IMY – Court Ruling (Sweden, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Sweden's data protection authority found that Spotify did not provide clear information to users about their data access rights. This is important because it emphasizes the need for companies to be transparent about how they handle user data. Businesses should ensure they clearly communicate data practices to their customers.
What happened
Spotify was found to have systematic issues in how it handled user access requests for personal data.
Who was affected
Spotify users who requested access to their personal data were affected.
What the authority found
The authority ruled that Spotify violated multiple GDPR articles related to user access rights.
Why this matters
This ruling sets a precedent for how companies must handle data access requests, stressing the need for clarity and completeness in communication with users.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The DPA’s fine Spotify (the data controller) provided customers (the data subjects) with an online function to download their data directly from the controller’s online platform. This download function was meant to provide data subjects with a response to their access requests. In 2019 three complaints were filed in Austria, the Netherlands, and Denmark. The complainants used the controller’s download function and claimed that they did not receive clear and complete information. The data subject who filed a complaint in Austria was represented by noyb. In response to the complaints, the DPA launched an ex officio investigation on Spotify’s handling of access requests from customers. In 2023, after years of inactivity and an interlocutory ruling from the Stockholm administrative courtThis ruling was purely procedural. It is not to be confused with the ruling of June 2024 from the same court, which reviewed the DPA’s decision and lowered the fine. For more information on the interlocutory ruling and the procedural background of the case, see the comment., the DPA finally issued a decision as the lead supervisory authority. The decision was adopted according to the GDPR’s cooperation procedure and addressed both the complaints and the broader findings of the DPA’s investigation. With regards to the controller’s general practices for handling access requests, the DPA found systematic violations of the right of access. Some of the information in the controller’s responses was incomplete, while other information was complete but unclear, as it was provided in the form of technical log files and without a sufficiently clear explanationThe Court upheld the DPA's reasoning on this point. For more details, please refer to the summary for the DPA's decision.. On these grounds, the DPA held that the controller violated violating Articles 15(1)(a)-(d) and (g), 15(2), and 12(1) GDPR. The DPA issued a 58,000,000 SEK (approximately €5,000,000) fine. With regards to the complaints,
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (1)
Other cases involving IMY in SE
Details
Ruling Date
3 June 2025
Authority
Integritetsskyddsmyndigheten
About this data
Cite as: Cookie Fines. IMY - Sweden (2025). Retrieved from cookiefines.eu
Last updated: