The Swedish Data Protection Authority (Datainspektionen) has opened an inquiry into how the music streaming provider Spotify handles data subject access requests.

The questions posed in the inquiry are a useful checklist for companies structuring their procedures for responding to access requests under the General Data Protection Regulation and/or the California Consumer Privacy Act, in particular on two points that are easy to get wrong: how profiling data is disclosed, and how encrypted or encoded personal data is made intelligible to the requester:

  • What information is provided and how (e.g. online, in the copy of personal data or otherwise)?
  • If the information is only provided on the web, how do you ensure that the data subject actually receives it (e.g. an information box, pop-up window, link, etc.)?
  • Do you exclude certain categories of personal information from the copy provided? Under what exemption?
  • If you analyze user behavior in the service through so-called profiling (e.g. song selection, songs skipped or interrupted, etc.), how is this data reflected in the copy of personal data?
  • How do you ensure that all information provided is given in a concise, clear, understandable and easily accessible form?
  • Do you leave out encrypted or encoded personal data from the copy and, if so, which data? Do you attach a key for decoding it, or otherwise ensure that the data subject can actually understand the information?

Details from the Swedish DPA.