Spotify AB
Issued by Integritetsskyddsmyndigheten (IMY) on 2023-06-13
What happened
Sweden's IMY (formerly Datainspektionen) fined Spotify SEK 58 million (approximately €5 million) for failing to adequately inform data subjects about how it processes their personal data and for providing insufficient responses to subject access requests. The investigation, triggered by a complaint from the privacy rights organization NOYB, found that when users exercised their right of access under Art. 15 GDPR, Spotify provided data in a format that was difficult to understand. The company failed to clearly explain the purposes of processing, retention periods, and recipients of personal data in response to access requests. Spotify's general privacy policy was also found to be insufficiently clear about the technical details of personal data processing.
Articles violated
Lessons learned
Responses to subject access requests must be comprehensive, clear, and provided in an easily understandable format. Simply providing a data download without clear explanations of processing purposes, retention periods, and data recipients is insufficient. Companies must go beyond raw data exports and provide contextual information. Privacy policies should be specific about how data is used, not just provide general categories. This case shows that even companies with sophisticated privacy programs can fall short on transparency requirements.
Source
View original decision

Disclaimer: This summary is for informational purposes only and does not constitute legal advice. Refer to the original decision for complete details.
