The Swedish Data Protection Authority, IMY, believes that Spotify has failed in its duty to disclose how the company utilizes and stores personal data, leading to a decision to impose a penalty of 58 million SEK (approximately 5.4 million dollars) on Spotify.
IMY states that Spotify, as required by GDPR legislation, provides individuals with access to their stored personal data upon request. However, they believe that there are shortcomings in Spotify’s information regarding how the stored personal data is used by the company.
“The information provided by the company on how individuals’ personal data is processed and for what purposes should be more specific. It should be easy for individuals who request access to their data to understand how the company utilizes that data. Additionally, personal data that is difficult to comprehend, such as technically-oriented information, may need to be explained not only in English but also in the individual’s own language. We have identified certain deficiencies in these areas,” says Karin Ekström, one of the lawyers leading the investigation.
As Spotify has users in multiple countries, IMY’s decision has been made in collaboration with other data protection authorities in the EU.