Your Privacy Hub

Yes We Trust moves to Didomi

We are excited to share that going forward, Yes We Trust content will be incorporated into Didomi, where we will continue to post relevant, educational content that helps you make sense of data privacy today, including out flagship newsletter and opinion pieces. Thank you for your continued support and see you there!

    • company-news
    • industry-news

    Published on June 19, 2023 last updated on June 20, 2023

    Spotify hit with €5M fine in Sweden for GDPR violation

    Spotify, the music streaming company, is facing a fine of 58 million Swedish Crown (around €5M or $5.4M), for failing to fully comply with the right of access held under the General Data Protection Regulation (GDPR).

    Under the GDPR, businesses are required not only to provide ways for users to request access, deletion, or modification of their personal data that has been collected, but also to be specific about how this information is handled, and for what purpose, something that Spotify has apparently failed to do according to the Swedish Data Protection Authority (IMY): 

    "It must be easy for the person requesting access to their data to understand how the company uses this data. In addition, personal data that is difficult to understand, such as those of a technical nature, may need to be explained not only in English but in the individual’s own, native language. In these parts, we have seen certain shortcomings."

    - Karin Ekström, IMY lawyer (source: Sweden Postsen)

    The original complaint dates back to 2019 and was filed by Max Schrems' noyb, when Spotify did not provide adequate details in response to a personal data request. The case was originally filed in Austria, before being sent to the Swedish DPA, where Spotify is based. In a recent statement, noyb mentions the significant time it took for the complaint to be addressed:

    "We are glad to see that the Swedish authority finally took action. It is a basic right of every user to get full information on the data that is processed about them. However, the case took more than 4 years and we had to litigate the IMY to get a decision. The Swedish authority definitely has to speed up its procedures."

    - Stefano Rossetti, privacy lawyer at noyb (source: noyb)

    Data Subject Access Requests (DSARs) can be handled with the appropriate technological solutions and processes. To learn more about these requests, what they entail, and how to get ready, head to this educational piece covering everything you need to know:

    Learn everything you need to know about DSARs

    avatar Yes We Trust

    Yes We Trust

    Your privacy hub.