GDPR Article 15 Information

Your privacy and the security of your personal data is, and will always be, enormously important to us. Below you will find the information Spotify is required to provide about its processing of your data, under Article 15 of the GDPR.

Confirmation as to whether or not personal data about you is being processed

If you use the Spotify service, we process your personal data as outlined below and further detailed in our Privacy Policy.

Categories, purpose of the processing, relevant recipients and source of collection of personal data

Below you will find information regarding which categories of personal data we process about you, the related purposes of the processing, the recipients to whom the personal data may be disclosed and, where the personal data are not collected from you, information as to their source.


Purpose of the processing
Recipients or categories of recipients* Recipients of pseudonymised personal data*** Source (if not collected from you directly)


To provide and personalize the Spotify Service.

To understand, diagnose, troubleshoot, and fix issues with the Spotify Service.

To evaluate and develop new features, technologies, and improvements to the Spotify Service.

For marketing, promotion, and advertising purposes.

To comply with legal obligations and law enforcement requests.

To fulfill contractual obligations with third parties, for example licensing agreements and to take appropriate action with respect to reports of intellectual property infringement and inappropriate content.

To process your payment.

To establish, exercise, or defend legal claims.

To conduct business planning, reporting, and forecasting.
 


Other Spotify group companies in daily business operations.

Service providers that work on our behalf which may need access to certain personal data in order to provide their services to us.

Applications you choose to connect to your account or use to log into Spotify. (Third party applications and devices)

Users of the Support Community if you publicly post comments, questions or advice in the Support Community. (Spotify support community)

Where you have given us permission, artists and record labels to send you news and promotional offers. (Artists and record labels)

Your mobile provider or other service provider if you have received the Spotify Service through them. (Spotify partners)

Legal authorities in those instances where we in good faith believe it is necessary for us to disclose information in order to comply with a legal obligation, or respond to valid legal process, such as a search warrant, a court order, or a subpoena. (Law Enforcement and data protection authorities)
 

Where needed in connection with a company acquisition or merger, with appropriate prior notice to you. (Purchasers of our business)
 


Academic researchers for activities such as statistical analysis and academic study. (Academic researchers

Music industry partners to help them understand how the content they license to us is performing and to enable you to listen to streaming content via the Spotify Service. (Artists and record labels)

Marketing partners to help us with promotional efforts and advertisers that allow us to offer a free service. (Service providers and Advertising partners)
 


If you use a third party service to create an account, we will receive personal data via that third party service but only when you have consented to that third party service sharing your personal data with us.*
 
Purpose of the processing Recipients or categories of recipients* Recipients of pseudonymised personal data*** Source (if not collected from you directly)


To provide and personalize the Spotify Service.

To understand, diagnose, troubleshoot, and fix issues with the Spotify Service.

To evaluate and develop new features, technologies, and improvements to the Spotify Service.

For marketing, promotion, and advertising purposes.

To comply with legal obligations and law enforcement requests.

To fulfill contractual obligations with third parties, for example licensing agreements and to take appropriate action with respect to reports of intellectual property infringement and inappropriate content.

To establish, exercise, or defend legal claims.

To conduct business planning, reporting, and forecasting.
 

Other Spotify group companies in daily business operations.

Service providers that work on our behalf which may need access to certain personal data in order to provide their services to us.

Applications you choose to connect to your account or use to log into Spotify. (Third party applications and devices)

Users of the Support Community if you publicly post comments, questions or advice in the Support Community. (Spotify support community)

Legal authorities in those instances where we in good faith believe it is necessary for us to disclose information in order to comply with a legal obligation, or respond to valid legal process, such as a search warrant, a court order, or a subpoena. (Law Enforcement and data protection authorities)
 

Where needed in connection with a company acquisition or merger, with appropriate prior notice to you. (Purchasers of our business)
 

Academic researchers for activities such as statistical analysis and academic study. (Academic researchers

Music industry partners to help them understand how the content they license to us is performing and to enable you to listen to streaming content via the Spotify Service. (Artists and record labels)

Marketing partners to help us with promotional efforts and advertisers that allow us to offer a free service. (Service providers and Advertising partners)
 

We may receive personal data via Third Party Applications and advertising you receive.
Purpose of the processing Recipients or categories of recipients* Recipients of pseudonymised personal data*** Source (if not collected from you directly)


To provide and personalize the Spotify Service.

To comply with legal obligations and law enforcement requests.

To establish, exercise, or defend legal claims.

To detect fraud, including fraudulent payments and fraudulent use of the Spotify Service.
 


Other Spotify group companies in daily business operations.

Service providers that work on our behalf which may need access to certain personal data in order to provide their services to us.

Third party partners to help you verify your address and enable your use of certain plans on the Spotify Service. (Spotify partners)

Legal authorities in those instances where we in good faith believe it is necessary for us to disclose information in order to comply with a legal obligation, or respond to valid legal process, such as a search warrant, a court order, or a subpoena. (Law Enforcement and data protection authorities)
 

Where needed in connection with a company acquisition or merger, with appropriate prior notice to you. (Purchasers of our business)
 

N/A We may receive personal data via third party applications.

Data which enables you to use voice features if such features are available in your market.

Purpose of the processing Recipients or categories of recipients* Recipients of pseudonymised personal data*** Source (if not collected from you directly)

 
To provide and personalize the Spotify Service.

To evaluate and develop new features, technologies, and improvements to the Spotify Service.

For marketing, promotion, and advertising purposes.

To comply with legal obligations and law enforcement requests.

To establish, exercise, or defend legal claims.
 

Other Spotify group companies in daily business operations.

Service providers that work on our behalf which may need access to certain personal data in order to provide their services to us.

Legal authorities in those instances where we in good faith believe it is necessary for us to disclose information in order to comply with a legal obligation, or respond to valid legal process, such as a search warrant, a court order, or a subpoena. (Law Enforcement and data protection authorities)
 

Where needed in connection with a company acquisition or merger, with appropriate prior notice to you. (Purchasers of our business)
 

N/A

We may receive personal data via third party applications.

Data needed to process any payments you make and administer any subscriptions you have.

Purpose of the processing Recipients or categories of recipients* Recipients of pseudonymised personal data*** Source (if not collected from you directly)


To process your payment.

To provide and personalize the Spotify Service.

To comply with legal obligations and law enforcement requests.

To fulfill contractual obligations with third parties, for example licensing agreements and to take appropriate action with respect to reports of intellectual property infringement and inappropriate content.

To establish, exercise, or defend legal claims.

To conduct business planning, reporting, and forecasting.
To detect fraud, including fraudulent payments and fraudulent use of the Spotify Service.
 


Other Spotify group companies in daily business operations.
 
Service providers that work on our behalf which may need access to certain personal data in order to provide their services to us.

Your mobile provider or other service provider if you have received the Spotify Service through them. (Spotify partners)

Legal authorities in those instances where we in good faith believe it is necessary for us to disclose information in order to comply with a legal obligation, or respond to valid legal process, such as a search warrant, a court order, or a subpoena. (Law Enforcement and data protection authorities)
 

Where needed in connection with a company acquisition or merger, with appropriate prior notice to you. (Purchasers of our business)
 

N/A If you choose to pay for a service or feature by invoice, we may receive data from our payment partners to enable us to send you invoices, process your payment and provide you with what you’ve purchased.

Data which enables you to participate in contests, sweepstakes and surveys.

Purpose of the processing Recipients or categories of recipients* Recipients of pseudonymised personal data*** Source (if not collected from you directly)

 
To conduct research, contests, surveys, and sweepstakes.

To comply with legal obligations and law enforcement requests.

To establish, exercise, or defend legal claims.
 

 
Other Spotify group companies in daily business operations.

Applications you choose to connect to your account or use to log into Spotify. (Third party applications and devices)

Where you have given us permission, artists and record labels  (Artists and Record Labels), or other promotional partners, to send you news and promotional offers. (Artists and record labels)

Service providers that work on our behalf which may need access to certain personal data in order to provide their services to us.

Legal authorities in those instances where we in good faith believe it is necessary for us to disclose information in order to comply with a legal obligation, or respond to valid legal process, such as a search warrant, a court order, or a subpoena. (Law Enforcement and data protection authorities)
 

Where needed in connection with a company acquisition or merger, with appropriate prior notice to you. (Purchasers of our business)
 

N/A

We may receive personal data via third party applications and advertising you receive depending on the promotion.

 * Please note that certain personal data you share on the Spotify Service is publicly available to users and non-users, including your username, profile picture, who you follow and who follows you, your recently played artists, and your public playlists. Please see Section 5 of our Privacy Policy for further details.

** These types of personal data  may be processed depending on your Spotify settings and device settings, and whether you actively participate in e.g. contests or surveys.

*** 'Pseudonymized format' means that we provide information in a way that cannot be attributed to specific Spotify users without the use of additional information that we do not provide to the other party.

International transfers 

As described above, Spotify may share personal data globally with Spotify group companies, our service providers and partners, etc. When personal data is transferred from the European Economic Area (EEA), we ensure that the transfer is carried out in accordance with applicable data protection and privacy laws and that technical and organizational measures and, in particular, appropriate safeguards are in place, such as the Standard Contractual Clauses approved by the EU Commission. 

Criteria for the retention of personal data 

We keep your personal data only as long as necessary to provide you with the Spotify Service and for legitimate and essential business purposes, such as maintaining the performance of the Spotify Service, making data-driven business decisions about new features and offerings, complying with our legal obligations, and resolving disputes. Criteria used to determine the retention periods include:

  • Default retention periods are set to encourage data minimization.
    Our internal systems are set up to age out personal data in a short period of time by default (90 days), unless a longer period is affirmatively selected based on a legitimate business reason.
  • Do we need to retain data to ensure the service that customers expect? 
    Personal data is retained for an appropriate period to deliver a personalized service to our customers over time.  We typically keep streaming history for the life of an account, for example, to provide retrospective playlists that customers enjoy -- such as Your Summer Rewind and the end-of-year Wrapped campaign -- as well as personalized recommendations based on current listening habits.
  • Are customers able to update or delete the data themselves? 
    Where customers are able to see and update the personal data themselves, we keep the information for as long as the customer chooses.  For example, your Spotify email address and other profile information will be retained until you choose to change it yourself.
  • Is Spotify subject to a legal or contractual obligation to keep or delete the data?
    Examples can include mandatory data retention laws in the applicable jurisdiction, government orders to preserve data relevant to an investigation or data retained for the purposes of litigation. Conversely, if we are required by law to remove unlawful content, we will do so.

Your rights

According to the General Data Protection Regulation you are granted certain rights in relation to the processing of your personal data. As available and except as limited under applicable law, the rights afforded to you are:

  • Right of access - the right to be informed of, and request access to, the personal data we process about you;
  • Right to rectification - the right to request that we amend or update your personal data where it is inaccurate or incomplete;
  • Right to erasure - the right to request that we delete your personal data;
  • Right to restrict - the right to request that we temporarily or permanently stop processing all or some of your personal data;
  • Right to object -
    • the right, at any time, to object to us processing your personal data on grounds relating to your particular situation;
    • the right to object to your personal data being processed for direct marketing purposes;
  • Right to data portability - the right to request a copy of your personal data in electronic format and the right to transmit that personal data for use in another party’s service

If you have concerns around our processing of your personal data, we hope you will continue to work with us to resolve them. However, you can also contact and have the right to lodge a complaint with the Swedish Data Protection Authority (Datainspektionen) or your local Data Protection Authority.

You can find out more about your rights described above and the controls we provide to all Spotify users with respect to these rights in the Your Rights section contained in the Privacy Center. If you have any questions about your privacy, your rights, or how to exercise them, please see Section 3 of our Privacy Policy or contact our Data Protection Officer using the Contact Us form on the Privacy Center.

Automated decision making

You have a right to not be subject to a decision based solely on automated decision making, including profiling, where the decision would have a legal effect on you or produce a similarly significant effect. However, Spotify does not carry out any of this type of automated decision making in the Spotify Service.

Obtaining a copy of your personal data

If you have not already requested your personal data and are interested in receiving that information you can get a ZIP file with a copy of most of your personal data by using the automated Download your data function on the Privacy Settings section of your account page. The download will include information about your playlists, streaming history and searches, a list of items saved in your library, the number of followers you have, the number and names of the other users and artists you follow, and your payment and subscription data. For more detailed information about what is included in each file of your download, please see Understanding My Data.

If you have requested a copy of your personal data either via our Download your data functionality or through our support team, you should have received an email letting you know that the data is ready for download or will receive one shortly.

If you would also like to receive the technical log information we collect to provide and troubleshoot the Spotify service, extended streaming history, or have a special data request, please contact our Customer Service or email us at privacy@spotify.com to clarify your request.

Please visit our Privacy Center for additional information about personal data processing in the Spotify Service and how to manage your choices. 


 

Last updated: 26 November, 2020

Was this article helpful?