Introduction and scope
This Policy applies to all Personnel regardless of work location. Spotify may also introduce local policies in certain locations to comply with applicable privacy laws, and in case there are any inconsistencies with this Policy, the local policies will prevail.
For the purposes of this Policy, the terms referenced are defined as follows:
- “Personnel” includes full-time, part-time and temporary employees, contractors and consultants of Spotify. 1
- “Spotify” means the local Spotify entity which is responsible for the collection and use of your Personal Data, in its capacity as your employer or the company with which you have a contractor, consultancy or similar agreement. 2
- “Personal Data” means any information which relates to you as a directly or indirectly identified or identifiable employee, contractor or consultant.
1. For avoidance of doubt, to the extent that this policy may refer to contractors and consultants as employees, doing so will not create an employee-employer relationship; rather, the contracts between the parties control the parties’ relationship.
2. For the avoidance of doubt, in Russia the local Spotify entity is Spotify OOO, registered at room 52, 8 floor, building 1, 16A, Leningradskoe shosse, Moscow, 125171, Russia.
How we collect your Personal Data
Subject to applicable laws, we obtain your Personal Data:
- through publicly accessible sources such as government agencies, e.g. tax authorities; and
- during the course of job related activities, throughout the period of you working at Spotify.
How and why we process your Personal Data
As an employer, we need to collect and use certain Personal Data about our Personnel where it is required to perform the contract we have entered into with you, to comply with collective agreements or legal obligations, to fulfil our legitimate interests as an employer and company and to achieve other purposes specified in the contracts with you, our local policies or your consent to processing of your personal data. If you require further information about the balancing test that Spotify has undertaken to justify its reliance on the legitimate interest legal basis, please see our contact details at the end of this Policy.
The section below outlines the different categories of Personal Data that we will collect, how we use it and the legal ground(s) that the data processing is based upon. The ‘data’ detailed under each heading below is designed to provide as transparent and comprehensive a list as possible but may not always be exhaustive or relevant to your location. Please note that we may process your Personal Data without any additional notification or consent, in compliance with the below rules, where this is required or permitted by law.
Administering your employment/engagement
- Data -- Name, gender, date of birth, national ID number, contact details including your personal email address, home address, nationality, position, recruitment data, salary and benefits, proof of work status and work permit, bank details, tax details, records of absence, e-mails, username and log-in details to work-related systems, internal communication and other data necessary to administer your employment/engagement.
- Purpose -- Registering you as Personnel, paying your salary or other payments and associated taxes and charges to governmental authorities, for legal reporting purposes, reimbursing expenses, for financial purposes (including accounting and analytics of this data), providing you with the benefits you are entitled to or tools you need to perform your work, and, as necessary in combination with the Personal Data set out below, in order to be able to fulfil the other purposes of this Policy.
- Legal basis -- Performance of contract, legal obligation, your consent
Administering Spotify for Personnel, events and similar activities
- Data -- Voluntary information about you and your dependents, your photo and other data that you may post on Workplace and similar, Spotify service account details and usage data, information about participation in events or other activities organised by Spotify including food and drink preferences, clothing size, etc. In case of emergency, your location may also be collected through the International SOS App.
- Purpose -- Administering benefits such as life/medical insurance, internal communications, setting up free Spotify Premium for employees including running of nightly beta builds, tests and user research, administering and running Spotify events and activities, recruitment efforts, sending gifts or flowers in case of a life event, and distributing Spotify swag in the right size. In case of emergency, we may also process your reported location to ensure that you are safe and contact your near ones.
- Legal basis -- Legitimate interest, your consent
Career development and planning
- Data -- Personal Data that may be collected may reflect evaluation of your job performance and may include, for example, output from performance reviews, feedback from co-workers and yourself, your satisfaction with your current role, career and development goals, focus areas, personal values and behavioral preferences, group development questions, performance metrics, including through third party applications used to perform your job, and survey responses, excluding any which have been completed anonymously.
- Purpose -- Enabling you to develop your career and give you and your team relevant training, tools and other support. We may also ask you to provide data around your well-being for planning purposes and in order to manage workloads and expectations. Information described in this paragraph is only available to other employees who need the information to evaluate, assess and follow up your performance and career development.
- Legal basis -- Performance of contract, legitimate interest, your consent
Identifying and protecting work products and other assets
- Data -- During and after the term of your employment/engagement some of your professional details such as your name, email and username will be associated with work products you produce or contribute to. For example, your name and email address will be associated with documents you produce or emails you send.
- Purpose -- This link between your identity and your work product is to allow you to communicate and collaborate with internal and external stakeholders and to allow Spotify to understand the context in which such material has been produced, when it was produced, and by whom or when IT systems, data and workplaces have been accessed. It also allows us to protect our interests as an employer in relation to any know-how and intellectual property rights related to such material.
- Legal basis -- Performance of contract, legitimate interest, compliance with applicable law requirements, your consent
- Data -- We may monitor Personal Data and network traffic through internal websites and work related systems, servers and networks including, but not limited to, Antivirus and Computer management systems. We may also collect system interactivity through measurement tools on internal websites. Under certain circumstances, work-related emails may be monitored. Further, monitoring may include use of staff ID to access Spotify offices and printers.
- Purpose -- To protect Spotify data, assets, contractors and employees by detecting, and where necessary, investigating and resolving security incidents or threats, and to monitor that employees and contractors comply with Spotify’s internal policies. Monitoring may also be carried out when there is a legal obligation to monitor a certain activity, if necessary to carry out a legal investigation, or for the establishment, exercise or defence of legal claims. In addition, monitoring may be carried out to learn about and improve our organisation and processes, e.g. by measuring employees’ and contractors’ system interactivity on an aggregate level.
- Legal basis -- Legitimate interest, legal obligation, your consent
Processing of sensitive personal data
- Data -- In certain limited circumstances and only where permitted by local laws, we may collect so-called “special categories” of Personal Data like health and sickness records including information about allergies, trade union membership, disability, gender reassignment, pregnancy, race, religion or belief, and sexual orientation.
- Purpose -- To register and administer sick leave and parental leave, to assess your working capability on health grounds, equal opportunities monitoring and reporting, to provide rehabilitation if needed, to handle legal claims or to carry out other legal obligations as an employer.
- Legal basis -- If necessary to carry out the obligations and exercise specific rights in the field of employment; if the data is manifestly made public by the data subject; if necessary for the establishment, exercise or defence of legal claims; or, in limited circumstances involving the processing of particularly sensitive data, explicit consent.
How your Personal Data is shared or disclosed
In this section, we have outlined how your Personal Data will be shared by Spotify, both internally and externally:
- Internally within the Spotify Group: Your Personal Data may be shared between different functions and Spotify entities if there is a legitimate business interest for that function or entity to access the data. Some of your professional details will also be available to all other employees and contractors who have access to the Spotify intranet and in systems used for communication and collaboration.
- Third Parties / Service Providers: We may share your Personal Data with service providers for the purpose of administering certain employment-related functions, such as insurances, health care providers, payroll, expenses, etc. We may also share your Personal Data with providers of IT systems, including messaging services that you use as an employee or contractor, and with external advisors (including, but not limited to, independent public accountants, auditors or attorneys). In addition, where permitted by law, Personal Data may be disclosed in connection with a corporate restructuring, sale, or assignment of assets, merger, divestiture, or other changes of control of Spotify (or any of its affiliates). These third parties are contractually bound to treat your Personal Data in a confidential and secure manner and we evaluate their information security practices and compliance with applicable privacy laws to help ensure that they have sufficient controls in place to protect your Personal Data.
- Legal / regulatory reasons: We may also share your Personal Data when we in good faith believe it is necessary for us to do so in order to comply with a legal or regulatory obligation (e.g. to tax or law enforcement authorities or trade unions), in order to investigate criminal or fraudulent activities, comply with our legal obligations, defend Spotify against claims or to protect Spotify’s or third parties’ rights and property, or based on your consent.
Where Personal Data collected within the EU and Switzerland is transferred to countries outside of the EU and Switzerland, in the absence of an adequacy decision by the EU Commission, appropriate safeguards are taken to protect the Personal Data, such as the Standard Contractual Clauses approved by the EU Commission. If you require a copy of the applicable set of Standard Contractual Clauses, please see our contact details at the end of this Policy. Where Personal Data is collected in other countries, Spotify will use other appropriate safeguards provided by applicable law.
How we protect your Personal Data
We are committed to protecting personal data of our Personnel. We have implemented appropriate technical and organizational measures to help protect the security of your personal data. These measures include appointment of a Data Protection Officer, implementation of internal controls of processing of personal data to ensure compliance with applicable law, and implementation of various policies including access, and retention policies to guard against unauthorized access and unnecessary retention of personal data in our systems. Access to Personal Data is strictly limited to authorized Spotify personnel who require access to perform their job functions, and to duly authorized third parties that are contractually required to keep your information confidential and secure.
When we collect personal data of Russian citizens, we record, systematize, accumulate, store, correct (update, alter), and retrieve such personal data using databases located on the territory of the Russian Federation.
How long we retain your Personal Data
We will delete your Personal Data when your employment or engagement ends unless there is a justified business reason or legal obligation to retain the Personal Data for a longer period, e.g. to pay out pensions, to protect ourselves against legal claims, to protect Spotify intellectual property, or for bookkeeping purposes. Where required by applicable law, we will retain your personal data for our own business reasons only subject to your consent.
To the extent required by applicable law, you may exercise the following rights in relation to your Personal Data:
- Access: Request access to your Personal Data.
- Rectification: Request that Spotify correct or amend Personal Data that is inaccurate.
- Erasure: Request that your Personal Data be deleted where it is no longer necessary for the purpose that it has been collected.
- Restriction of processing: Request that Spotify temporarily or permanently stop processing all or some of your Personal Data.
- Data portability: Request that you are provided with your Personal Data in a structured, commonly used and machine-readable format.
- Object to processing: Right to object to certain processing of your Personal Data where we are relying on a legitimate interest.
- Withdraw consent: To the extent any processing of your Personal Data is based on consent, you have the right to withdraw your consent at any time. However, a withdrawal of your consent will not affect the lawfulness of processing before the withdrawal.
You are also entitled to lodge a complaint about how we process your Personal Data with your relevant Data Protection Authority.
Please note that the rights in the bullet list above may be limited to certain categories of Personal Data and may not always be applicable. There may be instances where Spotify is prevented from honouring your request.
Data controller and contact details
Spotify AB, reg. no. 556703-7485, and/or the relevant Spotify entity in which you are employed or with which you have a contractor, consultancy or similar agreement, is the data controller for the processing of your Personal Data. If you have any questions, comments and requests regarding this Policy or the handling of your Personal Data, please reach out to [officeoftheDPO@spotify.com] or to your local Spotify HR department. You can also refer to the Privacy@Spotify Confluence page.
The HR function in conjunction with the Office of the DPO is responsible for overseeing compliance with this Policy. This Policy is subject to change and will be reviewed and updated regularly to comply with applicable new requirements, regulations, insights, strategies, processes or technologies. The latest version of this Policy is available at the Privacy@Spotify Confluence page.