
Spotify, the popular music streaming service, has been hit with a hefty fine of €5 million by the Swedish Data Protection Authority (IMY) for violations of the General Data Protection Regulation (GDPR). The fine comes after a complaint filed by the non-profit organization noyb, which accused Spotify of failing to adequately respond to user requests for access to their personal data.


Under the GDPR, users have the right to access all of their personal data and information on how it is being used. However, Spotify fell short in fulfilling this obligation, leading to the IMY’s intervention. The IMY, as the competent authority in Sweden where Spotify is based, was responsible for handling the case.

The complaint against Spotify was lodged by noyb on January 18, 2019, along with similar complaints against other streaming services. The primary concern was that Spotify did not provide users with a user-friendly method to exercise their right to access their personal data, as stipulated in Article 15 of the GDPR. As the case involved Spotify, headquartered in Sweden, it was referred to the IMY.

However, the complaint remained unresolved for over four years, with the IMY even denying the complainants party status in the procedure. Frustrated by the lack of progress, noyb took legal action against the IMY in Swedish courts on June 22, 2022. The courts ruled in favor of noyb, compelling the IMY to issue a decision on the complaint against Spotify, as well as examine Spotify’s broader approach to providing information to its users. The case was consolidated with another complaint from the Netherlands.

Stefano Rossetti, a privacy lawyer at noyb, expressed satisfaction with the IMY’s final action, albeit after a protracted delay. He emphasized that users have a fundamental right to access complete information about their data processing. However, Rossetti also criticized the sluggishness of the Swedish authority’s procedures, calling for swifter action in such cases.

The right to access, as granted by the GDPR, entails not only obtaining a copy of one’s own personal data but also receiving details about its source, recipients, and any international transfers.

In Spotify’s case, this information was not adequately provided, and the company only granted access to some data without instructing users on how to obtain the remainder. The IMY has now ordered Spotify to furnish the full set of data, in compliance with Article 58(2)(c) of the GDPR.

Noyb will conduct a thorough examination of the IMY’s decision to ensure that users’ rights have been fully enforced. The organization remains committed to safeguarding privacy rights and holding companies accountable for GDPR violations.

🚀 Looking for a solution to easily document all the data processing activities within your organization and ensure compliance with GDPR?

Introducing our cutting-edge solution: the Register of Data Processing Activities. With this powerful tool, you can effortlessly create a comprehensive record of all your processing activities, add from over 1700 pre-made options, divide them by area, assign processors and members, and document legal bases and other GDPR-required records.

Our user-friendly interface ensures that your organization is fully equipped to handle user data access requests and comply with the GDPR’s right to access provisions. Don’t risk hefty fines or damage to your reputation—take control of your data processing activities with our Register of Data Processing Activities. Safeguard privacy rights and protect your organization from GDPR violations.

Ensure compliance every step of the way. Get started today!



About Us

iubenda is the easiest and most professional way to generate a privacy policy for your website, mobile app and facebook app
www.iubenda.com
