Klarna On-Site Messaging and Data Protection – What Belongs in Your Privacy Policy
Concise guide to Klarna On-Site Messaging: processed data, purposes, GDPR legal bases and what website operators must include in their privacy policy on Klarna OSM.
If a website operator uses Klarna On-Site Messaging, when a product or cart page with the embedded OSM widget is loaded Klarna typically processes web server log data and – depending on the configuration – order context data, in order to display personalised notices about Klarna payment and financing options. This page shows website operators in Germany what data Klarna On-Site Messaging processes according to the provider's publicly available information and which mandatory disclosures belong in the website's privacy policy.
A. Purpose and Functionality of Klarna On-Site Messaging
Klarna On-Site Messaging (OSM) is a JavaScript widget that website operators – typically online shops – embed on product, category and cart pages to place notices about Klarna payment and financing options (e.g. "Pay later", "Pay in 3", instalments). The widget shows context-dependent banners or texts referring to Klarna payment options and links to further information.
This page focuses on the OSM widget integration. Other Klarna functions (checkout integration, Klarna Hosted Payment Page, Klarna SDK for apps) are not within the scope of this article and must be examined separately by the website operator. As soon as a device loads a page with the embedded OSM widget, the user's browser fetches the widget directly from Klarna servers.
B. Mandatory Disclosures in the Privacy Policy when Using Klarna On-Site Messaging
The GDPR requires the privacy policy to set out tool-specific minimum content in addition to general information about the website operator, data subject rights and the supervisory authority. For the use of Klarna On-Site Messaging this includes in particular:
- the purposes of the processing (Art. 13 para. 1 lit. c GDPR),
- the legal bases (Art. 13 para. 1 lit. c GDPR),
- where based on legitimate interests, the specific interests pursued (Art. 13 para. 1 lit. d GDPR),
- the recipients or categories of recipients (Art. 13 para. 1 lit. e GDPR),
- whether data is transferred to an insecure third country (Art. 13 para. 1 lit. f GDPR),
- the storage duration or the criteria used to determine it (Art. 13 para. 2 lit. a GDPR),
- where data is not collected directly, additionally the categories of personal data (Art. 14 para. 1 lit. d GDPR).
It is not necessary to list Klarna On-Site Messaging with its own boilerplate text in the privacy policy, even though that practice is widespread. The "one boilerplate per tool" approach has become poor practice: it leads to long, redundant texts, makes the privacy policy hard to maintain and tends to run counter to the transparency requirement of Art. 12 para. 1 GDPR. A topic-oriented approach is more appropriate – describing processing across topics (third-party content, sales/payment, etc.) and naming Klarna only in an annex of recipients. This is exactly the methodology that the matterius generator follows.
Privacy policy in minutes — easy to maintain, no subscription.
Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.
- No subscription, no hidden costs
- Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
- Curated by Dr. Thomas Helbing, certified specialist for IT law
The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.
C. Provider of Klarna On-Site Messaging
According to the publicly available information from the provider, the contracting party for German website operators is Klarna Bank AB (publ), based at Sveavägen 46, 111 34 Stockholm, Sweden. Klarna is a credit institution based in Sweden and licensed by the Swedish Financial Supervisory Authority (Finansinspektionen). Which Klarna group entity is the contracting party in any individual case must be checked by the website operator on the basis of the contract documents.
Klarna's registered office is in the EEA; according to the publicly available information, third-country transfers for OSM purposes are not primarily envisaged but may occur depending on the use of subprocessors.
Klarna's privacy notice is available at https://www.klarna.com/de/datenschutz/ (and in English locales). Information on the use of OSM is provided by Klarna in the trust/compliance area of its website.
D. Data Processing by Klarna On-Site Messaging – Step by Step
E. Data Collected by Klarna On-Site Messaging
In connection with Klarna On-Site Messaging, the data processed according to the provider's publicly available information typically includes IP address, timestamp, requested URL, referrer, user-agent, device and browser information and – depending on the configuration – order context data (order value, currency, product IDs).
The data can be classified into the following standardised data categories:
- Web server log data: IP address, timestamp, URL, referrer, user-agent, status code of the server response.
- Device data: device type and operating system, where derivable from the user-agent.
- Browser information: browser name and version.
- Coarse location data: location derived from the IP address at city or municipality level.
- Conversion events: display of an OSM widget, click on the notice, possibly transition to the Klarna payment function.
In addition, order context data (order value, currency, product identifier) may be transmitted where this is provided for in the configuration.
F. Purposes when Using Klarna On-Site Messaging
Website operators typically use Klarna On-Site Messaging to advertise Klarna payment and financing options on product, category and cart pages, to increase conversion rates and to inform users about available payment methods.
These purposes can be classified into the following standardised purpose categories:
- Provision of functionality: display of the OSM banners and texts as third-party content.
- Security and abuse prevention: detection of anomalous usage patterns.
- General product improvement: performance measurement of the banner display.
- General marketing: advertising of Klarna payment and financing options, reach analysis.
G. Legal Bases when Using Klarna On-Site Messaging
In a first step, Klarna On-Site Messaging must be assigned to a tool category: it is mainly a tool from the Third-party content category, complemented by functions in the Sales/Payment and possibly Tracking (Marketing) categories where conversion events are captured.
In a second step, the following legal bases typically come into consideration:
- For the embedding of the widget as third-party content: typically third-party-content consent under Art. 6 para. 1 lit. a GDPR in conjunction with § 25 para. 1 TDDDG.
- Alternatively – where the widget is embedded to provide a function explicitly requested (e.g. a specific payment information notice at the user's request) – a legitimate interest under Art. 6 para. 1 lit. f GDPR in security and efficiency may apply. This classification must be carefully examined on a case-by-case basis, as the OSM widget will generally not be "strictly necessary" within the meaning of § 25 para. 2 TDDDG.
- For performance measurement of the widget: typically marketing consent under Art. 6 para. 1 lit. a GDPR.
Which legal basis is specifically applicable depends on the configuration of the use (consent banner, widget configuration) and must be examined by the website operator on a case-by-case basis.
H. Particularities and Notes on Klarna On-Site Messaging
- Role of the provider: According to the publicly available information, Klarna typically acts as an independent controller for the data processed in connection with OSM. Processor status is therefore typically ruled out.
- Third-party content: OSM loads JavaScript and content from Klarna servers. Prior consent in the consent banner ("third-party-content consent") is generally required.
- Third-country transfer: Klarna is based in the EEA; depending on the subprocessors used, third-country transfers may occur in individual cases.
- Subprocessors: A list can be found in Klarna's compliance documents.
- Settings for the website operator: A deliberate configuration of which order context data is transmitted to Klarna, together with coupling the widget to the consent management system, is recommended.
- Source note: The information is based on the provider's publicly available publications and does not replace a case-by-case assessment.
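As an added illustration (not code from Klarna, matterius or this article), the following sketch shows how a website operator can implement the two recommendations above: the widget script is injected only once third-party-content consent has been recorded in the consent management system, and only the order context fields the operator has deliberately allowed are attached. The script URL, the consent purpose key, the data attribute names and the `onChange` hook are placeholders, not Klarna's or any consent manager's real integration parameters.

```javascript
// Added example, not Klarna's integration code. All names below are placeholders.
const OSM_SCRIPT_SRC = "https://osm.example.invalid/widget.js"; // placeholder, not Klarna's URL
const REQUIRED_CONSENT = "third_party_content";                 // placeholder purpose key
// Order context fields the operator has decided to transmit (data minimisation):
// product identifiers are deliberately left out in this configuration.
const ALLOWED_ORDER_FIELDS = ["purchase_amount", "currency"];

// Decide whether, and with which data, the widget may be loaded.
// Returns null when the browser must not contact Klarna servers at all.
function planOsmLoad(grantedPurposes, orderContext, allowedFields = ALLOWED_ORDER_FIELDS) {
  if (!grantedPurposes.has(REQUIRED_CONSENT)) {
    return null; // no consent recorded: nothing is fetched, nothing is sent
  }
  const attributes = {};
  for (const field of allowedFields) {
    if (orderContext && orderContext[field] !== undefined) {
      attributes[`data-${field}`] = String(orderContext[field]); // placeholder attribute names
    }
  }
  return { src: OSM_SCRIPT_SRC, attributes };
}

// Inject the script element for a plan. `doc` is passed in so the function
// works with the browser `document` or with a test double.
function injectOsmScript(plan, doc) {
  if (!plan) return false;
  const script = doc.createElement("script");
  script.src = plan.src;
  script.async = true;
  for (const [name, value] of Object.entries(plan.attributes)) {
    script.setAttribute(name, value);
  }
  doc.head.appendChild(script);
  return true;
}

// Couple the widget to the consent manager: re-evaluate on every consent
// change and load at most once. `consentManager.onChange(cb)` is an assumed
// API that hands the callback a Set of granted purpose keys.
function bindToConsent(consentManager, orderContext, doc) {
  let loaded = false;
  consentManager.onChange((grantedPurposes) => {
    if (loaded) return;
    loaded = injectOsmScript(planOsmLoad(grantedPurposes, orderContext), doc);
  });
}
```

In a live page `doc` is `document`, and the `onChange` hook has to be replaced by the event or callback API of the consent management system actually in use.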
I. Frequently Asked Questions on Klarna On-Site Messaging and Data Protection
J. Conclusion on Klarna On-Site Messaging
When using Klarna On-Site Messaging, personal data of website visitors is transmitted directly to Klarna, which typically acts as an independent controller. The provider is Klarna Bank AB (publ), based in Sweden. Key obligations are the legally compliant integration as third-party content in consent management, a deliberate configuration of the order context data transmitted, and including Klarna in the recipients annex of the privacy policy.
For the website operator, it is generally not advisable to include a dedicated boilerplate text for Klarna On-Site Messaging in the privacy policy. A structured, topic-oriented approach is recommended that explains tools across topical blocks (third-party content, sales/payment, etc.) and only names individual providers such as Klarna in an annex of recipients. This is exactly the methodology that the matterius generator follows.
This article provides general information on Klarna On-Site Messaging and does not replace legal advice in individual cases. The presentation is based on the provider's publicly available information and other publicly accessible sources. Status: 6 May 2026.
Authorship

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.
matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.
Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.
According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.
Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.
His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.
For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.
More about Dr. Helbing: www.thomashelbing.com