Klarna Bank AB – Court Ruling (Sweden, 2023)

On 28 March 2022, the Swedish DPA (IMY) fined Klarna AB (the controller) €730,000 (SEK 7,300,000) for not providing data subjects with adequate information related to their processing activities. IMY found that the controller violated the GDPR in the following respects: * It did not provide information about the purpose and the legal basis for data processing relating to the service "My economy", * It provided incomplete and misleading information about the recipients of different categories of personal data when they were shared with Swedish and foreign credit reference agencies. * It did not provide information about which countries outside the EU/EEA personal data was transferred to, and where and how data subjects can access or obtain documents regarding safeguards that applied to the applicable transfer. * It provided incomplete information about retention periods and the criteria to determine these periods. * It provided inadequate information about the data subjects' rights which did not comply with the principle of transparency, in particular the rights to request from the controller the erasure of personal data under Article 17 GDPR, to restrict processing of personal data Article 18 GDPR, to data portability under Article 20 GDPR and to object to the processing under Article 21 GDPR * Its privacy policy lacked meaningful information about the logic, significance and foreseen consequences of automated decision-making, including profiling, under Article 22(1) GDPR. The controller appealed the decision to the administrative court, challenging the basis of IMY's decision. It claimed, in particular, that IMY relied heavily on non-binding guidelines. The controller argued that both Swedish and European administrative law fundamentally require that an intervention (especially fines) against an individual may only take place if there is clear support in binding statute. Despite this, the controller claimed that it has been fined too heavily for violating non-bindi