FiS - 13539-23

From GDPRhub
Revision as of 06:53, 16 July 2024 by Wp (fixed category)
Court: FiS (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 12(1) GDPR
Article 15(1)(a) GDPR
Article 15(1)(b) GDPR
Article 15(1)(d) GDPR
Article 15(1)(g) GDPR
Article 15(1)(c) GDPR
Article 15(2) GDPR
Decided: 28.06.2024
Published:
Parties: Spotify AB
National Case Number/Name: 13539-23
European Case Law Identifier:
Appeal from: IMY (Sweden)
DI-2019-6696
Appeal to:
Original Language(s): Swedish
Original Source: GDPRhub (in Swedish)
Initial Contributor: ec

The Administrative Court of Stockholm reduced the DPA's fine to €3,484,720 (SEK 40 million) against Spotify, because not providing information under Article 15 GDPR does not automatically mean a violation of Article 12(1) GDPR.

English Summary

Facts

On 12 June 2023, the Swedish DPA (“IMY”) imposed a fine of €5,167,615 (SEK 58 million) against Spotify AB (the controller) for violating the GDPR. The DPA held that the controller did not provide sufficiently clear information in the access request and violated Article 12(1), 15(1)(a) to (d), (1)(g) and (2) GDPR.

The controller appealed the DPA’s decision to the Administrative Court of Stockholm (“Förvaltningsrätten i Stockholm”), asking the court to annul the DPA’s decision, to impose a reprimand instead of a fine, or otherwise to reduce the imposed fine.

The controller did not agree with the DPA’s reliance on the guidelines of the EDPB and the Article 29 Working Party for its decision, as these were not legally binding.

Regarding the various violations concerning the information the controller provided, the controller argued that Article 15(1)(b) GDPR contains no requirement as to how the information on categories of personal data should be presented, so that it complied with the Article even though the information was generalised. It added that there was a link to the privacy policy, which had a more detailed description of the different categories.

The controller further argued there was no obligation to provide information on the storage periods in relation to each category of personal data under Article 15(1)(d) GDPR, to provide precise information on the criteria for determining the storage periods and to provide information on which third countries the personal data was transferred to under Article 15(2) GDPR. Moreover, there was also no obligation to provide a description of the personal data that contained technical log files, and thus also no obligation to provide this in a specific language other than English.

Holding

EDPB’s Guidelines

The court agreed with the controller that the EDPB and Article 29 Working Party Guidelines are not legally binding. However, the court held that they can be used to support the interpretation of the GDPR. The court further held that the DPA had not based its decision on the requirements in the EDPB’s guidelines or other requirements that do not follow from the GDPR.

Information on the purposes, the categories, the recipients and sources (Articles 15(1)(a), (b), (c) and (g) GDPR)

The court held that in order for the information provided to data subjects to be considered as meeting the requirements of Article 15 GDPR, the data subject must be able to ensure that the personal data concerning them is accurate and that it is processed lawfully. Merely complying with the information obligation is therefore not enough.

The court first looked at whether the controller provided information on the categories of personal data concerned under Article 15(1)(b) GDPR. The court found that the descriptions given by the controller were general and that the data included in the categories were not specified. For some categories, no description was given at all. Therefore, the court held that it was difficult to determine which personal data were included in the various categories and that the information provided was thus not sufficient to assess whether the data subject’s personal data was accurate and was being processed lawfully.

Regarding the link to the privacy policy which contained additional descriptions of the categories, the court held this indeed required active steps from the data subject as the data subject had to search for the relevant information in the policy on their own. However, the court held that the decisive factor should be whether the information was actually available to the data subject and therefore considered linking the privacy policy as making the information available under the requirements of Article 15 GDPR.

Therefore, taking into account the information provided on the categories of personal data in the document and the additional descriptions contained in the privacy policy, the court found that the controller provided sufficient information for a data subject to be able to assess whether their personal data was processed and if this was done in a lawful manner. The court therefore found that the controller did not violate Article 15(1)(b) GDPR, disagreeing with the DPA.

The court then looked into whether the controller provided information on the purposes of the processing (Article 15(1)(a) GDPR), the recipients or categories of recipient to whom the personal data have been or will be disclosed (Article 15(1)(c) GDPR) and any available information of the source when the personal data is not collected from the data subject (Article 15(1)(g) GDPR). As the DPA found that the controller violated these Articles because it linked to the various categories of data, the court found that there were no violations of Articles 15(1)(a), (c) and (g) GDPR either.

However, the court did take into account that the information provided under Articles 15(1)(a), (b), (c) and (g) GDPR was not provided to the data subject in one document, but in different documents. The court found that although the controller linked to its privacy policy in the access request, it was not clear what further information was in there. The data subject had to actively look for relevant information. Therefore, the court held that the information provided under Articles 15(1)(a), (b), (c) and (g) GDPR was not sufficiently clear and easily accessible. Thus, the court held that the controller violated Article 12(1) GDPR, agreeing with the DPA.

Information on the storage period and transfer of personal data to third countries (Article 15(1)(d) and (2) GDPR)

The court found that the information provided on the storage period and the criteria used to determine that period was of a general nature and lacked detailed descriptions. Therefore, the court held that the controller did not provide sufficient information to the data subject for them to assess whether their personal data was accurate and processed lawfully. Thus, the court held that the controller did violate Article 15(1)(d) GDPR.

The court agreed with the DPA’s assessment that a prerequisite for a data subject to be able to verify the lawfulness of the processing of his personal data is that it contains an indication of whether a transfer to a third country or an international organisation had actually taken place. The controller failed to provide such information and thus violated Article 15(2) GDPR.

The court further noted that a violation of Article 15 GDPR does not automatically mean a violation of Article 12(1) GDPR. As the required information under Articles 15(1)(d) and (2) GDPR was missing, the court did not agree with the DPA that the information violated the requirements of Article 12(1) GDPR.

Provision of personal data in the form of technical log files

The court took into account the CJEU’s judgment in case C-487/21, stating that it is for the controller to take measures to ensure that the personal data provided to the data subject are intelligible. The court held that the controller is obligated to take appropriate measures to render the data intelligible, for example, by providing a description of them, to comply with Article 12(1) GDPR. In this case, the personal data in question were in the form of technical log files consisting of codes and numbers, which are by their nature difficult to understand. Although the controller provided a more detailed description of the technical log files in English, the court found that this could not be considered to be making the log files comprehensible to everyone. The court found that especially a data subject who had requested a copy of their personal data containing technical log files should not have to take their own initiative to make the information comprehensible. Therefore, the court found that the measures taken by the controller were not sufficient to ensure that the personal data in the technical log files were intelligible and thus violated Article 12(1) GDPR.

Conclusion

The court thus found that the controller did not violate Articles 15(1)(a) to (c) and (g) GDPR. However, the information in these parts was provided in such a way that it did violate Article 12(1) GDPR. Moreover, the court found that the controller violated Articles 15(1)(d) and 15(2) GDPR, but, unlike the DPA, did not agree that the information in these parts violated Article 12(1) GDPR. Lastly, the court found that the controller did violate Article 12(1) GDPR, as the measures taken were not sufficient to ensure that the personal data in the technical log files were intelligible.

As the court did not find violations of Articles 15(1)(a), (b), (c) and (g) GDPR and Article 12(1) GDPR in the information provided on the storage period and transfer of personal data to third countries, the court reduced the fine to €3,484,720 (SEK 40 million). The Administrative Court thus partially upheld the appeal.

English Machine Translation of the Decision

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.

         ADMINISTRATIVE COURT JUDGMENT 13539-23
         IN STOCKHOLM


BACKGROUND

The Swedish Privacy Authority (IMY) decided on 12 June 2023 to, among other things, impose a sanction fee of SEK 58 million on Spotify AB (Spotify) for violations of the data protection regulation. As reasons for the decision in this part, IMY stated that Spotify, during the period 16 November 2021–16 May 2022, in the information to be provided according to articles 15.1 and 15.2 of the data protection regulation, did not provide sufficiently clear information about

    the purposes of the processing,
    categories of personal data to which the processing applies,
    categories of recipients of the personal data,
    the anticipated periods during which personal data will be stored or, if this is not possible, the criteria used to determine this period,
    where personal data comes from, as well as
    appropriate protective measures when personal data is transferred to third countries.

Furthermore, IMY stated that Spotify, during the period 11 June 2019–16 May 2022, by providing by default the description of the data in the technical log files in English, has not met the requirements that all communications provided to the data subject pursuant to Article 15 of the data protection regulation must be clear and comprehensible in the manner specified in article 12.1 of the data protection regulation.

Spotify has thus processed personal data in violation of articles 12.1, 15.1 a-d, 15.1 g and 15.2 of the data protection regulation.

1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free flow of such information and on the repeal of Directive 95/46/EC (General Data Protection Regulation).






Doc.Id 1750289 Page 3


The IMY also decided to impose a reprimand on Spotify for not handling two data subjects' requests to access personal data in accordance with the data protection regulation. As the reason for the decision in this part, IMY stated, regarding complaint 1, that Spotify in its handling of the complainant's request for access made on 27 May 2018 has processed personal data in violation of

    article 12.3 of the data protection regulation, by the copy of personal data having been submitted too late, and
    articles 12.1, 15.1 and 15.3 of the data protection regulation, by Spotify not having provided, in the copy of personal data, all the complainant's personal data in an understandable form.

Regarding complaint 2, IMY stated that Spotify in its handling of the complainant's access request made on October 10, 2018 has processed personal data in violation of

    articles 15.1 and 15.3 of the data protection regulation, by Spotify not having given access, in the copy of personal data, to all personal data that Spotify processed about the complainant, and
    articles 15.1 a-h and 15.2 of the data protection regulation, by not having provided any of the information listed in those provisions.

Regarding complaint 2, IMY also decided to order Spotify to, at the latest one month after the decision became final, accommodate the appellant's request for access.

The reasons for the decision in their entirety appear in Appendix 1.













CLAIMS, ETC.

Spotify primarily requests that the administrative court cancel the appealed decision in its entirety. Alternatively, it is requested that the company, instead of a penalty charge, be given a reprimand, and thirdly that the imposed penalty charge be reduced.

IMY considers that the appeal should be rejected.

On June 5, 2024, the Administrative Court held an oral hearing in the case.

THE REASONS FOR THE DECISION

Starting points for the trial

The questions in the case

The first question that the administrative court has to examine is whether a penalty fee should be imposed on Spotify on the grounds put forward by IMY. More specifically, the question is whether the information that Spotify provided to data subjects during the period 16 November 2021–16 May 2022 fulfilled the requirements in articles 12.1 and 15 of the data protection regulation, and whether the provision of technical log files during the period 11 June 2019–16 May 2022 met the requirements in article 12.1 of the data protection regulation.

The administrative court also has to take a position on whether Spotify, when dealing with two data subjects' requests for access to their personal data, has violated articles 12 and 15 of the data protection regulation. If so, the administrative court has to examine whether the company should be reprimanded.












Burden of proof and proof requirements

According to the principle of accountability, the personal data controller must be able to show that the processing of personal data is carried out in accordance with the provisions of the data protection regulation (articles 5.2 and 24 of the data protection regulation). This means that it is the personal data controller who has the burden of proof that the processing meets the requirements of the regulations (the judgment of the European Court of Justice on 24 February 2022 in case C-175/20 "SS" SIA et al., paragraphs 77–81).

It must also be clearly stated that there are conditions for imposing a certain administrative penalty fee, and it is IMY that has the burden of proof in that respect (see the Court of Appeal in Stockholm's judgment on January 26, 2023 in case no. 1552-22).

Guidelines

Spotify has objected that some of the requirements that IMY lays as the basis for the violations are based on an interpretation of guidelines announced by the European Data Protection Board (EDPB) and the Article 29 group. Spotify asserts that these guidelines lack standing as a source of law and are not legally binding. Nor were the EDPB guidelines on the right of access adopted at the time of the alleged violations.

The Article 29 Group was established pursuant to Article 29 of the Data Protection Directive 95/46/EC. On 29 November 2017, the group adopted guidelines on transparency according to regulation (EU) 2016/679. Through the introduction of the data protection regulation, the group has been replaced by the EDPB. The EDPB is, among other things, tasked with issuing guidelines and recommendations regarding the interpretation of the data protection regulation. The EDPB has adopted the Article 29 Working Party's guidelines on transparency.










The Administrative Court notes in this regard that the guidelines cannot determine binding obligations unless the interpretation of the requirements they express can be deduced from the wording of the regulation text. That this is the case follows from generally accepted requirements for legality and predictability. The Administrative Court further notes that IMY has not asserted that Spotify has violated requirements in the EDPB's guidelines, or imposed other requirements that do not follow from the data protection regulation as the basis for the decision. However, the purpose of the guidelines is to promote a uniform application of the regulation by the supervisory authorities in the Member States of the EU. The guidelines are not legally binding but may, according to the opinion of the administrative court, be used as support in the interpretation of the data protection regulation. Any possibility of imposing sanctions from outside the guidelines and without support in the data protection regulation does not exist, however.

Legal starting points

Article 15 of the Data Protection Regulation specifies the information that a data subject has the right to receive from the personal data controller regarding personal data concerning him or her. This information shall, according to Article 12.1, be submitted in a concise, clear, comprehensible and easily accessible form, using clear and unambiguous language.

Article 15 thus specifies what information must be provided, while Article 12.1 imposes requirements on how this information must be provided. An application of Article 12.1 presupposes both that information has actually been provided and that there is an information requirement according to Article 15.



















Spotify's general procedures for handling requests for access

Information to data subjects according to article 15.1 a-c and 15.1 g

According to Article 15.1 a-c and 15.1 g, the personal data controller must provide information about the purposes of the processing of personal data, the categories of personal data to which the processing applies, the recipients or categories of recipients to whom the personal data has been or will be disclosed, especially recipients in third countries or international organizations, and, if the personal data is not collected from the data subject, all available information about where this data comes from.

During the time period relevant to the case, Spotify has provided information according to Article 15 of the Data Protection Regulation in a special document (the Article 15 information). In each copy of personal data provided to the data subject pursuant to Article 15.3, a link to the Article 15 information has been included. In the Article 15 information, there has in turn been a link to Spotify's privacy policy, in which supplementary information about the processing of the personal data has existed.

Spotify states that the information about categories of personal data that was provided corresponds well with the data protection regulation's requirements. Whether the information provided was too general is irrelevant, because Article 15.1 b of the data protection regulation does not prescribe a requirement that the information must be designed in a certain way. Notwithstanding this, Spotify provided descriptions of the different categories in the Article 15 information and, in addition, detailed descriptions in the privacy policy. That data subjects were provided with a link to the privacy policy in the Article 15 information does not mean that they actively needed to search for the information in question. If the description provided in the privacy policy would despite this be judged to be difficult to access, this is a circumstance that concerns how the description has been provided and not the information as such. The company has further provided, in the Article 15 information, all the information that the company is obliged to provide about the purposes of the processing, the recipients or categories of recipients and the source of the personal data. The company also provided this information in relation to various categories. Users thus had the opportunity to find out how their different personal data was processed.

IMY points out that the information provided by Spotify about categories of personal data has been general and lacking further explanations. The information has not enabled the data subject to ascertain that the personal data concerning him or her are correct and that they are processed in a lawful manner. Furthermore, the data subject should not need to actively search themselves for information that the data controller is obliged to hand over to the data subject. Spotify's statement that there were descriptions of certain categories of personal data in the privacy policy is therefore irrelevant for the assessment of the clarity of the information in this regard. This is because this information cannot be considered to have been provided to the data subject. IMY has stated at the oral hearing that, in the event that the information in the privacy policy is considered to have been provided to the individual, it is, together with the Article 15 information, sufficient for the information requirement according to Article 15.1 b to be fulfilled.

The Administrative Court makes the following assessment.

In the interpretation of a Union provision, it is not only the wording, in accordance with its customary meaning in normal language, that is to be considered, but also the context and the goals pursued by the regulations in which the provision is included (the judgment of the European Court of Justice on 4 May 2023 in case no. C-487/21 p. 19 and the case law cited there).












                           Article 15 of the data protection regulation further imposes a more far-reaching requirement on

                           the information that is provided to registered than that it only to his

                           wording must comply with the information obligation in the article. For
                           that the information provided to data subjects shall be considered to meet the requirements which

                           follows from Article 15, it must enable the data subject to insure

                           that the personal data concerning him or her are correct and that they
                           processed in a legal manner (cf. the judgment of the European Court of Justice on 4 May 2023 in the case

                           C‑487/21 p. 34 and recital 63 of the data protection regulation).



                           The question is therefore about the information that Spotify has provided to registered users
                           this part has enabled such control. According to the opinion of the administrative court

                           it is a prerequisite for this that the information provided has gone through

                           to find out which personal data is processed in which ways.


                           The Article 15 information provided to data subjects specifies which categories

                           of personal data that Spotify processes. In connection with some of

                           the categories are also given a description of which tasks are included in each
                           category. However, according to the opinion of the administrative court, these descriptions are

                           generally held and which information the categories include is not specified

                           closer. Regarding the categories of user data and usage data is given

                           no description at all and there is a lack of other clarifications
                           example. The Administrative Court considers that, based on this information, it is difficult to

                           determine which personal data is included in the various categories and that

                           the information provided in this part is therefore not sufficient to a
                           registered person must be able to assess whether the personal data concerning him or

                           her are correct and that they are processed in a legal manner.



                           However, the Article 15 information contains a link to Spotify's
                           privacy policy. The privacy policy contains, among other things, supplementary information

                           descriptions of the categories of personal data that Spotify processes. IMY

                           has submitted that this information should not be considered because it cannot be considered






Doc.Id 1750289 Page 10

         ADMINISTRATIVE COURT JUDGMENT 13539-23
         IN STOCKHOLM


                           have been given to the registered person when he has had to search for it

                           the information itself.


                           The Article 29 group's guidelines on transparency state, among other things, that the requirement that the

                           personal data controller must provide information to the registered means that

                           the controller must take active steps to provide
                           the information in question to the data subject or actively accompany the data subject

                           to the location where the information is located (e.g. via a direct link). The registered

                           shall not have to actively search for such information covered by these

                           articles among other information, such as terms of use for a website or
                           app.



                           The Administrative Court initially notes that the guidelines deal with
                           the application of Article 12(1) in relation to Articles 13 and 14 of the
                           Data Protection Regulation. However, the Administrative Court considers that
                           the guidelines can also serve as guidance in the application of Article 12(1)
                           in relation to Article 15.


                           The Administrative Court assesses that Spotify, by linking to the privacy
                           policy in the Article 15 information, may be deemed to have taken active steps
                           to provide the information in question to the data subject. Admittedly, the
                           link has been to the whole privacy policy and not only to the parts containing
                           Article 15 information. The data subject has therefore had to search
                           independently for relevant information in the document. When assessing whether
                           the company is to be considered to have given the data subject access to the
                           information under Article 15 of the Data Protection Regulation, however, the
                           Administrative Court considers that the decisive factor is that the information
                           has actually been available to the data subject. Through the link to the
                           privacy policy, the Administrative Court considers that the information has
                           been made available to such an extent that it can be taken into account in the
                           assessment of whether Spotify has met the requirements of Article 15 of the
                           Data Protection Regulation.

                           In an overall assessment of the information given about the categories of
                           personal data in the Article 15 information together with the supplementary
                           descriptions found in the privacy policy, the Administrative Court considers
                           that Spotify has provided enough information for a data subject to be able to
                           understand which data is included in each category. The information has thus,
                           taken as a whole, made it possible for a data subject to check that the
                           personal data is handled correctly and lawfully. Against this background, the
                           Administrative Court finds that Spotify has not violated Article 15.1 b of the
                           Data Protection Regulation.


                           It appears from the appealed decision that IMY has assessed that the
                           violations of Article 15.1 a, c and g are due to the fact that the information
                           in these parts has been linked to the various categories of personal data. It
                           has not been asserted in the case that the information about purpose,
                           recipient and source has as such been deficient. Because the Administrative
                           Court considers that the information provided under Article 15.1 b has been
                           sufficient, there is therefore also no violation of Article 15.1 a, c and g.


                           IMY has also assessed that the information provided pursuant to Article
                           15.1 a-c and 15.1 g has not been sufficiently concise, clear and plain, nor
                           easily accessible. According to IMY, it has therefore not met the requirements
                           in Article 12.1 of the Data Protection Regulation.



                           It appears from the Article 29 Working Party's guidelines on transparency that
                           the requirement that information provided or communicated to data subjects
                           shall be in a "concise, clear and plain" form means that controllers should
                           present the information in an efficient and concise manner to avoid
                           information fatigue. The information should be clearly distinguished from
                           other information that does not relate to privacy, for example contractual
                           provisions or general terms of use. The requirement that the information be
                           easily accessible means that it should be immediately obvious to data subjects
                           where and how they can
                           access the information. The Article 29 Working Party also recommends that all
                           the information addressed to data subjects should be available in a single
                           place or in a single document.


                           The Administrative Court notes that the information in question has not been
                           collected in one place but has been given to the data subject in different
                           documents. Spotify has indeed linked to the privacy policy in the Article 15
                           information, but in the opinion of the Administrative Court it has not been
                           clear which additional information was available there. The data subject has
                           thus had to actively look for relevant information about, for example, the
                           categories of personal data that Spotify processes. Against this background,
                           the Administrative Court considers that the information provided pursuant to
                           Article 15.1 a-c and 15.1 g of the Data Protection Regulation has not been
                           sufficiently clear and easily accessible. The Administrative Court therefore
                           considers, like IMY, that Spotify in this part has violated Article 12.1 of
                           the Data Protection Regulation.



                           Information to data subjects according to Article 15.1 d


                           Article 15.1 d of the Data Protection Regulation states that the controller
                           must provide information about the anticipated period during which the
                           personal data will be stored or, if this is not possible, the criteria used to
                           determine this period.



                           Spotify states that the company has provided information about the criteria
                           used to determine retention periods. There is, however, no obligation to
                           provide information on storage periods in relation to each category of
                           personal data. Furthermore, there is also no obligation to provide precise
                           information about the criteria for determining the storage periods.

                           IMY submits that the information provided on storage periods and the criteria
                           for determining them was very imprecisely worded, e.g. through vague concepts
                           such as "legitimate business reasons" and that data is "usually" kept for the
                           lifetime of an account. Overall, it has not been possible for data subjects,
                           through the information provided by Spotify, to understand and check that the
                           retention of their personal data was lawful.


                           The Administrative Court makes the following assessment.



                           Spotify's Article 15 information shows, among other things, that personal data
                           is kept for as long as it takes to provide the Spotify service to the data
                           subject and for legitimate and essential business purposes. Furthermore,
                           examples are given of the criteria used to determine the retention periods.
                           Among these it is stated that the standard period for retention of personal
                           data is 90 days, unless a longer period is chosen due to a legitimate business
                           reason. It is further stated that personal data is retained for an appropriate
                           period to deliver a personal service to the data subject and that streaming
                           history is usually retained for the lifetime of an account.



                           The Administrative Court considers that Spotify has provided certain
                           information about the period during which the personal data is stored and, in
                           cases where this is not possible, the criteria used to determine this period.
                           The information is, however, worded in general terms, and detailed
                           descriptions of how long the data subject's various personal data are actually
                           stored are lacking. As IMY points out, vague and imprecise concepts are
                           moreover used to describe the criteria used to determine the storage periods.
                           The Administrative Court considers that Spotify has not provided enough
                           information to enable a data subject to ensure that the personal data
                           concerning him or her is correct and is processed lawfully. Spotify has thus
                           violated Article 15.1 d of the Data Protection Regulation.

                           IMY has also assessed, with regard to this information, that the requirements
                           that the information be provided in a concise, clear and easily accessible
                           form have not been fulfilled.


                           The Administrative Court would like to point out at the outset that a
                           violation of Article 15 does not automatically entail a violation of Article
                           12.1. The fact that information that must be provided under Article 15 is
                           missing does not in itself mean, in the opinion of the Administrative Court,
                           that there is also a violation of Article 12.1. The Administrative Court has
                           assessed that Spotify violated Article 15.1 d as the company has not provided
                           enough information about its storage of personal data. However, the
                           Administrative Court does not consider that IMY has been able to show that the
                           information Spotify has actually provided did not comply with the requirements
                           in Article 12.1. There is therefore no simultaneous infringement of Article
                           12.1 in this part.



                           Information to data subjects according to Article 15.2


                           Article 15.2 of the Data Protection Regulation stipulates that where personal
                           data is transferred to a third country or to an international organization,
                           the data subject shall have the right to information about the appropriate
                           safeguards that have been taken in accordance with Article 46 at the time of
                           the transfer.


                           Spotify states in this part that the company has provided information about
                           the appropriate safeguards taken when transferring data to a third country. It
                           disputes that there is a requirement to indicate to which third countries the
                           personal data has been transferred. For transfers to third countries, Spotify
                           relied to a certain extent on European Commission decisions on an adequate
                           level of protection. Where there was no decision on an adequate level of
                           protection, Spotify applied during the relevant period only standard
                           contractual clauses as an appropriate safeguard. With this in mind, Spotify
                           admits that the information in question could have been worded without
                           indicating that the appropriate
                           safeguards "e.g." consisted of standard contractual clauses. The term
                           "for example" was used to avoid making the information incomplete and
                           referred, in addition to standard contractual clauses, to the adequacy
                           decisions that some transfers relied on. Spotify also acknowledges that the
                           information provided about appropriate safeguards was general. However, this
                           was a result of standard contractual clauses being the only appropriate
                           safeguard that Spotify actually applied. The general wording was thus, during
                           the period in question, applicable to all users, and there was accordingly no
                           need for any individualization or further description.


                           IMY states that, in order for the data subject to be able to check that the
                           processing concerning him or her is lawful, information about appropriate
                           safeguards under Article 15.2 must at least include information that clarifies
                           whether the data subject's personal data has been transferred to a third
                           country and, if so, to which countries and with which safeguards. Spotify has
                           not provided such information. IMY further considers it irrelevant that
                           Spotify at the time in question applied only standard contractual clauses, as
                           this is not something the data subject could have known without being informed
                           of it.



                           The Administrative Court makes the following assessment.


                           The Administrative Court assesses that it follows from the wording of Article
                           15.2 of the Data Protection Regulation that the obligation to provide
                           information refers to appropriate safeguards taken when data has actually been
                           transferred to a third country or to an international organization. It is thus
                           not merely a question of an obligation to inform about the appropriate
                           safeguards that are generally taken in this regard. Instead, the information
                           provided under Article 15 must be adapted to the data subject's situation. The
                           Administrative Court shares IMY's assessment that a prerequisite for a data
                           subject to be able to check that the processing of his or her personal data is
                           lawful is that the information
                           contains information on whether a transfer to a third country or an
                           international organization has actually taken place. The information that
                           Spotify provided to data subjects has lacked such information. The
                           Administrative Court considers that this constitutes a violation of Article
                           15.2 of the Data Protection Regulation.



                           IMY has also assessed, with regard to the information provided under Article
                           15.2, that its provision has not been compatible with Article 12.1. As the
                           Administrative Court stated above, a lack of information under Article 15 does
                           not necessarily mean a deficiency under Article 12(1). As for the violation of
                           Article 15.2, the Administrative Court has assessed that this is mainly due to
                           relevant information having been missing, and not to the content actually
                           provided to the data subject having in itself been difficult to access or
                           unclear. The appealed decision does not specify in what way IMY considers that
                           the information provided is incompatible with Article 12.1. Nor does the
                           Administrative Court consider that IMY has otherwise given a sufficiently
                           clear account of which circumstances would entail a violation in this case.
                           Against this background, the Administrative Court considers that IMY in this
                           part has not shown that Spotify has acted in violation of Article 12.1 of the
                           Data Protection Regulation.



                           The provision of personal data in the form of technical log files


                           In connection with a data subject having received a copy of personal data
                           containing technical log files, Spotify has also provided a description of
                           these. This is to help the user understand the data. Spotify has provided both
                           a detailed description of the files in English and an overview description in
                           the user's local language. At the request of the data subject, Spotify has
                           also assisted with a translation of the detailed description. IMY has assessed
                           that the detailed description has been necessary in order to enable a user to
                           take in the information in the log files. The fact that the description has,
                           as a starting point, only been provided in English means, however, according
                           to IMY, that Spotify has not taken sufficient measures to
                           ensure that users understand the description of the data. The information has
                           thus not met the requirement that all communication under Article 15 of the
                           Data Protection Regulation must be clear and comprehensible in the manner
                           specified in Article 12.1.



                           In this part, Spotify submits, among other things, the following. The company
                           has, in accordance with Article 15.3 of the Data Protection Regulation,
                           provided upon request a copy of the data subject's personal data. There is,
                           however, no obligation to provide a description of this personal data, still
                           less to provide such a description in a particular language.


                           One reason the technical log files were, as a starting point, provided in
                           English was that they reflect technical concepts and codes that are above all
                           communicated in English and for which established local translations are often
                           missing. It is not considered justified to provide the detailed description of
                           the technical log files in local languages for every request for such files.
                           If a user requests that the files be translated, Spotify assists free of
                           charge with such a translation. Out of about 400,000 requests that Spotify has
                           received since 2018, only three users have requested a translation of the
                           detailed description into their local languages. This shows that it would be
                           disproportionate to provide the description in all users' own languages as a
                           starting point and without a specific request.



                           IMY adds in this part, among other things, the following. Exactly which
                           measures a controller must take to make personal data comprehensible to the
                           data subject must be assessed based on the circumstances of the individual
                           case. The question of the language in which information is to be provided must
                           be assessed in the light of the purpose of the provision. A description
                           provided in a language that the data subject does not master cannot help to
                           make the data comprehensible to the data subject. IMY has not stated that
                           Spotify should translate its detailed description of the technical log files
                           in its entirety. What is required, however, is a more detailed
                           description in the local language of the central concepts in the technical log
                           files, or other information that makes the personal data comprehensible to the
                           data subject.


                           The Administrative Court makes the following assessment.


                           The European Court of Justice has stated that, to ensure that the information
                           provided is easy to understand, as required by Article 12.1 of the Data
                           Protection Regulation read in conjunction with recital 58 of the same
                           regulation, it may prove necessary to reproduce extracts from documents or
                           even entire documents or extracts from databases which contain, among other
                           things, the personal data that is processed, if it is necessary for the
                           processed data to be put into context in order to ensure that it is
                           understandable (judgment of the European Court of Justice of 4 May 2023 in
                           case C-487/21, para. 41).



                           The Administrative Court considers that the EU Court's statement can be
                           understood as meaning that it is up to the controller to take measures to
                           ensure that the personal data provided to the data subject is comprehensible.
                           In the present case, the personal data is in the form of technical log files
                           consisting of, among other things, codes and numbers. Personal data of this
                           kind is by its nature difficult to understand. In the Administrative Court's
                           opinion, it has therefore been incumbent on Spotify to take appropriate
                           measures to make the data comprehensible, for example by providing a
                           description of it, in order for its provision to be compatible with Article
                           12.1 of the Data Protection Regulation.


                           The question then is whether the measures that Spotify has taken in this regard have been

                           sufficient for a data subject to be able to understand the content of the log files.


                           In the overview description of the data in the technical log files, which is
                           provided in the data subject's local language, it is stated that these contain
                           detailed technical data such as commands, error messages and log strings that
                           Spotify collected to be able to provide and troubleshoot the service. However,
                           the description lacks further information, and the Administrative Court
                           assesses that on this basis it has not been possible for a data subject to
                           understand the data in the log files.



                           However, Spotify has also provided a more detailed description of the
                           technical log files. It is undisputed in the case that this description has
                           made it possible for a data subject to make use of the information in the
                           files. However, the description has, as a starting point, only been provided
                           in English. Admittedly, there is no express requirement in Article 12(1) or
                           Article 15 of the Data Protection Regulation that information must be provided
                           in a particular language. However, the Administrative Court shares IMY's
                           assessment that it may be considered to follow from the purpose behind the
                           right of access, as well as from the requirements in Article 12.1, that
                           information to a data subject must be in a language that he or she knows.
                           Against this background, a description provided only in English cannot be
                           considered to contribute to making the log files comprehensible to all users
                           targeted by Spotify. Spotify has in this regard argued that users have been
                           given clear information about the possibility of having the description
                           translated into their local languages and that such a request has only been
                           made in a few cases. However, the Administrative Court considers that a data
                           subject who has requested a copy of personal data containing technical log
                           files should not have to take his or her own initiative to obtain information
                           that is understandable. Instead, it is incumbent on Spotify, as controller, to
                           ensure, even without a further request from data subjects, that the
                           information provided is easy to understand. The fact that users have been able
                           to come back to Spotify to have the description translated therefore does not,
                           in the Administrative Court's opinion, fully make up for this deficiency.



                           In summary, the Administrative Court has found that the information which data
                           subjects have received in their local language has not been extensive enough
                           to make it possible to understand the personal data in the technical log
                           files. Nor has the detailed description provided in English been deemed to
                           make the data comprehensible to all data subjects. Against this background,
                           the Administrative Court considers that the measures taken by Spotify have not
                           been sufficient to ensure that the personal data in the technical log files
                           has been understandable. The provision of the data has therefore not been
                           compatible with the requirements of Article 12.1 of the Data Protection
                           Regulation.


                           Summary of Violations



                           The administrative court has found the following.


                                Spotify has not violated Article 15.1 a-c or 15.1 g. However, the
                                information in these parts has been provided in such a way that there is
                                a violation of Article 12.1.

                                Spotify has violated Article 15.1 d and 15.2. However, IMY has not been
                                able to show that information in these parts has been provided in
                                violation of Article 12.1.

                                Spotify has further violated Article 12.1 as the measures taken have not
                                been sufficient to ensure that the personal data in the technical log
                                files has been understandable.



                           Choice of penalty for violations of Spotify's general procedures


                           Conditions for imposing a penalty fee



                           The question then is whether, due to the violations found, an administrative
                           penalty fee should be imposed on Spotify.



                           Spotify states in this part that, if an intervention is to take place, the
                           penalty fee imposed should be changed to a reprimand. It is undisputed that
                           the violations are of low severity. In this context, they must also be
                           considered to have taken place for only a short period of time. Nor have they
                           caused any damage within the
                           meaning of the Data Protection Regulation. Spotify may also be considered to
                           have done what could be expected of the company in terms of technical and
                           organizational measures. The penalty fee determined also amounts to just over
                           1 percent of the maximum penalty fee. In such circumstances, a different
                           sanction must be chosen as a starting point. Furthermore, it is not necessary
                           to impose a sanction on Spotify to ensure compliance with the Data Protection
                           Regulation. IMY has also not shown that Spotify's alleged violations have been
                           committed intentionally or through negligence, which is a prerequisite for a
                           penalty fee to be imposed. The violations could not have been foreseen in view
                           of the case law, information and adopted guidance that was available at the
                           time. Against this background, Spotify neither had nor should have had reason
                           to assume that the handling would constitute a violation of the Data
                           Protection Regulation. Spotify was thus unaware that the conduct constituted a
                           violation.



                           IMY states that all circumstances that were significant for the assessment,
                           both of the choice of sanction and when determining the amount of the penalty
                           fee, have been considered. The fact that IMY clarified how the degree of
                           seriousness has been assessed is not a circumstance that militates against
                           imposing a penalty fee on Spotify. The categorization of the infringement as
                           one of low seriousness is to be understood against the background of the
                           EDPB's guidelines, whereby a relatively low sanction amount within the
                           applicable range should be selected as the starting point. IMY has further, in
                           any event, shown that Spotify was negligent to a sufficient degree. In this
                           regard it should be particularly emphasized that it is Spotify that has
                           developed routines and processes for handling data subjects' access requests.
                           It is also Spotify that has produced and designed the information provided to
                           data subjects who requested access to their personal data from Spotify. IMY
                           has not claimed that Spotify intended the violations in question, but it is in
                           any case clear that the company acted negligently when it did not live up to
                           the requirements set by the Data Protection Regulation in the relevant
                           respects.

The Administrative Court makes the following assessment.

According to Article 58.2 of the data protection regulation, each supervisory authority has the power to impose administrative penalty fees in accordance with Article 83, in addition to or instead of the measures referred to in Article 58.2, depending on the circumstances of each individual case. Article 83.2 states which factors must be taken into account when deciding whether a penalty fee should be imposed and on the size of the amount.



Recital 148 of the data protection regulation states, among other things, the following. To strengthen the enforcement of this regulation, sanctions, including administrative penalty fees, should be imposed for violations of this regulation, in addition to or in lieu of the appropriate measures taken by the supervisory authority in accordance with this regulation. In the case of a minor violation, or if the penalty fee likely to be imposed would involve a disproportionate burden on a natural person, a reprimand may be issued instead of a penalty fee.


Spotify has violated the data protection regulation by not providing sufficient information according to Article 15.1 d and Article 15.2, and because other information provided under Article 15 has in several respects not been compatible with the requirements of Article 12.1. The Administrative Court considers that, taken together, this cannot be considered a minor violation. A penalty fee can therefore not be replaced by a reprimand.


In order for a penalty fee to be imposed, it is also required that the personal data controller was at fault, in the sense that the controller cannot be considered to have been unaware that the action constituted an infringement (the EU Court of Justice's judgments of 5 December 2023 in cases C-683/21 and C-807/21).










As a personal data controller, Spotify is responsible for ensuring that its personal data processing is compatible with the requirements that follow from the data protection regulation. The Administrative Court has assessed that the violations of Article 15.1 d and 15.2 are due to Spotify not having satisfied the data subject's right to information as it follows from the wording of the article and the recitals of the data protection regulation. The violation of Article 12.1 regarding the information provided according to Article 15.1 a-c and 15.1 g is likewise due to an action that was in conflict with requirements that could clearly be deduced from the data protection regulation and its recitals. The Administrative Court considers that, against this background, Spotify cannot be considered to have been unaware that the action in these parts involved a violation of the data protection regulation. The conditions for imposing an administrative penalty fee on Spotify for these violations are therefore met.


As regards the violation of Article 12.1 that consisted in Spotify's failure to take sufficient measures to ensure that the personal data in the technical log files was comprehensible, however, the Administrative Court considers the following. The investigation shows that Spotify has, on its own initiative, taken relatively extensive measures to make the technical log files comprehensible. As stated above, it is also undisputed that the detailed description has been sufficient for a data subject to understand the data in the log files. Spotify has also assisted data subjects with translating the description where necessary and provided clear information about this possibility. Given that Spotify has stated, without being contradicted, that only a few requests for translation have been made, the company may be considered to have had no reason to believe that the measures taken were not sufficient to make the data comprehensible to all data subjects. At the time of the violation, more detailed guidance on the matter was also lacking. Against this background, the Administrative Court assesses that Spotify may be considered to have been unaware that the action in this part involved a violation of the regulation. This violation shall therefore not be taken into account in the calculation of the amount of the penalty fee.






The size of the penalty fee

To assess the amount of the penalty fee, the Administrative Court will take a position on the seriousness of the violations and on whether there are aggravating and mitigating circumstances. In the assessment, all relevant circumstances specified in Article 83.2 of the data protection regulation are taken into account. According to Article 83.1, the imposition of the penalty fee must also be effective, proportionate and dissuasive.



In this part, Spotify submits, in addition to what was stated in the previous section, among other things the following. The imposed penalty fee is not in reasonable proportion to the alleged violations. IMY has not sufficiently considered the many mitigating circumstances that apply in the case. Although the penalty fee is a seemingly small part of the maximum amount that can be set under the data protection regulation, the fee is very high in absolute terms.


The Administrative Court makes the following assessment.

The established violations of the data protection regulation have meant that data subjects have not been able to obtain basic information about how their personal data is processed. The violations have affected a very large number of data subjects. The shortcomings in the provision of information have also, to a large extent, affected data subjects' opportunities to check whether their personal data is handled in a correct and lawful manner and, by extension, their opportunities to exercise their rights under the data protection regulation. Spotify's personal data processing also covers a large amount of personal data, even if it does not belong to the categories of personal data particularly worthy of protection specified in Article 9 of the data protection regulation.










When assessing the seriousness of the violations, however, the Administrative Court also attaches importance to the fact that Spotify, on its own initiative and before the supervisory case was initiated, took extensive technical and organizational measures to improve its procedures in order to provide correct information according to Article 15. It is undisputed that this work has since been carried out continuously and that the routines have been improved. The Administrative Court also considers, contrary to IMY, that the period of six months during which the violations have been ongoing cannot be considered a period of such length that it increases the seriousness of the violations. It is further undisputed that the violations were not committed intentionally. However, this only means that the seriousness of the violations does not increase due to intent. There is no support for assessing that the seriousness of the violations is reduced as a result of their not having been committed intentionally (see the Court of Appeal in Stockholm's judgment of 16 September 2022 in case No. 7837-21).



The Administrative Court finds, in an overall assessment, that the violations, based on the categorization that must take place according to the EDPB's guidelines, are of a low level of seriousness. A penalty fee of between 0 and 10 percent of the applicable maximum amount, which in the current case is SEK 5,280 million, shall therefore be determined (cf. the EDPB's guidelines on the calculation of administrative penalty fees according to the General Data Protection Regulation, adopted on 24 May 2023). IMY has also considered the violations to be of a low degree of seriousness and assessed that, in light of Spotify's high turnover, there is reason to adjust the starting point for the calculation of the penalty fee downwards. The Administrative Court shares this assessment.



The question then is whether there are mitigating or aggravating circumstances that are significant for the size of the sanction amount. Circumstances that have been taken into account when assessing the seriousness of the infringements shall not be considered again.








In mitigation, IMY has above all attached importance to the fact that data subjects have had the opportunity to contact Spotify's customer service through several different channels in order to receive additional individualized information. Furthermore, in June 2022 Spotify made updates to the Article 15 information so that data subjects can understand the specific personal data processing applicable to their unique use of the service. No additional aggravating circumstances have been put forward. The Administrative Court considers that IMY has taken into account the mitigating circumstances that apply in the case and that there is no reason to make any other assessment in this part.


In summary, the Administrative Court thus considers, like IMY, that the violations are of low seriousness and that there are some mitigating circumstances. IMY has set the penalty fee at SEK 58 million.


Unlike IMY, however, the Administrative Court has found that Spotify has not violated Article 15.1 a-c and 15.1 g, nor Article 12.1 in all the respects stated in the appealed decision. The Administrative Court has also assessed that Spotify may be considered to have been unaware that the provision of the technical log files was not compatible with the requirements of Article 12.1, and this violation shall therefore not be the basis for the imposition of a penalty fee. Nothing has emerged other than that IMY took these violations into account when determining the amount of the penalty fee. In the opinion of the Administrative Court, this indicates that the violations, taken as a whole, cannot be considered as serious as IMY has assessed. The penalty fee must therefore be reduced. The Administrative Court notes that the violation of Article 12.1 regarding the technical log files appears to have led to an increase in the penalty fee of three million kronor. Otherwise, it is not clear to what extent each violation has affected the size of the penalty fee.


The Administrative Court finds, in an overall assessment of the seriousness of the violations and the mitigating circumstances of the case, that the penalty fee shall be set at SEK 40 million. The amount corresponds to only approximately 0.75 percent of the maximum penalty fee that may be imposed. Taking into account the very high turnover that is the basis for the calculation of the penalty fee, however, the Administrative Court considers that this amount is still effective, proportionate and dissuasive.



Case processing time

Finally, the question is whether there is reason to lower the penalty fee also on account of the processing time of the case.



Spotify states that the protracted processing time should mean that no sanction is imposed. The handling has, among other things, included two longer periods, totalling almost two years, of inactivity on the part of the authority. The long processing time constitutes a violation of the company's right to a legal review within a reasonable time according to Article 6 of the European Convention. The company is consequently entitled to compensation under Article 13 of the European Convention, which should be provided by not imposing any sanction at all or by a reduction of any penalty fee. In this assessment, particular account should be taken of the fact that the long processing time has meant that a higher turnover has formed the basis for the calculation of the penalty fee.


In this part, IMY submits, among other things, the following. In light of the complexity of the matter, the processing time in question has not been unreasonably long. The case contains several complicated legal issues and has, because the case is cross-border, entailed cooperation with all data protection authorities in the EU. Furthermore, the investigation has included an examination of Spotify's general procedures and was expanded to also include three individual complaints from three different countries. Processing has also been delayed as a result of updates to the information covered by the review. During one of the time periods that Spotify has referred to as inactive, there were, among other things, intense discussions between data protection authorities in the EU on how cross-border complaints under the data protection regulation should be handled. The discussions had direct significance for the current case. Furthermore, the processing time has not meant that a higher penalty fee has been determined. The penalty fee that has been imposed is deemed effective, proportionate and dissuasive, both in percentage terms and nominally. That Spotify has had an increased annual turnover has therefore not had any major impact on the size of the fee.

2 European Convention for the Protection of Human Rights and Fundamental Freedoms.


The Administrative Court makes the following assessment.

When assessing what constitutes an unreasonably long processing time under Article 6.1 of the European Convention, account must be taken of the total processing time, how complicated the case has been, the actions of the individual and the authority, whether there have been longer periods of inactivity, and the importance of the matter to the individual (cf. the judgment of the European Court of Human Rights of 27 January 2015 in case no. 66232/10, Kincses v. Hungary, para. 47, and HFD 2014 ref. 12).



IMY's total processing time for the case has been approximately four years. According to the diary sheet (dagboksbladet), communication in the matter has taken place continuously. However, there have been two longer periods without action on the part of IMY. The periods add up to a total of approximately two years. The Administrative Court considers that these are relatively long periods without measures. However, IMY has submitted that, during the first period of inactivity, cross-border cooperation with other data protection authorities in the EU was in progress that was important to the current case, and that the case was expanded during this time to also cover three complaints. During the second period, IMY produced a draft decision in the matter. In connection with the writing of the decision, however, it was noted that Spotify had made significant changes to its Article 15 information, which according to IMY contributed to the delay of the case.


The Administrative Court considers that there is no reason to doubt that IMY, during the periods that appear from the diary sheet to be inactive, took action for the purpose of moving the case forward. In the Administrative Court's opinion, the described measures admittedly do not fully explain the long delay of the case. However, the case raises several complicated legal issues and involves relatively extensive material.


According to the Administrative Court, the total processing time cannot, against this background, be considered to have been unreasonably long. Spotify's right to a legal review within a reasonable time under Article 6.1 of the European Convention has therefore not been violated. There is thus no reason to reduce the penalty fee on this basis. Regarding what Spotify has stated about the processing time having led to a higher turnover being the basis for the calculation, the Administrative Court notes that it appears from the appealed decision that IMY, because of the high turnover, chose to adjust the starting point for the calculation of the penalty fee downwards.



Complaints

IMY has also assessed that Spotify should be reprimanded as a result of violations of the data protection regulation in the handling of two data subjects' access requests.



Complaint 1

Spotify disputes that the company has violated the data protection regulation in connection with the handling of the complainant's request for access, except for violations of Article 15.1 and 15.3 of the data protection regulation, in that the company accidentally handed over encrypted personal data to the complainant. However, only a limited part of the personal data in the copy was encrypted, and the violation must be considered minor. The assessment of whether the complainant's request for access concerned all or only some personal data must further be made on the basis of the information that Spotify provided at the time in question. Whether the complainant in question understood that the request was limited to certain personal data must be irrelevant. The information provided by Spotify at the time made it sufficiently clear that a data subject who used the "Download your data" tool did not get access to all their personal data. Because the complainant gained access to the requested personal data already the day after the request was made, Spotify cannot be considered to have violated Article 12.3 of the data protection regulation. It is further undisputed that at the relevant time Spotify did not provide any description of the personal data that existed in the form of technical log files. However, it is disputed that the failure to provide such a description would constitute a violation of the data protection regulation.


In this part, IMY submits, among other things, the following. The information provided by Spotify that the data subject gained access to "most" of the personal data that Spotify processed cannot mean that Spotify is considered to have provided sufficient information on how the copy of personal data was divided. This applies in particular as there was a lack of information about what additional data was available and how it could be requested. Spotify should therefore have treated the request for access as a request to obtain all personal data. The complainant's conduct is furthermore a circumstance that suggests that the information was not clear enough, but it is not decisive on its own.



It is also clear that the data provided in encrypted format was so unclear that it could not be understood by the data subject. Spotify has therefore not given the complainant access to his personal data in accordance with Article 15.1 and 15.3 of the data protection regulation. This data has also not been provided in a concise, clear and plain, comprehensible and easily accessible form, as prescribed in Article 12.1 of the data protection regulation.


The Administrative Court makes the following assessment.

Article 15.3 of the data protection regulation states that the personal data controller must provide the data subject with a copy of the personal data that is being processed. Article 12.3 states, among other things, that this copy shall be provided without undue delay and in any event no later than one month after the request is received.


As can be seen from the appealed decision, Spotify provides the copy of personal data in three different layers. At the time in question, a data subject could use the "Download your data" tool to access one of the layers. The tool stated that the data subject, by downloading his data, got access to "most" of his personal data. Information about what other personal data Spotify processed, or how the data subject could request access to it, was lacking.



The Administrative Court, like IMY, considers that, based on the information that Spotify provided at the time, it was difficult to understand whether and, if so, how the copy of personal data was divided. A data subject who requested access to his data cannot therefore have been expected to understand that he only received access to a selection of it. With this in mind, Spotify should have handled the complainant's request as referring to all his personal data. The investigation shows that the complainant requested access to his personal data on 27 May 2018 and that he was given access to a copy of all of the data only on 17 July 2018. Against this background, the Administrative Court shares IMY's assessment that Spotify has thereby violated Article 12.3 of the data protection regulation.








The Administrative Court has further, in the section on the provision of personal data in the form of technical log files, found that it is Spotify's duty to make the personal data contained in technical log files comprehensible. It is undisputed that no description of this data was provided to the complainant in connection with the provision of the copy of personal data. Nor were the log files explained or otherwise made comprehensible. The Administrative Court considers that their provision has therefore been incompatible with Article 12.1 of the data protection regulation. In the copy of personal data provided to the data subject, some data was also encrypted. A data subject who receives personal data in an encrypted format cannot, in the Administrative Court's view, be considered to have gained access to it in accordance with Article 15.1. Nor has the data subject then received a complete copy of his personal data as prescribed in Article 15.3. The Administrative Court considers that this deficiency thus constitutes a violation of both Article 15.1 and 15.3. What Spotify has stated, that only a limited amount of data was provided in encrypted format and that this happened by mistake, does not lead to any other assessment.


In summary, the Administrative Court therefore agrees with IMY's assessment that Spotify has handled the complainant's request for access in breach of Articles 12.1, 12.3, 15.1 and 15.3 of the data protection regulation.


                           Complaint 2


                           Spotify brings forward, in addition to what was stated in the previous section, essentially

                           following. It is common ground that Spotify did not provide it to the appellant

                           information prescribed in article 15.1 a–h and 15.2. The reason for this

                           was that Spotify at the time of the alleged infringement did not automatically
                           provided this information in connection with an access request. The

                           however, it does not follow from the data protection regulation that a request for access to

                           personal data necessarily needs to be accompanied by this information.








The complainant's request in the present case was clearly limited to a copy of the personal data that was being processed. It must therefore be compatible with the Data Protection Regulation to provide only such a copy and not also the specific information specified in Article 15.1 a-h and 15.2.

IMY states in this part that Spotify admits that the data subject was not provided with the information prescribed in Article 15.1 a-h and 15.2. Previously, Spotify stated that it was a mistake that the information was not provided to the complainant. In the appeal, however, Spotify argues that the data subject in the present case had limited his request to the copy of personal data. What Spotify now presents appears to be an after-the-fact construction. IMY does not consider that it has emerged that the complainant gave any instruction to only access the copy of personal data. The complainant used the designated channel to access his personal data and could therefore expect that the answer he then received would give him access in the manner prescribed by the Data Protection Regulation.

The Administrative Court makes the following assessment.

In the previous section, the Administrative Court assessed that Spotify, in view of the information that was provided to data subjects at the relevant time, should have handled a request for access as if it concerned all personal data that the company processed about the data subject. In the present case, the complainant has not been provided with a copy of all his personal data, even though his request may be considered to have covered it. The Administrative Court shares IMY's assessment that Spotify has thereby violated Article 15.1 and 15.3 of the data protection regulation.



It is also undisputed in the case that the complainant has not received information according to Article 15.1 a-h and 15.2 of the data protection regulation in connection with his access request either. The Administrative Court considers that the scope for a personal data controller not to provide this information is very small and that it presupposes that the data subject has clearly limited his request so as not to cover such information. It has not emerged that the data subject in the present case limited his request in such a way. Against this background, the Administrative Court finds that Spotify has violated Article 15.1 a-h and 15.2 by not providing information in accordance with these provisions.

In summary, the Administrative Court therefore agrees with IMY's assessment that Spotify has handled the complainant's request for access in breach of Article 15.1, 15.2 and 15.3 of the data protection regulation.

Reprimand

The Administrative Court has found that Spotify has violated the provisions of the data protection regulation in several respects when handling two data subjects' requests for access. The Administrative Court considers that there is no reason to make any other assessment than the one IMY made when choosing a penalty. Spotify must therefore be issued a reprimand according to Article 58.2 b of the data protection regulation.

The Administrative Court further finds that Spotify should be ordered, regarding complaint 2, to accommodate the complainant's request for access in accordance with what is set out in the appealed decision within one month of this judgment gaining legal force.



HOW TO APPEAL

This decision can be appealed. Information on how to appeal can be found in appendix 2 (FR-03).

Sofi Nyström
Alderman

The referees Birgitta Guntsch, Annicka Hörnsten Blommé and Ulf Wester have also participated in the decision.

Administrative law prosecutor Mikael Stade has been the rapporteur.

Doc.Id 1750289 Appendix 1



Spotify AB
Regeringsgatan 19
11153 Stockholm

ADMINISTRATIVE COURT IN STOCKHOLM
Section 8
RECEIVED: 2023-06-30
CASE NO: 13539-23
FILE APPENDIX: 3

Decision after supervision according to the data protection regulation - Spotify AB

Diary number: DI-2019-6696
Date: 2023-06-12




Table of Contents

The Privacy Protection Authority's decision
    Spotify's general procedures for handling requests for access
    Review of individual complaints
1 Description of the supervisory matter
2 Applicable regulations
3 Spotify's general procedures for handling requests for access - Justification of decisions
    3.1 Information - article 15.1 a-h and 15.2 of the data protection regulation
        3.1.1 What emerged in the case
        3.1.2 The Privacy Protection Authority's assessment
    3.2 The right to access personal data and a copy of personal data under processing - article 15.1 and 15.3 of the data protection regulation
        3.2.1 What has emerged in the case
        3.2.2 The Privacy Protection Authority's assessment
4 Review of individual complaints - Reasons for decisions
    4.1 Complaint 1 (from the Netherlands with national reference number z2018-28415)
        4.1.1 Background
        4.1.2 What has emerged in the case
        4.1.3 The Privacy Protection Authority's assessment
    4.2 Complaint 2 (from Austria with national reference number D130.198)
        4.2.1 Background
        4.2.2 What has come to light in the matter
        4.2.3 The Privacy Protection Authority's assessment
    4.3 Complaint 3 (from Denmark with national reference number 2018-31-1198)
5 Choice of intervention
    5.1 Applicable regulations
    5.2 Same or connected data processing
    5.3 Deficiencies in information according to article 15.1 and 15.2 of the data protection regulation and in the description of the data in the technical log files
    5.4 Violations regarding complaints 1 and 2

Postal address: Box 8114, 104 20 Stockholm
Website: www.imy.se
E-mail: imy@imy.se
Phone: 08-657 61 00






The Privacy Protection Authority's decision

Spotify's general procedures for handling requests for access

The Swedish Privacy Protection Authority finds that Spotify AB (556703-7485), during the period from and including 16 November 2021 to and including 16 May 2022, in the information that must be provided according to article 15.1 and 15.2 of the data protection regulation¹, has not provided sufficiently clear information about

- the purposes of the processing,
- categories of personal data to which the processing applies,
- categories of recipients of the personal data,
- the foreseen periods during which personal data will be stored or, if this is not possible, the criteria used to determine this period,
- where personal data comes from,
- appropriate protective measures when personal data is transferred to third countries.

The Privacy Protection Authority further finds that Spotify AB, during the period from and including June 11, 2019 through May 16, 2022, by providing the description of the data in the technical log files by default only in English, has not met the requirement that all communications provided to the data subject pursuant to Article 15 of the Data Protection Regulation shall be clear and understandable in the manner specified in article 12.1 of the data protection regulation.

Spotify AB has thus processed personal data in violation of articles 12.1, 15.1 a-d, 15.1 g and 15.2 of the data protection regulation.

The Privacy Protection Authority decides, with the support of articles 58.2 and 83 of the data protection regulation, that Spotify AB must pay an administrative sanction fee of 58,000,000 (fifty-eight million) kronor for these shortcomings.


Review of individual complaints

The Swedish Data Protection Authority notes with regard to complaint 1 that Spotify AB, in its handling of the complainant's request for access made on 27 May 2018, has processed personal data in violation of

- Article 12.3 of the Data Protection Regulation, in that the copy of personal data was provided too late,
- articles 12.1, 15.1 and 15.3 of the data protection regulation, in that the copy of personal data provided by Spotify AB did not provide all of the complainant's personal data in an understandable form.

The Swedish Data Protection Authority notes with regard to complaint 2 that Spotify AB, in its handling of the complainant's access request made on 10 October 2018, has processed personal data in violation of

- articles 15.1 and 15.3 of the data protection regulation, in that the copy of personal data provided by Spotify AB did not give access to all personal data that Spotify AB processed about the complainant,
- articles 15.1 a-h and 15.2 of the data protection regulation, by not having provided any of the information specified in these provisions.

The Privacy Protection Authority gives Spotify AB a reprimand according to article 58.2 b of the data protection regulation for the deficiencies regarding complaints 1 and 2.

The Swedish Privacy Protection Authority orders Spotify AB, according to article 58.2 c of the data protection regulation, regarding complaint 2, no later than one month after this decision has gained legal force, to accommodate the complainant's request for access by, subject to any applicable exceptions in Article 15.4 of the Data Protection Regulation and chapter 5 of the data protection act, giving the complainant access to all personal data that Spotify processes about the complainant by providing the complainant with a copy of the personal data according to Article 15.3 and providing information according to articles 15.1 a-h and 15.2.

1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

2 The complainant's identification information appears in Appendix 1.
3 The Act (2018:218) with supplementary provisions to the EU's data protection regulation.







1 Statement of the supervisory matter

The Swedish Privacy Protection Authority (IMY) has, after taking note of complaints directed against Spotify AB (Spotify) regarding the right of access pursuant to Article 15 of the data protection regulation, initiated supervision of Spotify with the aim of investigating whether the company's way of handling data subjects' requests for access is in accordance with the provisions of the data protection regulation. IMY initially reviewed the company's general procedures for requests for access and not what occurred in the individual complaints. The review has focused on whether the company's processes and routines for providing access according to Article 15, on a general level, enable data subjects to gain access to the personal data the company processes about them and to other information in accordance with the provision. Data subjects refers in this context to the customers who use Spotify's services and not other categories of data subjects, e.g. employees of Spotify.

Within the scope of this review, IMY has not checked which personal data Spotify processes and whether all of it is provided with each individual request. For example, no comparison has been made between Spotify's records of processing pursuant to Article 30 of the data protection regulation and the personal data included in the copy of personal data according to Article 15.3 of the data protection regulation. Nor has IMY, within the framework of this supervision, reviewed whether Spotify's personal data processing otherwise complies with the provisions of the data protection regulation, e.g. regarding basic principles and legal basis for the processing.

The supervisory case was initiated with a supervisory letter on 11 June 2019. A response to the supervisory letter was received on 31 July 2019. On 16 October 2019 a request for supplementary information was sent in the case. A response was received on November 15, 2019. Spotify subsequently, on its own initiative, submitted further supplementary information on 25 August 2020 for the purpose of informing IMY of updates regarding procedures for handling requests for access.

Spotify is an organization with operations and users in several EU member states. IMY has, taking into account that the case is cross-border, applied the mechanisms for cooperation and uniformity found in Chapter VII of the Data Protection Regulation. All data protection authorities in the EU have been concerned supervisory authorities in this matter. Because of the mechanisms for cooperation and uniformity, and the need for harmonized complaint handling within the EU⁴, IMY extended the ongoing general supervision in November 2020 to also include what occurred in three individual complaints, which also include the complaints that were initially the basis for the supervision of the general routines.

On November 5, 2020, IMY requested that Spotify explain its position on the deficiencies alleged in the complaints and what steps Spotify had taken to respond to the respective requests for access. Spotify responded to IMY's request on 18 December 2020. Spotify subsequently submitted supplementary statements, on 15 April 2021 in response to supplementary questions that IMY asked on March 24, 2021, as well as on 31 August 2021 in response to questions raised by IMY on 9 July 2021.




4 In 2020, the data protection authorities worked together to determine common working methods for the handling of complaints, which resulted in internal guidance that was established in February 2021. Instead of closing complaints with a standard response, IMY now makes an individual assessment of each complaint. Internal EDPB Document 02/2021 on SA's duties in relation to alleged GDPR infringements, adopted February 2, 2021.






On October 19, 2021, another request for supplementary information was sent regarding Spotify's general procedures. A response was received on 12 November 2021. On 8 June and 17 October 2022, Spotify, on its own initiative, submitted further supplementary information for the purpose of informing IMY about updates regarding routines for handling requests for access.

Spotify commented on IMY's draft decision on 20 December 2022. IMY then provided the other concerned supervisory authorities with the opportunity to comment in accordance with Article 60 of the Data Protection Regulation. The French data protection authority thereby expressed a relevant and reasoned objection to IMY's draft decision. On March 13, 2023, Spotify was given an opportunity to comment on the objection and IMY's revised draft decision. Spotify's response was received on April 11, 2023.

Against the background of the above, the supervisory matter includes both an examination of Spotify's general routines for handling requests for access and a review of what occurred in the three complaints. The general procedures regarding the provision of personal data according to article 15.1 and 15.3 of the data protection regulation that have been reviewed are those that have been in force since IMY's supervision began on 11 June 2019 up to and including 16 May 2022. As regards the information according to Article 15.1 and 15.2 of the data protection regulation that must be provided upon a request for access, Spotify has updated it several times since supervision began. IMY has therefore limited its review to the information that was valid during the period from 16 November 2021 through May 16, 2022.⁵



2 Applicable regulations

According to Article 15.1 of the data protection regulation, the data subject has the right to obtain from the personal data controller confirmation as to whether personal data concerning him or her is being processed and, in that case, to gain access to the personal data and information about

a) The purposes of the processing.
b) The categories of personal data to which the processing applies.
c) The recipients or categories of recipients to whom the personal data has been or will be disclosed, especially recipients in third countries and international organizations.
d) If possible, the anticipated period during which the personal data will be stored or, if this is not possible, the criteria used to determine this period.
e) The existence of the right to request from the personal data controller correction or deletion of the personal data or restriction of processing of personal data relating to the data subject, or to object to such processing.
f) The right to lodge a complaint with a supervisory authority.
g) If the personal data is not collected from the data subject, all available information about where this data comes from.
h) The existence of automated decision-making, including profiling, according to article 22.1 and 22.4, whereby at least in these cases meaningful information must be provided about the logic behind it as well as the significance and the anticipated consequences of such processing for the data subject.

5 See Spotify's information according to Article 15 of the Data Protection Regulation in Appendix 2. From the information, which was printed by IMY on 16 May 2022, it appears that the website in question was last updated on 16 November 2021. The time period for the review is therefore set to the period from and including November 16, 2021 to and including May 16, 2022.

Article 15.2 of the data protection regulation states that if the personal data is transferred to a third country or to an international organisation, the data subject shall have the right to information on the appropriate protective measures that have been taken in accordance with Article 46 at the time of transfer.

It follows from Article 15.3 of the data protection regulation that the personal data controller must provide the data subject with a copy of the personal data that is being processed. Furthermore, it appears that if the request is made in electronic form, the information must, unless otherwise requested, be provided in an electronic format that is generally used.

Recital 63 of the data protection regulation states, as far as relevant, the following:

    The data subject should have the right to access personal data that has been collected about him or her and to be able to exercise this right in a simple way and at reasonable intervals, in order to be aware that processing is taking place and to be able to check that it is lawful. (…) All data subjects should therefore have the right to know and be informed of, above all, the purposes for which the personal data is processed, if possible the time period for which the processing continues, who receives the personal data, the underlying logic in connection with automatic processing of personal data and, at least when the processing is based on profiling, the consequences of such processing. (…)

It also follows from Article 12.1 of the data protection regulation that the personal data controller must take appropriate measures to ensure that all communications given to the data subject under Article 15 are provided in a concise, clear, understandable and easily accessible form, using clear and unambiguous language.

It follows from Article 12.2 of the data protection regulation that the personal data controller must facilitate the exercise of the data subject's right of access under Article 15.

According to Article 12.3 of the Data Protection Regulation, the personal data controller must, upon request, without undue delay and in any case no later than one month after having received the request, provide the data subject with information about the actions taken in accordance with Article 15 of the Data Protection Regulation. This period may, if necessary, be extended by a further two months, taking into account the complexity of the request and the number of requests received. The personal data controller must notify the data subject of such an extension within one month of the receipt of the request and state the reasons for the delay.


                                3 Spotify's general procedures for handling requests for access - Justification of decision

                                3.1 Information - Article 15.1 a-h and 15.2 of the Data Protection Regulation

                                3.1.1 What has emerged in the case
                                In summary, Spotify has stated the following. Spotify provides information in accordance with Article 15.1 a-h and 15.2 of the Data Protection Regulation via an online function. This function is available in 21 different languages, and those who visit the page are automatically given the information in a language based on the language settings in their browser.


                                Data subjects who exercise their right of access are informed about the function in several ways. A link to the information is included in each copy of personal data provided pursuant to Article 15.3 of the Data Protection Regulation. The information can also be found online, partly in the list of available functions on the company's page for "Integrity & Safety" and partly via the answer to the question "Where can I find information about Spotify's processing of personal data that Spotify is obliged to provide under Article 15 of the GDPR?" on the company's page for "Personal data rights and privacy settings".


                                In the information under Article 15 of the Data Protection Regulation that Spotify provided during the period from and including 16 November 2021 to and including 16 May 2022, which IMY has reviewed, Spotify provided, among other things, information about the purposes of the processing (Article 15.1 a), which categories of personal data are processed (Article 15.1 b), recipients or categories of recipients (Article 15.1 c) and the source of the personal data (Article 15.1 g). In addition, the information under Article 15 contained information about international transfers (Article 15.2), criteria for how long the personal data is stored (Article 15.1 d), the rights of the data subject (Article 15.1 e), the right to lodge a complaint with the data protection authority (Article 15.1 f), automated decision-making (Article 15.1 h) and the possibility of obtaining a copy of personal data.


                                In the information under Article 15 of the Data Protection Regulation, Spotify also stated that the processing of personal data is described in more detail in the company's privacy policy, which could be accessed through a direct link. The privacy policy includes, among other things, descriptions of the categories of personal data that Spotify processes.


                                Spotify has stated that all questions that are not answered by the information under Article 15 of the Data Protection Regulation, or that have not been explained to the user in a satisfactory manner, are promptly escalated to the company's data protection team. In that way, the company states, the data protection team is made aware of, and given the opportunity to respond to, questions about clarifications or requests for more individualized information about the processing of personal data under Article 15 of the Data Protection Regulation.


                                3.1.2 The Privacy Protection Authority's assessment
                                IMY notes that Spotify's function for information under Article 15 of the Data Protection Regulation was, during the period under review, available on several different pages of Spotify's website. Furthermore, a link to the information was included in the "Read me first" file attached to each copy of personal data provided to the data subject under Article 15.3 of the Data Protection Regulation when access was requested. In light of the above, IMY assesses that Spotify's routines during the relevant period were sufficient to ensure that information under Article 15 was provided to the data subject at each access request.


                                IMY further notes that Spotify's information under Article 15 of the Data Protection Regulation covered all the items of information that must be provided to the data subject under Article 15.1 a-h and 15.2 of the Data Protection Regulation. However, for the information to meet the requirements set in the Data Protection Regulation, it must also be designed in such a way that the purpose of the right of access is fulfilled.

                                6 See appendix 2


                                The purpose of the right of access is for the data subject to be aware that processing is taking place and to be able to check that it is lawful, as is evident from recital 63 of the Data Protection Regulation. For example, a data subject must be able to check which categories of data are processed about him or her, for which purposes and for how long. For the data subject to be able to check whether the processing of personal data is lawful, he or she must know which processing operations are relevant in his or her specific case. The information must in this respect be provided in a manner that meets the transparency requirements of Article 12.1 of the Data Protection Regulation.


                                In light of the purpose of the right of access, there is often a need to adapt the content of the information under Article 15.1 and 15.2 of the Data Protection Regulation to the data subject who has made the request, for example depending on which of the controller's services the data subject has chosen to use. However, this does not apply to all parts of the information. While the right to lodge a complaint with a supervisory authority (Article 15.1 f of the Data Protection Regulation) does not change depending on who requests access, other information may vary depending on which service the data subject uses, for example which categories of personal data are processed, the recipients and the source from which the personal data was collected. The same applies to information about whether a transfer to a third country has taken place and, if so, which appropriate safeguards were applied to the transfer.

                                For the data subject to be able to check that the processing concerning him or her is lawful, it is therefore required, in accordance with what is stated above, that Spotify has taken measures to adapt the information to the data subject's specific situation.⁷

                                IMY notes that the information provided by Spotify under Article 15 of the Data Protection Regulation was drafted in general terms. The same information was thus provided regardless of who requested access under Article 15 of the Data Protection Regulation. The information was therefore not adapted to each request for access. However, Spotify did describe when certain information was relevant to the data subject, for example "If you use a third-party service (…)", "If you choose to pay for a service or function via invoice (…)" and "In cases where you have given us permission (…)". The data subject thereby had some means of determining which information concerned him or her. It was also possible for data subjects to contact Spotify and request more individualized information as well as clarification of the information that had been provided.


                                IMY considers that information drafted in such general terms may be suitable for standardized services that involve personal data processing. Because data subjects must understand how their personal data is processed, however, it must always be possible to read out clearly and simply, from the information provided, which information is applicable in which situations. This means that the possibility for data subjects to turn to Spotify for more individualized information and clarifications does not affect the assessment of whether the information is sufficiently clear in this respect. Information drafted in general terms must not entail any ambiguity as to whether or not the data subject is affected by the information in question, based on his or her individual situation. IMY therefore has to examine whether the information that Spotify provided met these requirements.

                                7 See the European Data Protection Board's (EDPB) guidelines on the right of access - Guidelines 01/2022 on data subject rights – Right of access, version 2.0 (finally adopted on 28 March 2023), paragraph 113.
                                8 See appendix 2


                                Information on categories of personal data, purpose, recipient and source

                                Information about the purposes of the processing must refer to the purposes for which the data subject's personal data is actually processed, and must not consist merely of an enumeration of different purposes without clarifying which purposes are relevant to the person requesting access. Furthermore, information about the categories of personal data processed needs to be adapted to the circumstances of the data subject requesting access. Information about recipients or categories of recipients should be as specific as possible. The controller should normally state the actual recipients to whom the personal data has been or will be disclosed, unless this is impossible because, for example, there is not yet any information about who the recipients are. In addition, all available information must be provided about where the personal data comes from, if the personal data was not collected from the data subject.⁹

                                Regarding the information provided by Spotify about the purposes of the processing, recipients of personal data and the source from which the data was collected, IMY notes that the information was divided according to different categories of personal data. These categories of personal data consisted of "user data", "usage data", "data about plan verification", "voting data", "payment and purchase data" and "competition, survey and lottery data". The categories of personal data specified were kept general and in several cases, for example regarding "user data" and "usage data", contained no more detailed description of which personal data could be included. IMY considers that, especially in the absence of a clear description of the categories in question, it was not possible for data subjects to understand, based on the information provided, which personal data was included in the various categories. Because the information on purposes, recipients and source was divided according to these categories of personal data, this shortcoming means that it was also not possible for data subjects to easily understand which personal data was processed for which purposes, which personal data was collected from which source, or which personal data was disclosed to a particular recipient or category of recipients. Data subjects have thus not been able to read out how their personal data was processed.


                                IMY therefore considers that Spotify has not provided sufficiently clear information about the purposes of the processing (Article 15.1 a of the Data Protection Regulation), the categories of personal data that the processing concerns (Article 15.1 b of the Data Protection Regulation), recipients or categories of recipients (Article 15.1 c of the Data Protection Regulation) or the source from which the data was collected (Article 15.1 g of the Data Protection Regulation). The information was not concise and transparent, nor was it easily accessible. It thus also did not meet the requirements of Article 12.1 of the Data Protection Regulation.


                                Information on storage period

                                Information provided about how long personal data is stored must be sufficiently specific for the data subject to understand how long his or her personal data will be stored. If it is not possible to specify the time of deletion, the relevant event affecting retention should be specified instead, such as the expiry of a warranty period. The storage periods shall refer to the personal data linked to the data subject requesting access. If this personal data is subject to different storage periods, the storage periods must be specified in relation to each processing operation and category of personal data concerned.¹⁰

                                9 Cf. the European Data Protection Board's (EDPB) guidelines on the right of access - Guidelines 01/2022 on data subject rights – Right of access, version 2.0 (adopted on 28 March 2023), paragraphs 114-120, and the judgment of the Court of Justice of the European Union of 12 January 2023 in case C-154/21, Österreichische Post.


                                Spotify provided information about storage periods under the heading "Criteria for retention of personal data". The information contained general statements about the purposes for which personal data is retained and the criteria used to determine the storage periods. Among other things, it was stated that personal data is retained for 90 days as standard, unless a longer period is chosen due to a legitimate business reason. Furthermore, it was stated, among other things, that personal data is stored for a suitable period in order to deliver a personalized service over time and that streaming history is usually retained for the lifetime of an account.


                                The information on how long data is kept was drafted in general terms and, with the exception of, among other things, the information about streaming history, was not clearly linked to the categories of personal data to which the different storage periods applied. Data subjects could therefore find it difficult to work out which of their personal data was retained for what period of time. The criteria for determining the storage period stated in the information were furthermore in some cases very imprecise. It is, for example, difficult for a data subject to understand what was covered by "legitimate business reason", and thus in which situations personal data was kept longer than 90 days, or what it meant that streaming history was "usually" retained for the lifetime of an account.

                                In an overall assessment, IMY considers that the information provided regarding storage periods did not meet the requirements of Article 15.1 d of the Data Protection Regulation, partly because the information in this part was drafted in general terms and lacked a connection to the category of personal data concerned, and partly because some of the criteria used to determine the storage period were too imprecise for the data subject to understand how long his or her personal data was stored. The information was not concise and transparent, nor was it easily accessible. It therefore also did not meet the requirements of Article 12.1 of the Data Protection Regulation.


                                Information on third country transfer


                                For the data subject to be able to assess whether a possible transfer of his or her personal data to third countries is lawful, the data subject must receive meaningful information that makes it possible to find out whether his or her personal data has been transferred and, if so, which safeguards have been used. To enable the data subject to check whether his or her personal data has been processed lawfully, it should normally also be clear to which third countries the transfer has taken place.¹¹


                                In the information provided by Spotify regarding transfers to third countries, it was stated under the heading "International transfers" that Spotify can share personal data globally with other Spotify Group companies, service providers, partners, etc. It was further stated that Spotify ensures that the transfer is carried out in accordance with applicable data protection and privacy laws and that technical and organizational measures, and in particular appropriate safeguards, are applied, e.g. the standard contractual clauses approved by the European Commission, when personal data is transferred from the European Economic Area (EEA).

                                10 European Data Protection Board (EDPB) guidelines on the right of access - Guidelines 01/2022 on data subject rights – Right of access, version 2.0 (finally adopted on 28 March 2023), paragraph 118.
                                11 Cf. the Article 29 Working Party's Guidelines on Transparency under Regulation (EU) 2016/679, WP260rev.01, as adopted by the European Data Protection Board, p. 40.


                                IMY notes that the information provided by Spotify regarding third country transfers was drafted in general terms and not linked to the data subject's own situation. It was not clear whether the data subject's personal data had been transferred to any third country and, if so, which appropriate safeguards had been applied at the time of transfer. It was also not clear to which third countries the transfer had taken place. IMY therefore assesses that the information provided regarding third country transfers did not meet the requirements of Article 15.2 of the Data Protection Regulation. The information was not concise and transparent, nor was it easily accessible. It thus also did not meet the requirements of Article 12.1 of the Data Protection Regulation.


                                Summary assessment of the information under Article 15.1 and 15.2 of the Data Protection Regulation


                                In summary, IMY finds that the information provided by Spotify under Article 15.1 and 15.2 of the Data Protection Regulation during the period from 16 November 2021 up to and including 16 May 2022 was deficient in the respects set out above. Spotify has thus processed personal data in violation of Articles 12.1, 15.1 a-d, 15.1 g and 15.2 of the Data Protection Regulation.

                                3.2 The right to access personal data and a copy of personal data under processing – Article 15.1 and 15.3 of the Data Protection Regulation


                                3.2.1 What has emerged in the case
                                Spotify has stated that its response to access requests is, with a few exceptions, designed to disclose all personal data that it processes regarding the data subject. The company has further explained its routines for ensuring that all personal data is disclosed, for example when personal data processing is new or updated.

                                The copy of personal data that Spotify provides under Article 15.3 of the Data Protection Regulation can be given through three different responses: Type 1, Type 2 and Type 3.

                                The personal data covered by Type 1 is profile information and the personal data that Spotify has deemed to be of greatest interest to data subjects. Type 1 therefore includes the data subject's playlists, streaming history and searches for the past year, items saved in the data subject's library, the number of followers the data subject has, the number of users the data subject follows, the names of artists the data subject follows, user data and payment information. To give the data subject access to Type 1 information, the company has introduced a function called "download your data" on a privacy settings web page. The web page through which the data subject can access this information is available to all customers via their Spotify account and is provided in the same language as their Spotify service. Data subjects can access the Type 1 information within about seven days. Data subjects can also get access to the Type 1 information by contacting Spotify's customer service.

                                Type 2 information consists of technical log files stored in Spotify's systems that are linked to the data subject's user ID. To access the Type 2 information, the data subject can send a request via Spotify's web form for privacy issues or by contacting customer service or Spotify's data protection officer through some other channel (email, Facebook, Twitter or letter). It takes about two to four weeks to compile and disclose this personal data.

                                Type 3 information consists of the information that a data subject specifically requests and can, for example, refer to the data subject's listening history on a particular date, an extended listening history or a request for unstructured personal data, for example a request for certain email correspondence. Type 3 information can be requested in the same way as Type 2, and such a request normally takes less than 30 days to process. If it takes longer to process the request, due to the complexity of the request, the data subject is informed of the delay.

                                On 15 June 2021, Spotify implemented changes which mean that all Spotify users who request a copy of personal data beyond what is available in the "Download your data" tool, or who directly request a copy of all their personal data from Spotify's customer service, get access to extended streaming history as well as technical log information in one package.


                                Spotify has stated that the design of the process and its development up to today are the combined result of joint discussions, careful considerations and analyses, as well as meetings with relevant customer service and development teams. Spotify's data protection team has provided advice regarding legal requirements and "best practices" in data protection and continues to update these on an ongoing basis based on a number of identified parameters, including relevant and current legislation, guidance, the ability to respond quickly to a large number of requests, ease of use and the categories of personal data that are processed.


                                Spotify has stated that it has over 232 million monthly active users and that during the period from 25 May 2018 to 30 June 2019 it answered 753,575 requests for access. According to Spotify, the division of data into three different types has made it possible to provide a quick and easy way for the data subject to download the personal data that is likely to be most relevant to the data subject, and to generate responses at the scale and speed required to satisfy the majority of data subjects.

                                Spotify further refers to statements in the EDPB's transparency guidelines¹² that there is an inherent tension in the Data Protection Regulation between the requirement to provide data subjects with comprehensive information on the one hand and the requirement that the information be given in a concise, transparent, intelligible and easily accessible form on the other, that one must determine how to prioritize the information that must be provided to data subjects and which levels of detail and methods are suitable for conveying the information, and that the principle of transparency is an overarching obligation. Spotify considers that these guidelines are relevant to the design of a concise, transparent, easy to understand and easily accessible process for data subjects to exercise their rights under Article 15 of the Data Protection Regulation. By providing three layers of response to data subjects' requests for access, Spotify intends to balance the interests of the Data Protection Regulation in a correct way in favour of Spotify's data subjects. Spotify's goal is to provide correct information under Article 15 to all data subjects at the right time by providing information in different layers and in different ways.


                                12 Article 29 Working Party Guidelines on Transparency under Regulation (EU) 2016/679, WP260rev.01, as adopted by
                                the European Data Protection Board, point 1 and point 34.

                                Spotify has stated that the company informed data subjects that it was possible to request
                                access to more personal data than that covered by Type 1 and Type 2, and that this information
                                was provided to data subjects before they requested access to their personal data. Furthermore,
                                Spotify has stated that it was made clear that data subjects could request access to more
                                personal data than that covered by Type 1 by requesting a Type 2 response. In addition, data
                                subjects could contact Spotify's customer service with special requests (so-called Type 3
                                requests). This information is provided in various ways, including on the web page "Personal
                                data rights and privacy settings" and on the web page where the information under Article 15 of
                                the data protection regulation is published. When a user requests access to the personal data
                                covered by Type 1 by going to "Download your data", it is, according to Spotify, also clear from
                                the context that users get access to a selection of their personal data and not all of it. The
                                "Download your data" page also refers to the web page "Personal data rights and privacy
                                settings". For both Type 1 and Type 2 requests, information under Article 15 of the data
                                protection regulation is provided, containing a comprehensive description of the available
                                data. The information sources also explain that the user can request access to their personal
                                data via customer service or by contacting Spotify by email. If a user contacts Spotify's
                                customer service to exercise the right of access under Article 15 of the data protection
                                regulation, customer service can explain all three types of personal data that are available
                                and inform the user about the further information that is available. Data subjects were also
                                informed that they could request access to more personal data than they had already downloaded
                                on the web page "Understand my data".


                                Furthermore, during the processing of the case, Spotify has updated the information directed at
                                data subjects in order to make it more transparent to them that there is more to request than
                                what is available in the "Download Your Data" tool.


                                With regard to the clarity of the information, Spotify has essentially stated the following. In
                                designing the response format for access requests, the company focused on providing all
                                information in a way that makes it relevant, transparent and helpful for data subjects. The
                                company developed a routine to ensure that the descriptions of the personal data are correct and
                                complete, which included extensive efforts to translate technical information into simple
                                language that can be understood by an average customer, without removing details that are
                                necessary for transparency. To facilitate understanding, Spotify does, among other things, the
                                following.


                                - When downloading Type 1 information, the data subject also receives a so-called
                                   "Read Me First" file. The "Read Me First" file contains a link to the web page "Understand my
                                   data", where the format and the personal data included in Type 1 are described. This page
                                   has been updated during the processing of the case and now also includes a general
                                   description of the data in the technical log files and the extended streaming history. The
                                   linked pages are automatically displayed in the customer's preferred language, based on the
                                   language setting in the customer's browser.
                                - The Type 2 information, which consists of technical log files, contains some information
                                   that is highly technical in nature. To help data subjects understand the formatting of the
                                   personal data, Spotify provides a detailed description of the personal data in a separate
                                   file together with the data provided (in a "Read Me First" file for Type 2 requests). This
                                   description is provided in English by default. Spotify also answers customers' questions
                                   about the meaning of the personal data provided, as part of its process for handling data
                                   subjects' access requests. Spotify also continuously updates both the format of the
                                   technical log files attributable to the customer's user ID (Type 2) and the corresponding
                                   information in the Type 2 "Read Me First" file to increase transparency based on the
                                   questions asked.
                                - As regards special requests (Type 3), where the personal data provided may require
                                   explanation, Spotify can, if necessary, provide the information in an e-mail to the data
                                   subject together with the copy of the personal data.

                                13 From June 15, 2019, Type 2 information comprises, in addition to the technical log files, also extended
                                listening history.

                                Spotify has stated the following as background to why the description of the Type 2 data is
                                provided in English by default. To ensure that the information the company provides to data
                                subjects is correctly translated into their local language, the files are sent to professional
                                translators for manual translation. Because technical log data changes more dynamically over
                                time than other personal data that is collected, the company would have to send the extensive
                                "Read Me First" file for translation several times a month. This would be disproportionate and
                                unreasonable to do for all local languages, given the extra time, resources and administration
                                it would entail. Furthermore, many of the words that appear in the technical log data typically
                                have no translation, because they often reflect technical concepts that are communicated
                                primarily in English and are usually not translated into local languages. However, the company
                                helps translate the information into the local language if a user requests it, to the extent
                                that the technical terms are translatable. Spotify has further stated that it has responded to
                                approximately 340,000 requests for access to technical log files. Among these requests, only two
                                data subjects have contacted the company and requested a translation of the description into
                                their local language. Spotify further believes that translating the technical log files without
                                a request would mean that all data subjects would have to wait longer to have their right of
                                access in respect of the technical log files satisfied.


                                As regards the format used, Spotify has stated that the personal data is provided in JSON
                                format which, according to the company, is a structured and widely used format that can be
                                understood by both computers and humans. Data provided following a Type 3 request is, however,
                                provided in the format needed to respond to the request.


                                Spotify has further informed IMY on 17 October 2022 that the company has since made it possible
                                for data subjects to request access to account data, extended streaming history and technical
                                log information directly through the "Download your data" tool, i.e. without contacting
                                customer service. These routines are not covered by IMY's review, as the update took place
                                after May 16, 2022.


                                3.2.2 The Privacy Protection Authority's assessment
                                According to Article 15.1 of the data protection regulation, the data subject has the right to
                                obtain confirmation as to whether the personal data controller processes personal data
                                concerning him or her and, if so, to gain access to the personal data. The personal data
                                controller has, according to Article 15.3, an obligation to provide the data subject with a copy
                                of the personal data being processed. The right of access is the same regardless of who the
                                personal data controller is, but the way a request for access is handled may vary, depending
                                among other things on the extent of the personal data processed and the number of data
                                subjects. According to Article 12.2 of the data protection regulation, the personal data
                                controller has an obligation to facilitate the exercise of data subjects' rights.

                                The purpose of the right of access is for the data subject to become aware of the processing
                                that takes place and to be able to check that it is lawful. The personal data controller must
                                therefore ensure that the copy of personal data provided contains all the personal data
                                processed about the data subject and is designed in a way that is comprehensible to the data
                                subject. Access to the personal data must be given in a way that meets the transparency
                                requirements in Article 12.1 of the data protection regulation.


                                The requirements placed on the design and content of the copy mean that personal data
                                controllers who process a large amount of data, or data that is particularly difficult to
                                understand, may need to take special measures when the information is presented to data
                                subjects.


                                Spotify, whose personal data processing is both extensive and complex, has developed special
                                procedures for handling requests for access. The question is whether these routines enable the
                                company to provide access to the personal data it processes in a way that satisfies the data
                                subject's right of access.


                                Division of the copy of personal data into different layers


                                Spotify divides the copy of personal data into different layers: Type 1, Type 2 and Type 3. IMY
                                believes that there is no obstacle to dividing the copy of personal data in this way, as long as
                                the right of access is satisfied. On the contrary, in some situations it can help the data
                                subject to absorb the information if it is presented in separate parts, at least when an
                                extensive amount of information is involved. However, providing the copy of personal data in
                                different layers must neither restrict the right of access nor make it more difficult to
                                exercise. The personal data controller must therefore pay particular attention to this when
                                assessing whether dividing the copy of personal data is an appropriate measure.

                                A data subject who contacts a personal data controller to request access to their personal data
                                normally does not know which personal data is actually being processed. Acquiring this
                                knowledge is instead often the very purpose of the request. If, in this situation, the personal
                                data controller provides the data subject with only a selection of their personal data, there
                                is a risk that the data subject is led to believe that the copy provided is complete.


                                For this reason, IMY considers that the personal data controller, in the channel it has
                                established for data subjects to request access, must make clear that the copy of the personal
                                data is divided into different layers. It must also be clear to the data subject what
                                information is in the various layers and how the data subject can access them.14


                                From the account Spotify has submitted, it appears that data subjects are informed, in several
                                different channels, that access to different personal data can be requested in different ways.
                                These channels indicate that access to "your most relevant personal data" can be obtained
                                through the "download your data" function, and that access to technical log information,
                                extended streaming history or responses to other specific data protection requests can be
                                obtained on request via e-mail or customer service. IMY notes, from the examples presented in
                                the account, that the information provided to data subjects also contains an overall
                                enumeration of which personal data the various types of requests cover.

                                14 Cf. the European Data Protection Board's (EDPB's) guidelines on the right of access - Guidelines 01/2022 on data subject
                                rights – Right of access, version 2.0 (finally adopted on March 28, 2023), point 146.

                                 IMY assesses that the information provided by Spotify in this regard, during the period
                                 covered by the review of the general routines, is sufficiently clear for data subjects to
                                 understand how the copy is divided, including what information is contained in the different
                                 layers, and how the different layers are to be requested.


                                 Setting up special conditions for the exercise of the right of access without support in the
                                 data protection regulation risks unduly hindering the data subject in exercising the right. In
                                 other words, exercising the right can be perceived as unnecessarily complicated, which in turn
                                 may result in the data subject refraining from requesting all the information to which he or
                                 she is entitled. There is reason to underline that the personal data controller, according to
                                 Article 12.2 of the data protection regulation, has an obligation to facilitate the exercise of
                                 the data subject's rights. In order that the provision of the copy of personal data in
                                 different layers does not restrict the right or make its exercise more difficult, IMY
                                 therefore considers that the data subject cannot be required to return to the personal data
                                 controller on several occasions to gain access to all personal data. Nor may it be complicated
                                 to request access to the various layers. IMY therefore considers that data subjects must be
                                 able to request access to all layers from the outset and that it should be easy to access
                                 them. It is another matter that the data subject, knowing how the data is divided, can still
                                 choose to request access to only one or more layers.15

                                 From Spotify's statement, it appears that the data subject can request access to the various
                                 layers in different ways. The data subject is not required to return to Spotify in order to
                                 access the different layers. However, the data subject may have to take several measures in
                                 order to get access to several layers, e.g. by both downloading Type 1 information through the
                                 "download your data" function and requesting access to Type 2 and Type 3 information through
                                 customer service. If the data subject contacts customer service directly with their request,
                                 the data subject can request access to all personal data at the same time.


                                 IMY considers that the fact that the data subject must take different measures to request the
                                 various layers of data may cause some inconvenience. The data subject, however, has the
                                 opportunity to take all of these measures at one and the same time. All measures can also be
                                 taken easily via Spotify's website. On an overall assessment, IMY believes that Spotify's
                                 routines enable data subjects to request access to all their personal data in a sufficiently
                                 simple way.

                                 The design of the copy and format of the copy


                                 It follows from Article 12.1 of the data protection regulation that the information provided
                                 under Article 15 of the data protection regulation must be given in a concise, clear,
                                 comprehensible and easily accessible form, using clear and unambiguous language. What
                                 requirements should be placed on clarity in the individual case must be assessed in light of
                                 the purpose of the right of access, i.e. that the data subject is to become aware of the
                                 processing that takes place and be able to check that the processing is lawful.

                                 15 Cf. the European Data Protection Board's (EDPB) guidelines on the right of access - Guidelines 01/2022 on data subject
                                 rights – Right of access, version 2.0 (finally adopted on March 28, 2023), point 146.

                                 The majority of the data that Spotify processes, especially the data in the technical log
                                 files, is by its nature highly technical, as it contains e.g. codes and numbers. Such
                                 information can be difficult for the average data subject to understand. Providing such
                                 information without further explanation would, according to IMY, not meet the requirements for
                                 clarity, in view of the purpose of the right. Because the data to be provided under Article
                                 15.1 of the data protection regulation and covered by a copy under Article 15.3 of the data
                                 protection regulation must be the personal data that is processed, the personal data
                                 controller is, however, not permitted to alter personal data that is difficult to understand
                                 in order to facilitate understanding. Such data may instead need to be explained.


                                 Together with the copy of personal data, Spotify provides additional descriptions in order to
                                 make the data in the various layers comprehensible to the data subject. Spotify also responds
                                 to data subjects' questions about the meaning of the personal data provided and updates its
                                 general procedures and descriptions based on the questions asked.


                                 IMY believes that data in the technical log files that Spotify provides can be complicated to
                                 understand, despite the descriptions provided by Spotify. IMY believes, however, that by
                                 providing these descriptions Spotify enables the data subject, albeit with some effort, to take
                                 in the information. That some effort may be required from the data subject, despite the
                                 descriptions, to understand certain particularly complicated data is a natural consequence of
                                 the nature of that data.


                                 By default, Spotify provides the detailed description of the data in the technical log files
                                 only in English. Neither Article 12.1 nor Article 15 of the data protection regulation
                                 contains an explicit requirement as to the language in which personal data, or the description
                                 thereof, must be provided to the data subject. However, IMY believes that it follows from the
                                 purpose of the right of access and the requirements for clarity in Article 12.1 that data
                                 subjects should be able to receive the information in a language they know, at least when the
                                 personal data controller directs its activities to countries where this is an official
                                 language. This means that the personal data controller must take sufficient measures to ensure
                                 that the data subject understands the information.


                                 Spotify provides the majority of the information given to data subjects under Article 15 of
                                 the data protection regulation, including a general description of what the technical log
                                 files may include, based on the language settings in the individual's web settings, i.e. in
                                 the local language. Furthermore, Spotify provides clear information, in the local language,
                                 about the possibility of requesting a translation of the description of the technical log
                                 files, in the "Read Me First" file that is provided with each request for access. This
                                 information is also provided in the local language on the "Understand my data" web page.
                                 Spotify has thus taken extensive measures to provide information in a language that the data
                                 subject can be assumed to understand. However, Spotify has reported significant difficulties
                                 in translating the description of the data in the technical log files into all local languages
                                 in the countries to which it directs its operations. The difficulties stem from the constant
                                 changes to the data in the technical log files and the fact that many technical concepts can
                                 hardly be translated from English.

                                 16 Cf. the Article 29 Working Party's Guidelines on Transparency under Regulation (EU) 2016/679, WP260rev.01, adopted by
                                 the European Data Protection Board, point 13, and the European Data Protection Board's (EDPB) guidelines on the right of
                                 access – Guidelines 01/2022 on data subject rights – Right of access, version 2.0 (finally adopted on 28 March 2023),
                                 point 142.

                                 However, IMY notes that Spotify has stated that, at the request of a data subject, it is able
                                 to translate the description of the data in the technical log files into a local language to
                                 the extent that the technical terms are translatable. Since a translation is therefore
                                 possible in practice, IMY believes that such a translation should be capable of being provided
                                 even before a data subject has requested one. Nor can Spotify's stated difficulties in
                                 translating the description, including that translation may need to be done on several
                                 occasions each month and the additional resources this requires, justify providing the
                                 description in English by default. Considering the purpose of the right of access, it is
                                 crucial that data subjects understand which of their personal data has been processed in the
                                 technical log files, which requires an understandable description of their content. IMY
                                 therefore considers that Spotify should have provided the description in the local language
                                 already when the technical log files were provided to the data subject, at least to the extent
                                 necessary to understand the data in the technical log files.


                                 Against this background, IMY believes that Spotify has not taken sufficient measures to ensure
                                 that the data subject understands the description of the data in the technical log files when
                                 this information is provided only in English by default. The information that Spotify provides
                                 in this part therefore did not meet the requirement that all communications provided to the
                                 data subject under Article 15 of the data protection regulation must be clear and
                                 understandable in the manner specified in Article 12.1 of the data protection regulation. The
                                 fact that a data subject has the opportunity to return to Spotify to request a translation
                                 does not cure this deficiency.


                                 It follows from Article 15.3 of the data protection regulation that a data subject who makes a
                                 request for access in electronic form must receive the information in an electronic format
                                 that is generally used, unless the data subject requests otherwise. Spotify provides the data
                                 in JSON format. In the guidelines on the right to data portability, JSON format is given as an
                                 example of a widely used open format.17

                                 IMY states that the requirements set for formats differ between the right to data portability
                                 and the right of access, as data portability according to Article 20.1 of the data protection regulation
                                 also requires that the data be provided in a structured and machine-readable
                                 format. In view of the purpose of the right of access, IMY requires that the format in which
                                 the data is provided in accordance with Article 15 of the data protection regulation be readable
                                 by a natural person. However, there is nothing to prevent the format from also being
                                 machine-readable. Such a format can in many cases make it easier for the data subject to
                                 make various summaries or searches to facilitate understanding. IMY
                                 considers that JSON format, which can be read by both computers and natural persons, is
                                 currently such a generally used electronic format as referred to in Article 15.3 of
                                 the data protection regulation.


                                 Summary assessment regarding the right of access to personal data and a copy
                                 of the personal data undergoing processing – Articles 15.1 and 15.3 of the data protection regulation


                                 In summary, IMY finds that Spotify's way of dividing the copy of personal data
                                 into different layers does not hinder the exercise of the data subjects' rights and is thus
                                 in accordance with Article 12.2 of the data protection regulation, and that the design and format
                                 of the copy of personal data largely meet the requirements for transparency in Article 12.1 of
                                 the data protection regulation.



                                 [17] Article 29 Group Guidelines on the right to data portability, WP242 rev.01, adopted by the European
                                 Data Protection Board, p. 19.





                                However, IMY finds that the description of the data in the technical log files which
                                Spotify provided during the period from and including 11 June 2019 to and including 16 May
                                2022 has not met the requirements of Article 12.1 of the data protection regulation, as this
                                information by default has only been provided in English. Spotify has thus
                                in this respect processed personal data in violation of Article 12.1 of
                                the data protection regulation during the relevant time period.


                                4 Examination of individual complaints - Justification of decisions

                                4.1 Complaint 1 (from the Netherlands with national reference number z2018-28415)

                                4.1.1 Background

                                The complainant has argued in summary that Spotify, in response to his
                                access request made on 27 May 2018, has not provided access to all of his
                                personal data within the time prescribed in Article 12.3 of the data protection regulation
                                and that, once he gained access to all personal data, these were not
                                provided in an intelligible form in the manner prescribed in Article 12.1 of
                                the data protection regulation.


                                4.1.2 What has emerged in the matter
                                Spotify provides three types of responses to ensure an appropriate and complete
                                response to its users' requests in accordance with Article 15 of the data protection regulation.
                                Spotify has stated that information about all three types of responses (Type 1, Type 2 and Type 3),
                                as well as information on how to request access to them, was available at
                                the time of the complainant's request. When a user chose to download
                                their data (Type 1), it was evident from the description and instructions directly alongside
                                the download tool that this was just a convenient way to get a copy of "the
                                most" personal data from the account, and which categories of personal data
                                were available through the tool. From the context it was therefore clear enough that
                                other personal data was also available. The complainant also had the opportunity to
                                contact customer service via several channels and request additional personal data.
                                The complainant also had the opportunity to turn to customer service and directly request
                                access to all his personal data.


                                Spotify believes that the process at the time was transparent enough for
                                users to understand and request additional available data beyond what
                                was included in the "Download your data" tool. Many other users also requested
                                both Type 2 and Type 3 data at that time. The complainant also succeeded in requesting
                                and accessing both Type 1 and Type 2 data. Spotify has subsequently made several
                                improvements to its processes to ensure that users cannot miss all three
                                types of information available and how to easily request access to
                                that information.

                                Spotify has stated that, with regard to the provision of the complainant's personal data, it
                                provided all requested personal data within the time frame specified in
                                Article 12.3 of the data protection regulation. "Download your data" (Type 1) was requested by
                                the complainant on 27 May 2018. The data was made available and downloaded by
                                the complainant on May 28, 2018. A response time of one day is consistent with Spotify's
                                goal of quickly providing the most relevant information to users through
                                its automatic tools.






                                Technical log files (Type 2) were requested by the complainant via email on 11 June 2018. In
                                its response on July 6, 2018, Spotify informed the complainant that the provision of
                                the personal data would take a little longer than expected due to the high number
                                of requests and the complexity of compiling such technical information.
                                The information was made available for download on July 17, 2018. Even after having
                                informed the complainant of the reason why the response would be delayed, only 36
                                calendar days (26 working days) elapsed between the complainant's request and the receipt of a response.

                                Regarding the complainant's complaint about the format of the personal data, Spotify has
                                stated that Type 2 data contains a large number of files with technical log data.
                                What data is processed may differ significantly between users based on
                                what kind of Spotify service plan they have (e.g. Free, Premium, Family), features and
                                the specific user's activity, as well as variations in the usual internal
                                processing and error logging of the Spotify software itself. It is a challenge
                                to find a way to explain this kind of technical information in a way that
                                the average Spotify user can understand.

                                At the time of the complainant's request, Spotify provided the information in JSON
                                format. However, Spotify did not provide any additional documentation to
                                further clarify what types of data were included and how these should be interpreted
                                (in addition to the information that appears in the JSON data fields themselves). Since 2019,
                                however, Spotify provides a supplementary "Read Me First" file upon delivery of
                                all Type 2 data, which further describes the information contained in each file and
                                data field. Given the complexity and volume of the technical log files,
                                the creation of the "Read Me First" file required a lot of work, and Spotify had not yet
                                completed this process at the time of the complainant's original request for access.

                                It was a mistake to provide the complainant with some of the technical log files in
                                encrypted format. Spotify stores data in its systems in encrypted format to reinforce
                                integrity and security in connection with the company's own internal processing of
                                personal data. It was not Spotify's intention to withhold the complainant's
                                personal data from him. Although most of the encrypted data was decrypted
                                before being included in the complainant's technical log files, some of the fields were not
                                decrypted. That kind of problem was fixed once it was discovered, and
                                requested personal data is now always provided unencrypted.

                                Spotify wants to draw IMY's attention to the fact that the complainant requested his personal data
                                again in July 2020. This request came after his complaint to IMY and the improvements
                                described above. The complainant received his personal data significantly faster than
                                within 30 days. The complainant requested "Download your data" (Type 1) on 28 July 2020.
                                Spotify provided the personal data three calendar days later, on July 31, 2020.
                                The complainant also requested his technical log files (Type 2) on August 3, 2020 and
                                downloaded the personal data when it was available 15 days later, on August 18,
                                2020. Both of these requests were answered within a total of 18 days by Spotify and
                                the complainant was able to receive all his personal data within a total of 21 calendar days. This
                                timeframe is representative of Spotify's handling of these types of requests from
                                users. All technical information received by the complainant on August 18, 2020 was
                                unencrypted. The complainant should also have received a "Read Me First" file that explained,
                                field by field, the information provided. With the fulfillment of the complainant's latest
                                request, Spotify hopes that all the complainant's questions regarding Articles 12.1 and
                                12.3 of the data protection regulation that he raised in his complaint have been answered.






                                4.1.3 The Privacy Protection Authority's assessment
                                As IMY states in the assessment of the company's general routines, section 3.2.2 of
                                this decision, it is possible to divide the copy of personal data into different layers provided
                                that the data subject has received sufficient information about, among other things, how the copy
                                of personal data is divided and how access to the various layers can be requested.


                                The fact that the complainant claims that his personal data was not provided in time shows that
                                the complainant must have considered that his initial request, sent on 27 May 2018,
                                referred to all personal data that Spotify processed about him. From the information
                                the complainant provided, it further appears that he contacted Spotify because he himself
                                noticed that the copy of personal data he received on 28 May 2018 was not
                                complete. The fact that he contacted Spotify was thus a consequence of the conclusions
                                the complainant himself drew from the copy of personal data he received, and not
                                because the complainant understood Spotify's division of the copy of personal data and
                                how access to additional data could be requested. According to IMY, these circumstances
                                indicate that the information provided by Spotify at the time of the complainant's
                                request regarding the division of the copy of personal data was not sufficiently
                                clear.


                                In assessing the description and instructions Spotify provided
                                in connection with the complainant making his Type 1 request
                                on 27 May 2018, IMY also considers that that information alone was not clear enough for
                                the complainant to have understood that only a subset of the personal data
                                was covered by the request. At the time of the complainant's request, the
                                information that is currently available on Spotify's website was also missing, including on the web page
                                for "Personal data rights and privacy settings", where it is clear which
                                personal data is given in the various responses and how access to these can be requested. IMY
                                further considers that Spotify's statement that the complainant could turn to customer service and
                                request additional information is irrelevant, as such action assumes that
                                the complainant would have understood that there were additional personal data that could
                                be released.

                                In view of the above, IMY considers that Spotify, at the time of the complainant's
                                access request, did not provide sufficiently clear information for the complainant to
                                understand that the copy of personal data was divided. That there is sufficient information for
                                a data subject to understand that his request only refers to a selection of the
                                personal data that is processed is a prerequisite for the controller
                                to be able to limit the disclosure of this personal data. If it is unclear whether
                                the request only concerns a selection of the personal data, the
                                controller should assume that the data subject wants access to all of their
                                personal data. Spotify should therefore, as the information in this regard was deficient
                                at the time of the complainant's request, have disclosed all personal data that it
                                processed about the complainant in response to his request for access made on
                                May 27, 2018. The time within which Spotify had to provide the copy of all
                                personal data must therefore be calculated from this time. Spotify should, according to Article
                                12.3 of the data protection regulation, have provided a full copy of the complainant's
                                personal data or notified the complainant of an extension of the time period at the latest
                                on 27 June 2018. Spotify only notified the complainant of an extension of the time period
                                on 6 July 2018. The copy of the additional personal data was provided on 17 July
                                2018. IMY states that Spotify did not announce the extension within the time
                                prescribed in Article 12.3 of the data protection regulation. Spotify has therefore provided the copy of
                                the complainant's personal data too late.






                                From the complainant's information, as confirmed by Spotify, it appears that the additional
                                personal data he gained access to on 17 July 2018 was difficult to understand and, in some
                                cases, encrypted.


                                As IMY states under section 3.2.2, the controller is required to
                                explain personal data that is especially difficult to understand in order for the purpose of the right of access to be
                                considered fulfilled. IMY notes that Spotify has not lived up to its obligations in
                                the complainant's case, as it did not provide an explanation for the particularly difficult to understand
                                information it provided in the copy and also provided certain information encrypted.


                                IMY states with regard to the above that Spotify, in its handling of
                                the complainant's request for access made on 27 May 2018, has processed
                                personal data in violation of Article 12.3 of the data protection regulation, by providing the copy of
                                personal data too late, as well as in violation of Articles 12.1, 15.1 and 15.3 of
                                the data protection regulation, by not having provided all of the complainant's
                                personal data in an understandable form.


                                4.2 Complaint 2 (from Austria with national reference no. D130.198)


                                4.2.1 Background
                                The complainant has alleged that Spotify, in response to his request for access
                                made on October 10, 2018, has not provided all the personal data that
                                Spotify processes about the complainant, that Spotify has not provided any of the
                                information on the processing of the complainant's personal data required by Articles
                                15.1 a–h and 15.2 of the data protection regulation, and that Spotify has not provided
                                the personal data in an understandable form in the manner prescribed in Article 12.1 of
                                the data protection regulation. The complainant has stated, among other things, that the information was
                                provided in a format that is machine-readable only and not comprehensible to natural
                                persons.


                                4.2.2 What has emerged in the matter
                                Spotify has stated that the complainant requested access to "Download your data" (Type 1) on
                                10 October 2018. The data was made available and downloaded by the complainant on
                                18 October 2018. The complainant then never contacted Spotify again to raise the
                                views put forward in his complaint to IMY. Nor did he request access to
                                additional information beyond that made available through the "Download your data"
                                tool.


                                Spotify provides three types of responses to ensure an appropriate and complete
                                response to its users' requests in accordance with Article 15 of the data protection regulation.
                                Spotify has stated that information about all three types of responses (Type 1, Type 2 and Type 3),
                                as well as information on how to request access to them, was available at
                                the time of the complainant's request. When a user chose to download
                                their data (Type 1), it was evident from the description and instructions directly alongside
                                the tool that this was just a convenient way to get a copy of "most"
                                personal data from the account, and which categories of personal data were
                                available through the tool. From the context it was therefore clear enough that
                                other personal data was also available. The complainant also had the opportunity to
                                contact customer service via several channels and request additional personal data.


                                Spotify believes that the process at the time was transparent enough for
                                users to understand and request additional available data beyond what
                                was included in the "Download your data" tool. Many other users also requested
                                both Type 2 and Type 3 data at that time. Spotify has subsequently made several
                                improvements to its processes to ensure that users cannot miss all three
                                types of information available and how to easily request access to
                                that information.


                                At the time of the complainant's request, the specific web page with information
                                under Articles 15.1 a–h and 15.2 of the data protection regulation had not yet been created, and such
                                information was also not automatically included in the access request response.
                                Spotify confirms that the complainant did not receive this information along with his Type 1
                                response in October 2018. Spotify notes that although the complainant did not receive the specific
                                information under Article 15 in connection with his request, the information was available
                                to the complainant in Spotify's privacy policy.

                                Spotify has further stated that the company had processes in place to provide
                                additional information and take action in the event that its response would not be considered
                                sufficient to fully respond to a data subject's access request. If the complainant
                                had contacted privacy@spotify.com or Spotify's customer service team regarding his
                                questions, they would have been happy to provide the additional personal data and other information
                                under Article 15 of the data protection regulation that he requested.


                                It is true that the complainant's "Download your data" data was provided in JSON
                                format. JSON is a recommended standard format that can be understood by both
                                people and computers. The information in "Download your data" (Type 1) is largely
                                self-explanatory based on the file and field names. Nowadays, however, Spotify
                                also provides a detailed description of the data on the information web page
                                "Understand my data".


                                4.2.3 The Privacy Protection Authority's assessment
                                As IMY states in the assessment of the company's general routines, section 3.2.2 of
                                this decision, it is possible to divide the copy of personal data into different layers provided
                                that the data subject has received sufficient information about, among other things, how the copy
                                of personal data is divided and how access to the various layers can be requested.


                                The complainant has, as IMY understands it, wanted access to all the information that
                                Spotify processes about him. However, the complainant only requested access to the Type 1
                                data and has also not returned to Spotify for further information.
                                According to IMY, the complainant's actions indicate that the information provided by Spotify
                                at the time of the complainant's request regarding the division of the copy of
                                personal data and how access to the various layers could be requested was not sufficiently
                                clear for the complainant to understand how he would get access to all the information.

                                In assessing the description and instructions Spotify provided
                                in connection with the complainant making his Type 1 request
                                on October 10, 2018, IMY also considers that that information alone was not clear enough for
                                the complainant to have understood that only a subset of the personal data
                                was covered by the request. At the time of the complainant's request, the
                                information that is currently available on Spotify's website was also missing, including on the web page
                                for "Personal data rights and privacy settings", where it is clear which
                                personal data is given in the various responses and how access to these can be requested. IMY
                                further considers that Spotify's statement that the complainant could turn to customer service and
                                request additional information is irrelevant, as such action requires that
                                the complainant would have understood that there were additional personal data that could
                                be released.


                                In view of the above, IMY considers that Spotify, at the time of the complainant's
                                request for access, did not provide sufficiently clear information for the complainant to
                                understand that the copy of personal data was divided. That there is sufficient information for
                                a data subject to understand that his request only refers to a selection of the
                                personal data that is processed is a prerequisite for the controller
                                to be able to limit the disclosure of this personal data. If it is unclear whether
                                the request only concerns a selection of the personal data, the
                                controller should assume that the data subject wants access to all of their
                                personal data. Spotify should therefore, as the information in this regard was deficient
                                at the time of the complainant's request, have disclosed all personal data that it
                                processed about the complainant. IMY states that Spotify has not disclosed all of the
                                personal data it processed about the complainant. Spotify has therefore not complied with
                                the requirements in Articles 15.1 and 15.3 of the data protection regulation to give the data subject
                                access to their personal data, as the company has not provided the data subject with a
                                full copy of the personal data that was being processed.


                                The complainant has further stated that the personal data he was given access to was difficult
                                to understand. Spotify's response shows that at the time of the complainant's request
                                a description of the information provided to the complainant (Type 1) was missing. However, IMY
                                deems that the information provided in response to a Type 1 request is sufficiently
                                clear for the average user to be able to understand the data, and that
                                it therefore does not require any further explanation. IMY therefore considers that the
                                personal data provided was sufficiently clear to meet the requirements of
                                Article 12.1 of the data protection regulation, i.e. that the information provided under
                                Article 15 of the data protection regulation must be given in a concise, clear, understandable and
                                easily accessible form using clear and unambiguous language. There has therefore
                                been no deficiency regarding how clear the personal data provided to the complainant
                                was. However, IMY looks positively on the improvements that Spotify has implemented since
                                then, which can further increase the understanding of the personal data provided in
                                a Type 1 response.


The complainant has further stated that his personal data was provided in a format which was only machine readable and not comprehensible to natural persons. Spotify has stated that the data was provided in JSON format. IMY believes, as also appears above under 3.2.2, that JSON format, which can be read by both computers and natural persons, is in the current situation such a commonly used electronic format as referred to in Article 15.3 of the data protection regulation. IMY therefore considers that there was no deficiency in respect of the format in which the information was provided to the complainant.

The appellant has finally claimed that he did not receive information according to Article 15.1 a-h and 15.2 of the data protection regulation. Spotify has confirmed that the complainant did not receive this information together with the response to the request submitted in October 2018. Spotify has thus not fulfilled its obligation to, in connection with the appellant's request for access, provide information according to article 15.1 a-h and 15.2. The fact that the information at the time of the complainant's request was available in the company's privacy policy does not remedy this deficiency.


IMY concludes in summary that Spotify, in its handling of the complainant's request for access made on 10 October 2018, has processed personal data in violation of article 15.1 and 15.3 of the data protection regulation, by not having given access to all personal data that Spotify processed about the complainant, and in conflict with article 15.1 a-h and 15.2 of the data protection regulation, by not having provided any of the information set out in these provisions.


                                4.3 Complaint 3 (from Denmark with national reference number
                                2018-31-1198)


The complainant has claimed that Spotify has not responded to the complainant's request for access according to Article 15 of the data protection regulation made on November 12, 2018.

The investigation into the matter has not shown that Spotify failed in its handling of the complainant's request for access, which means that the complaint in question must be rejected. The receiving supervisory authority, i.e. the Danish data protection authority, shall therefore adopt the decision regarding this complaint in accordance with Article 60.8 of the Data Protection Regulation. The justification for the decision in this part is thus reported in a separate decision from the Danish Data Protection Authority.


                                5 Choice of intervention


                                5.1 Applicable Regulations


In the event of violations of the data protection regulation, IMY has a number of corrective powers, including reprimands, injunctions and penalty fees. This follows from article 58.2 a–j of the data protection regulation.

IMY shall impose penalty fees in addition to or in lieu of other corrective measures as referred to in Article 58(2) of the Data Protection Regulation, depending on the circumstances in each individual case.

If a personal data controller or a processor, with respect to one and the same or connected data processing, intentionally or by negligence violates several of the provisions of this regulation, the total amount of the administrative penalty fee may not exceed the amount determined for the most serious violation. This follows from Article 83.3 of the data protection regulation.

Each supervisory authority must ensure that the imposition of administrative penalty fees in each individual case is effective, proportionate and dissuasive. This is stated in Article 83.1 of the Data Protection Regulation.


Article 83.2 of the data protection regulation states the factors that must be taken into account in order to decide whether an administrative penalty fee should be imposed, but also what should affect the size of the penalty fee.

The EDPB has adopted guidelines on the calculation of administrative penalty fees according to the data protection regulation which aim to create a harmonized method and principles for calculation of penalty fees. [18]






18 EDPB's guidelines 8/2020 Guidelines 04/2022 on the calculation of administrative fines under the GDPR, finally adopted on 24 May 2023.






                               5.2 Same or connected data processing

As stated above, IMY has, in the review carried out by the authority of Spotify's general processes and routines for providing access according to Article 15 of the data protection regulation, found deficiencies in the information provided in accordance with Article 15.1 a–h and 15.2 of the data protection regulation as well as in the description of the data in the technical log files provided by Spotify. Spotify has also failed in its handling of requests for access in relation to two of the complaints IMY has reviewed, complaint 1 and complaint 2.

The violations regarding the general routines relate, as regards the information according to article 15.1 a-h and 15.2 of the data protection regulation, to the period from November 16, 2021 through May 16, 2022 and, regarding the description of the data in the technical log files, to the period from June 11, 2019 through May 16, 2022. The requests for access covered by the individual complaints were made on 27 May 2018 and 10 October 2018 respectively. IMY assesses, among other things against this background, that the violations relating to the general procedures and the violations relating to the two complaints do not constitute the same or connected processing in the manner referred to in Article 83.3 of the data protection regulation.

However, IMY considers that Spotify's provision of information covered by article 15.1 and 15.2 of the data protection regulation and the provision of the description of the data in the technical log files are interconnected. The assessment is made, among other things, against the background that the identified deficiencies in these parts relate to the requirements for transparency in the information that Spotify has provided to the data subjects according to Article 15 of the Data Protection Regulation during a partially coinciding time period. Furthermore, the complaints are deemed to be connected with each other.

IMY must therefore decide on the choice of intervention partly for the identified deficiencies in Spotify's information according to article 15.1 and 15.2 of the data protection regulation and in the description of the data in the technical log files, and partly for the identified deficiencies regarding the two complaints.


5.3 Deficiencies in information according to article 15.1 and 15.2 of the data protection regulation and in the description of the data in the technical log files

IMY has assessed that Spotify has violated articles 12.1, 15.1 a-d, 15.1 g and 15.2 of the data protection regulation. In light of, among other things, the fact that the violations have been able to affect a large number of registered users, that the violations have been going on for a long time and that the deficiencies in the information made it difficult for registered users to exercise their other rights according to the data protection act, it is not a question of minor violations. Spotify must therefore be charged a penalty fee for the violations in this part.

IMY states that Spotify has violated articles covered by Article 83.5 of the data protection regulation, which means that a penalty fee of up to twenty million EUR or four percent of the global annual turnover in the previous financial year, depending on which value is higher, may be applied.


When determining the maximum amount of a penalty fee to be imposed on a company, the definition of the term company that the EU Court of Justice uses in the application of Articles 101 and 102 of the TFEU should be used (see recital 150 of the data protection regulation). The court's practice shows that this includes every unit that carries out economic activities, regardless of the legal form of the entity and the way it is financed, and even if the unit in the legal sense consists of several natural or legal persons.

IMY assesses that the company turnover to be used as a basis for calculating the administrative penalty fee that may be imposed on Spotify is that of Spotify's parent company Spotify Technology S.A. From Spotify Technology S.A.'s annual report for the year 2022 it appears that the annual turnover in 2022 was approximately SEK 132,000,000,000. The highest sanction amount that can be determined in the case is four percent of this amount, approximately SEK 5,280,000,000.


When assessing the seriousness of the violations, IMY takes into account, in addition to what is stated above, i.e. that the violations have been able to affect a large number of registered persons, that the violations have been going on for a long time and that the deficiencies in the information made it difficult for data subjects to exercise their other rights according to the data protection regulation, also the following.

The violations have entailed a risk that the purpose of the right of access is thwarted, as the deficiencies in the information provided made it difficult for data subjects to understand which of their personal data has been processed and how. The registrant has thus not had the opportunity to check whether the processing was legal either. Spotify's processing of personal data further includes a large amount of personal data about each registered person and affects many registered users in several different countries.

However, as far as has come to light, the data processed are not such special categories of personal data as specified in Article 9 of the Data Protection Regulation. Processing of personal data that takes place within the framework of a customer relationship in the provision of a music streaming service does not normally have major consequences for the data subjects either. IMY has further, despite the scope of Spotify's personal data processing, only received a few complaints regarding the company's handling of access requests.


It is also of significance that Spotify faces a challenge in providing comprehensive information about complex personal data processing in a way that is comprehensible to the data subjects, which entails difficult trade-offs in assessing how the information should best be presented. Spotify has provided certain information in accordance with all points in Article 15.1 and 15.2 of the data protection regulation. Furthermore, Spotify has provided information about its processing of personal data on several pages on the company's website. Some information about how the personal data was processed can also be read from the copy of personal data according to article 15.3 of the data protection regulation that Spotify has provided to the data subjects who requested access and which IMY has generally assessed to meet the requirements for clarity in Article 12.1 of the Data Protection Regulation.


The investigation into the matter further shows that Spotify, on its own initiative and before the supervisory case in question was initiated, has taken several measures and put in extensive work to produce, develop and improve processes regarding requests for access that shall be transparent for those registered. These processes and routines have since been developed and continuously improved. According to IMY, this suggests that Spotify intends to fulfill the right of access in a way that is transparent to the data subjects. In addition, until last year, when the EDPB adopted guidelines on the right of access [19], there was a lack of detailed guidance on how the information should be provided and at what level of detail, among other things regarding the degree of individualization of the information to be provided according to article 15.1 and 15.2 of the data protection regulation and which language should be used in communication according to Article 15 of the Data Protection Regulation.

19 European Data Protection Board (EDPB) guidelines on the right of access - Guidelines 01/2022 on data subject rights – Right of access, (adopted on January 18, 2022 for public consultation and finally adopted on March 28, 2023).


Overall, IMY assesses, against the background of the reported circumstances, that the violations in question are of low seriousness. The starting point for the calculation of the penalty fee should therefore be set relatively low in relation to the applicable maximum amount. To ensure a proportional penalty fee in the individual case, there are also reasons already at this stage to further adjust the starting point for the continued calculation downwards, taking into account the high turnover that forms the basis for the calculation of the penalty fee.

In addition to assessing the seriousness of the violation, IMY must assess whether there are any aggravating or mitigating circumstances that are relevant to the amount of the penalty fee. The circumstances which have already been considered in the assessment of the seriousness of the infringement cannot be reconsidered at this stage of the assessment.


IMY assesses that there are no further aggravating circumstances that affect the amount of the penalty fee. As a mitigating circumstance, IMY attaches particular importance to the possibility for those registered to contact Spotify's customer service through several different channels to receive further individualized information. Furthermore, Spotify informed in June 2022 that the company has made updates to the information in accordance with Article 15, among other things for the data subject to understand the specific personal data processing which is applicable to their unique use of the Spotify service. As for the shortcomings regarding Spotify's choice of language for the description of the data in the technical log files, it is also of significance that data subjects have had the opportunity to turn to Spotify to have the description translated or explained in their local language and that Spotify provided clear information about this possibility in the "Read Me First" file which was provided in connection with the data being provided to the data subject.

Against the background of the seriousness of the violations, aggravating and mitigating circumstances and the high turnover in relation to the established violations, IMY determines the administrative penalty fee for Spotify at 58 000 000 kroner. In doing so, IMY has assessed that this amount, which corresponds to approximately 1 percent of the highest possible sanction amount that can be determined in the case, is effective, proportionate and dissuasive in the present case.


                                5.4 Violations regarding complaints 1 and 2


IMY has established that Spotify breached its obligations in relation to the complainants in complaints 1 and 2. However, IMY can state that the complainants in both cases have received access to some of their personal data in a timely manner. Spotify has further, when the appellant in complaint 1 contacted them, been helpful in providing further information and answered questions. Regarding complaint 2, Spotify has not been made aware that the complainant considered that his request for access was not fully met. The appellant has not turned to Spotify and stated that he was dissatisfied with the company's handling of his request for access, which is why Spotify has had difficulty remedying the shortfall.

IMY states that the violations currently in question did not include sensitive personal data. Spotify has further taken measures, albeit insufficient, in order to comply with the appellants' requests. Even if the complainants' right of access has not been fully met, the deficiencies that have been present are therefore of a less serious nature than if the requests had been left unanswered.

In an overall assessment, IMY finds that the violations in complaints 1 and 2 are minor violations and that there is therefore reason to refrain from imposing a penalty fee on Spotify for the established violations in this part. Spotify must instead be given a reprimand in accordance with Article 58.2 b of the data protection regulation.


Spotify has stated that the company is happy to cooperate with the complainants directly in order to ensure that it has provided all the data and the information that the complainants are seeking, and that it has answered their questions.

From information that emerged in the case, the complainant in complaint 1 turned to Spotify again in July 2020 and was subsequently granted access in accordance with Article 15 of the Data Protection Regulation. The complainant received all his personal data, including an explanatory document about the personal data that was processed, within 21 days. The personal data that was then provided was unencrypted. As the appellant has had his request for access granted, there is no reason to order Spotify to grant access again in accordance with Article 15.

Regarding complaint 2, no information has emerged that the complainant has received access to more personal data or more information after the response to the access request in October 2018. Spotify must therefore, with the support of Article 58.2 c of the data protection regulation, be ordered to comply with the appellant's request for access pursuant to Article 15 of the data protection regulation by giving the complainant access to all personal data that Spotify processes about him, by providing him with a copy of the personal data according to article 15.3 of the data protection regulation as well as information according to article 15.1 a-h and 15.2 of the data protection regulation. In doing so, Spotify must take into account the exceptions to the right of access in Article 15.4 of the Data Protection Regulation and ch. 5 of the data protection act that may be applicable. IMY assesses that access should be provided within one month of this decision becoming legally binding.


                                _____________________________

This decision has been taken by the general manager Lena Lindgren Schelin after a presentation by lawyers Karin Ekström and Evelin Palmér. The head of justice David Törngren and the head of unit Catharina Fernquist also participated in the final processing.




                                Lena Lindgren Schelin, 2023-06-12 (This is an electronic signature)



                                Appendix

                                Appendix 1 - complainant's identification details (complaint 2)

Appendix 2 - Spotify's information according to article 15 of the data protection regulation, on 16 November through May 16, 2022

Appendix 3 – Information on payment of penalty fee

Appendix 2




















How to appeal FR-03

________________________________________________________________

If you want the decision to be changed in any part, you can appeal. Here you will find out how it is done.

Appeal in writing within 3 weeks

The time is usually counted from the day that you received the written decision. In some cases the time is instead counted from the date of the decision. This applies if the decision was delivered at an oral hearing, or if the court at the hearing gave notice of the date of the decision.

For a party representing the public (for example authorities) the time is always counted from the day the court announced the decision.

Note that the appeal must have arrived at the court when the time runs out.

What day does the time expire?

The last day for appeals is the same day of the week as the time begins to count. For example, if you received the decision on Monday 2 March, the time expires Monday, March 23.

If the last day falls on a Saturday, Sunday or holiday, Midsummer's Eve, Christmas Eve or New Year's Eve, it is enough that the appeal is received the next weekday.

How to do it

1. Write the name of the administrative court and the case number.

2. Explain why you think the decision should be changed. Tell us what change you want and why you think the Court of Appeal should take up your appeal (read more about leave to appeal further down).

3. State what evidence you want to refer to. Explain what you want to show with each piece of evidence. Send along written evidence that is not already in the case.

4. Provide name and social security number or organization number. Provide current and complete information about where the court can reach you: postal addresses, email addresses and phone numbers. If you have a representative, also provide the representative's contact details.

5. Send or submit the appeal to the administrative court. You can find the address in the decision.

What happens next?

The Administrative Court checks that the appeal came in at the right time. If it has come in too late, the court rejects the appeal. This means that the decision applies.

If the appeal arrived in time, the administrative court sends the appeal and all documents in the case on to the Court of Appeal.

If you have previously received letters through simplified service, the Court of Appeal can also send letters in this way.
Leave to appeal in the Court of Appeal

When the appeal comes to the Court of Appeal, the court first decides whether the case is to be taken up for consideration.

The Court of Appeal grants leave to appeal in four different cases.

  • The court considers that there is reason to doubt that the administrative court ruled correctly.

  • The court considers that it is not possible to assess whether the administrative court ruled correctly without taking up the case.

  • The court needs to take up the case in order to provide guidance to other courts in the application of the law.

  • The court considers that there are extraordinary reasons to take up the case for some other reason.

If you do not receive leave to appeal, the appealed decision applies. Therefore, it is important that the appeal includes everything you want to bring forward.

Do you want to know more?

Contact the administrative court if you have questions. You can find the address and phone number on the first page of the decision.

More information is available at www.domstol.se.