The complaint against Spotify was initially filed in early 2019 by noyb, a privacy rights non-profit organization. The complaint claimed that Spotify did not provide all the personal data requested, failed to disclose information about the purposes of data processing and recipients, and did not furnish details about international data transfers, among other allegations.
Initially filed in Austria, the complaint was later redirected to Sweden through the GDPR’s one-stop-shop mechanism, as Spotify has its main EU presence in Sweden. However, the complaint remained unresolved for several years, with noyb claiming that the Swedish data protection authority (IMY) conducted a separate investigation without involving the complainants. This action went against the GDPR’s requirement for data controllers to respond to access requests within a month.
As a result of the prolonged lack of decision, noyb took the Swedish data protection authority (IMY) to court. Last year, the Stockholm administrative court ruled in favor of noyb, affirming the complainants’ right to request a decision six months after the initial complaint was filed.
In addition to the GDPR fine, Spotify recently announced plans to lay off 200 employees, which accounts for 2% of its workforce, from its podcast division as part of a larger corporate reorganization.
Sources By Agencies