The Dutch data protection authority (AP) has issued €4.75 million fine for failing to provide sufficient information in its privacy statement and in its response to subject access requests concerning how it uses customer personal data in violation of the EU General Data Protection Regulation (GDPR)
Following an investigation, the AP found that Netflix was not clear enough about:
- The purposes of and the legal basis for collecting and using personal data,
- What data is shared with third parties and why,
- The length of time that Netflix retains the data,
- How the company ensure that the data it holds is protected when transferred outside Europe.
The fine was issued for violations of GDPR Articles 5(1)(a), Article 12(1), Article 13(1)(c),(e) and (f), Article 13(2)(a), and Article 15(1)(a),(c) and (d) Article 15(2).
In a statement responding to the news, Stefano Rossetti, data protection lawyer at NOYB, said, "We are happy with the DPA's decision to issue a fine against Netflix. However, it took almost five years to obtain it, and in a very simple case... The Dutch authority sides with noyb on many points of the complaint. At the moment, we are assessing if the decision considers all elements raised in our complaint."
What is this page?
You are reading a summary article on the Privacy Newsfeed, a free resource for DPOs and other professionals with privacy or data protection responsibilities helping them stay informed of industry news all in one place. The information here is a brief snippet relating to a single piece of original content or several articles about a common topic or thread. The main contributor is listed in the top left-hand corner, just beneath the article title.
The Privacy Newsfeed monitors over 300 global publications, of which more than 5,750 summary articles have been posted to the online archive dating back to the beginning of 2020. A weekly roundup is available by email every Friday.
