Swedish Court Upholds GDPR Fine on Spotify for Data Processing Failures
The Swedish Administrative Court of Appeal has ruled that Spotify AB failed to properly manage the rights of data subjects under the European Union’s General Data Protection Regulation (GDPR). The court found that Spotify did not provide clear and easily accessible information necessary for individuals to exercise their rights under GDPR. Additionally, Spotify did not give sufficient information about data retention periods or the criteria used to determine these periods.
The Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten) had previously imposed a penalty on Spotify AB following an investigation. The penalty was due to the company processing personal data in violation of GDPR requirements. The court confirmed that Spotify’s handling of personal data did not meet the standards required by the regulation.
Furthermore, Spotify failed to provide adequate information about the appropriate safeguards in place when transferring personal data to third countries or international organizations. These shortcomings led the court to uphold a fine of 5.2 million euros (58 million Swedish kronor). This decision highlights the importance of transparency and compliance in data processing activities under GDPR.
The GDPR applies to the automated processing of personal data and aims to ensure a consistent level of protection across the EU. The Swedish Authority for Privacy Protection is responsible for supervising compliance with GDPR in Sweden. This ruling serves as a reminder to companies about the critical need to respect data subjects’ rights and maintain clear communication about data processing practices.