Spotify – €4,900,000 Fine (Sweden, 2023)

€4,900,000 | Integritetsskyddsmyndigheten | 12 June 2023 | Sweden | final | Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Sweden fined Spotify EUR 4.9 million for not giving users enough information about their data. Spotify didn't clearly explain where users' data came from or how it was shared internationally. This case shows that companies must be transparent about data handling.

What happened

Spotify failed to provide users with clear information about the origin and international transfer of their data.

Who was affected

Spotify users who were not given sufficient details about their data's origin and international transfers.

What the authority found

The Swedish Data Protection Authority found Spotify did not comply with user rights to information under GDPR.

Why this matters

This case highlights the importance of transparency in data handling. Companies must ensure users understand how their data is used, especially regarding international transfers.

GDPR Articles Cited

Art. 12(1) GDPR
Art. 15(1) GDPR

Source verified 5 March 2026: articles corrected, amount discrepancy, date discrepancy

Full Legal Summary

The Swedish Data Protection Authority (DPA) has imposed a fine of EUR 4.9 million on the music streaming provider Spotify. The DPA had launched an investigation after receiving a number of complaints and following a lawsuit filed against Spotify by the Austrian organization 'None of your Business'. In its investigation, the DPA found that Spotify had not sufficiently complied with data subject rights. For example, Spotify failed to provide data subjects with sufficient information about the origin of their data or about international transfers involving their data. Spotify also did not provide information that was difficult to understand, such as information about technical processes, in the data subjects' native language; such information was available only in English. Spotify has already taken measures to comply with the requirements for the handling of data subject requests. In addition, the DPA classified the identified deficiencies as not very serious.

Details

Fine Date: 12 June 2023
Authority: Integritetsskyddsmyndigheten
Fine Amount: €4,900,000
Enforcement Tracker ID: ETid-1876

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Spotify - Sweden (2023). Retrieved from cookiefines.eu
