Sanction fines from the Swedish Authority for Data Protection

The Swedish Authority for Data Protection (IMY) regularly conducts audits of the handling of personal data within companies. It is important for employers and employees to be aware of how data is stored and handled in their operations. Recently, the handling of personal data within Spotify and Bonnier News has been audited. The following summarises the decisions made by IMY regarding Spotify and Bonnier.

Spotify

Under the General Data Protection Regulation (GDPR), individuals have the right to know what personal data a business handles about them and how that data is used.

During IMY's audit of Spotify's handling of customers' right to access their personal data, it was found that the company provides the requested personal data to individuals, but it does not adequately inform individuals about how the data is used by the company.

According to IMY, it should be easy for individuals to understand exactly how their data is used by the company. The storage of data should also be explained in individuals' own language, not just in English. The purpose of this requirement is to allow individuals to verify the legality of the handling of their personal data.

IMY determined that the deficiencies were of low severity in the context. Spotify was also found to have taken measures to comply with individuals' access rights. These circumstances were considered mitigating by IMY. As a result of the inadequate information provided by Spotify and considering the mitigating circumstances, IMY imposed an administrative fine of SEK 58 million. The maximum amount that IMY can impose is EUR 20 million or four percent of the annual global turnover, whichever is higher.

Bonnier

Following an audit of Bonnier News' collection and handling of personal data, IMY discovered deficiencies. Bonnier News has collected personal data for use in marketing. The collected data has been used for targeted advertising through the internet, physical mail, and telephone sales.

The collected data includes, for example, purchases made within the Bonnier group and certain browsing behaviors. This data has been supplemented with other purchased personal data, such as information about car ownership, customer gender, postal code, and statistical data based on the residential area, giving indications of individuals' purchasing power and life stage.

Bonnier has stated that the handling of personal data is based on a balancing of interests between the data subjects and the necessary processing for current marketing purposes. However, IMY considers that the data subjects cannot reasonably expect such extensive data to be collected, for example, when visiting a website. According to IMY, such extensive profiling requires consent, and a balancing of interests is not a sufficient legal basis for the processing of personal data.

However, a balancing of interests can, according to IMY, be used as a legal basis when the company processes personal data that does not include browsing history and uses that data for marketing purposes.

The fact that the company has taken various measures to limit privacy intrusion was taken into account in IMY's assessment. IMY imposed a fine of SEK 13 million for the deficiencies.

In summary

Both Spotify and Bonnier have users in multiple countries, which is why the decisions on the sanction fees have been made in cooperation with other data protection authorities in the EU. It should be noted that both Spotify and Bonnier have appealed IMY's decisions. We will provide an update when the administrative court has ruled on the cases.

The above decisions from IMY highlight the importance of conscious handling and storage of personal data to comply with the obligations under GDPR.
