Swedish Data Protection Authority (IMY) fines Spotify for GDPR violations (Art. 15 GDPR)
- Author: Ioanna Zacharopoulou
- Last updated: July 2023
- Category: Enforcement
We often tell our Customers that the correct handling of data subject access requests (Art. 15 GDPR), along with data subject deletion requests (Art. 17 GDPR), is among the most frequent GDPR-related inquiries. The way a company handles such access requests says a lot about its GDPR compliance management system and can significantly reduce the risk of a fine.
That was not the case with the Swedish digital audio streaming services provider Spotify, however. Following a complaint filed at the beginning of 2019, Spotify was fined approximately 5 million euros by the Swedish Data Protection Authority (IMY) for not allowing users to exercise their right to information in an easy and effective manner. More specifically, the IMY ruled that the right way to answer an access request involves not only sending the data subject a copy of the data being processed, but also providing them with information on where the data was sourced from, its recipients and the possibility of international transfer (and how this is carried out).
Also decisive for the amount of the fine was the length of time (4 years) the complaint was left unattended, which, of course, far exceeds the usual one-month deadline set in Art. 12 (3) GDPR for the Data Controller to answer a data subject’s request. We, as DP-Dock, are ready to assist our Customers with all aspects of handling the whole spectrum of GDPR requests.
The decision was published by the EDPB on June 12, 2023. You can find it here.