Klarna Bank AB – Court Ruling (Sweden, 2024)

On 28 March 2022, the Swedish DPA ("IMY") fined Klarna AB ("the controller") €730,000 (SEK 7,300,000) for not providing data subjects with adequate information related to their processing activities. The DPA found that the controller violated the GDPR in several respects. The controller appealed the DPA's decision to a court of first instance, the Administrative Court of Stockholm ("FiS"). The Administrative Court upheld the controller's appeal in part and lowered the administrative fine to €600,000 (SEK 6,000,000) because the violations did not cause considerable harm and were not intentional and the controller had improved its information. The DPA appealed this decision to a court of appeal, the Administrative Court of Appeal of Stockholm ("KamR Stockholm"), requesting the fine to be raised back to €730,000 (SEK 7,300,000). The court of appeal, reviewed the entire appealed decision to decide whether the controller should be fined on the grounds put forward by the DPA. The Court therefore reviewed whether the controller provided complete or sufficient information on different aspects in their privacy policy and if they fulfilled the requirements on how it should be provided under Article 12 GDPR, Article 13 GDPR and Article 14 GDPR. The court of appeal disagreed with the court of first instance on whether the controller infringed Article 13(1)(f) GDPR by not indicating the specific countries to which personal data is transferred. The court of appeal found that the GDPR does not require that the specific third countries must be named. Therefore, the Court held that the controller did not violate Article 13(1)(f) GDPR by not specifying the third countries in their privacy policy. Moreover, the court of appeal disagreed with the court of first instance on whether the information provided by the controller on the rights of data subjects fulfilled the requirements of Article 13(2)(b) GDPR. This Article requires the controller to inform the data subject of the existen