The Swedish supervisory authority (IMY) has reprimanded Spotify AB for violating Articles 12(2), 12(3), 15 and 16 of the GDPR. IMY launched an investigation following the complaint. The complainant claimed that the controller had refused to update his address data. According to Spotify, it was not possible to change the data without deleting the account and creating a new one. The complainant also wanted to exercise his right of access. Spotify failed to meet its obligations as an administrator in this case as well.
The complainant submitted a data access request in December 2018. Spotify did not respond to this request until June 2021. IMY found that Spotify did not exercise proper technical control over the account to ensure that the user could make changes to the data relating to him.
In deciding to reprimand Spotify, IMY took into account the following mitigating factors:
- the violation concerned one person,
- the personal data did not belong to special categories of data
- the controller had not previously been sanctioned for a violation of the GDPR,
- Spotify finally updated the data and changed its procedures so that data subjects could exercise their rights in the future.