Netflix – €4,750,000 Fine (Netherlands, 2024)

Netflix, the controller, requires its users, the data subjects, to create an account to have access to the controller's streaming services. When creating this account, data subjects have to provide personal data, such as name, date of birth, e-mail address, phone number and bank account number, to the controller. Additionally, when the data subjects stream movies and series from the controller, the controller processes data related to data subjects´ viewing behavior, in order to provide them with movies and series that might be of interest for them. noyb advanced a request for access on behalf of two data subjects and, after receiving a reply from the controller, noyb, representing these data subjects, filed a complaint before the Austrian DPA as the controller failed to adequately inform the data subjects about the processing of their data. The Austrian DPA transferred the case to the Dutch DPA, as the controller´s headquarters are in Amsterdam. When assessing the alleged violation of the information obligation and the right to access, four main points were considered by the DPA: 1. Legal Bases and purposes of processing personal data In its submissions, the controller listed eight data processing purposes which differed significantly from the ones in its privacy policy and its reply to the access request. The legal bases provided by the controller under Article 6(1) GDPR were “consent”, “contract”, “legal obligations” and “legitimate interest”. The DPA found that the controller did not provide the relevant information in an organized manner and failed to communicate properly which data it uses for “its offerings, analyzing target audiences and preventing fraud”. Furthermore, the controller failed to disclose what personal data it receives from third parties. Thus, the controller violated Article 13(1)(c) GDPR and Article 15(1)(a) GDPR. 2. Recipients of personal data The controller uses service providers that may process and disclose personal data of the data s