In its decision IMY states that there have been no minor infringements, and an administrative fine should therefore be issued. The basis for calculating the administrative fine is the annual turnover reported by Spotify Technology S.A in 2022, which was SEK 132 billion. The maximum amount of the fine that can be determined based on that number is SEK 5.28 billion, which is four percent of the annual turnover.
In assessing the seriousness of the infringements, IMY takes into account several aspects, including the following. IMY notes that the infringements have been able to affect a large number of data subjects, they have been going on for a long period of time, and the lack of information has meant that data subjects have been unable to exercise their rights. The data subject's right of access risks being lost, due to the difficulties in understanding which parts of their personal data has been processed and how. Thus, the data subjects have not been able to check whether the processing has been lawful. Furthermore, Spotify's processing of personal data has included a large amount of information about each data subject which also affects many data subjects in several countries.
At the same time, IMY notes that the processing does not include special categories of personal data. In addition, processing takes place within the framework of a customer relationship in the provision of a music streaming service, which normally does not have such a major impact on the data subjects. IMY further acknowledges that Spotify has had challenges in providing the comprehensive information about complex personal data processing. The supervisory authority also considers the fact that the company had, by its own initiative, taken several measures and put extensive work into developing and improving processes for access requests before the supervision matter was initiated by IMY. Further, there has been a lack of guidance on how the information should be provided, and at what level of detail. In summary, IMY concludes that the infringements are of low severity and that the administrative fine should be set relatively low in relation to the current maximum amount. At this stage, IMY recognises that the high turnover on which the fine is calculated should also be taken into account.
When determining the amount of the administrative fine, IMY considers mitigating circumstances. It has been possible for the data subjects to contact Spotify's customer service through several different channels to obtain further individualized information, and the company has made updates in the information to data subjects so they can understand the specific personal data processing that is applicable to their unique use. IMY also recognises that the data subjects have been given the opportunity to have their Spotify description explained or translated into their local language.
Considering the above, IMY sets the administrative fine at SEK 58 million, approximately 1 percent of the maximum possible amount of the fine. The supervisory authority writes that the amount is effective, proportionate and dissuasive, and is in accordance with the GDPR.