
475 points danielstocks | 3 comments
ecmascript ◴[] No.27301525[source]
Time to GDPR my account on Klarna then.
replies(1): >>27302679 #
onoira ◴[] No.27302679[source]
You can't—at least in Sweden—remove much from Klarna.

Your marketing profile is tied in with their accounting system. The law requires them to store accounting data for at least 7 years, with no obligation to actually remove it once that time is up. Since the accounting laws supersede the GDPR: they can hoard data pretty effectively.

The Swedish 'Data Protection Authority' tried to launch (yet another) investigation for their shady practices, but Klarna strategically applied for bank status and now the reach and power of the data authority is cripplingly limited.

replies(4): >>27303048 #>>27303534 #>>27304218 #>>27341856 #
1. elliekelly ◴[] No.27303048[source]
What's Klarna’s argument for the data in a customer’s marketing profile being necessary for accounting purposes? You can’t just store data in your accounting system and wipe your hands of GDPR.
replies(1): >>27303614 #
2. onoira ◴[] No.27303614[source]
That's what the investigation aimed to find out before it was cut short. Klarna's general reasoning has been (A) 'because', and (B) 'because it's all in the same system and we have no obligations or confidence in thinning it'.

Any request for data or information regarding their architecture is rejected on the grounds of 'trade secrets'.

replies(1): >>27303982 #
3. dkersten ◴[] No.27303982[source]
Hmm, that's strange. I did some contract work for Klarna about a year ago and had to go through mandatory on-site training and a big chunk of that was with their legal team about data protection, GDPR, about storing the least amount possible etc. It sounded like they treat it very seriously, so this is surprising to me.

I do know there are various legal requirements to retain certain data for some time (PSD2 for example must be stored for 13 months, I believe), but outside of that, it sounded to me like they tried very hard not to store anything for longer than necessary or without user consent.

I mean, doesn't mean it's true, just the impression I got from the training.