The IMY found that while Spotify did provide users with their personal data upon request, it lacked clarity in informing them about how the company utilizes that data. The regulator emphasized the need for greater transparency from Spotify regarding the handling and processing of individuals’ personal data. Insufficient clarity made it challenging for users to comprehend how their data was being processed and verify the lawfulness of its handling, according to the IMY.
Despite deeming the violations to be of low severity, the IMY imposed the fine based on factors such as Spotify’s revenue, user base, and the steps the company has taken to address the issues. The decision was reached in collaboration with other EU data protection authorities due to Spotify’s widespread user presence across numerous countries.
