Fine of 4.750.000,00 EUR against Netflix for GDPR violations

Dutch Supervisory Authority fined Netflix for not properly informing customers. Netflix did not inform customers clearly enough in its privacy statement about what exactly Netflix does with those data (Article 5 (1)(a) and Article 12 (1) in conjunction with Article 13 (1)(c)(e) and (f); and Article 13(2)(a) GDPR).

The Dutch Supervisory Authority (SA) started this investigation following complaints from None of your business (noyb), an Austrian NGO that is committed to privacy. Those complaints were submitted to the Austrian data protection authority and forwarded to the Dutch SA, because Netflix has its main European establishment in the Netherlands.

The investigation shows that Netflix did not inform customers clearly enough in its privacy statement about what exactly Netflix does with those data (Article 5 (1)(a) and Article 12 (1) in conjunction with Article 13 (1)(c)(e) and (f); and Article 13(2)(a) GDPR).

Furthermore, customers did not receive sufficient information when they asked Netflix which data the company collects about them. (Article 5 (1)(a) and Article 12 (1); in conjunction with Article 15 (1)(a)(c) and (d) and Article 15 (2) GDPR). These are violations of the GDPR.

On several points, Netflix provided too little information to customers, or the information provided was unclear. The company was not clear enough about:

  • the purposes of and the legal basis for collecting and using personal data (Article 13 (1)(c) and Article 5 (1)(a) GDPR);
  • which personal data are shared by Netflix with other parties, and why precisely this is done (Article 13 (1)(e) and Article 15 (1)(c) GDPR);
  • how long Netflix retains the data (Article 13(2)(a) and Article 15 (1)(d) GDPR);
  • how Netflix ensures that personal data remain safe when the company transmits them to countries outside Europe Article 13 (1)(f) and Article 15 (2) GDPR).

The Dutch SA imposed a fine of 4 750 000,00 EUR against Netflix.

The decision is available here

(source: edpb.europa.eu/photo freepik.com)

Comments

Post a Comment

Popular posts from this blog

Ombudsman inquiry on Commission President’s text messages is a wake-up call for EU

Image
The European Ombudsman inquiry into the Commission’s handling of a request for text messages between its President and the CEO of a pharmaceutical company is a wake-up call for all EU institutions about ensuring accountability in an era of instant messaging. One year after the initial request by a journalist, the Commission has still not clarified whether messages reported to concern major vaccine procurement deals exist and whether the public is entitled to see them. The Ombudsman had asked the Commission, in a finding of maladministration in January, to conduct a more thorough search for the text messages. The Commission’s recent response failed to say whether it had looked directly and correctly for the text messages and if not, why not. While the response recognised that work-related text messages can be EU documents, it reiterated that the Commission’s internal policy is, in effect, not to register text messages. The Ombudsman has closed  the inquiry  and upheld...
Read more

Prohibiting contact between children and their mother in custody and contact rights case was unjustified (ECtHR)

Image
The case of X and Others v. Slovenia (application nos. 27746/22 and 28291/22) concerned custody decisions and contact rights following the separation of X from her children’s father in 2018. It also concerned the reassignment of X’s court case to a particular judge.  In Chamber's judgment in the case, the European Court of Human Rights held, unanimously, that there had been a violation of Article 6 § 1 (right to a fair trial) of the European Convention on Human Rights, as regards X’s right to a tribunal established by law, and violations of Article 8 (right to respect for private and family life) with respect both to:  - the applicant children, as regards the order to remove them from X’s (their mother’s) care in March 2020, their not being represented in the contact and custody proceedings, and their not being allowed contact with their mother;  - X, for not being allowed contact with her children.  The Court found in particular that the President of the District Co...
Read more

Air passenger rights: A boarding pass may be sufficient to prove a confirmed reservation on a flight

Image
According to the Judgment of the European Court of Justice in Case C-20/24, a boarding pass may be sufficient to prove a confirmed reservation on a flight. Payment by a third party of the price of the package tour, including a flight, does not exclude the right to compensation in the event of long delay of a flight.  An air carrier offering charter flights concluded a contract with a tour operator. Under that contract, the carrier operated, on specific dates, flights for which that tour operator, after paying for the flights, sold tickets to air passengers. Two air passengers participated in a package tour, including a flight from Tenerife to Warsaw, the arrival of which was delayed by more than 22 hours. The contract relating to the package tour was concluded between a third company, on behalf of those passengers, and that tour operator. The passengers concerned claimed compensation from the air carrier under EU law. [1]  The latter refused to pay that compensation. It argued...
Read more

The Swiss authorities failed in their positive obligation to protect the life of a woman from violence by her partner (ECtHR)

Image
In the case of N.D. v. Switzerland, the European Court of Human Rights held that there had been a violation of the right to life in a case involving violence against a woman by her partner. The applicant, who had been unaware of her partner’s criminal record, was kidnapped by him from her home after informing him that she wished to end their relationship. She was then falsely imprisoned over an 11-hour period and subjected to rape and ill-treatment. To this day, the applicant suffers from the psychological after-effects of the treatment inflicted on her. The Court found that the authorities had not done all that could reasonably have been expected of them to avert the real and immediate risk to the applicant’s life, of which they had been or ought to have been aware. It noted that there had been neither an adequate assessment of the risk to the applicant’s life nor operational measures which might have had a real chance of altering the course of events or mitigating the da...
Read more

The “Green Maze”: Environmental Obligations for Cement Companies in Greece and Cyprus

Image
Written by Efi Thoma * The cement industry plays a crucial role in the infrastructure development of both Greece and Cyprus. However, this essential sector also carries a significant environmental footprint. From quarrying raw materials to the energy-intensive production process, cement companies face increasing scrutiny and stringent legal obligations aimed at mitigating their impact on the environment. This article delves into the key environmental issues and the pertinent legal frameworks in Greece and Cyprus that cement manufacturers must navigate. Both Greece and Cyprus, as members of the European Union, are bound by a substantial body of EU environmental law. This includes cornerstone directives such as the Environmental Impact Assessment (EIA) Directive, the Industrial Emissions Directive (IED), the Waste Framework Directive, and legislation addressing climate change and biodiversity. These EU regulations are transposed into national law in both countries, forming the bedrock ...
Read more