The Swedish data protection authority (IMY) has issued a €5 million fine against Spotify for a violation of the right of access under Article 15 of the EU General Data Protection Regulation (GDPR). The IMY's enforcement follows a January 2019 complaint from the Austrian privacy group NOYB against several streaming services for failing to provide users an easy way to access their data.
The IMY confirmed Spotify does release personal when requested but that it "does not inform clearly enough about how this data is used by the company." Furthermore, the IMY said Spotify's disclosure needs to be "more specific" in order to make it "easy for the person requesting access to their data to understand how the company uses this data."
In a statement responding to the news, NOYB privacy lawyer, Stefano Rossetti, said: "We are glad to see that the Swedish authority finally took action. It is a basic right of every user to get full information on the data that is processed about them. However, the case took more than 4 years and we had to litigate the IMY to get a decision. The Swedish authority definitely has to speed up its procedures."
What is this page?
You are reading a summary article on the Privacy Newsfeed, a free resource for DPOs and other professionals with privacy or data protection responsibilities helping them stay informed of industry news all in one place. The information here is a brief snippet relating to a single piece of original content or several articles about a common topic or thread. The main contributor is listed in the top left-hand corner, just beneath the article title.
The Privacy Newsfeed monitors over 300 global publications, of which more than 4,250 summary articles have been posted to the online archive dating back to the beginning of 2020. A weekly roundup is available by email every Friday.