Klarna Bank AB – Court Ruling (Sweden, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A court ruled that Klarna Bank did not provide enough information to users about how their data was processed. The court found that while Klarna made some improvements, they did not need to specify every country where data is sent. This ruling clarifies what companies must disclose in their privacy policies.
What happened
Klarna Bank was found to have inadequately informed users about their data processing activities.
Who was affected
Users of Klarna Bank who were not given complete information about how their personal data was handled.
What the authority found
The court held that Klarna did not violate GDPR by not naming specific countries for data transfers, as the law does not require this level of detail.
Why this matters
This ruling sets a precedent for how companies can communicate data transfer practices. Businesses should ensure their privacy policies meet legal requirements while being clear and informative.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
On 28 March 2022, the Swedish DPA ("IMY") fined Klarna AB ("the controller") €730,000 (SEK 7,300,000) for not providing data subjects with adequate information related to their processing activities. The DPA found that the controller violated the GDPR in several respects. The controller appealed the DPA's decision to a court of first instance, the Administrative Court of Stockholm ("FiS"). The Administrative Court upheld the controller's appeal in part and lowered the administrative fine to €600,000 (SEK 6,000,000) because the violations did not cause considerable harm and were not intentional and the controller had improved its information. The DPA appealed this decision to a court of appeal, the Administrative Court of Appeal of Stockholm ("KamR Stockholm"), requesting the fine to be raised back to €730,000 (SEK 7,300,000). The court of appeal, reviewed the entire appealed decision to decide whether the controller should be fined on the grounds put forward by the DPA. The Court therefore reviewed whether the controller provided complete or sufficient information on different aspects in their privacy policy and if they fulfilled the requirements on how it should be provided under Article 12 GDPR, Article 13 GDPR and Article 14 GDPR. The court of appeal disagreed with the court of first instance on whether the controller infringed Article 13(1)(f) GDPR by not indicating the specific countries to which personal data is transferred. The court of appeal found that the GDPR does not require that the specific third countries must be named. Therefore, the Court held that the controller did not violate Article 13(1)(f) GDPR by not specifying the third countries in their privacy policy. Moreover, the court of appeal disagreed with the court of first instance on whether the information provided by the controller on the rights of data subjects fulfilled the requirements of Article 13(2)(b) GDPR. This Article requires the controller to inform the data subject of the existen
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (8)
Other cases involving Klarna Bank AB in SE
Court Ruling
Details
About this data
Cite as: Cookie Fines. Klarna Bank AB - Sweden (2024). Retrieved from cookiefines.eu
Last updated: