Spotify under investigation by Swedish data protection authority

The Swedish data protection authority (DPA) has launched an investigation into Spotify over the handling of consumer’s rights to access their data.

The DPA stated it had received numerous complaints about how Spotify handles registry extracts. In an announcement, the DPA wrote:

“The authority has become aware that there may be some shortcomings in how the company handles registry extracts, including that the extracts are not complete and that the information is not sufficiently clear.”

The DPA are investigating allegations that Spotify does not include data it needs to fulfill Articles 15(1) and 15(2) of the EU General Data Protection Regulation. The authority is looking into what information Spotify provides to customers, which information is copied by Spotify and how the collected information is handled.

Karin Ekström, a lawyer at the DPA said:

“Because Spotify handles a large amount of data on a very large number of users, it is important that the users’ request for registry extracts be handled correctly.

“You have the right to turn to a company or authority that processes your personal data and through a registry extract to know what the information is. You should also get information about how the data is used described with a clear and simple language.”

The announcement went on to emphasise that the right for individuals to access their personal data allows them to verify that their information is correct. Additionally it is a “prerequisite” for the individual to have the ability to use other rights, including the ability to request that information be corrected or deleted, or the ability to object to how the data is utilised.

Spotify’s communications manager, Fred Westin told Computer Sweden in a message:

“Spotify takes data integrity and our obligations to our users very seriously. We welcome Data Inspection’s questions about the processes we have in place to ensure that users receive the information they are looking for and are entitled to under the GDPR”.

PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.

Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered.