Summary
Spotify, the music streaming company, is facing a fine of 58 million Swedish crowns (around €5M or $5.4M) for failing to fully comply with the right of access granted under the General Data Protection Regulation (GDPR).
Under the GDPR, businesses are required not only to provide ways for users to request access to, deletion of, or modification of the personal data collected about them, but also to be specific about how this information is handled and for what purpose. According to the Swedish Data Protection Authority (IMY), Spotify has apparently failed to do so:
"It must be easy for the person requesting access to their data to understand how the company uses this data. In addition, personal data that is difficult to understand, such as those of a technical nature, may need to be explained not only in English but in the individual’s own, native language. In these parts, we have seen certain shortcomings." - Karin Ekström, IMY lawyer (source: Sweden Postsen)
The original complaint dates back to 2019 and was filed by Max Schrems' noyb after Spotify did not provide adequate details in response to a personal data request. The case was originally filed in Austria before being sent to the DPA in Sweden, where Spotify is based. In a recent statement, noyb mentions the significant time it took for the complaint to be addressed:
"We are glad to see that the Swedish authority finally took action. It is a basic right of every user to get full information on the data that is processed about them. However, the case took more than 4 years and we had to litigate the IMY to get a decision. The Swedish authority definitely has to speed up its procedures." - Stefano Rossetti, privacy lawyer at noyb (source: noyb)
Data Subject Access Requests (DSARs) can be handled with the appropriate technological solutions and processes.