Sweden’s data protection authority (DPA) levied a fine of 58 million Swedish krona (U.S. $5.4 million) against music streaming service Spotify following an audit of how the company handles customers’ rights to access their personal data.

The Swedish Authority for Privacy Protection acknowledged Spotify is compliant with General Data Protection Regulation (GDPR) rules about providing data access to users when requested but found the company ran afoul of Article 15 of the privacy law by “not inform[ing] clearly enough about how this data is used,” the DPA said in a press release Tuesday.

The details: In January 2019, privacy campaigner Max Schrems filed a complaint, along with two others, alleging Spotify breached Article 15 of the GDPR. The complaint was originally filed in Austria but routed to Sweden, where Spotify’s EU headquarters is located, in line with the GDPR’s one-stop shop mechanism.

The one-stop shop mechanism was established to expedite investigative processes in cross-border cases. In November 2022, Schrems’s privacy rights nonprofit NOYB took the Swedish DPA to court and won, arguing it had a right to due process and the DPA’s three-year investigation had gone on long enough.

The DPA noted Spotify has taken remedial measures to comply with Article 15, and the deficiencies are considered “to be of a low level of seriousness.”

Company response: “Spotify offers all users comprehensive information about how personal data is processed,” a company spokesperson said in an emailed statement. “During their investigation, the Swedish DPA found only minor areas of our process they believe need improvement. However, we don’t agree with the decision and plan to file an appeal.”

The spokesperson added the penalty is “approximately 1 percent of the maximum allowable fine,” and the decision “found us mostly compliant.”