On 11 March 2024, the Stockholm Administrative Court of Appeal handed down a judgement in case 2829-23, establishing that Klarna Bank AB must pay a fine of SEK 7.5 million due to violations of the General Data Protection Regulation (EU) 2016/679 (“GDPR”). Klarna's violations consist of providing data subjects with inadequate information about the processing of their personal data, information which does not meet the requirements of GDPR. The ruling will not come as a major surprise, as the Administrative Court had also previously found that Klarna failed in its obligations under GDPR. However, the Administrative Court of Appeal has made a partially different assessment from the Administrative Court on certain issues of significance in assessing the extent of the personal data controller's obligation to provide information under GDPR, as well as which requirements can be placed on information in privacy policies and equivalent documents.
Not necessary to provide information about the identity of recipient countries in connection with third country transfers
According to GDPR, the personal data controller is obliged to inform data subjects when it intends to transfer personal data to countries outside the EU/EEA. One issue in the Klarna case was whether this obligation also constitutes a requirement to state which third countries personal data is being transferred to. In its ruling, the Administrative Court found that Klarna did not fulfil the information requirements according to GDPR, as Klarna had not indicated in its disclosures the specific third countries to which personal data was being transferred. However, the Administrative Court of Appeal arrived at an alternative assessment and found that GDPR's requirements for disclosure in connection with third country transfers did not include having to specify third countries in privacy policies or similar documents.
Sufficient that data subjects are made aware of their rights
GDPR also stipulates that data subjects must be informed of their rights under GDPR, such as the right of access to, and correction and deletion of, their personal data. The Administrative Court interpreted this requirement as meaning that the personal data controller must provide the data subject with information that makes it possible for the data subject to understand the significance of the rights and to exercise them. However, the Administrative Court of Appeal arrived at a different assessment on this point as well, and found that it is sufficient that data subjects are made aware of their rights under GDPR, without a more detailed description of the significance of those rights.
Important to continue monitoring legal developments
The Administrative Court of Appeal's ruling in the Klarna case is of particular significance as it is more nuanced than the Administrative Court's previous assessments of the personal data controller's obligation to provide information under GDPR. However, even though this ruling has now gained legal force, it cannot be viewed as guiding; the final interpretation of GDPR's provisions, including those concerning the personal data controller's obligation to provide information, lies with the European Court of Justice. Personal data controllers and others concerned must consequently continue to carefully monitor legal developments in the area.
If you would like to discuss how the Klarna ruling might potentially affect your business and how Lindahl can assist you with adaptation to GDPR's requirements, you are welcome to contact Mårten Lindberg or Josefin Tegnvallius Boklund.