The Swedish Authority for Data Protection (IMY) regularly conducts audits of the handling of personal data within companies. It is important for employers and employees to be aware of how data is stored and handled in their operations. Recently, the handling of personal data within Spotify and Bonnier News has been audited. The following summarises the decisions made by IMY regarding Spotify and Bonnier.
Under the General Data Protection Regulation (GDPR), individuals have the right to know what personal data a business handles about them and how that data is used.
During IMY's audit of Spotify's handling of customers' right to access their personal data, it was found that the company provides the requested personal data to individuals, but it does not adequately inform individuals about how the data is used by the company.
According to IMY, it should be easy for individuals to understand exactly how their data is used by the company. The storage of data should also be explained in individuals' own language, not just in English. The purpose of this requirement is to allow individuals to verify the legality of the handling of their personal data.
IMY determined that the deficiencies were of low severity in the context. Spotify was also found to have taken measures to comply with individuals' access rights. These circumstances were considered mitigating by IMY. As a result of the inadequate information provided by Spotify and considering the mitigating circumstances, IMY imposed an administrative fine of SEK 58 million. The maximum amount that IMY can impose is EUR 20 million or four percent of the annual global turnover, whichever is higher.
Following an audit of Bonnier News' collection and handling of personal data, IMY discovered deficiencies. Bonnier News has collected personal data for use in marketing. The collected data has been used for targeted advertising through the internet, physical mail, and telephone sales.
The collected data includes, for example, purchases made within the Bonnier group and certain browsing behaviors. This data has been supplemented with other purchased personal data, such as information about car ownership, customer gender, postal code, and statistical data based on the residential area, giving indications of individuals' purchasing power and life stage.
Bonnier has stated that the handling of personal data is based on a balancing of interests between the data subjects and the processing necessary for current marketing purposes. However, IMY considers that the data subjects cannot reasonably expect such extensive data to be collected, for example, when visiting a website. Such extensive profiling requires consent; according to IMY, a balancing of interests is not a sufficient legal basis for this processing of personal data.
However, a balancing of interests can, according to IMY, be used as a legal basis when the company processes personal data that does not include browsing history and uses that data for marketing purposes.
The fact that the company has taken various measures to limit privacy intrusion was taken into account in IMY's assessment. IMY imposed a fine of SEK 13 million for the deficiencies.
Both Spotify and Bonnier have users in multiple countries, which is why the decision on the sanction fee has been made in cooperation with other data protection authorities in the EU. It should be noted that both Spotify and Bonnier have appealed IMY's decision. We will provide an update when the administrative court has ruled on the case.
The above decisions from IMY highlight the importance of conscious handling and storage of personal data to comply with the obligations under GDPR.