Klarna Bank AB – Court Ruling (Sweden, 2022)

A data subject submitted an access request to Klarna Bank AB (the controller). However, the controller did not provide all the requested personal data, including information regarding recipients to whom personal data of the data subject had been disclosed. After an unsuccessful follow-up request, the data subject filed a complaint with a German DPA. The complaint was transferred to the Swedish DPA in an Article 60 GDPR procedure. The Swedish DPA held in decision DI-2021-10263 that the controller should provide information about the actual recipients, not only categories of recipients, when the data subject expressly requests it. The DPA reached this conclusion by interpreting Article 15(1)(c) GDPR in light of the principles of fairness and transparency (Article 5(1)(a) GDPR) as well as the provision under Articles 19 GDPR. Thus, the DPA reprimanded the controller for a violation of Article 15 GDPR. The controller appealed this decision before the Stockholm Administrative Court. The controller argued, among others, that Article 15(1)(c) GDPR should be interpreted as allowing the controller to choose whether to give access to categories of recipients or specific recipients in a manner similar to the information requirements in Articles 13(1)(e) and 14(1)(e) GDPR. The Stockholm Administrative Court (the Court) recalled that Article 15 GDPR gives an individual the right to be informed as to whether a controller is processing personal data relating to them and, if so, to be provided with tailored information about the processing. The Court stated that it is up to the data subject to make the choice whether to exercise their right to know the recipients or categories of recipients to whom personal data were disclosed. The Court held that Article 15(1)(c) GDPR must be interpreted as obliging the controller to satisfy the data subject's request to the best of its abilities. If the data subject expressly requests access to information regarding the actual recipients of