technologyTechnology · 2023

Netflix International B.V.

Netflix failed to adequately inform subscribers about how their personal data was processed between 2018 and 2020, violating GDPR Arts. 13 and 14 transparency obligations. Netflix's privacy statements did not clearly explain which data was collected, for what purpose, how long it was retained, or with which third parties it was shared. The AP led the investigation as Netflix's EU headquarters are in Amsterdam, with the inquiry initiated following coordinated NOYB complaints filed across multiple EU jurisdictions.

Fine Imposed€4.8M

Authority

Autoriteit Persoonsgegevens

Stylebalanced

Avg. investigation18 mo

View authority profile

Regulation

Algemene Verordening Gegevensbescherming (Dutch GDPR Implementation)

Max fine€20M or 4% of global annual turnover (Tier 2); €10M or 2% (Tier 1)

Statusactive

Key Takeaways

GDPR transparency is a substantive obligation — privacy policies must specifically itemise data categories, processing purposes, retention periods, and third-party recipients, not merely state that data is processed.