abusesaffiliationarrow-downarrow-leftarrow-rightarrow-upattack-typeburgerchevron-downchevron-leftchevron-rightchevron-upClock iconclosedeletedevelopment-povertydiscriminationdollardownloademailenvironmentexternal-linkfacebookfiltergenderglobegroupshealthC4067174-3DD9-4B9E-AD64-284FDAAE6338@1xinformation-outlineinformationinstagraminvestment-trade-globalisationissueslabourlanguagesShapeCombined Shapeline, chart, up, arrow, graphLinkedInlocationmap-pinminusnewsorganisationotheroverviewpluspreviewArtboard 185profilerefreshIconnewssearchsecurityPathStock downStock steadyStock uptagticktooltiptwitteruniversalityweb

这页面没有简体中文版本,现以English显示

文章

13 六月 2023

作者:
Natasha Lomas, TechCrunch

Sweden: Spotify is fine over GDPR data access complaint

"Spotify fined in Sweden over GDPR data access complaint", 13 June 2023

Music streaming giant Spotify is facing a fine of around €5 million ($5.4M) in Sweden years after it was accused of breaching the data access rights of users in the European Union by not providing full information about personal data it processes in response to individual requests.

While the size of the fine is unlikely to grab many headlines, the fact it’s finally happened is notable as further evidence of the mountain European users have to climb to get their data protection rights upheld.

The finding of a breach of Article 15 of the General Data Protection Regulation (GDPR) comes more than four years after a complaint was lodged against Spotify by the privacy rights not-for-profit, noyb. The complaint, which was filed at the start of 2019, alleged Spotify failed to provide adequate detail in response to the complainant’s subject access request (SAR).

The complaint argued the music streaming platform failed to provide all personal data requested; did not provide information on the purposes of the processing; nor on recipients; and also did not provide information on international transfers, among other allegations.

While it was originally filed in Austria the GDPR’s one-stop-shop mechanism, which is supposed to streamline case handling where data-processing crosses national borders, meant the complaint got routed to Sweden where Spotify has its main EU establishment. (Another complaint over the same issue which was filed in the Netherlands was also joined to the case in Sweden.)

The complaint then languished undecided for several years as, according to noyb, the Swedish authority undertook a parallel ex officio investigation to which the complainants weren’t party — despite the GDPR stating data controllers must respond to access requests within a month.

noyb ended up taking the Swedish data protection authority (IMY) to court over the lack of a decision. And last year it successfully challenged IMY’s position that the complainant is not a party in procedures, with the Stockholm administrative court holding that complainants have the right to request a decision after six months.

While that litigation is still ongoing (in front of a higher court) the administrative court decision last November ordering IMY to process and investigate the complaint appears to have moved the DPA to issue a decision in the meanwhile.

noyb said today that IMY ordered Spotify to finally provide the full set of data. Although it’s reserving judgement on whether the authority has done everything it asked until it can scrutinize the decision.

We reached out to the Swedish authority with questions and it sent the below statement — confirming it identified a number of violations by Spotify pertaining to three complaints it investigated. It also described the case as “complex and comprehensive”, saying it not only looked at individual instances of how it handled data access requests but also assessed general procedures.

Spotify was also contacted for comment. A company spokesperson sent us this statement — confirming it intends to appeal:

Spotify offers all users comprehensive information about how personal data is processed. During their investigation, the Swedish DPA found only minor areas of our process they believe need improvement. However, we don’t agree with the decision and plan to file an appeal.

隐私资讯

本网站使用 cookie 和其他网络存储技术。您可以在下方设置您的隐私选项。您所作的更改将立即生效。

有关我们使用网络存储的更多信息,请参阅我们的 数据使用和 Cookie 政策

Strictly necessary storage

ON
OFF

Necessary storage enables core site functionality. This site cannot function without it, so it can only be disabled by changing settings in your browser.

分析 cookie

ON
OFF

您浏览本网页时我们将以Google Analytics收集信息。接受此cookie将有助我们理解您的浏览资讯,并协助我们改善呈现资讯的方法。所有分析资讯都以匿名方式收集,我们并不能用相关资讯得到您的个人信息。谷歌在所有主要浏览器中都提供退出Google Analytics的添加应用程式。

市场营销cookies

ON
OFF

我们从第三方网站获得企业责任资讯,当中包括社交媒体和搜寻引擎。这些cookie协助我们理解相关浏览数据。

您在此网站上的隐私选项

本网站使用cookie和其他网络存储技术来增强您在必要核心功能之外的体验。