Fine of 4.750.000,00 EUR against Netflix for GDPR violations

Dutch Supervisory Authority fined Netflix for not properly informing customers. Netflix did not inform customers clearly enough in its privacy statement about what exactly Netflix does with those data (Article 5 (1)(a) and Article 12 (1) in conjunction with Article 13 (1)(c)(e) and (f); and Article 13(2)(a) GDPR).

The Dutch Supervisory Authority (SA) started this investigation following complaints from None of your business (noyb), an Austrian NGO that is committed to privacy. Those complaints were submitted to the Austrian data protection authority and forwarded to the Dutch SA, because Netflix has its main European establishment in the Netherlands.

The investigation shows that Netflix did not inform customers clearly enough in its privacy statement about what exactly Netflix does with those data (Article 5 (1)(a) and Article 12 (1) in conjunction with Article 13 (1)(c)(e) and (f); and Article 13(2)(a) GDPR).

Furthermore, customers did not receive sufficient information when they asked Netflix which data the company collects about them. (Article 5 (1)(a) and Article 12 (1); in conjunction with Article 15 (1)(a)(c) and (d) and Article 15 (2) GDPR). These are violations of the GDPR.

On several points, Netflix provided too little information to customers, or the information provided was unclear. The company was not clear enough about:

  • the purposes of and the legal basis for collecting and using personal data (Article 13 (1)(c) and Article 5 (1)(a) GDPR);
  • which personal data are shared by Netflix with other parties, and why precisely this is done (Article 13 (1)(e) and Article 15 (1)(c) GDPR);
  • how long Netflix retains the data (Article 13(2)(a) and Article 15 (1)(d) GDPR);
  • how Netflix ensures that personal data remain safe when the company transmits them to countries outside Europe Article 13 (1)(f) and Article 15 (2) GDPR).

The Dutch SA imposed a fine of 4 750 000,00 EUR against Netflix.

The decision is available here

(source: edpb.europa.eu/photo freepik.com)

Comments

Post a Comment

Top Stories

Ombudsman inquiry on Commission President’s text messages is a wake-up call for EU

Image
The European Ombudsman inquiry into the Commission’s handling of a request for text messages between its President and the CEO of a pharmaceutical company is a wake-up call for all EU institutions about ensuring accountability in an era of instant messaging. One year after the initial request by a journalist, the Commission has still not clarified whether messages reported to concern major vaccine procurement deals exist and whether the public is entitled to see them. The Ombudsman had asked the Commission, in a finding of maladministration in January, to conduct a more thorough search for the text messages. The Commission’s recent response failed to say whether it had looked directly and correctly for the text messages and if not, why not. While the response recognised that work-related text messages can be EU documents, it reiterated that the Commission’s internal policy is, in effect, not to register text messages. The Ombudsman has closed  the inquiry  and upheld...
Read more

Prohibiting contact between children and their mother in custody and contact rights case was unjustified (ECtHR)

Image
The case of X and Others v. Slovenia (application nos. 27746/22 and 28291/22) concerned custody decisions and contact rights following the separation of X from her children’s father in 2018. It also concerned the reassignment of X’s court case to a particular judge.  In Chamber's judgment in the case, the European Court of Human Rights held, unanimously, that there had been a violation of Article 6 § 1 (right to a fair trial) of the European Convention on Human Rights, as regards X’s right to a tribunal established by law, and violations of Article 8 (right to respect for private and family life) with respect both to:  - the applicant children, as regards the order to remove them from X’s (their mother’s) care in March 2020, their not being represented in the contact and custody proceedings, and their not being allowed contact with their mother;  - X, for not being allowed contact with her children.  The Court found in particular that the President of the District Co...
Read more

GDPR and rail transport: A customer’s gender identity is not necessary data for the purchase of a transport ticket

Image
In its judgment in Case C-394/23 (Mousse) the EU Court of Justice ruled that a rail transport customer’s gender identity is not necessary data for the purchase of a transport ticket. The collection of data regarding customers’ titles is not objectively indispensable, in particular where its purpose is to personalise commercial communication.  The association Mousse challenged, before the French data protection authority (the CNIL), [1] the practice of the French railway undertaking SNCF Connect whereby the latter systematically requires its customers to indicate their title (‘Monsieur’ or ‘Madame’) (‘Mr’ or ‘Ms’) when purchasing transport tickets online. That association takes the view that that requirement infringes the General Data Protection Regulation (GDPR), [2] in particular in the light of the principle of data minimisation, because an indication of the title, which corresponds to a gender identity, does not appear to be necessary for the purchase of a rail transport ticket....
Read more

Teresa Anjinho elected as new European Ombudsman

Image
Teresa Anjinho has been elected European Ombudsman by the European Parliament with 344 votes in favour. Ms Anjinho will take office on 27 February 2025. Ms Anjinho is a member of the supervisory committee of the European Anti-Fraud Office (OLAF) and a former Deputy Ombudsman of Portugal. She was also previously a Secretary of State for Justice and a Member of Parliament in Portugal. For more details, see  here . Welcoming the vote in the European Parliament, outgoing Ombudsman Emily O’Reilly, said: “I warmly congratulate Ms Anjinho on being elected European Ombudsman. This Office is key to ensuring the EU administration remains transparent and accountable to citizens and I wish her every success in the role. I also commend the hard work of the other candidates who participated in the election and wish them all the best.” Emily O’Reilly will remain European Ombudsman until the swearing-in ceremony for the new Ombudsman at the European Court of Justice on 27 February. ...
Read more