Dutch DPA Fines Netflix €4.75 Million for GDPR Violations Over Data Transparency

The Dutch Data Protection Authority (DPA) on Wednesday fined video on-demand streaming service Netflix €4.75 million ($4.93 million) for not giving consumers enough information about how it used their data between 2018 and 2020.
An investigation launched by the DPA in 2019 found that the tech giant did not inform customers clearly enough in its privacy statement about what it does with the data it collects from its users. This includes email addresses, telephone numbers, payment details, as well as information about what customers watch on the platform.
"Furthermore, customers did not receive sufficient information when they asked Netflix which data the company collects about them," the DPA said, adding these constitute violations of the General Data Protection Regulation (GDPR).
Besides failing to clarify the purpose and legal basis for gathering the data, the company has also been accused of being unclear about what kinds of information are shared with third parties and for what reasons, the data retention period, and the security guarantees when it comes to transmitting the information to countries outside of Europe.
Austrian privacy non-profit None of Your Business (noyb), which filed the complaint against Netflix in January 2019, said it's "happy" with the DPA's decision, while noting that it took almost five years to obtain it.
"Netflix didn't just fail to provide sufficient information about why it collects data and what it does with it," it said. "The company didn't even manage to provide a full copy of the complainant's data."
Although the company has since updated its privacy statement and improved the information it provides to users, it's objecting to the fine, the DPA added.
"A company like that, with a turnover of billions and millions of customers worldwide, has to explain properly to its customers how it handles their personal data," Dutch DPA chairman Aleid Wolfsen said. "That must be crystal clear. Especially if the customer asks about this. And that was not in order."
Noyb has also filed similar complaints against Amazon, Apple Music, Spotify, and YouTube, with the case against Spotify resulting in the music streamer facing a fine of around €5 million from the Swedish Data Protection Authority (IMY) in June 2023.
The development comes as the Irish Data Protection Commission (DPC) imposed a monetary penalty of €251 million (around $263 million) on Meta for a 2018 data breach that impacted 3 million users in the European Union.