Spotify's €5 million penalty: The importance of proper DSR management 

What did Spotify get wrong? 

In 2019, an Austrian organisation Noyb submitted several complaints against various streaming services on the basis of GDPR. Spotify was one of these services. 

The Nyob complaint states that Spotify didn't provide full information on the origin and recipients of personal data or details of international transfers in response to the complaint.

Spotify only provided information about a selection of data without explaining to data subjects how they could access the entire package. They merely disclosed a portion of the data, neglecting to guide data subjects on how to access the complete set of information. 

What happened after the complaint?

For a long time, nothing happened.

Nyob then filed a lawsuit in the Swedish courts in June 2022, citing inaction by the Swedish Authority for Privacy Protections (IMY).

The IMY then stated that the information provided by Spotify should be "more concrete" and that it should be easy for the person requesting access to their data to understand how the company uses this information.

The IMY considers the findings not to be too serious and had taken this into account when determining the sanction. Nevertheless, they imposed a fine of 58 million Swedish crowns on Spotify – the equivalent of approximately €5 million.

What are data subject requests? 

A data subject request is a specific right granted to individuals under various data protection and privacy regulations, such as the General Data Protection Regulation (GDPR).

These requests empower individuals, referred to as "data subjects," to control their personal data by making requests to organisations that process their data. DSRs enable individuals to assert their rights, seek information, or take action concerning their personal data. 

Importance of a robust DSR process 

The management of Data Subject Requests is a critical aspect of your organisation's data protection strategy. Here are some general steps that can be taken to ensure effective management:

• Implement a comprehensive DSR management system: A well-structured system can help manage all requests within the legal timeframe. The DataGuard platform incorporates a dedicated Data Subject Request app that can streamline this process. 
• Regularly review your DSR process: It's important to continually assess and improve your DSR process. If you're unsure about the effectiveness of your current process, consulting with a data protection expert can provide valuable insights.
• Invest in staff training: Raising awareness of DSRs across your company is crucial. Comprehensive training can ensure your team is equipped to handle DSRs effectively. Our platform offers resources such as the DataGuard Academy to facilitate this training. 

And remember, DSRs can be submitted in various ways. Ensuring your entire team is prepared to handle them effectively is key to maintaining compliance and protecting your organisation. 

Further resources:  

• Data subject access request (DSAR): All you need to know  
• Decision of the IMY (in Swedish)