The Swedish Data Protection Authority Investigates the Right to Access Under the GDPR

On June 11, 2019, the Swedish Data Protection Authority (Datainspektionen, DPA) launched an investigation regarding the processing of personal data of the registered users of Spotify services.

More specifically, the DPA focuses its investigation on the way Spotify handles data subject access requests and will assess the legality of the general procedures in place when a data subject files a request regarding access to personal data processed by Spotify.

The investigation started after the DPA had received a number of complaints from registered Spotify users with respect to their right of access pursuant to article 15 of the GDPR. The DPA expressed that its decision was also motivated by the fact that Spotify is an important player that processes a significant amount of personal data of a great number of data subjects.

Spotify is requested to provide information on the following aspects of how it handles access requests: 1. which information is provided to the data subject, 2. what information is included in the provided copy of personal data and 3. under which form the information is provided to the data subject. The requested information will have to be submitted by 1 July 2019. The DPA will then assess the compliance with GDPR and issue a decision in that respect. To read the full text of the letter of the Data Protection Authority in Swedish, please click here, and the press release, please click here.

Although no decision has been rendered yet, this initiative of the Swedish DPA underlines the importance for companies of having its data subject request procedures up and running. Indeed, the investigations of the authorities are nowadays often triggered by complaints from data subjects who have become fully aware of their rights. The timely and complete answers to such requests should therefore be a priority for companies in particular when their activities implicate a significant amount of personal data and data subjects.