Spotify is facing a fine of approximately €5 million ($5.4M) in Sweden for breaching data access rights of users in the European Union. Te fine highlights the challenges faced by European users in upholding their data protection rights. The complaint against Spotify was filed by the privacy rights organization noyb more than four years ago. The complaint alleged that Spotify did not provide adequate information in response to a subject access request, including failing to provide all personal data, information on processing purposes, recipients, and international transfers. The complaint was initially filed in Austria but was redirected to Sweden due to the GDPR’s one-stop-shop mechanism. The Swedish data protection authority (IMY) took several years to process the complaint, prompting noyb to take legal action against the authority. Last year, the Stockholm administrative court ruled that complainants have the right to request a decision after six months.
IMY has now issued a decision ordering Spotify to provide the full set of data requested. Spotify has stated its intention to appeal the decision, maintaining that it provides comprehensive information about data processing.
The case highlights the variable enforcement of GDPR across European countries and the ongoing challenges in upholding data access rights.
Data subject request management: https://privacy.partners