On June 13, 2023, the Swedish Authority for Privacy Protection (IMY) imposed a fine of SEK 58 million (around £5 million) on Spotify for breaching the General Data Protection Regulation (GDPR). The fine was issued after Spotify allegedly failed to comply with GDPR provisions relating to data subject rights. The decision followed an investigation initiated by the IMY in 2019, following complaints from users.
As an online music streaming service, Spotify processes a vast amount of consumer data. To comply with GDPR, users have the right to access their personal data held by businesses and can request information regarding how their data is being used.
However, Spotify failed to provide satisfactory responses to users who exercised their rights of access and did not fulfil its obligations to respond to requests within the specified time frames set out in the GDPR.
The case of Spotify emphasises the importance of GDPR compliance in today’s data-driven world. The mishandling of data subject requests by Spotify underscores the necessity for companies to act with integrity and establish robust procedures that efficiently and transparently deal with such inquiries.
