Spotify AB – Court Ruling (Sweden, 2024)

On 12 June 2023, the Swedish DPA (“IMY”) imposed a fine of €5,167,615 (SEK 58 million) on Spotify AB (the controller) for violating the GDPR. The DPA held that the controller did not provide sufficiently clear information in the access request and violated Article 12(1), 15(1)(a) to (d), (1)(g) and (2) GDPR. The controller appealed the DPA’s decision at the Administrative Court of Stockholm (“Förvaltningsrätten I Stockholm”) and requested to annul the DPA’s decision, to impose a reprimand instead of a fine or otherwise reduce the imposed fine. The controller did not agree that with the DPA’s reliance on the guidelines of the EDPB and the Article 29 Working Party for their decision, as these were not legally binding. The controller argued that there was no requirement of how the information on categories of personal data should be presented under Article 15(1)(b) GDPR and thus it complied with the provision regardless of the generalised information. Also, the controller argued that there was a link to the privacy policy that had a more detailed description of the different categories. The controller further argued there was no obligation to provide information on the storage periods in relation to each category of personal data under Article 15(1)(d) GDPR, to provide precise information on the criteria for determining the storage periods and to provide information on which third countries the personal data was transferred to under Article 15(2) GDPR. Moreover, the controller argued that there was also no obligation to provide an explanation to the codes and numbers relating to personal data contained in the technical log files. There was also no obligation to provide this explanation in a specific language other than English. EDPB’s Guidelines The court agreed with the controller that the EDPB and Article 29 Working Party Guidelines are not legally binding. However, the court held that they can be used to support the interpretation of the GDPR. The court further