Spotify, the music streaming giant, has been fined 58 million kronor (USD 5.4 million) by the Swedish Authority for Privacy Protection (IMY) for violating the EU’s General Data Protection Regulation (GDPR). The fine was imposed after a complaint by Noyb, a privacy rights group, which claimed that Spotify did not provide adequate information to users about how their personal data was processed and used by the company. Spotify has denied the allegations and said it plans to appeal the decision.

According to IMY, Spotify failed to inform users clearly enough about the purposes, recipients and legal basis of processing their personal data, as well as their rights to access, rectify and erase such data. IMY said that this lack of transparency made it difficult for users to understand and control how their data was handled by Spotify. IMY also noted that Spotify had taken some measures to improve its data practices, but they were not sufficient to avoid the fine.

Spotify said in a statement that it offers all users comprehensive information about how their personal data is processed and that it disagrees with IMY’s decision. The company said it has been working closely with IMY throughout the investigation and has made several changes to its data policies and procedures. Spotify said it believes that it complies with the GDPR and that it will file an appeal against the fine.