
Swedish DPA: Spotify Decision

The Swedish Data Protection Authority (IMY) issued a sanction fee of SEK 58 million against Spotify. This decision has been made in cooperation with other data protection authorities in the EU. Spotify AB is a company with branches and users in several EU Member States. Given the cross-border nature of the case, the IMY applied the cooperation and consistency procedures set out in Chapter VII of the GDPR.

All data protection authorities in the EU were involved as supervisory authorities in this case, and the procedure was led by the Swedish data protection authority.

Spotify breached GDPR rules on data subject rights, namely the right of access, which means "The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data" (Article 15 GDPR).

Spotify discloses the personal data it processes on data subject request, but is not transparent enough about how this data is used by the company.

According to GDPR rules, the information about how and for what purposes data is used:

a) should be more specific

b) should be easy for the data subject to understand. If it isn't, it may need to be explained not only in English but in the individual's own language.

Customers who have turned to Spotify to request access to their personal data have been able to choose which personal data they want access to, because Spotify divides the customers' personal data into different layers. In one layer there is the information that Spotify has deemed to be of greatest interest to the data subjects, such as the customer's contact and payment information, which artists the customer follows and listening history for a certain period of time. If the customer wants more detailed information, such as all technical log files relating to the customer, it has also been possible to request these in another


Spotify has taken several measures in order to meet the requirements for individuals' right of access and the deficiencies discovered are considered to be of low severity overall.


