A Swedish regulator has fined Spotify 58 million kroner (€5 million) for failing to properly inform users about how it uses the data it collects, Engadget reports.

According to the charges, the company violated the European Union’s General Data Protection Regulation (GDPR). The issue relates to the way the music streaming platform handles users’ personal data and customers’ access to the information.

While Spotify provides the data it has on request by an individual, the company has not been specific enough about how this data is used.

The Swedish Data Protection Authority (IMY) found that although Spotify provides users with personal data it processes on request, it “does not inform clearly enough about how this data is used by the company”. It also said Spotify should be more transparent “about how and for what purposes individuals’ personal data is processed”. The lack of clarity meant that “it was difficult for individuals to understand how their personal data was being processed and to check whether the processing of their personal data was lawful”, the IME added.

The regulator said it considered the issues to be of a “low level of seriousness” and noted that the music company had taken steps to address them. IMY set the fine based on these factors, as well as Spotify’s revenue and number of users. The decision on the fine was made with the help of other data protection authorities in the EU, given that Spotify has users in many countries.