Background information
- Date of final decision: 26 November 2024
- Cross-border case
One-Stop-Shop Procedure: the decision was taken by national supervisory authorities following the One-Stop-Shop cooperation procedure (OSS). - LSA: Netherlands
- and CSAs: Austria (two data subjects from Austria lodged a complaint with the Austrian SA)
- Legal Reference (s): Article 5 (Principles relating to processing of personal data), Article 12 (Transparent information, communication and modalities for the exercise of the rights of the data subject), Article 13 (Information to be provided where personal data are collected from the data subject), Article 15 (Right to access by the data subject)
- Decision: administrative fine
- Key words: administrative fine, Transparency, Data subject rights, Exercise of data subject rights, User account,
Right to be informed
Summary of the Decision
Origin of the case
The Dutch Supervisory Authority (SA) started this investigation following complaints from None of your business (noyb), an Austrian NGO that is committed to privacy. Those complaints were submitted to the Austrian data protection authority and forwarded to the Dutch SA, because Netflix has its main European establishment in the Netherlands.
Key Findings
The investigation shows that Netflix did not inform customers clearly enough in its privacy statement about what exactly Netflix does with those data (Article 5 (1)(a) and Article 12 (1) in conjunction with
Article 13 (1)(c)(e) and (f); and Article 13(2)(a) GDPR). Furthermore, customers did not receive sufficient information when they asked Netflix which data the company collects about them. (Article 5 (1)(a) and Article 12 (1); in conjunction with Article 15 (1)(a)(c) and (d) and Article 15 (2) GDPR). These are violations of the GDPR.
On several points, Netflix provided too little information to customers, or the information provided was unclear. The company was not clear enough about:
- the purposes of and the legal basis for collecting and using personal data (Article 13 (1)(c) and Article 5 (1)(a) GDPR);
- which personal data are shared by Netflix with other parties, and why precisely this is done (Article 13 (1)(e) and Article 15 (1)(c) GDPR);
- how long Netflix retains the data (Article 13(2)(a) and Article 15 (1)(d) GDPR);
- how Netflix ensures that personal data remain safe when the company transmits them to countries outside Europe Article 13 (1)(f) and Article 15 (2) GDPR).
Decision
The Dutch SA imposed a fine of 4 750 000,00 EUR against Netflix.
For further information:
- national decision: Netflix fined for not properly informing customers (English), Boete Netflix voor niet goed informeren klanten (Dutch)
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.