process personal data were concerning. The fine imposed by the Swedish Authority for Privacy Protection demonstrates the severity of the consequences of non-compliance with GDPR.
Throughout the investigation, Klarna changed its information regarding handling personal data. The Swedish Authority for Privacy Protection (IMY) based its decision on the information provided by Klarna in the spring of 2020. According to IMY, Klarna needed to provide complete information on the legal basis for processing personal data in one of its services. The company also provided misleading information on the recipients of different categories of personal data when shared with credit information companies, both within and outside Sweden.
Also, Klarna kept the information private in countries outside the EU/EEA where personal data was transferred. The company also needed to provide more details about the process for individuals to obtain information on the safeguards applied to third-country data transfers. IMY also noted that Klarna provided incomplete information about the data subjects’ rights, including the right to delete their data, data portability, and the right to object to processing their data.
What Is GDPR, and Why Is It Important?
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that sets new rules for how organisations must handle the personal data of individuals in the European Union (EU). The GDPR was implemented in May 2018 and replaced the EU’s previous data protection laws to reflect our digital age better.
The GDPR has significant implications for businesses operating within the EU or with EU-based customers. It applies to any organisation that collects, processes, or stores the personal data of EU residents, regardless of where the organisation is located. The regulation imposes strict requirements on how organisations must obtain and manage consent for using personal data and safeguard that data to protect against unauthorised access or misuse.
Who Needs To Comply With GDPR?
The General Data Protection Regulation (GDPR) applies to all organisations that process the personal data of European Union (EU) citizens, regardless of the organisation’s location. This includes businesses, non-profits, and government agencies. The GDPR defines personal data as any information that can be used to directly or indirectly identify a person, such as a name, email address, or IP address.
If your organisation collects, processes, or stores the personal data of EU citizens, it must comply with the GDPR, regardless of its size or industry. This means that even small businesses or non-profits that collect personal data from EU citizens must comply with the regulation. Failure to comply can result in severe penalties, including fines of up to €20 million or 4% of the organisation’s global annual revenue, whichever is higher.
It’s important to note that the GDPR applies to both data controllers and data processors. A data controller is an organisation that determines the purpose and means of processing personal data. In contrast, a data processor is an organisation that processes personal data on behalf of a data controller. Both data controllers and processors are subject to the GDPR’s requirements and can be held liable for non-compliance.
It’s also worth noting that GDPR compliance is an ongoing process. Organisations must continually review and update their data protection policies and practices to ensure continuous compliance with the regulation. This includes implementing appropriate organisational and technical measures to ensure the security of personal data and responding promptly and appropriately to any data breaches.
Understanding GDPR’s Core Principles
To comply with GDPR, it’s essential to understand the core principles on which it’s based. These principles underpin the regulation and guide the processing of personal data.
- Principle one: Personal data must be processed lawfully, fairly, and transparently. This means individuals must be informed about how their data is collected, processed, and used. They also have the right to access, rectify, or erase their data.
- Principle two: Personal data must be collected for specific, explicit, and legitimate purposes. This means that data should only be collected for a particular purpose and not used for other reasons without consent.
- Principle three: Personal data must be adequate, relevant, and limited to necessary information. The minimum amount of data needed to achieve the purpose should be collected and processed.
- Principle four: Personal data must be accurate and updated. This means businesses must take reasonable steps to ensure that personal data is accurate and correct.
- Principle five: Personal data must be kept only as long as necessary. This means that data should only be retained for as long as it’s needed for the purpose for which it was collected.
- Principle six: Personal data must be processed to ensure appropriate security. This means businesses must protect personal data from unauthorised access, alteration, or destruction.
Understanding these core principles is essential for complying with GDPR. By ensuring that personal data is collected and processed fairly, transparently, and securely, businesses can build trust with their customers and avoid costly penalties for non-compliance.
What Are The Consequences Of Non-Compliance?
The General Data Protection Regulation (GDPR) is a set of regulations designed to protect the personal data of individuals within the European Union (EU). It sets out strict rules for how organisations collect, use, and protect this data. Failure to comply with GDPR can result in severe consequences for organisations.
Firstly, organisations can face significant fines for non-compliance with GDPR. The fines can be up to €20 million or 4% of the organisation’s global annual revenue, whichever is greater. This amount is substantial and can significantly impact the organisation’s financial stability.
Secondly, non-compliance with GDPR can also lead to losing organisational trust. This loss of trust can decrease customer loyalty and negatively impact the organisation’s reputation. Customers are becoming increasingly aware of the importance of data privacy. They are likelier to take their business elsewhere if they do not trust an organisation’s ability to protect their data.
Thirdly, non-compliance with GDPR can also result in legal action being taken against the organisation. Individuals can take legal action against organisations that fail to comply with GDPR. This can result in costly legal fees and damage the organisation’s reputation.