KR - 4512-24
Swedish court upholds €5M GDPR fine against Spotify for inadequate data access responses.
Summary
Sweden's Stockholm Court of Appeal upheld a €5,000,000 fine against Spotify for systematically failing to adequately respond to GDPR data access requests (Article 15) between November 2021 and May 2022. The DPA found that Spotify's responses were incomplete, unclear, or provided only in technical formats without sufficient explanation. The court confirmed the fine was proportionate despite finding fewer individual infringements than the original DPA decision.
Full text
Latest revision as of 08:57, 16 April 2026
KR - 4512-24
Court: KamR Stockholm (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 12(1) GDPR; Article 15(1)(a) GDPR; Article 15(1)(b) GDPR; Article 15(1)(d) GDPR; Article 15(1)(g) GDPR; Article 15(1)(c) GDPR; Article 15(2) GDPR; Article 83(3) GDPR
Decided: 03.06.2025
Published:
Parties: IMY; Spotify AB
National Case Number/Name: 4512-24
European Case Law Identifier:
Appeal from: IMY (Sweden), DI-2019-6696
Appeal to: Unknown
Original Language(s): Swedish
Original Source: KR (in Swedish)
Initial Contributor: cci
The Administrative court of appeal of Stockholm upheld a 58,000,000 SEK (approximately €5,000,000) fine against Spotify for systematically failing to adequately respond to access requests. An Administrative court had previously lowered the fine to 40,000,000 SEK.
English Summary
Facts
The DPA’s fine
Spotify (the data controller) provided customers (the data subjects) with an online function to download their data directly from the controller’s online platform. This download function was meant to provide data subjects with a response to their access requests. In 2019 three complaints were filed in Austria, the Netherlands, and Denmark.
The complainants used the controller’s download function and claimed that they did not receive clear and complete information. The data subject who filed a complaint in Austria was represented by noyb. In response to the complaints, the DPA launched an ex officio investigation into Spotify’s handling of access requests from customers. In 2023, after years of inactivity and an interlocutory ruling from the Stockholm administrative court[1], the DPA finally issued a decision as the lead supervisory authority. The decision was adopted according to the GDPR’s cooperation procedure and addressed both the complaints and the broader findings of the DPA’s investigation. With regard to the controller’s general practices for handling access requests, the DPA found systematic violations of the right of access. Some of the information in the controller’s responses was incomplete, while other information was complete but unclear, as it was provided in the form of technical log files and without a sufficiently clear explanation[2]. On these grounds, the DPA held that the controller violated Articles 15(1)(a)-(d) and (g), 15(2), and 12(1) GDPR. The DPA issued a 58,000,000 SEK (approximately €5,000,000) fine. With regard to the complaints, the DPA found several violations relating to the content, clarity, and timing of the responses to the Austrian and Dutch complainants. The DPA issued a warning and ordered the controller to properly respond to the access requests of the Austrian and Dutch complainants in a clearer and more accessible way. The DPA found no violations with regard to the Danish complaint.
The appeals
The controller later challenged the decision before the Stockholm administrative court. In its ruling, the Court upheld some of the DPA’s findings but lowered the fine to SEK 40,000,000 (approximately €3,484,720 at the time). In turn, the DPA challenged the ruling before the Stockholm court of appeal, claiming the original €5,000,000 fine was appropriate.
The Court of appeal had to assess whether the controller violated Articles 12(1) and 15 GDPR between November 2021 and May 2022 by failing to respond properly to access requests, and whether the controller infringed Articles 12 and 15 when dealing with the Austrian and Dutch access requests specifically.
Holding
The Court found fewer infringements than the DPA[3] did but upheld the DPA's €5,000,000 fine nonetheless. In this regard, the Court held that the original fine was proportionate to the severity of the controller's conduct and clarified that the number of infringements was immaterial to the calculation of the fine in the case at hand. The ruling largely focused on the controller’s general practices for handling access requests. However, the Court also ordered the controller to respond adequately to the requests from the complainants within one month of the decision becoming final. Additionally, the Court upheld the DPA’s warning over the inadequate responses to the complainants.
On Articles 15(1)(d) and 15(2)
The controller used vague and imprecise terms to describe its data retention periods and its safeguards for transfers of personal data to third countries. On this basis, the DPA and the Administrative court held that the controller violated Articles 15(1)(d) and (2) GDPR as well as Article 12(1). The Court of appeal mostly upheld these findings. However, the Court also held that the DPA did not convincingly show that Article 12(1) was violated specifically[4] by the information provided to fulfill the requirements of Article 15(2).
On the language of Spotify’s explainers
The DPA and the Administrative court both held that the controller further violated Article 12(1) because the detailed descriptions of the data in the technical log files were only available in English. The Administrative court of appeal reversed this finding and held that no violation of the Article took place by only including an English explainer.
In this regard, the Court observed that the controller informed data subjects that they could request a translation. Furthermore, the Court pointed out that higher level information was provided in the data subject’s own language.
On the determination of the fine
The DPA imposed a fine of €5,000,000 over a number of violations, including Articles 5(1)(a)-(d) and (g) GDPR. The Administrative court of appeal did not uphold the violations of Article 15(a)-(d) and (g) GDPR and lowered the fine. The Administrative court of appeal confirmed that the controller did not violate Articles 5(1)(a)-(d) and (g) GDPR. However, the Court also found that the DPA's fine was proportionate to the severity of the controller's infringements and upheld its original (and higher) amount. In this regard, the Court held that under Article 83 GDPR, fines must be determined on the basis of the controller's overall conduct and the seriousness of the infringements. Therefore, the Court clarified that a lower number of infringements is not, in and of itself, grounds for lowering a fine[5].
Comment
The procedural background of the DPA’s decision was somewhat complex. The DPA’s investigation was formally ex officio despite having been prompted by three complaints. For this reason, the DPA held that the complainants were not parties in the proceedings and did not enjoy the corresponding procedural rights. The status of the complainants later became a point of contention: when the Austrian complainant challenged the DPA’s inactivity, the DPA claimed that the complainant was not a party and, therefore, had no standing before the Administrative court. In its 2022 ruling, the Stockholm administrative court held that the complainant enjoyed party status in the proceedings before the DPA. The Court also clarified that the fact that the complaint was cross-border was not relevant to the determination of the complainants’ status as parties. On this basis, the Court ordered the DPA to issue a decision.
This ruling is not to be confused with the 2024 ruling