
Spotify's €5 million penalty: The importance of proper DSR management 

Managing data subject requests (DSRs) properly is a critical part of GDPR compliance. Getting it wrong had major consequences for Spotify, which was recently fined €5 million for providing inadequate information to data subjects. Our experts explain what your business can learn from this mistake. 

What did Spotify get wrong?

In 2019, the Austrian organisation Noyb submitted several complaints against various streaming services on the basis of the GDPR. Spotify was one of these services. 

The Noyb complaint states that Spotify did not provide full information on the origin and recipients of personal data, or details of international transfers, in response to the complaint.

Spotify only provided information about a selection of the data, without explaining to data subjects how they could access the complete set of information. 

What happened after the complaint?

For a long time, nothing happened.

Noyb then filed a lawsuit in the Swedish courts in June 2022, citing inaction by the Swedish Authority for Privacy Protection (IMY).

The IMY then stated that the information provided by Spotify should be "more concrete" and that it should be easy for the person requesting access to their data to understand how the company uses this information.

The IMY did not consider the shortcomings to be especially serious and took this into account when determining the sanction. Nevertheless, it imposed a fine of 58 million Swedish crowns on Spotify, the equivalent of approximately €5 million.


What are data subject requests? 

A data subject request (DSR) is a request made by an individual under a specific right granted to them by data protection and privacy regulations such as the General Data Protection Regulation (GDPR).

These requests empower individuals, referred to as "data subjects," to control their personal data by making requests to organisations that process their data. DSRs enable individuals to assert their rights, seek information, or take action concerning their personal data. 

Importance of a robust DSR process 

The management of data subject requests is a critical aspect of your organisation's data protection strategy. Here are some general steps that can be taken to ensure effective management:

  • Implement a comprehensive DSR management system: A well-structured system can help manage all requests within the legal timeframe. The DataGuard platform incorporates a dedicated Data Subject Request app that can streamline this process. 
  • Regularly review your DSR process: It's important to continually assess and improve your DSR process. If you're unsure about the effectiveness of your current process, consulting with a data protection expert can provide valuable insights.
  • Invest in staff training: Raising awareness of DSRs across your company is crucial. Comprehensive training can ensure your team is equipped to handle DSRs effectively. Our platform offers resources such as the DataGuard Academy to facilitate this training. 

And remember, DSRs can be submitted in various ways. Ensuring your entire team is prepared to handle them effectively is key to maintaining compliance and protecting your organisation. 

About the author

Boris Otterbach

Principal Privacy

Boris Otterbach is a lawyer and certified data protection officer with more than five years of experience in this field. Already during his studies he engaged in depth with European law, international law and human rights protection, in which data protection was also a central aspect. The GDPR helps to create a common European framework so that everyone enjoys the same protection, and this framework must be filled with pragmatic solutions that work in everyday practice. At DataGuard, Boris works on developing pragmatic solutions for GDPR safeguards so that companies can become GDPR compliant. Making day-to-day work more effective through greater automation drives him to master new challenges at DataGuard every day and to ensure that companies are protected from a data protection perspective while making optimal use of the latest technologies. As a consultant he has primarily looked after clients from the human resources and hotel and hospitality sectors. In his role as Principal Professional Services at DataGuard, he supports the privacy, information security and compliance teams with his extensive know-how and experience in order to protect the people behind the data.
