Fine of 4.750.000,00 EUR against Netflix for GDPR violations

Dutch Supervisory Authority fined Netflix for not properly informing customers. Netflix did not inform customers clearly enough in its privacy statement about what exactly Netflix does with those data (Article 5 (1)(a) and Article 12 (1) in conjunction with Article 13 (1)(c)(e) and (f); and Article 13(2)(a) GDPR).

The Dutch Supervisory Authority (SA) started this investigation following complaints from None of your business (noyb), an Austrian NGO that is committed to privacy. Those complaints were submitted to the Austrian data protection authority and forwarded to the Dutch SA, because Netflix has its main European establishment in the Netherlands.

The investigation shows that Netflix did not inform customers clearly enough in its privacy statement about what exactly Netflix does with those data (Article 5 (1)(a) and Article 12 (1) in conjunction with Article 13 (1)(c)(e) and (f); and Article 13(2)(a) GDPR).

Furthermore, customers did not receive sufficient information when they asked Netflix which data the company collects about them. (Article 5 (1)(a) and Article 12 (1); in conjunction with Article 15 (1)(a)(c) and (d) and Article 15 (2) GDPR). These are violations of the GDPR.

On several points, Netflix provided too little information to customers, or the information provided was unclear. The company was not clear enough about:

  • the purposes of and the legal basis for collecting and using personal data (Article 13 (1)(c) and Article 5 (1)(a) GDPR);
  • which personal data are shared by Netflix with other parties, and why precisely this is done (Article 13 (1)(e) and Article 15 (1)(c) GDPR);
  • how long Netflix retains the data (Article 13(2)(a) and Article 15 (1)(d) GDPR);
  • how Netflix ensures that personal data remain safe when the company transmits them to countries outside Europe Article 13 (1)(f) and Article 15 (2) GDPR).

The Dutch SA imposed a fine of 4 750 000,00 EUR against Netflix.

The decision is available here

(source: edpb.europa.eu/photo freepik.com)

Comments

Top Stories

MiCAR’s enforcement: An innovative crypto-friendly regulatory landscape

Ombudsman inquiry on Commission President’s text messages is a wake-up call for EU

Following the tragic death of lawyer Ebru Timtik, the CCBE calls on the EU and Turkish authorities to take urgent measures to prevent the death of lawyer Aytaç Ünsal

Intellectual property: the figurative sign consisting of the phrase ‘RUSSIAN WARSHIP, GO F* *K yourself’ in Russian and English cannot be registered as an EU trade mark

Prohibiting contact between children and their mother in custody and contact rights case was unjustified (ECtHR)