The General Data Protection Regulation (GDPR) has applied since May 2018 and, among other things, strengthens the rights of individuals. One such right is the right of access: the right of an individual to find out what personal data an organisation processes about them and to receive information about how that data is used.
The Swedish Authority for Privacy Protection (IMY) has examined how Spotify handles individuals' right of access to their personal data. IMY finds that Spotify does release the personal data it processes when individuals request it, but that the company does not explain clearly enough how that data is used.
- The information that the company provides about how and for what purposes individuals' personal data is handled should be more specific. It must be easy for the person requesting access to their data to understand how the company uses this data. In addition, personal data that is difficult to understand, such as data of a technical nature, may need to be explained not only in English but in the individual's own native language. In these parts, we have seen certain shortcomings, says Karin Ekström, one of the legal advisors who led the supervision.
Customers who have turned to Spotify to request access to their personal data have been able to choose which personal data they want access to, because Spotify has divided customers' personal data into different layers. One layer contains the information that Spotify has deemed to be of greatest interest to the individual, for example the customer's contact and payment details, which artists the customer follows, and listening history for a certain period of time. If the customer wants more detailed information, for example all technical log files relating to the customer, it has also been possible to request these in another layer.
- There is no obstacle to dividing the copy of personal data into different layers as long as the right to access is satisfied. In some situations, on the contrary, it can make it easier for the data subject to take in the information if it is presented in different parts, at least when it is a question of an extensive amount of information. It is important that the individual understands what information is in the various layers and how it can be requested. Here we believe that Spotify has done enough, says Karin Ekström.
The purpose of the right of access is to give individuals the opportunity to check that the processing of their personal data is lawful. That the individual receives sufficient information is often a prerequisite for exercising other rights, for example the right to have incorrect information corrected or removed. As the information provided by Spotify has been unclear, it has been difficult for individuals to understand how their personal data is processed and to check whether the handling of their personal data is lawful.
Spotify has taken several measures aimed at meeting the requirements of individuals' right of access, and the deficiencies found are considered, overall, to be of low seriousness. In light of that and, among other things, the number of registered users and Spotify's turnover, IMY issues an administrative fine of SEK 58 million against Spotify for not having provided sufficiently clear information to individuals.
Since Spotify has users in many countries, this decision has been made in cooperation with other data protection authorities in the EU.