Music streaming platform Spotify has been fined about $5.4 million in Sweden for breaching the data access rights of users in the European Union (EU).
There were allegations that the company failed to provide full information about personal data it processes in response to individual requests, which is a violation of Article 15 of the General Data Protection Regulation (GDPR), reports TechCrunch.
The complaint was filed at the start of 2019 by noyb, a privacy rights non-profit organisation.
According to the complaint, Spotify failed to provide all personal data requested, did not provide information on the purposes of the processing or recipients, and did not provide information on international transfers, among other allegations.
While the complaint was initially filed in Austria, the GDPR’s one-stop-shop mechanism, which is intended to streamline case handling when data processing crosses national borders, resulted in the complaint being routed to Sweden, where Spotify has its main EU presence.
The complaint then sat unresolved for several years, according to noyb, because the Swedish authority conducted a parallel ex officio investigation to which the complainants were not invited — despite the GDPR’s requirement that data controllers respond to access requests within a month, according to the report.
Due to the lack of a decision, noyb ended up taking the Swedish data protection authority (IMY) to court.
Last year, it successfully challenged IMY’s position that the complainant is not a party in procedures, with the Stockholm administrative court ruling that complainants have the right to request a decision six months after the complaint was filed, the report mentioned.
Meanwhile, Spotify has announced that it will lay off 200 employees, 2 per cent of its workforce, from its podcast division as part of a corporate reorganisation.