Klarna Bank AB – Complaint Upheld (Sweden, 2022)

The data subject complained that a bank (controller) violated Article 15 GDPR, because it did not provide all information he initially requested. The controller did not provide information regarding recipients to whom personal data of the data subject had been disclosed. The controller did not provide this additional information even after the data subjects specifically asked for it in a follow-up request. The data subject filed his complaint with the DPA in Germany. A German DPA transferred the complaint to the Swedish DPA, which was the Lead Supervisory Authority (Article 56 GDPR) in this case. The Swedish DPA used the mechanisms for cooperation and consistency (Chapter VII GDPR), because this complaint regarded cross-border processing. The CSAs (Concerned Supervisory Authorities) were located in Germany, Denmark, Austria, Italy, Poland and Finland. The controller stated that it did not have the obligation to provide access in the way the data subject requested and that it had acted in a GDPR compliant way. To support this argument, the controller also stated that the [https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf EDPB Guidelines 01/2022 on Access] were adopted on 18 January 2022, two years after the data subject's case regarding access was closed. These Guidelines state that the controller should provide the actual recipients unless it would only be possible to indicate the category of recipients. It already followed from Articles 13 and 14 GDPR that the recipients or categories of recipients of personal data should be as concrete as possible in respect of the principles of transparency and fairness. These Guidelines also state that storing information about the actual recipients is also necessary to comply with Article 5(2) GDPR. The DPA determined that the controller violated Article 15 GDPR. The DPA stated that Article 15(1)(c) GDPR must be interpreted as a right to obtain information from the controller about th