The EU’s General Data Protection Regulation (GDPR), which entered into force in 2018, provides individuals the right, among other things, to access their personal data, including the right to know what personal data a business has on them and how they are using that data.
Following an audit it conducted, IMY found that Spotify “releases the personal data the company processes when individuals request it, but that the company does not inform clearly enough about how this data is used by the company.”
“The information that the company provides about how, and for what purposes, individuals’ personal data is handled should be more specific,” said Karin Ekström, one of the legal advisors who led the supervision. “It must be easy for the person requesting access to their data to understand how the company uses this data.”
“In addition, personal data that is difficult to understand, such as those of a technical nature, may need to be explained not only in English, but in the individual’s own native language,” Ekström added. “In these parts, we have seen certain shortcomings.”
According to the IMY, customers who requested access to their personal data from Spotify have been able to choose which personal data they want to access, because Spotify has divided the customers’ personal data into different layers. One layer contains information Spotify has deemed to be of greatest interest—for example, customers’ contact and payment details, which artists customers follow, and listening history. If a customer wants more detailed information—for example, all technical log files relating to the customer—they may request these in another layer.
Ekström noted that dividing personal data into different layers doesn’t pose any obstacle, “as long as the right to access is satisfied. In some situations, on the contrary, it can make it easier for the data subject to take in the information if it is presented in different parts, at least when it is a question of an extensive amount of information,” she said. “It is important that the individual understands what information is in the various layers and how it can be requested. Here, we believe that Spotify has done enough.”
IMY said the purpose of the right of access is “to give individuals the opportunity to check that the processing of their personal data is lawful. That the individual receives sufficient information is often a prerequisite for exercising other rights—for example, the right to have incorrect information corrected or removed. As the information provided by Spotify has been unclear, it has been difficult for individuals to understand how their personal data is processed and to check whether the handling of their personal data is lawful.”
According to IMY, Spotify has taken several measures aimed at meeting the requirements regarding individuals’ right to access. It added that the deficiencies it discovered pose an overall “low level of seriousness,” and that the fine reflects that consideration.
Since Spotify has users in many countries, this decision has been made in cooperation with other data protection authorities in the EU. 
Jaclyn Jaeger is a contributing editor at Compliance Chief 360° and a freelance business writer based in Manchester, New Hampshire.