C015 Spotify

Data Subject Rights
Case project
Filing DPA
Controller
Spotify
Case status
Won
Filed: (5 years 2 months ago)

This case is part of a series of complaints on incomplete answers to access requests (a very common problem). These cases were also intended to develop further information on the functioning of the EU cooperation mechanism. So far not a single case have been decided.

Protocol
Date Summary
27.02.2023
noyb responds to DSB request
17.02.2023
DSB communicates IMY final investigation report and asks for noyb input
31.01.2023
noyb seeks and receives updates from Swedish lawfirm
19.12.2022
IMY appeals against the Court of Appeal rejection
12.12.2022
IMY appeals against the Court of Appeal rejection
05.12.2022
Court of Appeal rejects IMY appeal
17.11.2022
IMY appeals first instance decision
01.11.2022
Stockholm Court sides with noyb
19.09.2022
noyb appeals rejection by DSB
22.08.2022
DSB rejects submission of 8 June
27.07.2022
noyb replies to IMY submissions
21.06.2022
noyb files appeal against IMY before the Stockolm Admin Court
08.06.2022
noyb requires the DSB to take a position on IMY rejection
02.06.2022
IMY rejects noybs request to decide the matter

Main reason to do so: noyb is not a party to the proceeding

12.05.2022
noyb sends IMY go ahead and decide letter
11.05.2022
noyb sends IMY go ahead and decide letter
29.09.2021
noyb seeks update from DSB

noyb seeks update with the DSB

19.01.2021
IMY grants partial access to the file following noybs request
18.01.2021
IMY informs noyb about us not being party to the procedure and noyb files access to the IMY file
18.01.2021
noyb informs the DSB the accessed file is incomplete and request full access
12.01.2021
DSB grants access to the file following noyb request under 17 AVG
01.01.2021
back and forth between noyb and IMY check email exchange in the folder

back and forth between noyb and IMY.

10.07.2020
noyb inquires whether IMY is going to formally handle the complaint

Does this mean that our complaint is not being handled by the Swedish DPA but that a general audit of Spotify's policies, indepedent of our complaint, is being conducted instead?

10.07.2020
IMY informs noyb an audit on Spotify is being carried out

In June 2019 the Swedish DPA initiated an audit as regards Spotify and how they handle data subjectsrequests pursuant to the right of access. The audit was initiated due to complaints concerning Spotify. The audit however focus on the general policies of the company in relation to the right of access and not on how the company has handled the specific request made by the complainants. Spotify has submitted an opinion on the 31th of July 2019, and a supplementing opinion on the 15th of November 2019. The Swedish DPA has not yet issued a decision in the case.

09.07.2020
noyb seeks update by IMY
08.07.2020
noyb seeks update with the LSA IMY replies
18.05.2020
noyb seeks update from DSB
23.12.2019
noyb requests access to the case file
16.12.2019
DSB informs noyb on the Status

Following our previous update request the DSB informs us that they have forwarded the question to IMY and were told that the Swedish supervisory authority is conducting an ongoing investigation into spotify's guidelines with regard to the right of access.

10.10.2019
noyb seeks update by the DSB
17.07.2019
noyb provides the new mandate
05.07.2019
DSB requests new mandate and confirms IMY as LSA

The procedure initiated at the same time to determine the lead supervisory authority (Art. 56 DSGVO) has shown that the Swedish supervisory authority (Data Inspection Board) will act as the supervisory authority in this case. The Swedish supervisory authority has initiated investigations (audit) against the respondent.

05.06.2019
noyb seeks update from DSB

noyb requests whether a decision on the LSA has been reached

06.05.2019
noyb seeks update from DSB
15.04.2019
noyb seeks update from DSB
31.01.2019
DSB stays the Procedure and looks for LSA

The DSB stays the procedure while the LSA has been identified.

18.01.2019
Complaint filed with DPA

Complainant claims violation of Article 15 GDPR due to incomplete response provided by the controller.