The Swedish Privacy Authority (IMY) has imposed a SEK 58 million (approximately $5.4 million) penalty on Spotify AB for violations of the GDPR following complaints.
The IMY received complaints about Spotify’s conduct in relation to data access requests made since May 2018, and began investigating the exercise of data processing rights in 2019, paying particular attention to the right of access.
The authority found that Spotify provides information about the exercise of data rights in 21 different languages, and that the language of the information provided will depend on the language settings of the browser used. IMY also found that Spotify provides information about the purpose of the processing, the categories of personal data processed and the source of the personal data, among other things, in the privacy notice. Importantly, the privacy notices provided by Spotify included instructions on how to exercise the right of access.
However, privacy notices must be drafted in a way that meets transparency requirements. Therefore, IMY considered that Spotify breached Article 12(1) of the GDPR.
In addition, with regard to the purpose of the right of access, IMY stated that there is a need to adapt the content of the information on Articles 15(1) and 15(2) of the GDPR, depending on the services chosen by the data subject, such as the categories of personal data processed, the recipients. IMY also stated that the same content adaptation requirements apply to data transfers to third countries and the appropriate safeguards for such transfers, in accordance with Article 15(2) of the GDPR.
The information provided by Spotify to data subjects was not sufficiently precise. For example, data subjects need to know how companies use their data, how long their data will be stored. With regard to data transfers to third countries, IMY stated that data subjects must be provided with relevant information to determine whether their personal data has been transferred and, if so, what protection measures have been applied.
For the above reasons, the supervisory authority found Spotify in breach of the GDPR and fined it SEK 58 million (approximately $5.4 million).