Ini Mini Miny Moe. . .IMY Can Be At Your Door

In 2022, the Swedish Authority for Privacy Protection investigated Klarna Bank AB, a prominent global FinTech and payments company. Subsequently, it imposed an administrative fine of approximately EUR 724,000 after discovering several instances of non-compliance with GDPR.

The authority found that Klarna's website privacy policy, which outlines how the company processes personal data, fell short of several GDPR requirements. Klarna processes personal data about a large number of people and for many different purposes, which makes it crucial that the information it gives them is accurate and complete.

The investigation’s lead lawyer, Hans Kärnlöf, noted that the company’s shortcomings in providing correct and complete information about how they process personal data were concerning. The fine imposed by the Swedish Authority for Privacy Protection demonstrates the severity of the consequences of non-compliance with GDPR.

Throughout the investigation, Klarna changed the information it published about its handling of personal data. The Swedish Authority for Privacy Protection (IMY) based its decision on the information Klarna provided in the spring of 2020. According to IMY, Klarna had not provided complete information on the legal basis for processing personal data in one of its services. The company had also provided misleading information about the recipients of different categories of personal data when that data was shared with credit information companies, both within and outside Sweden.

Klarna also failed to state which countries outside the EU/EEA personal data was transferred to. Nor did the company adequately explain how individuals could obtain information on the safeguards applied to those third-country transfers. IMY further noted that Klarna provided incomplete information about data subjects' rights, including the right to have their data deleted, the right to data portability, and the right to object to the processing of their data.

What Is GDPR, and Why Is It Important?

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that sets new rules for how organisations must handle the personal data of individuals in the European Union (EU). The GDPR was implemented in May 2018 and replaced the EU’s previous data protection laws to reflect our digital age better.

The GDPR has significant implications for businesses operating within the EU or with EU-based customers. It applies to any organisation that collects, processes, or stores the personal data of EU residents, regardless of where the organisation is located. The regulation imposes strict requirements on how organisations must obtain and manage consent for using personal data and safeguard that data to protect against unauthorised access or misuse.

Who Needs To Comply With GDPR?

The General Data Protection Regulation (GDPR) applies to all organisations that process the personal data of European Union (EU) citizens, regardless of the organisation’s location. This includes businesses, non-profits, and government agencies. The GDPR defines personal data as any information that can be used to directly or indirectly identify a person, such as a name, email address, or IP address.

If your organisation collects, processes, or stores the personal data of EU citizens, it must comply with the GDPR, regardless of its size or industry. This means that even small businesses or non-profits that collect personal data from EU citizens must comply with the regulation. Failure to comply can result in severe penalties, including fines of up to €20 million or 4% of the organisation’s global annual revenue, whichever is higher.

It’s important to note that the GDPR applies to both data controllers and data processors. A data controller is an organisation that determines the purpose and means of processing personal data. In contrast, a data processor is an organisation that processes personal data on behalf of a data controller. Both data controllers and processors are subject to the GDPR’s requirements and can be held liable for non-compliance.

It’s also worth noting that GDPR compliance is an ongoing process. Organisations must continually review and update their data protection policies and practices to ensure continuous compliance with the regulation. This includes implementing appropriate organisational and technical measures to ensure the security of personal data and responding promptly and appropriately to any data breaches.

Understanding GDPR’s Core Principles

To comply with GDPR, it’s essential to understand the core principles on which it’s based. These principles underpin the regulation and guide the processing of personal data.

  • Principle one: Personal data must be processed lawfully, fairly, and transparently. This means individuals must be informed about how their data is collected, processed, and used. They also have the right to access, rectify, or erase their data.
  • Principle two: Personal data must be collected for specific, explicit, and legitimate purposes. This means that data should only be collected for a particular purpose and not used for other reasons without consent.
  • Principle three: Personal data must be adequate, relevant, and limited to necessary information. The minimum amount of data needed to achieve the purpose should be collected and processed.
  • Principle four: Personal data must be accurate and updated. This means businesses must take reasonable steps to ensure that personal data is accurate and correct.
  • Principle five: Personal data must be kept only as long as necessary. This means that data should only be retained for as long as it’s needed for the purpose for which it was collected.
  • Principle six: Personal data must be processed to ensure appropriate security. This means businesses must protect personal data from unauthorised access, alteration, or destruction.

Understanding these core principles is essential for complying with GDPR. By ensuring that personal data is collected and processed fairly, transparently, and securely, businesses can build trust with their customers and avoid costly penalties for non-compliance.

What Are The Consequences Of Non-Compliance?

The General Data Protection Regulation (GDPR) is a set of regulations designed to protect the personal data of individuals within the European Union (EU). It sets out strict rules for how organisations collect, use, and protect this data. Failure to comply with GDPR can result in severe consequences for organisations.

Firstly, organisations can face significant fines for non-compliance with GDPR. The fines can be up to €20 million or 4% of the organisation’s global annual revenue, whichever is greater. This amount is substantial and can significantly impact the organisation’s financial stability.

Secondly, non-compliance with GDPR can also lead to a loss of trust in the organisation. This loss of trust can reduce customer loyalty and damage the organisation's reputation. Customers are increasingly aware of the importance of data privacy, and they are more likely to take their business elsewhere if they do not trust an organisation's ability to protect their data.

Thirdly, non-compliance with GDPR can also result in legal action being taken against the organisation. Individuals can take legal action against organisations that fail to comply with GDPR. This can result in costly legal fees and damage the organisation’s reputation.
