IMY issues an administrative fine against Spotify for shortcomings regarding transparency

Christophe BARDY - GRACES community
5/7/2023

Background information


  • Date of decision: 12 June 2023 
  • Cross-border case or national case: Cross-border case
  • LSA: Swedish Authority for Privacy Protection (IMY)
  • CSAs: All other SAs
  • Controller: Spotify
  • Legal references: Article 15 (Right to access by the data subject), Article 12.1, Article 12.3, Article 58, Article 83 (General conditions for imposing administrative fines)
  • Decision: Administrative fine, Reprimand, Order to comply with the complainant's request for access
  • Key words: Exercise of data subject rights, Transparency, Administrative fine


Summary of the Decision

 

Origin of the case

The General Data Protection Regulation, GDPR, entered into force in 2018 and means, among other things, that the rights of individuals are strengthened. One such right is the right of access, which means a right for individuals to find out what personal data a business handles about the person in question and to receive information about how this data is used.

Following complaints that the Swedish Authority for Privacy Protection (IMY) received against Spotify AB regarding the right of access, IMY has audited how Spotify handles the right of individuals to access their personal data.

 

Key Findings

IMY finds that Spotify provides individuals with the personal data the company processes when they request it. However, Spotify must also inform the person requesting access about how Spotify uses this data, and this information must be easy to understand. In addition, personal data that is difficult to understand, such as data of a technical nature, may need to be explained not only in English but also in the individual's own native language. In these respects, IMY found certain shortcomings in its audit of Spotify.

The deficiencies that have been discovered are considered overall to be of a low level of seriousness. In light of that and, among other things, the number of registered users and Spotify's turnover, IMY issues an administrative fine of almost EUR 5 million (SEK 58 million) against Spotify for not having provided sufficiently clear information to individuals.

 

Decision

IMY has found shortcomings related to the information pursuant to article 15.1 a-h and 15.2 of the GDPR that should be provided to the individual making the request and to the description of the data in the technical logfiles provided by Spotify. IMY has issued an administrative fine of SEK 58 million against Spotify for not providing sufficiently clear information to individuals in this regard. The decision in this part includes violations of articles 12.1, 15.1 a-d, g and 15.2 of the GDPR.

IMY has further found that Spotify failed in its handling of requests for access in two of the three complaints examined. The decision in this part includes violations of articles 12.1, 12.3, 15.3 and 15.1 a-h and 15.2 of the GDPR. In relation to these infringements, IMY issues a reprimand and an order to comply with one complainant's request for access.

