IMY issued a €5 million fine against Spotify for GDPR violations

Spotify has been fined €5 million by the Swedish Data Protection Authority for violating GDPR, as it failed to give users access to their complete personal data and did not provide sufficient information about the transfer of such data.

Green, Logo, Spotify

The digital music service company Spotify has been fined 5 million by the Swedish Data Protection Authority (IMY) for violating the General Data Protection Regulation (GDPR). The Austrian non-profit organization NOYB (noyb) accused Spotify of failing to provide access to personal data and information regarding the use of data. Considering that Spotify’s headquarters are based in Sweden, the complaint was reviewed by the IMY.

IMY noted that the information regarding data processing was broken down into different categories of personal data, making it impossible for Spotify’s users to understand which personal data is included in the other types. Additionally, IMY found that it was difficult for users to identify when their personal data was retained while also noting that the information provided regarding retention periods did not fulfill the GDPR requirements. IMY also noted that the purpose of the right to access personal data is to ensure that the data subject is aware of the processing. While Spotify provides information regarding data transfer in third countries, IMY noted that the information was generalized and not linked to users’ own situation.

In its decision, IMY decied that Spotify violated users’ right to access the complete set of data that it processed and for failing to provide information on the appropriate safeguards relating to the transfer of personal data under Article 15 of the GDPR.