Fine of 4.750.000,00 EUR against Netflix for GDPR violations

Dutch Supervisory Authority fined Netflix for not properly informing customers. Netflix did not inform customers clearly enough in its privacy statement about what exactly Netflix does with those data (Article 5 (1)(a) and Article 12 (1) in conjunction with Article 13 (1)(c)(e) and (f); and Article 13(2)(a) GDPR).

The Dutch Supervisory Authority (SA) started this investigation following complaints from None of your business (noyb), an Austrian NGO that is committed to privacy. Those complaints were submitted to the Austrian data protection authority and forwarded to the Dutch SA, because Netflix has its main European establishment in the Netherlands.

The investigation shows that Netflix did not inform customers clearly enough in its privacy statement about what exactly Netflix does with those data (Article 5 (1)(a) and Article 12 (1) in conjunction with Article 13 (1)(c)(e) and (f); and Article 13(2)(a) GDPR).

Furthermore, customers did not receive sufficient information when they asked Netflix which data the company collects about them. (Article 5 (1)(a) and Article 12 (1); in conjunction with Article 15 (1)(a)(c) and (d) and Article 15 (2) GDPR). These are violations of the GDPR.

On several points, Netflix provided too little information to customers, or the information provided was unclear. The company was not clear enough about:

  • the purposes of and the legal basis for collecting and using personal data (Article 13 (1)(c) and Article 5 (1)(a) GDPR);
  • which personal data are shared by Netflix with other parties, and why precisely this is done (Article 13 (1)(e) and Article 15 (1)(c) GDPR);
  • how long Netflix retains the data (Article 13(2)(a) and Article 15 (1)(d) GDPR);
  • how Netflix ensures that personal data remain safe when the company transmits them to countries outside Europe Article 13 (1)(f) and Article 15 (2) GDPR).

The Dutch SA imposed a fine of 4 750 000,00 EUR against Netflix.

The decision is available here

(source: edpb.europa.eu/photo freepik.com)

Comments

Post a Comment

Top Stories

Ombudsman inquiry on Commission President’s text messages is a wake-up call for EU

Image
The European Ombudsman inquiry into the Commission’s handling of a request for text messages between its President and the CEO of a pharmaceutical company is a wake-up call for all EU institutions about ensuring accountability in an era of instant messaging. One year after the initial request by a journalist, the Commission has still not clarified whether messages reported to concern major vaccine procurement deals exist and whether the public is entitled to see them. The Ombudsman had asked the Commission, in a finding of maladministration in January, to conduct a more thorough search for the text messages. The Commission’s recent response failed to say whether it had looked directly and correctly for the text messages and if not, why not. While the response recognised that work-related text messages can be EU documents, it reiterated that the Commission’s internal policy is, in effect, not to register text messages. The Ombudsman has closed  the inquiry  and upheld...
Read more

Consumer credit agreements: In the event of failure to comply with the obligation to provide information, a bank may be deprived of its right to interest

Image
The Court of Justice in its Judgment in Case C-472/23 (Lexitor) regarding the consumer credit agreements, ruled that, in the event of failure to comply with the obligation to provide information, a bank may be deprived of its right to interest.  This may be the case even where the individual seriousness of the infringement of that obligation and its consequences for the consumer are likely to vary from case to case. Lexitor is a Polish debt collection agency to which a consumer assigned rights arising from a credit agreement concluded with a bank. That company claims that the bank failed to fulfil its obligation to provide information to the consumer when the agreement was concluded. It brought an action before a Polish court seeking payment from the bank of a sum of money corresponding to the interest and charges paid by that consumer.  In supports of its claim, Lexitor submits, first, that the annual percentage rate of charge (APRC [1]) was overstated; in its view, one of th...
Read more

Prohibiting contact between children and their mother in custody and contact rights case was unjustified (ECtHR)

Image
The case of X and Others v. Slovenia (application nos. 27746/22 and 28291/22) concerned custody decisions and contact rights following the separation of X from her children’s father in 2018. It also concerned the reassignment of X’s court case to a particular judge.  In Chamber's judgment in the case, the European Court of Human Rights held, unanimously, that there had been a violation of Article 6 § 1 (right to a fair trial) of the European Convention on Human Rights, as regards X’s right to a tribunal established by law, and violations of Article 8 (right to respect for private and family life) with respect both to:  - the applicant children, as regards the order to remove them from X’s (their mother’s) care in March 2020, their not being represented in the contact and custody proceedings, and their not being allowed contact with their mother;  - X, for not being allowed contact with her children.  The Court found in particular that the President of the District Co...
Read more

DORA’s main provisions and their impact on CASPs

Image
written by Efi Thoma, Lawyer, LL.B. | LL.M. | IMES The  Digital Operational Resilience Act (DORA)  is part of the European Union's broader effort to ensure a safe and resilient digital financial ecosystem. DORA applies to a wide range of financial institutions, including banks, insurers, investment firms, and CASPs (Crypto-Asset Service Providers)  which are directly related to the rapidly growing sector of crypto-assets. DORA  is a key regulatory framework adopted by the European Union (EU) to enhance the operational resilience of financial institutions and markets, particularly in the face of increasing reliance on information technology (IT) systems and digital tools. The EU Regulation, which was introduced as part of the EU's Digital Finance Package, aims to ensure that financial institutions can withstand and recover from a variety of disruptions, including cyber attacks, system failures, and other digital operational risks. DORA applies to a broad range o...
Read more

ECtHR elects a new Vice-President of the Court and two new Section Presidents

Image
The European Court of Human Rights has elected on 23.9.2024 a new Vice-President of the Court – Judge Ivana Jelić (elected in respect of Montenegro). She will take up her duties on 1 November 2024.  The Court has also elected at the same date two new Section Presidents – Judges Lado Chanturia (elected in respect of Georgia) and Ioannis Ktistakis (elected in respect of Greece). They will also take up their duties on 1 November 2024. Ivana Jelić was born on 17 March 1975 in Podgorica, Montenegro and was elected Judge of the European Court of Human Rights on 12 July 2018. Lado Chanturia was born on 14 April 1963 in Tsalenjikha, Georgia, was elected Judge of the European Court of Human Rights on 8 January 2018 and is Vice-President of Section since 18 May 2023. Ioannis Ktistakis was born on 3 January 1971 in Thebes, Greece and was elected Judge of the European Court of Human Rights on 8 March 2021. (source/photo: echr.coe.int) Read more here
Read more