IMY (Sweden) - DI-2019-6696
From GDPRhub
| IMY - DI-2019-6696 | |
|---|---|
 | |
| Authority: | IMY (Sweden) |
| Jurisdiction: | Sweden |
| Relevant Law: | Article 12(1) GDPR Article 12(3) GDPR Article 15(1) GDPR Article 15(2) GDPR Article 15(3) GDPR Article 60 GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | |
| Published: | 13.06.2023 |
| Fine: | 58000000 SEK |
| Parties: | Spotify AB |
| National Case Number/Name: | DI-2019-6696 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Swedish |
| Original Source: | IMY (sweden) (in SV) |
| Initial Contributor: | n/a |
Spotify was fined SEK58,000,000 (approx. €5,000,000) for insufficiently addressing access requests. Also, Spotify was reprimanded and ordered to comply with a user's access request. It was not sufficient under Article 15(1) GDPR that the information was available in Spotify’s privacy policy.
English Summary
Facts
Background
Following a complaint filed by noyb, in January 2019, as well as, complaints from the Netherlands and Denmark against Spotify AB (Spotify) regarding the right of access under Article 15 GDPR, the Swedish DPA initiated an ex officio investigation on whether Spotify’s general practices for handling access requests comply with the GDPR.
After 3 years of inactivity from the DPA, noyb sought remedy under Article 78(2) GDPR from the Stockholm Administrative Court, which eventually sided with noyb. As a result, the DPA has now finally issued a decision on noyb’s complaint, as well as, the other complaints filed against Spotify simultaneously with the DPA’s ex officio investigation. Since Spotify operates in several EU Member States, the DPA applied the cooperation and consistency mechanisms set out in Chapter VII GDPR.
The complaint brought by noyb was identified as ‘complaint 2’, and the complaint from the Netherlands as ‘complaint 1’. The complaint from Denmark was eventually rejected, because the investigation of the case did not show that Spotify has failed in its handling of the complainant's request for access.
Facts on Spotify’s general procedures for handling access requests (ex officio investigation)
With regard to Spotify's general practices on handling access requests, Spotify provides information required by Article 15(1)(a)-(h) and 15(2) GDPR via an online function. When Spotify provides a copy of personal data under Article 15(3) GDPR it includes a file called "Read me first" to each copy of data with a link to the information.
Moreover, Spotify provides a copy of personal data under Article 15(3) GDPR by dividing the information to three different layers: “Type 1” that consists profile information, “Type 2” that consists technical log files linked to the data subjects' user IDs and “Type3” that consists information specifically requested by a data subject. Spotify provides the information in JSON format.
Facts on individual complaints that triggered the DPA’s ex officio investigation
Complaint 1
The complainant had made an access request, on 27 May 2018, under Article 15 GDPR to Spotify, and contacted Spotify later again, as the complainant themself noticed that the information provided by Spotify was incomplete. Spotify thereafter provided the remaining data. The data was provided to the complainant in JSON format. Some of the technical log files were provided encrypted which Spotify, during the DPA's investigation, claimed to have been a mistake.
The complainant argued that 1) Spotify did not provide the personal data in due time under Article 12(3) GDPR and 2) that the data was not provided in an intelligible form as required by Article 12(1) GDPR.
Complaint 2
The complainant made an access request, on 10 Oct 2018, under Article 15 GDPR to Spotify by using Spotify's "Download your data" feature that provided the "Type 1" information. The "Type 1" data was provided to the complainant in JSON format. The complainant did not return to Spotify for further information.
It was argued by the complainant that 1) Spotify had not provided all of the personal data that Spotify processes about them, 2) Spotify had not provided any of the information as required by Article 15(1)(a)-(h) and 15(2) GDPR, and that 3) Spotify had not provided the personal data in an intelligible form as required by Article 12(1) GDPR. At the time of the complainant’s request, Spotify had not yet implemented its practice - mentioned above - where Spotify includes the “Read me first” file to its responses to access requests. Such information was available only in Spotify’s privacy policy, at the time.
Holding
Holding with regard to the ex officio investigation on Spotify’s general procedures for handling access requests
Spotify’s practices, with regard to providing the information via an online tool, were found to be sufficient in ensuring that information in accordance with Article 15 GDPR was provided to its users. However, the DPa emphasized that such information must be formulated, in a way, that it fulfils the purpose of the right of access. This means that such information must ensure that i. the data subject is aware of the processing and ii. can verify its lawfulness. Furthermore, the DPA noted that such information must also be provided in a way that fulfils the transparency requirements of Article 12(1) GDPR.
Essentially, the DPA found that Spotify should have taken steps to adapt the information to a user’s specific situation in order for the data subject to be able to verify the lawfulness of the processing concerning them. This was not the case with Spotify’s practices, as it provided the same information to users regardless of who requested access. Moreover, the DPA found that the information provided by Spotify was not concise, clear and transparent, nor easily accessible, because the information was of a general nature or too imprecise for a data subject to understand. In this respect, Spotify was found to be in breach of the Articles Articles 15(1)(a)-(d) and (g), and Article 15(2) GDPR as well as Article 12(1) GDPR.
Since a data subject has to take different actions to request the different layers of data, the DPA considered it may cause some inconvenience to the data subject. However, Spotify's practices in this respect did not violate Article 15(1) and (3) GDPR because the DPA considered that the data subject has the possibility to take all these actions at the same, if requested directly through Spotify's customer service. After an overall assessment, DPA concluded that Spotify's general procedures allow data subjects to request access in a sufficiently simple manner.
The DPA found that design and format used by Spotify generally meets the transparency requirements of Article 12(1) GDPR, but noted that Spotify provides by default the detailed description of the data in the technical log files only in English. It follows from Article 12(1) of the GDPR that the information provided under Article 15 GDPR must be given in a concise, clear and plain, intelligible and easily accessible form, using clear and plain language.
The DPA held that description of the data in the technical log files provided by Spotify did not fulfill the requirements of Article 12(1) GDPR, as such information was provided by default only in English. In this respect, Spotify was found to be in breach of Article 12(1) GDPR.
As a result of the investigation, Spotify was issued with a fine of approx. 5 000 000 EUR (58 000 000 SEK) as a result of its infringements.
Holdings on the individual complaints (Complaint 1, and Complaint 2)
Complaint 1
As was raised already in the ex officio investigation, the DPA found it possible to split the information into different layers, provided that the data subject has been sufficiently informed (how the copy of personal data is split and how access to the different layers can be requested).
As a result, the DPA found that Spotify, at the time of the complainant's access request, did not provide sufficiently clear information for the complainant to understand that the copy of personal data was disaggregated. Given the lack of information in that regard at the time of the complainant's request, Spotify should have disclosed all the personal data it processed about the complainant after the complainant’s initial access request. Furthermore, Spotify should have provided an explanation for the data provided in encrypted form. The complainant's possibility to contact customer service and request additional information was considered irrelevant by the DPA, as it found such behaviour presupposing that the complainant would understand that there was additional personal data to be disclosed.
Spotify breached Articles 12(1), 15(1), and 15(3) GDPR by failing to provide all of the complainant's personal data in an intelligible form. Furthermore, Spotify breached Article 12(3) GDPR by providing the copy of personal data too late. The DPA issued Spotify a reprimand.
Complaint 2
Likewise in Complaint 1, the DPA noted that it is possible to divide the copy of personal data into different layers, provided that the data subject has been sufficiently informed on how to request all data.
After assessing the information provided by Spotify, at the time of the complainant's access request, the DPA found that it was not sufficiently clear for the complainant to understand that only a subset of the personal data was covered by the request. Furthermore, the DPA considered irrelevant that the complainant could have, as claimed by Spotify, contacted Spotify's customer service requesting additional information.
The DPA highlighted, inter alia, that when it is unclear whether the request relates only to a part of the personal data, the controller should assume that the data subject wishes to have access to all their personal data.
Eventually, the DPA held that Spotify breached Articles 15(1) and 15(3) GDPR by failing to provide access to all personal data processed by Spotify about the complainant. Furthermore, Spotify was found to breach Articles 15(1)(a)-(h) and 15(2) GDPR by failing to provide any of the information listed in those provisions. It was not sufficient that information was available in Spotify’s privacy policy at the time of the complainant's request.
However, the DPA considered that JSON format is currently an electronic commonly used format referred to in Article 15(3) GDPR. The DPA issued Spotify a reprimand, and ordered Spotify to comply with the complainant's access request and provide the complainant with the remaining information.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.
1(30)
Spotify AB
Regeringsgatan 19
11153 Stockholm
Diary number:
Decision after supervision according to
DI-2019-6696
data protection regulation - Spotify AB
Date:
2023-06-12
Table of Contents
The Privacy Protection Authority's decision................................................... ............................3
Spotify's general procedures for handling requests for access............................3
Review of individual complaints................................................... ..........................3
1 Description of the supervisory matter ............................................... .....................................5
2 Applicable regulations................................................... ............................................6
3 Spotify's general procedures for handling requests for access - Justification of decisions
................................................... ................................................ ...................................7
3.1 Information - article 15.1 a-h and 15.2 of the data protection regulation................7
3.1.1 What emerged in the case ........................................... ..............7
3.1.2 The Privacy Protection Authority's assessment...................................8
3.2 The right to access personal data and a copy of personal data under
processing - article 15.1 and 15.3 of the data protection regulation............................12
3.2.1 What has emerged in the case............................................. .......12
3.2.2 The Privacy Protection Authority's assessment...................................15
4 Review of individual complaints - Reasons for decisions............................................. ..20
4.1 Complaint 1 (from the Netherlands with national reference number z2018-
28415)................................................ ................................................ ..............20
4.1.1 Background................................................... ..........................................20
4.1.2 What has emerged in the case............................................. .......20
4.1.3 The Privacy Protection Authority's assessment...................................22
Postal address: 4.2 Complaint 2 (from Austria with national reference number D130.198) ......23
Box 8114
104 20 Stockholm 4.2.1 Background............................................ ............................................23
Website:
www.imy.se 4.2.2 What has emerged in the matter................................. ............23
E-mail: 4.2.3 Assessment by the Privacy Protection Authority...................................24
imy@imy.se 4.3 Complaint 3 (from Denmark with national reference number 2018-31-1198)26
Phone:
5 Choice of intervention................................................... ................................................... .......26
08-657 61 00 The Swedish Privacy Agency Diary number: DI-2019-6696 2(30)
Date: 2023-06-12
5.1 Applicable regulations................................................... ............................26
5.2 Same or connected data processing...................................27
5.3 Deficiencies in information according to article 15.1 and 15.2 of the data protection regulation
and in the description of the data in the technical log files............................27
5.4 Violations regarding complaints 1 and 2 ........................................... .......29 The Swedish Privacy Agency Diary number: DI-2019-6696 3(30)
Date: 2023-06-12
The Privacy Protection Authority's decision
Spotify's general procedures for handling requests for access
The Swedish Privacy Protection Authority states that Spotify AB (556703-7485) under
the period from and including 16 November 2021 to and including 16 May 2022 in the
1
information that must be provided according to article 15.1 and 15.2 of the data protection regulation does not
provided sufficiently clear information about
– the purposes of the processing,
– categories of personal data to which the processing applies,
– categories of recipients of the personal data,
– the foreseen periods during which personal data will be stored or, if
this is not possible, the criteria used to determine this period,
- where personal data comes from,
- appropriate protective measures when personal data is transferred to third countries.
The Privacy Protection Authority further notes that Spotify AB during the period from
and with June 11, 2019 through May 16, 2022 by default
do not provide the description of the data in the technical log files in English
has met the requirements that all communications provided to the data subject pursuant to
Article 15 of the Data Protection Regulation shall be clear and understandable in the manner specified in
article 12.1 of the data protection regulation.
Spotify AB has thus processed personal data in violation of articles 12.1, 15.1 a-d,
15.1 g and 15.2 of the data protection regulation.
The Privacy Protection Authority decides with the support of articles 58.2 and 83 i
the data protection regulation that Spotify AB must pay an administrative fee for these shortcomings
sanction fee of 58,000,000 (fifty-eight million) kroner.
Review of individual complaints
The Swedish Data Protection Authority notes with regard to complaint 1 that Spotify AB in its
handling of the appellant's request for access made on 27 May 2018 has
processed personal data in violation of
- Article 12.3 of the Data Protection Regulation, in that the copy of personal data has
left too late,
- articles 12.1, 15.1 and 15.3 of the data protection regulation, by in that copy on
personal data provided by Spotify AB has not been provided to all of the complainants
personal data in an understandable form.
The Swedish Data Protection Authority notes with regard to complaint 2 that Spotify AB in its
handling of the complainant's access request made on 10 October 2018 has
processed personal data in violation of
- articles 15.1 and 15.3 of the data protection regulation, by in that copy on
personal data provided by Spotify AB has not given access to all
personal data that Spotify AB processed about the complainant,
1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with
regarding the processing of personal data and on the free flow of such data and on the cancellation of
directive 95/46/EC (general data protection regulation). The Swedish Privacy Agency Diary number: DI-2019-6696 4(30)
Date: 2023-06-12
- articles 15.1 a-h and 15.2 of the data protection regulation, by not having
provided any of the information specified in these regulations.
The Swedish Data Protection Authority gives Spotify AB a reprimand according to article 58.2 b i
the data protection regulation for the deficiencies regarding complaints 1 and 2.
The Swedish Privacy Protection Authority orders Spotify AB according to article 58.2
c in the data protection regulation that regarding complaint 2 no later than one month after this
decision gained legal force accommodate the appellant's request for access by, with
subject to any applicable exceptions in Article 15.4 of the Data Protection Regulation and
5 ch. data protection law, give the complainant access to all personal data that
Spotify will process the complainant by providing the complainant with a copy of
the personal data according to 15.3 and provide information according to articles 15.1 a-h and
15.2.
2
3 The complainant's identification information appears in Appendix 1
The Act (2018:218) with supplementary provisions to the EU's data protection regulation. The Swedish Privacy Agency Diary number: DI-2019-6696 5(30)
Date: 2023-06-12
1 Description of the supervisory matter
The Swedish Data Protection Authority (IMY) has, in the light of IMY having taken note of
complaints directed against Spotify AB (Spotify) regarding the right of access pursuant to Article 15 i
data protection regulation, initiated supervision of Spotify with the aim of investigating the company's way of
handling the data subject's request for access is in accordance with the data protection regulation
regulations. IMY has initially reviewed the company's general procedures upon request
about access and not what existed in the individual complaints. The review has
been focused on whether the company's processes and routines to provide access according to article
15 on a general level enables data subjects to gain access to the personal data
the company processes them and other information according to the provision. With
registered refers in this context to the customers who use Spotify's services and
not other categories of data subjects, e.g. employees of Spotify.
Within the scope of this review, IMY has not checked which personal data
Spotify processes and if all of these are issued with each individual request. For example
has any comparison between Spotify's records of processing pursuant to Article 30 i
the data protection regulation and the personal data included in the copy of personal data
according to Article 15.3 of the data protection regulation has not been done. IMY also does not have within the framework
for this supervision reviewed whether Spotify's personal data processing otherwise complies
the provisions of the data protection regulation, e.g. regarding basic principles and
legal basis for the processing.
The supervisory case was initiated with a supervisory letter on 11 June 2019. Response to
the supervisory letter was received on July 31, 2019. On October 16, 2019, a request was sent
about completion in the case. Answer received on November 15, 2019. Spotify has subsequently
on his own initiative received further additions on 25 August 2020 for the purpose
to inform IMY of updates regarding procedures for handling requests for
access.
Spotify is an organization with operations and users in several EU member states.
In consideration of the fact that the case is cross-border, IMY has applied the mechanisms for
cooperation and uniformity found in Chapter VII of the Data Protection Regulation. Every
data protection authorities in the EU have been concerned supervisory authorities in this case. With
reason for the mechanisms of cooperation and uniformity, and the need for a
4
harmonized complaint handling within the EU, the IMY extended in November 2020 the
ongoing general supervision to also include what existed in three individuals
complaints, which also include the complaints that were initially the basis for
the supervision of the general routines.
On November 5, 2020, IMY requested that Spotify explain its approach to them
deficiencies alleged in the complaints and what steps Spotify has taken to respond
on the respective request for access. Spotify has responded to IMY's request on 18
December 2020. Spotify has subsequently submitted supplementary statements, on 15
April 2021 in response to supplementary questions that IMY asked on March 24, 2021 as well as
on 31 August 2021 in response to questions raised by IMY on 9 July 2021.
4
In 2020, the data protection authorities worked together to determine common working methods with
the handling of complaints, which resulted in internal guidance that was established in February 2021. From that
end the complaints with a standard response, IMY now makes an individual assessment of each complaint. Internal EDPB
Document 02/2021 on SA's duties in relation to alleged GDPR infringements, adopted February 2, 2021. Data Protection Agency Diary number: DI-2019-6696 6(30)
Date: 2023-06-12
On October 19, 2021, another request for completion was sent regarding
Spotify's general procedures. Answer received on 12 November 2021. On 8 June and 17
In October 2022, Spotify has, on its own initiative, submitted further additions in
purpose of informing IMY about updates regarding routines for handling the request
about access.
Spotify has commented on IMY's draft decision on 20 December 2022. IMY has
then provided the other relevant supervisory authorities with the opportunity to comment accordingly
Article 60 of the Data Protection Regulation. The French data protection authority has thereby
expressed a relevant and reasoned objection to IMY's draft decision. Spotify has
on March 13, 2023, an opportunity has been prepared to comment on the objection and IMY's revised
draft decision. Spotify's response was received on April 11, 2023.
Against the background of the above, the supervisory case includes an examination of
Spotify's general routines for handling requests for access, partly a review of
what existed in the three complaints. The general routines regarding the provision
of personal data according to article 15.1 and 15.3 of the data protection regulation which
reviewed are those that have been in force since IMY's supervision began on 11 June 2019
up to and including 16 May 2022. Regarding the information according to Article 15.1 and 15.2 of
the data protection regulation that must be provided when a request for access has Spotify
updated it several times since supervision began. IMY has therefore limited its
review to the information that was valid during the period from 16
November 2021 through May 16, 2022. 5
2 Applicable regulations
According to Article 15.1 of the data protection regulation, the data subject has the right to of it
personal data controller receive confirmation as to whether personal data concerning him
or her is being processed and in that case gain access to the personal data and
information about
a) The purposes of the processing.
b) The categories of personal data to which the processing applies.
c) The recipients or categories of recipients to whom the personal data has
provided or to be provided, especially recipients in third countries and international
organizations.
d) If possible, the anticipated period during which the personal data will
stored, or if this is not possible, the criteria used to determine
this period.
e) The existence of the right to request correction from the personal data controller or
deletion of the personal data or restrictions on processing of
personal data relating to the data subject or to object to such
treatment.
f) The right to lodge a complaint with a supervisory authority.
g) If the personal data is not collected from the data subject, all available
information about where this data comes from.
h) The existence of automated decision-making including profiling according to
article 22.1 and 22.4, whereby at least in these cases it must be left meaningful
5See Spotify's information according to Article 15 of the Data Protection Regulation in Appendix 2. Of the information, which was printed by
IMY on 16 May 2022, it appears that the current website was last updated on 16 November 2021. The time period for
the review is therefore set for the period from and including November 16, 2021 to and including May 16, 2022. The Swedish Privacy Agency Diary number: DI-2019-6696 7(30)
Date: 2023-06-12
information about the logic behind as well as the meaning and the anticipated consequences of
such treatment for the data subject.
Article 15.2 of the data protection regulation states that if the personal data is transferred to a
third country or to an international organisation, the data subject shall have the right to
information on the appropriate protective measures that have been taken in accordance with Article 46
at the time of transfer.
It follows from Article 15.3 of the data protection regulation that the person in charge of personal data must
provide the data subject with a copy of the personal data that is being processed.
Furthermore, it appears that if the request is made in electronic form, the information must, if not
otherwise requested, provided in an electronic format that is generally used.
Recital 63 of the data protection regulation states, as far as relevant, the following:
The data subject should have the right to access personal data that has been collected
this as well as being able to exercise this right in a simple way and at reasonable intervals, for
to be aware that treatment is taking place and to be able to check that it is
legal. (…) All data subjects should therefore have the right to be informed and notified
above all, for what purposes the personal data is processed, if possible which
time period the processing is in progress, who receives the personal data,
underlying logic in connection with automatic processing of personal data
and, at least when the processing is based on profiling, the consequences of
such treatment. (…)
It also follows from Article 12.1 of the data protection regulation that it
personal data controller must take appropriate measures to ensure that all communications given
to the registered under Article 15 must be in a concise, clear and clear, understandable and
easily accessible form, using clear and unambiguous language.
It follows from Article 12.2 of the data protection regulation that the person in charge of personal data must
facilitate the exercise of the data subject's right of access under Article 15.
According to Article 12.3 of the Data Protection Regulation, the personal data controller must
request, without undue delay and in any case no later than one month after
having received the request, provide the registered information about the actions
which was taken in accordance with Article 15 of the Data Protection Regulation. This period may if necessary
be extended by a further two months, taking into account the complexity of the request
and the number of requests received. The personal data controller must notify it
registered for such an extension within one month of the receipt of the request
and state the reasons for the delay.
3 Spotify's general procedures for handling
request for access - Justification of decision
3.1 Information - article 15.1 a-h and 15.2 i
data protection regulation
3.1.1 What emerged in the matter
In summary, Spotify has stated the following. Spotify provides information in
in accordance with article 15.1 a-h and 15.2 of the data protection regulation via an online function.
This function is available in 21 different languages and those who visit the page will The Danish Data Protection Agency Diary number: DI-2019-6696 8(30)
Date: 2023-06-12
automatically to be given the information in language based on language settings in their
browser.
Registrants who exercise their right of access are informed about the function in several ways. IN
each copy of personal data provided pursuant to Article 15.3 i
data protection regulation, a link to the information is included. The information also goes
to find online, partly in the list of available functions on the company's page for "Integrity &
Security" partly via the answer to the question "Where can I find information about Spotify's processing
of personal data that Spotify is obliged to provide under Article 15 of the GDPR?”
on the company's page for "Personal data rights and privacy settings".
In the information according to Article 15 of the data protection regulation that Spotify submitted
the period from and including 16 November 2021 to and including 16 May 2022, as IMY
taken note of, Spotify provided, among other things, information about the purpose of treatment (article
15.1 a), which categories of personal data are processed (Article 15.1 b), recipients
or categories of recipients (Article 15.1 c) and the source of the personal data (Article 15.1
g). In addition to that, the information according to Article 15 also contained information about
international transfers (Article 15.2), criteria for how long the personal data
saved (Article 15.1 d), what rights the data subject has (Article 15.1 e), the right to
submit a complaint to the data protection authority (Article 15.1 f), automated
decision-making (Article 15.1 h) and the possibility of obtaining a copy of personal data.
In the information pursuant to Article 15 of the Data Protection Regulation, Spotify also informed
that the processing of personal data is described in more detail in the company's
privacy policy, which could also be accessed through a direct link. In the privacy policy can be found
including descriptions of the categories of personal data that Spotify processes.
Spotify has stated that all questions that are not answered by the information according to Article 15 i
the data protection regulation or which has not been explained to the user in one
satisfactory manner is promptly escalated to the company's data protection team. In that way,
the company states, the data protection team is made aware of, and given the opportunity to respond,
questions about clarifications or requests for more individualized information about
the processing of personal data according to Article 15 of the Data Protection Regulation.
3.1.2 The Privacy Protection Authority's assessment
IMY states that Spotify's function for information according to Article 15 i
the data protection regulation during the period that is the subject of review existed
available on several different pages on Spotify's website. Furthermore, a link to was included
the information in the "Read me first" file that was attached to each copy of personal data
which was provided to the data subject in accordance with Article 15.3 i
the data protection regulation in case of a request for access. IMY assesses with that in mind
above that Spotify's routines during the relevant period were sufficient to
ensure that information according to Article 15 was provided to the data subject at each
access request.
IMY further notes that Spotify's information according to Article 15 i
the data protection regulation covered all the points of information that according to article
15.1 a-h and 15.2 of the data protection regulation must be provided to the data subject. For
that the information must meet the requirements set in the data protection regulation must
6 See appendix 2 The Swedish Privacy Agency Diary number: DI-2019-6696 9(30)
Date: 2023-06-12
however, the information is also designed in such a way that the purpose of the right of access
is fulfilled.
The purpose of the right of access is for the data subject to be aware that
processing takes place and be able to check that it is legal, which is evident from reason 63 to
data protection regulation. For example, a registered person must be able to check
which categories of data are processed about him or her, for which purposes
and for how long. So that the registered person can check if
the processing of personal data is legal, he or she must know which treatments are
are relevant in his or her specific case. The information provided must hereunder
provided in a manner that meets the requirements for transparency in Article 12.1 i
data protection regulation.
Against the background of the purpose of the right of access, there is often a need to
adapt the content of the information according to Article 15.1 and 15.2 i
the data protection regulation to the data subject who has made the request, for example
depending on which of the personal data controller's services the data subject has
chosen to use. However, this does not apply to all parts of the information. While the right to enter
complaints to a supervisory authority (Article 15.1 f of the Data Protection Regulation) not
changes depending on who requests access, other information may vary depending
on which service the data subject uses, for example which categories of
personal data processed, recipient and from where personal data was collected.
The same applies to information about whether a transfer has taken place to a third country and if so
what appropriate protective measures have been taken during the transfer.
In order for the data subject to have the opportunity to check that the processing concerns
him or her is legal it is therefore required, in accordance with what is stated above, that
Spotify must have taken measures to adapt the information to that of the registrant
7
specific situation.
IMY notes that the information provided by Spotify pursuant to Article 15 i
the data protection regulation was generally designed. The same information was thus provided
regardless of who requested access in accordance with Article 15 of the Data Protection Regulation.
The information was thus not adapted based on each request for access. However
described Spotify when certain information was relevant for the data subject, for example
"If you use a third-party service (…)", "If you choose to pay for a service or
function via invoice (…)” and “In cases where you have given us permission (…)”. There was
thereby certain prerequisites for the data subject to determine which information
meant him or her. There was also an opportunity for registrants to apply
to Spotify and request more individualized information as well as clarification of it
information that had been provided.
IMY considers that such generally designed information may be suitable for
standardized services that include personal data processing. Because they
data subjects must understand how their personal data is processed, however, it must always be
possible to clearly and simply read out which information is applicable in which situations
based on the information provided. This means that the possibility for those registered
to turn to Spotify for more individualized information as well as clarifications
does not affect the assessment of whether the information here is sufficiently clear
the respect. Generally designed information must not entail any ambiguities regarding
7 See the European Data Protection Board's (EDPB) guidelines on the right of access - Guidelines 01/2022 on data subject
rights – Right of access, version 2.0 (finally adopted on 28 March 2023), paragraph 113.
8 See appendix 2 The Swedish Privacy Agency Diary number: DI-2019-6696 10(30)
Date: 2023-06-12
whether the data subject is affected by the current information or not based on
his individual situation. IMY therefore has to test the information that Spotify
submitted met these requirements.
Information on categories of personal data, purpose, recipient and source
Information about the purpose of the processing must refer to the purposes for which it is
data subject's personal data is actually processed, and must not consist of only one
enumeration of various purposes without clarifying which purposes are relevant
the person requesting access. Furthermore, information about the categories of personal data
which are processed need to be adapted to the circumstances of the data subject who requests
access. With regard to information about recipients or categories of recipients, such should
information be as specific as possible. The data controller should normally
state to which actual recipients the personal data has or is to be disclosed, if
it is not impossible because, for example, there is no information yet
about who the recipients are. In addition, all available information must be provided about where from
the personal data will, if the personal data has not been collected from it
9
registered.
Regarding the information provided by Spotify about the purpose of the processing,
recipient of personal data and source from which the data was collected states
IMY that the information was divided based on different categories of personal data. These
categories of personal data consisted of "user data", "usage data", "data
on plan verification", "voting data", "payment and purchase data" and "competition, survey and
lottery data”. The categories of personal data specified were generally held and
contained none in several cases, for example regarding "user data" and "usage data".
more detailed description of which personal data could be included. IMY believes that,
especially in the absence of a clear description of the relevant categories, was not possible
for the data subjects to, based on the information provided, understand which personal data
which were included in the various categories. Because the information on purpose,
recipient and source was divided according to these categories of personal data entails
this lack that it was also not possible for data subjects to easily understand which
personal data processed for which purposes, which personal data
taken from which source or which personal data was provided to a particular recipient
or category of recipients. Those registered have thus not had the opportunity to read out
in which way their personal data was processed.
IMY therefore believes that Spotify has not provided sufficiently clear information about the purposes
with the processing (Article 15.1 a of the data protection regulation), the categories of
personal data processing applies (Article 15.1 b of the data protection regulation),
recipients or categories of recipients (Article 15.1 c of the data protection regulation) or
source from which the data was collected (Article 15.1 g of the Data Protection Regulation).
The information was not concise, clear and clear, nor was it easily accessible. The
thus also did not meet the requirements of Article 12.1 of the Data Protection Regulation.
Information on storage period
Information provided about how long personal data is stored must be sufficient
specific so that the data subject understands how long his personal data will last
to be stored. If it is not possible to specify the time of deletion, the relevant one should be used instead
9 Cf. the European Data Protection Board's (EDPB) guidelines on the right of access - Guidelines 01/2022 on data subject
rights – Right of access, version 2.0 (adopted on 28 March 2023), paragraphs 114-120 and judgment of 12 January 2023 in EU-
court case C-154/21, Österreichische Post.Integritetsskyddsmyndigheten Diary number: DI-2019-6696 11(30)
Date: 2023-06-12
the event affecting conservation is specified, such as the expiration of a
warranty period. The storage periods shall refer to the personal data that is linked
the data subject requesting access. If this personal data is subject to different
storage periods, information about the storage periods must be specified in relation to each
current personal data processing and category of personal data. 10
Spotify provided information about storage periods under the heading "Criteria for
retention of personal data”. The information contained general information about
for which purposes the personal data is saved and criteria used to
determine the storage periods. Among other things, it was stated that personal data as standard
is retained for 90 days, unless a longer period is chosen due to a legitimate business reason.
Furthermore, it was stated, among other things, that personal data is stored for a suitable period in order to
deliver a personalized service over time and that streaming history is usually preserved during
lifetime of an account.
The information on how long data is kept was generally designed and, with
exception, among other things, for the information about streaming history, not clearly linked to
which categories of personal data were intended by the different storage times. The
registrants could therefore find it difficult to decipher which of their personal data
was preserved for what period of time. The criteria for determining the storage period
which were stated in the information were furthermore in some cases very imprecise. It is for example
difficult for a data subject to understand what was included in "legitimate business reason" and
thus in which situations personal data was kept longer than 90 days or whatever
meant that streaming history was "usually" preserved for the lifetime of an account.
In an overall assessment, IMY considers that the information provided regarding
storage periods did not meet the requirements in Article 15.1 d of the data protection regulation partly then
the information in this part was generally designed and lacked connection to current
category of personal data, partly then some of the criteria used to
determining the storage period was too imprecise for the data subject to understand
how long his personal data was stored. The information was not concise, clear and
clear and also not easily accessible. It therefore also did not meet the requirements of the article
12.1 of the data protection regulation.
Information on third country transfer
In order for the registered person to be able to assess a possible transfer of his
personal data to third countries is legal, the data subject must get meaningful
information that makes it possible to find out whether his personal data has been transferred and
if so, what safeguards have been used. To enable it was registered
checking whether his or her personal data has been processed legally, it should i
11
it will normally also be clear to which third countries the transfer has taken place.
In the information provided by Spotify regarding transfers to third countries it was clear
under the heading "International transfers" that Spotify can share personal data
globally with other Spotify Group companies, service providers, partners, etc. Further
stated that Spotify ensures that the transfer is carried out in accordance with the applicable
data protection and privacy laws and that technical and organizational measures, and i
in particular, appropriate protective measures are applied, e.g. the standard contract clauses which
10 European Data Protection Board (EDPB) guidelines on the right of access - Guidelines 01/2022 on data subject rights
– Right of access, version 2.0 (finally adopted on 28 March 2023), paragraph 118.
11 Cf the Article 29 Group's Guidelines on Transparency under Regulation (EU) 2016/679, WP260rev.01, adopted by
European Data Protection Agency, p.40. Data Protection Agency Diary number: DI-2019-6696 12(30)
Date: 2023-06-12
approved by the European Commission when personal data is transferred from European
economic cooperation area (EEA).
IMY states that the information provided by Spotify regarding
third country transfers was generally designed and not linked to the registered
own situation. It was not clear whether the data subject's personal data had
transferred to any third country, and if so, what appropriate safeguards were in place
taken at the time of transfer. It was also not clear to which third countries the transfer had
happened. IMY therefore assesses that the information provided regarding
third country transfers did not meet the requirements of Article 15.2 of the Data Protection Regulation.
The information was not concise, clear and clear, nor was it easily accessible. The
thus also did not meet the requirements of Article 12.1 of the Data Protection Regulation.
Summary assessment of the information according to Article 15.1 and 15.2 i
data protection regulation
In summary, IMY finds that the information provided by Spotify according to article
15.1 and 15.2 of the data protection regulation during the period between 16 November 2021
up to and including 16 May 2022 has been deficient in the above-mentioned respects.
Spotify has thus processed personal data in violation of articles 12.1, 15.1 a-d,
15.1 g and 15.2 of the data protection regulation.
3.2 The right to access personal data and a copy of
personal data under processing – article 15.1 and 15.3 i
data protection regulation
3.2.1 What has emerged in the case
Spotify has stated that their response to access requests, with a few exceptions, is
designed to disclose all personal data that they process regarding it
registered. The company has further explained its routines to ensure that all
personal data is disclosed, for example when new or updated
personal data processing.
The copy of personal data provided by Spotify in accordance with Article 15.3 i
the data protection regulation can be given through three different answers, Type 1, Type 2 and Type 3.
The personal data covered by Type 1 is profile information and the personal data
which Spotify has deemed to be of greatest interest to those registered. In Type 1 is included
therefore, it recorded playlists, streaming history and recent searches
the year, objects saved in the registrant's library, the number of followers of the registrant
has, the number of users the registrant follows, the names of artists the registrant
follows, user data and payment information. To give the registrant access to
Type 1 information, the company has introduced a function called "download your data" on a
privacy settings web page. The web page through which the data subject can
access to this information is available to all customers via their Spotify account
and provided in the same language as their Spotify service. Those registered may
access to the Type 1 information within about seven days. Those registered can also get
access to the Type 1 information by contacting Spotify's customer service.
Type 2 information consists of technical log files that are stored in Spotify's system
linked to the data subject's user ID. To access the Type 2 information
the data subject can send a request via Spotify's web form for privacy issues
or by contacting customer service or Spotify's data protection officer through someone
Date: 2023-06-12
other channel (email, Facebook, Twitter or letter). It takes about two to four weeks to
compile and disclose this personal data.
Type 3 information consists of the information that a registered person specifically requests and can
for example, refer to the data subject's listening history on a particular date, an extended
listening history or a request for unstructured personal data, for example a
request for certain email correspondence. Type 3 information can be requested on the same
way as Type 2 and such a request normally takes less than 30 days to process.
In case it takes longer to process the request, due to the complexity of the request,
the data subject is informed of the delay.
On 15 June 2021, Spotify implemented changes which mean that all Spotify
users who request a copy of personal data beyond what is available in
"Download your data" tool, or that directly requests a copy of all its
personal data from Spotify's customer service, get access to extended streaming history
as well as technical log information in one package.
Spotify has stated that the design of the process and its development up to today are one
aggregate result of joint discussions, careful considerations and analyses
as well as meetings with relevant customer service and development teams. Spotify's data protection team
has provided advice regarding legal requirements and "best practices" in data protection and
continues to continuously update these based on a number of identified parameters,
including relevant and current legislation, guidance, the ability to
quickly respond to a large number of requests, ease of use and categories of
personal data that is processed.
Spotify has stated that they have over 232 million monthly active users and that
during the period from 25 May 2018 to 30 June 2019 they answered 753,575 requests
about access. According to Spotify, the division of data into three different types has done so
possible to provide a quick and easy way for the data subject to download them
personal data that is likely to be most relevant to the data subject and to generate
answer in large measure and with the speed required to satisfy the majority
of those registered.
12
Spotify further refers to statements in the EDPB's transparency guidelines that it i
data protection regulation there is an inherent tension between the requirements to provide the
recorded extensive information on the one hand and that the information should be given in one
concise, clear and clear, comprehensible and easily accessible form on the other hand, that one must
determine how to prioritize information that must be provided to data subjects and
which levels of detail and methods are suitable for conveying the information and that
the principle of openness is an overarching obligation. Spotify believes that these guidelines
has relevance for the design of a concise, open, easy to understand and easily accessible
process for data subjects to exercise their rights under Article 15 i
data protection regulation. By providing three layers of response to requests for access to
registered, Spotify intends to balance the data protection regulation's interests on one
correct way in favor of Spotify's registrants. Spotify's goal is to provide correct
information in accordance with Article 15 to all data subjects at the right time by
provide information in different layers and in different ways.
Spotify has stated that the company informed registered users that it was possible to
request access to more personal data than those covered by Type 1 and Type 2, as well as
12Article 29 Working Party Guidelines on Transparency under Regulation (EU) 2016/679, WP260rev.01, as adopted by
European Data Protection Board, point 1 and point 34. Data Protection Authority Diary number: DI-2019-6696 14(30)
Date: 2023-06-12
that this information was provided to data subjects before they requested access to theirs
personal data. Furthermore, Spotify has stated that it appeared that those registered could
request access to more personal data than those covered by Type 1 by
request a Type 2 response. In addition, registered users could contact Spotify's customer service with
special requests (so-called Type 3 request). The information about this is provided in different ways
way, including on the website for "Personal data rights and
privacy settings" and on the website where information according to Article 15 i
the data protection regulation is published. When a user requests access to the
personal data covered by Type 1 by going to "Download your data" is
further according to Spotify clear from the context that users get access to a selection of
their personal data and not all their personal data. On the "Download your data" page
there is also a reference to the web page "Personal data rights and
privacy settings”. For requests according to both Type 1 and Type 2, information is given according to
article 15 of the data protection regulation which contains a comprehensive description of
available data. The information sources also explain that the user can request access
to their personal data via customer service or by contacting Spotify via email. If
a user contacts Spotify's customer service to exercise the right of access according to article
15 of the data protection regulation, customer service can explain all three types of
personal data that is available and inform users about it further
information that is available. The registrants were also informed that they could
request access to more personal data than they have already downloaded on the website
"Understand my data".
Furthermore, during the processing of the case, Spotify has updated the information that directs
itself to the data subjects in order to make it more transparent for data subjects that it exists
more to request than what is available in the "Download Your Data" tool.
With regard to the clarity of the information, Spotify has essentially stated the following. At
designing the access request response format the company focused on
provide all information in a way that makes it relevant, transparent and helpful
for those registered. The company developed a routine to ensure that the descriptions of
the personal data is correct and complete, which included extensive efforts for
to translate technical information into a simple language that can be understood by a
average customer, however, without removing such details as are necessary for transparency.
To facilitate understanding, Spotify does, among other things, the following.
- When downloading Type 1 information, the registered person also receives a so-called
"Read Me First" file. In the "Read Me First" file there is a link to the web page "Understand my
data", where the format and personal data included in Type 1 are described. This one
page has been updated during the processing of the case to now also include one
general description of the data in the technical log files and the extended
the streaming history. The linked pages are automatically displayed on the customer's preferred one
language based on the language setting in the customer's browser.
- In the Type 2 information, which consists of technical log files, there is some information
which is highly technical in nature. To help data subjects understand
the formatting of the personal data Spotify provides a detailed
description of the personal data in a special file in connection with the data
provided (in a “Read Me First” file for Type 2 requests). This description
provided by default in English. Spotify also answers customers' questions
about the significance of the personal data provided, as part of its process for
access request was registered. Spotify also continuously updates both
13From June 15, 2019 comprehensive Type 2 information, in addition to the technical log files, also expanded
listening history. The Swedish Privacy Agency Diary number: DI-2019-6696 15(30)
Date: 2023-06-12
the format of technical log files attributable to the customer's user ID (Type 2) and
corresponding information in the Type 2 “Read Me First” file to increase transparency
based on the questions asked.
– As regards special requests (Type 3), when the personal data which
provided may require explanations, Spotify may, if necessary, leave the information in
an e-mail to the data subject together with the copy of
the personal data.
Spotify has stated the following as background to the description of the Type 2 data
by default is left in English. To ensure that the information that the company
providing the registrants are correctly translated into their local language they are sent files
to be translated by manual translation to professional translators. Against
background of technical log data changing more dynamically over time than others
personal data that is collected, the company would have to send the extensive "Read
me First” file on translation several times a month. This would be
disproportionate and unreasonable to do for all local languages given the extra time,
resources and administration it would entail. Furthermore, many of the words have
appear in the technical log data typically no translation because they
often reflect technical concepts communicated primarily in English and
usually not translated into local languages. However, the company helps with translation
the information into local language if a user requests it to the extent they
the technical terms are translatable. Spotify has further stated that they have
responded to approximately 340,000 requests for access to technical log files. Of these
requests, only two registrants have turned to the company and requested one
translation of the description into their local language. Spotify further believes that
translation of the technical log files without request would mean that all
data subjects would have to wait longer to obtain their right of access by the technical
the log files provided.
In terms of which format is used, Spotify has stated that the personal data
provided in JSON format which, according to the company, is a structured and widely used
format that can be understood by both computers and humans. Data provided to
however, following a Type 3 request is provided in the format needed to respond
request.
Spotify has further informed IMY on 17 October 2022 that the company has since
the time allowed for data subjects to request access to account data, extended
streaming history and technical log information directly through "Download your data"-
the tool, i.e. without contacting customer service. These routines are not covered by IMY's
review when the update has taken place after May 16, 2022.
3.2.2 The Privacy Protection Authority's assessment
According to Article 15.1 of the data protection regulation, the data subject has the right to receive confirmation
on whether the personal data controller processes personal data concerning him or
her and in that case gain access to the personal data. The personal data controller has,
according to Article 15.3, an obligation to provide the data subject with a copy of the
personal data that is being processed. The right of access is the same regardless
by who the data controller is but the way to handle a request for access
may vary, among other things depending on the extent of the personal data that
processed and the number of registrants. According to Article 12.2 of the Data Protection Ordinance,
the personal data controller an obligation to facilitate the data subject to exercise
their rights. The Data Protection Agency Diary number: DI-2019-6696 16(30)
Date: 2023-06-12
The purpose of the right of access is for the data subject to become aware of it
processing that takes place and be able to check that it is legal. The
The data controller must therefore ensure that the copy of personal data
that is provided contains all the personal data processed about it
registered and is designed in a way that is comprehensible to the registered. Access
to the personal data must be given in a way that meets the requirements for transparency
in Article 12.1 of the Data Protection Regulation.
The requirements placed on the design and content of the copy mean that they
personal data controllers who process a large amount of data or data that is
particularly difficult to understand, may need to take special measures when the information
presented to those registered.
Spotify, whose personal data processing is both extensive and complex, has taken
develop special procedures for handling requests for access. The question is about these
routines enable the company to provide access to the personal data they process in one
way that satisfies the data subject's right of access.
Division of the copy of personal data into different layers
Spotify divides the copy of personal data into different layers, Type 1, Type 2 and Type 3.
IMY believes that there is no obstacle to dividing the copy of personal information in this way
as long as the right of access is satisfied. In some situations, on the contrary, it can help
the registrant to absorb the information if it is presented separately, in any case when
it is a matter of an extensive amount of information. The provision of the copy on
however, personal data in different layers must neither restrict the right of access nor make it difficult
the exercise of it. The person in charge of personal data must therefore take this into account in particular
the assessment of whether it is an appropriate measure to divide the copy of personal data.
A data subject who addresses a personal data controller to request access to
their personal data normally lacks knowledge of which personal data are
actually treated. Acquiring this knowledge is instead often the very purpose of
request. If the personal data controller in this situation only provides it
registrant with a selection of his personal data, the registrant risks that
is led to believe that the copy provided is complete.
For this reason, IMY considers that the personal data controller, in the channel he has
established so that the data subject can request access, must be clear that
the copy of the personal data is divided into different layers. It must also be clear to
it recorded what information is in the various layers and in what way
registrants can access these.4
In the report Spotify has submitted, it appears that the registered, in several different channels,
receives information that access to different personal data can be requested in different ways.
Through these channels it appears that access to "your most relevant personal data" can
obtained through the "download your data" function as well as access to technical log information,
extended streaming history or responses to other specific data protection requests may be obtained
upon request via e-mail or customer service. IMY can, of those reported in the report
the examples, state that the information provided to the registered also contains
14 Cf. The European Data Protection Board's (EDPB's) guidelines on the right of access - Guidelines 01/2022 on data subject
rights – Right of access, version 2.0 (finally adopted on March 28, 2023), point 146. The Swedish Privacy Agency Diary number: DI-2019-6696 17(30)
Date: 2023-06-12
an overall enumeration of which personal data the various types of
requests include.
IMY assesses that the information provided by Spotify in this regard, during that period
which the review of the general routines refers to, is sufficiently clear that it
data subjects must understand how the copy is divided, including what information is contained in them
the different layers, and how the different layers should be requested.
To set up special conditions for the exercise of the right of access without support i
the data protection regulation risks causing the data subject to be unduly hindered in
their exercise of the right. In other words, it can be perceived as unnecessarily complicated to
exercise the right, which in turn may result in the data subject refraining from requesting
out all information to which the registered person is entitled. There are reasons to emphasize that the
personal data controller, according to article 12.2 of the data protection regulation, has a
obligation to facilitate the exercise of the data subject's rights. In order to
the provision of the copy of personal data in different layers shall not entail that
the right is restricted or that the exercise of the right is made more difficult, IMY therefore considers that
it cannot be required that the data subject returns to the personal data controller
on several occasions to gain access to all personal data. Nor can it
be complicated to request access to the various layers. IMY therefore considers that it
registrants must be able to request access to all warehouses from the beginning and that
it should be easy to get access to these. Another thing is that the registered, with
the knowledge of how the data is divided, yet can choose to only request access
15
to one or more layers.
From Spotify's statement, it appears that the registered person can request access to the various
the layers in different ways. It is not required that the registrant returns to Spotify to take
part of the different layers. However, the data subject may have to take several measures to
get access to several layers, e.g. by both downloading Type 1 information through
function "download your data" and by requesting access to Type 2 and Type 3
information through customer service. If the data subject contacts customer service directly
with their request, the data subject can request access to all personal data
at the same time.
IMY considers that the fact that the data subject must take various measures for
requesting the various layers of data may cause some inconvenience. The registered
however, has the opportunity to take all of these actions at one and the same time.
All measures can also be taken easily via Spotify's website. At
an overall assessment, IMY believes that Spotify's routines enable the registered to
request access to all their personal data in a sufficiently simple way.
The design of the copy and format of the copy
It follows from Article 12.1 of the data protection regulation that the information provided according to
Article 15 of the Data Protection Regulation must be given in a concise, clear and understandable, understandable and
easily accessible form using clear and unambiguous language. What requirements should
placed on clarity in the individual case must be assessed against the background of the purpose of
the right of access, i.e. that the data subject must become aware of the treatment which
takes place and be able to check that the processing is legal.
1 Cf. The European Data Protection Board's (EDPB's) guidelines on the right of access - Guidelines 01/2022 on data subject
rights – Right of access, version 2.0 (finally adopted on March 28, 2023), point 146. The Swedish Privacy Agency Diary number: DI-2019-6696 18(30)
Date: 2023-06-12
The majority of the data that Spotify processes, especially when it comes to data in
the technical log files are by their very nature very technical as they contain e.g. codes and
numbers. Such information can be difficult for the average data subject to understand. To
to provide such information without further explanation would, according to IMY, not live up to
the requirements for clarity, in terms of the purpose of the right. Because the data to
provided in accordance with Article 15.1 of the Data Protection Regulation and covered by a copy
according to article 15.3 of the data protection regulation shall be the personal data which
is processed, however, it is not permitted for the personal data controller to change
difficult-to-understand personal data to facilitate understanding. Such data can
instead need to be explained.
Spotify provides, together with the copy of personal data, additional descriptions for
to make the data in the various layers comprehensible to the data subject. Spotify responds
also on the data subject's questions about the meaning of the personal data provided and
updates its general procedures and descriptions based on the questions that are asked.
IMY believes that data in the technical log files that Spotify provides can be
complicated to understand, despite the descriptions provided by Spotify. IMY believes
however, that by providing these descriptions, Spotify enables it
registered, albeit with some effort, to assimilate the information. That it
despite descriptions, some effort may be required by the data subject to understand some
particularly complicated tasks are a natural consequence of the nature of these tasks.
By default, Spotify provides only the detailed description of
the data in the technical log files in English. Neither Article 12.1 nor Article 15 i
the data protection regulation contains an explicit requirement in which language
personal data, or the description thereof, must be provided to the data subject.
However, IMY believes that it follows from the purpose of the right of access and the requirements for clarity i
article 12.1 that the registered should be able to receive the information in a language they know, i
at least when the personal data controller directs its activities to countries where this
constitutes an official language. This means that the personal data controller must take
sufficient measures to ensure that the data subject understands the information.
Spotify provides the majority of information provided to
registered according to Article 15 of the Data Protection Regulation, including a general
description of what the technical log files may include, based on
the language settings in the individual's web settings, i.e. the local language. Further
Spotify leaves clear information, in the local language, about the possibility to request
translation of the description of the technical log files in the "Read Me First" file which
provided with each request for access. This information is also provided at the local
the language on the "Understand my data" webpage. Spotify has thus taken extensive
measures to provide information in a language that the data subject must know
comprehend. However, Spotify has reported significant difficulties in translating
the description of the data in the technical log files to all local languages in them
countries to which they direct their operations. The difficulties have their basis in the constant
the changes to the data in the technical log files and the fact that many
technical concepts can hardly be translated from English.
1Cf the Article 29 Group's Guidelines on Transparency under Regulation (EU) 2016/679, WP260rev.01, adopted by
European Data Protection Board, point 13 and the European Data Protection Board's (EDPB) guidelines on the right to
access – Guidelines 01/2022 on data subject rights – Right of access, version 2.0 (finally adopted on 28 March 2023)
point 142. The Swedish Privacy Agency Diary number: DI-2019-6696 19(30)
Date: 2023-06-12
However, IMY notes that Spotify has stated that, at the request of a data subject, they have
possibility to translate the description of the data in the technical log files into one
local language to the extent that the technical terms are translatable. Since
a translation is therefore possible in practice, IMY believes that such a translation should
can be provided even before a request for translation has been made from one
registered. Spotify's stated difficulty in translating the description, including that
translation may need to be done on several occasions each month and the additional ones
resources this requires, cannot justify leaving the description as default either
in English. Considering the purpose of the right of access, it is crucial that it
data subjects understand which of their personal data has been processed in the technical
the log files, which requires an understandable description of its content. IMY therefore considers
that Spotify should have provided the description in local language already in connection with
that the technical log files were provided to the data subject, at least to that extent
it was necessary to understand the data in the technical log files.
Against this background, IMY believes that Spotify has not taken sufficient measures to
ensure that the data subject understands the description of the data in the technical
the log files when this information is only provided in English by default. The
information that Spotify provides in this part therefore did not meet the requirements that all
communications provided to the data subject pursuant to Article 15 i
the data protection regulation must be clear and understandable in the manner specified in Article 12.1 i
data protection regulation. The fact that a data subject has the opportunity to return to
Spotify to request a translation does not cure this deficiency.
It follows from Article 15.3 of the data protection regulation that a data subject who makes a request
if access in electronic form must receive the information in an electronic format that is
generally used, unless the data subject requests otherwise. Spotify is leaving
the data in JSON format. In the guidelines on the right to data portability, JSON format is given
17
as an example of a widely used open format.
IMY states that the requirements set for formats are different for the right to data portability
and the right of access when data portability according to article 20.1 of the data protection regulation
also requires that the data be provided in a structured and machine-readable format
format. In terms of the purpose of the right of access, IMY requires that the format in which
the data is provided in accordance with Article 15 of the Data Protection Regulation must be possible
to read for a natural person. However, there is nothing to prevent the format from also being
machine readable. Such a format can, in many cases, make it easier for the registered to himself
make various summaries or searches to facilitate understanding. IMY
believes that JSON format, which can be read by both computers and natural persons, i
the current situation is such an electronic generally used format as referred to in Article 15.3 i
data protection regulation.
Summary assessment regarding the right of access to personal data and copy
on personal data during processing – article 15.1 and 15.3 of the data protection regulation
In summary, IMY finds that Spotify's way of dividing the copy of personal data
in different layers does not hinder the exercise of the data subjects' rights and thus is
in accordance with article 12.2 of the data protection regulation and that the design and format
on the copy of personal data largely meets the requirements for transparency in Article 12.1 i
data protection regulation.
1Article 29 Group Guidelines on the right to data portability, WP242 rev.01, adopted by the European
the Swedish Data Protection Agency, p. 19. The Swedish Data Protection Agency Diary number: DI-2019-6696 20(30)
Date: 2023-06-12
However, IMY finds that the description of the data in the technical log files which
Spotify left during the period from and including 11 June 2019 to and including 16 May
2022 has not met the requirements of Article 12.1 of the Data Protection Regulation when this
information by default has only been provided in English. Spotify has thus i
in this respect processed personal data in violation of Article 12.1 i
data protection regulation during the relevant time period.
4 Examination of individual complaints - Justification
of decisions
4.1 Complaint 1 (from the Netherlands with national
reference number z2018-28415)
4.1.1 Background
The appellant has argued in summary that Spotify due to his
the access request made on 27 May 2018 has not provided access to all of his
personal data within the time prescribed in Article 12.3 of the data protection regulation
and that, once he has gained access to all personal data, these have not
provided in an understandable form in the manner prescribed in Article 12.1 i
data protection regulation.
4.1.2 What has emerged in the matter
Spotify provides three types of responses to ensure an appropriate and complete response
response to its users' requests in accordance with Article 15 of the Data Protection Regulation.
Spotify has stated that information about all three types of responses (Type 1, Type 2 and Type 3)
as well as information on how to request access to them was available at
the time of the appellant's request. In connection with a user choosing to load
down its data (Type 1), was evident from the description and instructions in direct connection with
the download tool that this was just a convenient way to get a copy of “the
most" personal data from his account and which categories of personal data that
were available through the tool. From the context it was therefore clear enough that
other personal data was also available. The appellant also had the opportunity to
contact customer service via several channels and request additional personal data.
The complainant had also had the opportunity to turn to customer service and directly request
access to all their personal data.
Spotify believes that the process at the time was transparent enough to
users would be able to understand as well as request additional available data in addition to those
which was included in the "Download your data" tool. Many other users also requested
both Type 2 and Type 3 tasks at that time. The appellant also succeeded in requesting
and access both Type 1 and Type 2 information. Spotify has subsequently done the majority
improvements in their processes to ensure that users cannot miss all three
types of information available and how to easily request access to it
the information.
Spotify has stated that with regard to the provision of the complainant's personal data, so
provided all requested personal data within the time frame specified in
article 12.3 of the data protection regulation. "Download your data" (Type 1) was requested by
complainant on 27 May 2018. The data was made available and downloaded by
complainant on May 28, 2018. A response time of one day is consistent with Spotify's
goal of quickly providing the most relevant information to users through
their automatic tools. The Swedish Privacy Agency Diary number: DI-2019-6696 21(30)
Date: 2023-06-12
Technical log files (Type 2) were requested by the complainant via email on 11 June 2018. In
Spotify's response on July 6, 2018, Spotify informed the complainant that the provision of
the personal data would take a little longer than expected due to the high number
requests and the complexity of compiling such technical information.
The information was made available for download on July 17, 2018. Even after having
informed the appellant of the reason why the response would be delayed, only 36 elapsed
calendar days (26 working days) between the complainant's request and the receipt of a response.
Regarding the complainant's complaint regarding the format of the personal data, Spotify has
stated that Type 2 data contains a large number of files with technical log data.
What data is processed may differ significantly for different users based on
what kind of Spotify service plan they have (eg Free, Premium, Family), features and
the specific user's activity, as well as variations in the usual internal
the processing and error logging of the Spotify software itself. Its a challenge
to find a way to explain this kind of technical information in a way like that
the average Spotify user can understand.
At the time of the complainant's request, Spotify provided the information in a JSON
format. However, Spotify did not provide any additional documentation to
further clarify what types of data were included and how these should be interpreted
(in addition to the information that appears in the JSON data fields themselves). Since 2019
however, Spotify provides a supplementary "Read Me First" file upon delivery of
all Type 2 data, which further describes the information contained in each file and
data field. Given the complexity and volume of the technical log files required
the creation of the "Read Me First" file a lot of work, and Spotify had not yet
completed this process at the time of the appellant's original request for access.
It was a mistake to provide the appellant with some of the technical log files in
encrypted format. Spotify stores data in its systems in encrypted format to reinforce
the integrity and security in connection with the company's own internal processing of
personal data. It was not Spotify's intention to withhold from the complainant
personal data from him. Although most of the encrypted data was decrypted
before being included in the appellant's technical log files, some of the fields were not
decrypted. That kind of problem was fixed upon discovery of this, and now
requested personal data is always provided unencrypted.
Spotify wants to draw IMY's attention to the fact that the complainant requested their personal data
again in July 2020. This request came after his complaint to IMY and the improvements
as described above. The complainant received his personal data significantly faster than
within 30 days. The complainant requested "Download your data" (Type 1) on 28 July 2020.
Spotify provided the personal data three calendar days later, on July 31, 2020.
The complainant also requested its technical log files (Type 2) on August 3, 2020 and
downloaded the personal data when it was available 15 days later, on August 18
2020. Both of these requests were answered within a total of 18 days by Spotify and
the complainant was able to receive all his personal data within a total of 21 calendar days. This one
timeframe is representative of Spotify's handling of these types of requests from
user. All technical information received by the complainant on August 18, 2020 was
unencrypted. The complainant should also have received a "Read Me First" file as field by field
explained the information provided. With the fulfillment of the appellant's latest
request, Spotify hopes that all the complainant's questions regarding articles 12.1 and
12.3 of the data protection regulation that he raised in his complaint have been answered. The Swedish Privacy Agency Diary number: DI-2019-6696 22(30)
Date: 2023-06-12
4.1.3 The Privacy Protection Authority's assessment
As IMY states in the assessment of the company's general routines, section 3.2.2 i
this decision, it is possible to divide the copy of personal data into different layers provided
that the data subject has received sufficient information, among other things, about how the copy
personal data is divided and how access to the various layers can be requested.
The fact that the complainant claims that his personal data was not provided in time shows that
the appellant must have considered that his initial request which was sent on 27 May 2018
referred to all personal data that Spotify processed about him. Of data such as
the complainant left further states that he contacted Spotify because he himself
noticed that the copy of personal data he received on 28 May 2018 was not
full. The fact that he contacted Spotify was thus a consequence of those conclusions
the appellant himself drew from the copy of personal data he received and not from
on the grounds that the complainant understood Spotify's division of the copy into personal data and
how access to additional data could be requested. These circumstances speak according to
IMY for the information provided by Spotify at the time of the complainant
the request regarding the division of the copy on personal data has not been sufficient
clear.
IMY also believes in an assessment of the information provided by Spotify
description and instructions in connection with the appellant making his Type 1 request
on May 27, 2018 that that information alone was not clear enough to
the appellant should have understood that it was only a subset of the personal data which
was covered by the request. At the time of the appellant's request, it was also missing
information that is currently available on Spotify's website, including on the website
for "Personal data rights and privacy settings", where it is clear which
personal data given in the various responses, and how access to these can be requested. IMY
further considers that what Spotify stated that the complainant could turn to customer service and
requesting additional information is irrelevant as such action presupposes that
the complainant would have understood that there were additional personal data that could
be released.
In view of the above, IMY considers that Spotify, at the time of the complainant
request for access, did not provide sufficiently clear information for the appellant to
understand that the copy of personal data was divided. That there is sufficient information for
that a registered person must understand that his request only refers to a selection of them
personal data that is processed is a prerequisite for the personal data controller
must be able to limit the disclosure of this personal data. In case it is unclear about
the request only concerns a selection of the personal data, so it should
personal data controller assume that the registered person wants access to all of their
personal data. Spotify should therefore, as the information in this regard was deficient
at the time of the complainant's request, have disclosed all personal data that they
dealt with the appellant in connection with his request for access made on
May 27, 2018. The time within which Spotify had to leave the copy on all
personal data must therefore be calculated from this time. Spotify would, according to the article
12.3 of the data protection regulation, have provided a full copy of the complainant
personal data or notified the complainant of an extension of the time period at the latest
on 27 June 2018. Spotify first notified the complainant of an extension on 6 July 2018
of the time period. The copy of the additional personal data was provided on 17 July
2018. IMY states that Spotify did not announce the extension within the time that
prescribed in article 12.3 of the data protection regulation. Spotify has therefore left the copy on
the complainant's personal data too late. The Swedish Data Protection Agency Diary number: DI-2019-6696 23(30)
Date: 2023-06-12
From the complainant's information, as confirmed by Spotify, it appears that they further
personal data he gained access to on 17 July 2018 has been difficult to understand as well as, in some
case, encrypted.
As IMY states under section 3.2.2, it is required that the personal data controller
explains particularly difficult to understand personal data so that the purpose of the right of access shall
considered fulfilled. IMY notes that Spotify has not lived up to its obligations in
the appellant's case as they have not provided an explanation for the particularly difficult to understand
information they provided in the copy as well as when they have provided certain information encrypted.
IMY states with regard to the above that Spotify in its management of
the complainant's request for access made on 27 May 2018 has processed
personal data in violation of article 12.3 of the data protection regulation, by making the copy on
personal data has been provided too late, as well as in violation of articles 12.1, 15.1 and 15.3 of
the data protection regulation, by not having provided all the complainants
personal data in an understandable form.
4.2 Complaint 2 (from Austria with national reference no
D130.198)
4.2.1 Background
The complainant has alleged that Spotify due to his request for access
which was made on October 10, 2018 has not provided all the personal data that
Spotify treats the complainant that Spotify has not provided any of it
information on the processing of the complainant's personal data as required by Article
15.1 a–h and 15.2 of the data protection regulation and that Spotify has not provided
the personal data in an understandable form in the manner prescribed in Article 12.1 i
data protection regulation. The appellant has stated, among other things, that the information has
provided in a format that is only machine-readable and not comprehensible to physical users
people.
4.2.2 What has emerged in the matter
Spotify has stated that the complainant requested access to "Download your data" (Type 1) on
10 October 2018. The data was made available and downloaded by the complainant on
18 October 2018. The complainant then never contacted Spotify again to bring them forward
views raised in his complaint to the IMY. Nor did he request access to
additional information beyond that made available through "Download Your Data"-
the tool.
Spotify provides three types of responses to ensure an appropriate and complete response
response to its users' requests in accordance with Article 15 of the Data Protection Regulation.
Spotify has stated that information about all three types of responses (Type 1, Type 2 and Type 3),
as well as information on how to request access to them was available at
the time of the appellant's request. In connection with a user choosing to load
down its data (Type 1), was evident from the description and instructions in direct connection with
tool that this was just a convenient way to get a copy of "most"
personal data from his account and which categories of personal data were
available through the tool. From the context it was therefore clear enough that
other personal data was also available. The appellant also had the opportunity to
contact customer service via several channels and request additional personal data.
Spotify believes that the process at the time was transparent enough to
users would be able to understand and request additional available data in addition to those
Date: 2023-06-12
which was included in the "Download your data" tool. Many other users also requested
both Type 2 and Type 3 tasks at that time. Spotify has subsequently done the majority
improvements in their processes to ensure that users cannot miss all three
types of information available and how to easily request access to it
the information.
At the time of the appellant's request, the specific web page had information
according to article 15.1 a-h and 15.2 of the data protection regulation not yet created and such
information was also not automatically included in the access request response.
Spotify confirms that the complainant did not receive this information along with his Type 1-
response in October 2018. Spotify notes that although the complainant did not receive the specific
the information under Article 15 in connection with its request, the information was available
for the complainant in Spotify's privacy policy.
Spotify has further stated that the company had processes in place to provide
additional information and take action in the event that their response would not be considered
sufficient to fully respond to a data subject's access request. About the appellant
had contacted privacy@spotify.com or Spotify's customer service team regarding their
questions, they would have been happy to provide additional personal data and other information
according to Article 15 of the Data Protection Regulation which he requested.
It is true that the complainant's "Download your data" data was provided in JSON
format. JSON is a recommended standard format that can be understood by both
people and computers. The information in "Download your data" (Type 1) is largely
self-explanatory based on the file and field names. Nowadays, Spotify provides
however, also a detailed description of the data on the information webpage,
"Understand my data".
4.2.3 The Privacy Protection Authority's assessment
As IMY states in the assessment of the company's general routines, section 3.2.2 i
this decision, it is possible to divide the copy of personal data into different layers provided
that the data subject has received sufficient information, among other things, about how the copy
personal data is divided and how access to the various layers can be requested.
The complainant has, as IMY understands it, wanted access to all the information that
Spotify treats about him. However, the appellant has only requested access to Type 1-
the data and has also not returned to Spotify for further information.
According to IMY, the complainant's actions indicate that the information provided by Spotify
at the time of the appellant's request regarding the division of the copy on
personal data and how access to the various layers could be requested was not sufficient
clear so that the complainant would understand how he would get access to all the information.
IMY also believes in an assessment of the information provided by Spotify
description and instructions in connection with the appellant making his Type 1 request
on October 10, 2018 that that information alone was not clear enough to
the appellant should have understood that it was only a subset of the personal data which
was covered by the request. At the time of the appellant's request, it was also missing
information that is currently available on Spotify's website, including on the website
for "Personal data rights and privacy settings", where it is clear which
personal data given in the various responses, and how access to these can be requested. IMY
further considers that what Spotify stated that the complainant could turn to customer service and
requesting additional information has no meaning as such action requires that the Swedish Privacy Agency Diary number: DI-2019-6696 25(30
Date: 2023-06-12
the complainant would have understood that there were additional personal data that could
be released.
In view of the above, IMY considers that Spotify, at the time of the complainant
request for access, did not provide sufficiently clear information for the appellant to
understand that the copy of personal data was divided. That there is sufficient information for
that a registered person must understand that his request only refers to a selection of them
personal data that is processed is a prerequisite for the personal data controller
must be able to limit the disclosure of this personal data. In case it is unclear about
the request only concerns a selection of the personal data, so it should
personal data controller assume that the registered person wants access to all of their
personal data. Spotify should therefore, as the information in this regard was deficient
at the time of the complainant's request, have disclosed all personal data that they
processed about the appellant. IMY states that Spotify has not disclosed all of them
personal data they processed about the complainant. Spotify has therefore not complied
the requirements in articles 15.1 and 15.3 of the data protection regulation to give the data subject
access to their personal data as the company has not provided the registered with one
full copy of the personal data that was being processed.
The complainant has further stated that the personal data he has been given access to was difficult
to understand. Spotify's response shows that at the time of the complainant's request
a description of the information provided to the appellant (Type 1) was missing. IMY
however, deems that the information provided pursuant to a Type 1 request is sufficient
clear for the average user to be able to understand the data and that
these therefore do not require any further explanation. IMY therefore believes that they
personal data provided has been sufficiently clear to meet the requirements according to
article 12.1 of the data protection regulation, i.e. that the information provided according to
Article 15 of the Data Protection Regulation must be given in a concise, clear and understandable, understandable and
easily accessible form using clear and unambiguous language. Some lack therefore has
was not available regarding how clear the personal data provided to the appellant was
where. However, IMY looks positively on the improvements that Spotify has implemented after this
time, which can further increase the understanding of the personal data provided in
Type 1 response.
The complainant has further stated that his personal data was provided in a format which
was only machine readable and not comprehensible to natural persons. Spotify has stated
that the data was provided in JSON format. IMY believes, which also appears above below
3.2.2, that JSON format, which can be read by both computers and natural persons, i
the current situation is such an electronic generally used format as referred to in Article 15.3 i
data protection regulation. IMY therefore considers that there was no deficiency in respect of
the format in which the information was provided to the complainant.
The appellant has finally claimed that he did not receive information according to Article 15.1 a-h
and 15.2 of the data protection regulation. Spotify has confirmed that the complainant did not receive this
information together with the response to the request submitted in October 2018. Spotify
has thus not fulfilled its obligation to, in connection with the appellant's request for
access, provide information according to article 15.1 a-h and 15.2. The fact that information
at the time of the complainant's request was available in the company's privacy policy healer
not this deficiency.
IMY concludes in summary that Spotify in its handling of the complainant's request
if access made on 10 October 2018 has processed personal data in violation
with article 15.1 and 15.3 of the data protection regulation, by not having given access to the Privacy Protection Agency Diary number: DI-2019-6696 26(30)
Date: 2023-06-12
all personal data that Spotify processed about the complainant and in conflict with
article 15.1 a-h and 15.2 of the data protection regulation, by not having provided
any of the information set out in these regulations.
4.3 Complaint 3 (from Denmark with national reference number
2018-31-1198)
The complainant has claimed that Spotify has not responded to the complainant's request
access according to Article 15 of the data protection regulation made on November 12, 2018.
The investigation into the matter has not shown that Spotify failed in its handling of the complainant
request for access, which means that the current complaint must be rejected. The
receiving supervisory authority, i.e. the Danish data protection authority, shall therefore
adopt the decision regarding this complaint in accordance with Article 60.8 of the Data Protection Regulation.
The justification for the decision in this part is thus reported in a separate decision from it
Danish Data Protection Authority.
5 Choice of intervention
5.1 Applicable Regulations
In the event of violations of the data protection regulation, IMY has a number of corrective measures
powers, including reprimands, injunctions and penalty charges. It follows from
article 58.2 a–j of the data protection regulation.
IMY shall impose penalty fees in addition to or in lieu of other corrective measures
as referred to in Article 58(2) of the Data Protection Regulation, depending on the circumstances i
each individual case.
If a personal data controller or a personal data assistant, with respect to a
and the same or connected data processing, intentionally or by
negligence violates several of the provisions of this regulation, it may
the total amount of the administrative penalty fee does not exceed the amount determined
for the most serious violation. It appears from Article 83.3 i
data protection regulation.
Each supervisory authority must ensure that the imposition of administrative
penalty charges in each individual case are effective, proportionate and dissuasive. The
stated in Article 83.1 of the Data Protection Regulation.
In article 83.2 of the data protection regulation, the factors that must be considered in order to
decide whether an administrative penalty fee should be imposed, but also what should
affect the size of the penalty fee.
The EDPB has adopted guidelines on the calculation of administrative penalty fees according to
the data protection regulation which aims to create a harmonized method and principles
18
for calculation of penalty fees.
18EDPB's guidelines 8/2020 Guidelines 04/2022 on the calculation of administrative fines under the GDPR, final
adopted on 24 May 2023. Data Protection Authority Diary number: DI-2019-6696 27(30)
Date: 2023-06-12
5.2 Same or connected data processing
As noted above, IMY, in the review carried out by the authority, has
Spotify's general processes and routines for providing access according to Article 15 i
data protection regulation, found deficiencies in the information provided in accordance with Article 15.1
a–h and 15.2 of the data protection regulation as well as in the description of the data in them
the technical log files provided by Spotify. Spotify has also failed in its handling of
request for access in relation to two of the complaints IMY has reviewed, complaint 1 and
complaint 2.
The violations regarding the general routines relate to the information
according to article 15.1 a-h and 15.2 of the data protection regulation, to the period from
on November 16, 2021 through May 16, 2022 as well as, regarding the description
of the data in the technical log files, to the period from June 11, 2019 to
and with May 16, 2022. Request for access covered by the individuals
the complaints were made on 27 May 2018 and 10 October 2018 respectively. IMY assesses
among other things against this background that the violations refer to the general ones
the procedures and violations relating to the two complaints do not constitute the same or
connected treatments in the manner referred to in Article 83.3 i
data protection regulation.
However, IMY considers that Spotify's provision of information covered by article
15.1 and 15.2 of the data protection regulation and the provision of the description of
the data in the technical log files are interconnected. The
the assessment is made, among other things, against the background of the identified deficiencies in these
parts relate to the requirements for transparency in the information that Spotify has provided to them
registered according to Article 15 of the Data Protection Regulation under a partial
coinciding time period. Furthermore, the complaints are deemed to be connected with
each other.
IMY must therefore decide on the choice of intervention partly for the identified deficiencies i
Spotify's information according to article 15.1 and 15.2 of the data protection regulation and i
the description of the data in the technical log files partly for the findings
the deficiencies regarding the two complaints.
5.3 Deficiencies in information according to article 15.1 and 15.2 i
the data protection regulation and in the description of the data i
the technical log files
IMY has assessed that Spotify has violated articles 12.1, 15.1 a-d, 15.1 g and 15.2 i
data protection regulation. Against the background, among other things, that the violations have been able to
affect a large number of registrants, that the violations have been going on for a long time and
as the deficiencies in the information made it difficult for registered users to take care of their others
rights according to the data protection act, it is not a question of minor violations.
Spotify must therefore be charged a penalty fee for the violations in this part.
IMY states that Spotify has violated articles covered by Article 83.5 i
data protection regulation which means that a penalty fee of up to twenty million
EUR or four percent of the global annual turnover in the previous financial year,
depending on which value is higher, may be imposed.
When determining the maximum amount of a penalty charge to be imposed on a company
should the definition of the term company be used that the EU Court of Justice uses at the Privacy Protection Agency Diary number: DI-2019-6696 28(30)
Date: 2023-06-12
application of Articles 101 and 102 of the TFEU (see recital 150 i
data protection regulation). It appears from the court's practice that this includes every entity
that carries out economic activities, regardless of the legal form of the entity and the way of doing so
financing as well as even if the unit in the legal sense consists of several physical or
legal entities.
IMY assesses that the company's turnover is to be used as a basis for calculating the
administrative penalty fees that Spotify may impose are Spotify's parent company
Spotify Technology S.A. From Spotify Technology S.A.'s annual report for the year 2022
it appears that the annual turnover in 2022 was approximately SEK 132,000,000,000. The highest
sanction amount that can be determined in the case is four percent of this amount, approx
SEK 5,280,000,000.
When assessing the seriousness of the violations, IMY takes in addition to what is stated above, i.e.
that the violations have been able to affect a large number of registrants, that the violations
has been going on for a long time and that the deficiencies in the information made it difficult for data subjects to
take advantage of your other rights according to the data protection regulation, also taking into account the following.
The violations have entailed a risk that the purpose of the right of access is then thwarted
the deficiencies in the information provided made it difficult for data subjects to understand which of
their personal data that has been processed and how. The registrant thus does not have
nor had the opportunity to check whether the processing was legal. Spotify's
processing of personal data further includes a large amount of personal data about each
registered and affects many registered users in several different countries.
However, as far as has come to light, the data processed are not such special ones
categories of personal data specified in Article 9 of the Data Protection Regulation.
Processing of personal data that takes place within the framework of a customer relationship at
the provision of a music streaming service does not normally get large either
consequences for the data subjects. IMY has further, despite the scope of Spotify's
personal data processing, only received a few complaints regarding the company's
handling access requests.
It is also important that Spotify has a challenge in providing comprehensive information
about complex personal data processing in a way that is comprehensible to the data subjects
which entails difficult trade-offs to assess how the information should best be used
is presented. Spotify has provided certain information in accordance with all points in Article 15.1 and
15.2 of the data protection regulation. Furthermore, Spotify has provided information about its
processing of personal data on several pages on the company's website. Some information about
how the personal data was processed can also be read from that copy
personal data according to article 15.3 of the data protection regulation that Spotify has
provided to the data subjects who requested access and which IMY has generally assessed
meet the requirements for clarity in Article 12.1 of the Data Protection Regulation.
The investigation into the matter further shows that Spotify, on its own initiative and before the relevant date
supervisory case was initiated, has taken several measures and put in extensive work to
produce, develop and improve processes regarding requests for access that shall be
transparent for those registered. These processes and routines have since been developed
and continuously improved. According to IMY, this suggests that Spotify intends to fulfill
the right of access in a way that is transparent to the data subjects. It also has forward
until last year, when the EDPB adopted guidelines on the right of access, was lacking in detail
guidance on how the information should be provided and at what level of detail, among other things
19 European Data Protection Board (EDPB) guidelines on the right of access - Guidelines 01/2022 on data subject rights
– Right of access, (adopted on January 18, 2022 for public consultation and finally adopted on March 28, 2023). Data Protection Agency Diary number: DI-2019-6696 29(30)
Date: 2023-06-12
regarding the degree of individualization of the information to be provided according to article
15.1 and 15.2 of the data protection regulation and which language should be used in
communication according to Article 15 of the Data Protection Regulation.
Overall, IMY assesses, against the background of the reported circumstances, that they
the violations in question are of low seriousness. The starting point for the calculation
of the penalty fee should therefore be set relatively low in relation to the current situation
the maximum amount. To ensure a proportional penalty fee in the individual case
there are also reasons to further adjust the starting point for it already at this stage
continue the calculation downwards, taking into account the high turnover involved
basis for the calculation of the penalty fee.
In addition to assessing the seriousness of the violation, IMY must assess whether it exists
any aggravating or mitigating circumstances that become relevant
the amount of the penalty fee. The circumstances which have already been considered at
the assessment of the seriousness of the infringement cannot be reconsidered at this stage of
the assessment.
IMY assesses that there are no further aggravating circumstances that affect
the amount of the penalty fee. As a mitigating circumstance, IMY attaches particular importance
the possibility for those registered to contact Spotify's customer service through several different
channels to receive further individualized information. Furthermore, Spotify has in June 2022
informed that the company has made updates to the information in accordance with Article 15 among
other for the data subject to understand the specific personal data processing which
is applicable to their unique use of the Spotify service. As for the shortcomings
regarding Spotify's choice of language for the description of the data in the technical
the log files, it is also important that data subjects have had the opportunity to turn to
Spotify to have the description translated or explained in its local language and to
Spotify provided clear information about this possibility in the "Read Me First" file which
submitted in connection with the data being provided to the data subject.
Against the background of the seriousness of the violations, aggravating and mitigating
circumstances and the high turnover in relation to those established
the violations, the IMY determines the administrative penalty fee for Spotify at 58
000 000 kroner. In doing so, IMY has assessed that this amount, which corresponds to approximately 1
percent of the highest possible sanction amount that can be determined in the case, is
effective, proportionate and dissuasive in the present case.
5.4 Violations regarding complaints 1 and 2
IMY has established that Spotify breached its obligations in relation to the complainants in
complaints 1 and 2. However, IMY can state that the complainants in both cases have received
access to some of their personal data in a timely manner. Spotify has further, when the appellant in
complaint 1 contacted them, were helpful in providing further information and
answered questions. Regarding complaint 2, Spotify has not been made aware that
the complainant considered that his request for access was not fully met. The appellant has
did not turn to Spotify and stated that he was dissatisfied with the company's handling of
his request for access why Spotify has had difficulty remedying the shortfall.
IMY states that the violations currently in question did not include sensitive ones
personal data. Spotify has further taken measures, albeit insufficient, in order to
accommodate the appellants' requests. Although the complainants' right of access does not
Date: 2023-06-12
met fully, the deficiencies that have been present are therefore of a less serious nature
character than if the requests had been left unanswered.
In an overall assessment, IMY finds that, regarding the violations in complaint 1
and 2, are minor violations and that there is therefore reason to waive
from imposing a penalty fee on Spotify for the established violations herein
part. Spotify must instead be given a reprimand in accordance with Article 58.2 b i
data protection regulation.
Spotify has stated that the company is happy to cooperate with the complainants directly in order to
ensure that it has provided all the data and the information that the complainants
searching as well as that it has answered their questions.
From information that emerged in the case, the complainant in complaint 1 has turned to Spotify
again in July 2020 and subsequently granted access in accordance with Article 15 of the Data Protection Regulation.
The complainant received all his personal data, including an explanatory document
about the personal data that was processed, within 21 days. The personal data that then
were left unencrypted. When the appellant has had his request for access granted
if there is no reason to order Spotify to grant access again in accordance with Article 15.
Regarding complaint 2, no information has emerged that the complainant has received
access to more personal data or more information after the response to the access request
in October 2018. Spotify must therefore, with the support of Article 58.2 c of the data protection regulation,
ordered to comply with the appellant's request for access pursuant to Article 15 i
the data protection regulation by giving the complainant access to all
personal data that Spotify processes about him by providing him with a
copy of the personal data according to article 15.3 of the data protection regulation as well as
information according to article 15.1 a-h and 15.2 of the data protection regulation. Spotify has thereby
to take into account the exceptions to the right of access in Article 15.4 of the Data Protection Regulation
and ch. 5 the data protection act that can be updated. IMY assesses that access should
submitted within one month of this decision becoming legally binding.
_____________________________
This decision has been taken by the general manager Lena Lindgren Schelin after a presentation
by lawyers Karin Ekström and Evelin Palmér. At the final processing has
also the head of justice David Törngren and the head of unit Catharina Fernquist participated.
Lena Lindgren Schelin, 2023-06-12 (This is an electronic signature)
Appendix
Appendix 1 - complainant's identification details (complaint 2)
Appendix 2 - Spotify's information according to article 15 of the data protection regulation, on 16
November through May 16, 2022
Appendix 3 – Information on payment of penalty fee
