Sweden: IMY fines Spotify SEK 58M for failures regarding data subject requests
On June 13, 2023, the Swedish Authority for Privacy Protection (IMY) published its Decision No. DI-2019-6696, as issued on June 12, 2023, in which it imposed a fine of SEK 58 million (approx. $5,4 million) on Spotify AB for violations of the General Data Protection Regulation (GDPR), following complaints.
Background to the decision
In particular, the IMY highlighted that it received complaints beginning in May 2018, regarding Spotify's handling of data subject requests, and initiated an investigation regarding the exercise of data subject rights in 2019, with specific attention given to exercising the right of access.
Findings of the IMY
However, the IMY stipulated that information under the privacy notice must be designed in such a way that the purpose of the right of access is fulfilled, and that the information must be provided in a manner that meets the requirements of transparency. Therefore, the IMY considered Spotify to have violated Article 12(1) of the GDPR.
In addition, regarding the purpose of the right of access, the IMY held that there is a need to adapt the content of information relating to Article 15(1) and 15(2) of the GDPR, depending on which services the data subject has chosen to use, such as which categories of personal data are processed, the recipients, and where personal data was collected. The IMY also established that the same requirements to adapt content apply to data transfers to third countries and the appropriate safeguards taken for such transfers, as required under Article 15(2) of the GDPR.
Centrally, the IMY outlined that the information provided to data subjects by Spotify was not specific enough. For example, the IMY detailed that it must be easy for data subjects to understand how companies use their data, and regarding the retention of personal data, data subjects must understand how long their data will be stored, with a time of deletion specified. Equally, on third-country data transfers, the IMY provided that data subjects must receive meaningful information that makes it possible to determine whether their personal data has been transferred, and if so, what protective measures have been used.
The IMY further held that Spotify divided the personal data provided to data subjects into different layers. Consequently, the IMY determined that the provision of a sample of personal data concerning the data subject risks leading the data subject to believe that the personal data sample is a complete copy.
Finally, the IMY provided that Spotify had not taken sufficient measures to ensure data subjects understand the description of data processing in non-technical terms and that the description of data in technical log files was provided by default in English only.
For the above reasons, the IMY considered Spotify to have violated Articles 12(1), 15(1)(a), 15(1)(b), 15(1)(c), 15(1)(d), 15(1)(g), and 15(2) of the GDPR.
In conclusion, the IMY imposed a fine of SEK 58 million (approx. $5,4 million) for the above-mentioned violations of the GDPR, noting that the deficiencies are of low severity.