AP (The Netherlands) - Netflix
AP - Netflix | |
---|---|
Authority: | AP (The Netherlands) |
Jurisdiction: | Netherlands |
Relevant Law: | Article 6(1) GDPR, Article 13(1)(c) GDPR, Article 13(1)(e) GDPR, Article 13(2) GDPR, Article 15(1)(a) GDPR, Article 15(1)(c) GDPR, Article 15(1)(d) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 26.11.2024 |
Published: | |
Fine: | 4,750,000 EUR |
Parties: | Netflix |
National Case Number/Name: | Netflix |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Dutch |
Original Source: | Autoriteit Persoonsgegevens (in NL) |
Initial Contributor: | elu |
Netflix was fined €4,750,000 for failing to provide customers with adequate information about how their personal data was processed. This was the case for inquiries about the privacy policy, as well as data subjects' access requests.
English Summary
Facts
Netflix, the controller, requires its users, the data subjects, to create an account to have access to the controller's streaming services. When creating this account, data subjects have to provide personal data, such as name, date of birth, e-mail address, phone number and bank account number, to the controller. Additionally, when the data subjects stream movies and series from the controller, the controller processes data related to the data subjects' viewing behavior in order to provide them with movies and series that might be of interest to them.
noyb submitted a request for access on behalf of two data subjects and, after receiving a reply from the controller, filed a complaint with the Austrian DPA on behalf of these data subjects, as the controller had failed to adequately inform the data subjects about the processing of their data. The Austrian DPA transferred the case to the Dutch DPA, as the controller's headquarters are in Amsterdam.
Holding
When assessing the alleged violation of the information obligation and the right to access, four main points were considered by the DPA:
1. Legal Bases and purposes of processing personal data
In its submissions, the controller listed eight data processing purposes which differed significantly from the ones in its privacy policy and its reply to the access request. The legal bases provided by the controller under Article 6(1) GDPR were “consent”, “contract”, “legal obligations” and “legitimate interest”. The DPA found that the controller did not provide the relevant information in an organized manner and failed to communicate properly which data it uses for “its offerings, analyzing target audiences and preventing fraud”. Furthermore, the controller failed to disclose what personal data it receives from third parties. Thus, the controller violated Article 13(1)(c) GDPR and Article 15(1)(a) GDPR.
2. Recipients of personal data
The controller uses service providers that may process and disclose personal data of the data subjects. However, the controller's privacy notice and the controller's reply to the access request did not contain the names of such recipients, while, in its submissions, the controller presented this information. Such failure to disclose relevant information both in the privacy notice and in the reply to the request for access was a violation of Article 13(1)(e) GDPR and Article 15(1)(c) GDPR.
3. Retention periods
In its privacy policy and in its reply to the access request, the controller states that it will retain the data subject's personal data as “permitted by laws and regulation”, but in neither document does it mention the specific duration of such retention. Hence, the DPA found a violation of Article 13(2)(a) GDPR and Article 15(1)(d) GDPR.
4. International transfers
The controller did not specify in its privacy notice which rights data subjects have when their personal data is transferred outside the EEA. No reference to the specific countries outside the EEA was made and no reference to either adequacy decisions or appropriate safeguards was made. Thus, the DPA found a violation of Article 15(2) GDPR.
Imposition of the fine
In determining the amount of a fine, the following factors were considered.
First, one must identify the sanctionable behaviors, namely not informing customers sufficiently, first, in its privacy policy and, second, in response to the data subjects' access request.
Second, the starting amount of the fine must be established. In the case at hand, the following elements were considered: the gravity of the breach, which fell within the scope of Article 83(5) GDPR, and the annual turnover of the controller of €30,733 billion, as well as the non-involvement of special categories of data. According to Article 83(5) GDPR, the maximum amount of the fine is €20 million or 4% of the annual turnover of the controller, whichever is higher; in this case the maximum possible fine is €1,229 billion.
Applying the Guidelines 04/2022 for the calculation of administrative fines under the GDPR, the DPA found it appropriate to impose a fine of €4,750,000 for the violation of Article 13(1)(c), (e) and (f) and (2)(a) GDPR, Article 12(1) GDPR, and Article 15(1)(a), (c) and (d) and (2) GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Personal Data Authority PO Box 93374, 2509 AJ The Hague Hoge Nieuwstraat 8, 2514 EL The Hague T 070 8888 500 - F 088 0712140 autoriteitpersoonsgegevens.nl
Decision imposing administrative fine for violating the AVG
Dear Members of the Executive Board,
The Personal Data Authority (hereinafter: the AP) has decided to impose an administrative fine of € 4,750,000 (in words: four million seven hundred and fifty thousand euros) on Netflix International B.V. (hereinafter: Netflix) for failing to provide its customers with sufficiently clear information; first, in its privacy statement and second, in response to inspection requests about 1) purposes and bases of processing personal data; 2) recipients of personal data; 3) retention periods; and 4) international transfers. This constitutes a violation of Article 5(1)(a) of the General Data Protection Regulation ("the AVG") in conjunction with Article 12(1), Article 13(1)(c), (e), and (f), and (2)(a), and Article 15, introductory and first paragraphs (a), (c) and (d), and (2), AVG. This decision the administrative fine. To this end, it deals successively with the reason, the facts established and the proceedings, the violation and the amount of the fine. Finally, the dictum follows.
1. Reason for research
1. Netflix is a streaming service that provides digital entertainment such as series, movies and games. Netflix customers can watch movies and series from Netflix through their TV, tablet, smartphone and on their computer (using an Internet browser). To these services, Netflix customers must register and create an account for a fee. For this registration, they provide personal data to Netflix, such as their (first) name, date of birth, e-mail address, phone number and a bank account number. After registration, the customer can watch movies and series from Netflix. This viewing behavior is relevant to Netflix because it allows Netflix to serve its customers with movies and series they find interesting. Therefore, Netflix also processes data about its customers' viewing behavior.
2. Netflix has created a privacy statement that allows it to provide insight to customers about how personal data is processed.
Netflix has also established a "help center" where customers can ask questions and make requests, such as to access their personal data.
3. Such a request for access was made by None Of Your Business (hereinafter NOYB) on behalf of two data subjects. Netflix's response to this prompted NOYB to file complaints against Netflix with the Austrian privacy authority (the Datenschutzbehörde) on behalf of the two data subjects. NOYB complained that Netflix did not adequately inform its customers who made a request for access about the processing of their personal data. The Datenschutzbehörde forwarded the complaints to the AP, after which the AP's International Investigation Division launched an investigation and issued a report. The AP regrets that this investigation took a long time and apologizes to both complainants and Netflix.
2. Findings research report and process sequence
4. On the premise that conclusions in the study report that are not part of the assessment framework of the present decision (obviously) fall outside the domain of this decision. This means that no judgment is rendered on the degree of correctness of those conclusions in this decision.
5. Regarding the privacy statement, it follows from the investigative report that Netflix failed to meet its disclosure obligation because Netflix does not provide sufficient information about:
a. the purposes and basis for processing personal data;
b. parties personal data from data subjects;
c. the retention period of personal data; and
d. safeguards when transferring personal data to third countries.
6. Regarding the access requests, it follows from the investigation report that Netflix failed to comply with its information obligations in that Netflix:
a. per purpose does not provide specific enough information about the basis of processing, purposes and processing of personal data;
b. does not specify what personal data of data subjects were provided for what purposes and to what recipients;
c. does not provide sufficient information about the retention period of personal data; and
d. provides insufficient information on safeguards when transferring personal data to third countries.
7. The International Investigation Division concluded in the investigation report that Netflix failed to provide sufficient information in its privacy notice and thereby violated Article 12(1) in conjunction with Article 13(1) and (2) of the AVG in the period from May 25, 2018 to July 30, 2020. The International Investigation Division also concluded in the investigation report that Netflix did not respond to requests for access with sufficient specificity and thereby violated Article 12(1) AVG in conjunction with Article 15(1) and (2) AVG in the period from October 25, 2018 to November 19, 2019.
8. The investigation report was to Netflix by letter dated March 24, 2022. Netflix, by letter dated May 17, 2022, provided a view on the investigation report. On July 7, 2022, Netflix presented its views orally. A report of this was made.
3. Legal framework
9. The AP refers to the annex to this decision, which the legal framework.
4. Viewpoint Netflix
10. Netflix the following views on the report.
11. Netflix argues that the transparency obligations that follow from the AVG contain open standards. According to Netflix, however, the AP appears to be adopting a more stringent interpretation of those obligations. Although those obligations are in the European Data Protection Board's Guidelines ("EDPB Guidelines"), according to Netflix, a controller has a certain degree of freedom to convey processing of personal data and the information to be provided for that purpose at an appropriate level of transparency.
12. Netflix believes that it has aligned its practices with those obligations and (thus) complies with the aforementioned four information obligations. The AP's (stringent) approach leads to legal uncertainty for Netflix because it remains in the dark as to how to proceed.
13. In support of its position that Netflix has met the disclosure requirements, Netflix the following.
14. Netflix disagrees with the AP that its subscription service offering would involve "complex, technical or unexpected data processing" as defined in the EDPB guidelines. Netflix has a business model that is ; it is a subscription service that provides personalized access to series, among other things. Therefore, according to Netflix, there is no obligation to describe the main consequences of processing personal data. Moreover, the personalized nature of Netflix services is already emphasized in the registration process. Indeed, that process consists of signing up for the services by Netflix. The must provide personal and payment information and agree to the terms and conditions Netflix uses in its services.
15. Netflix also argues that, since May 2018, it has been providing extensive and understandable language via its "help center" explaining, for example, how Netflix's so-called recommendation system works. According to Netflix, the use of personal data in connection with recommendations is uncomplicated and consistent. It also follows from this, according to Netflix, that it complies with its information obligations.
16. Regarding its privacy statement, Netflix states that it has tailored that statement to the TV User Interface (hereinafter TV UI) because most customers use television as a platform for watching movies and series. For the sake of uniformity and transparency of information, Netflix uses the same information on TV UI on other platforms (mobile, tablet, Internet browser) as well. While TV UI has more limited functionality than an Internet browser in that regard, that does not its privacy statement. Netflix believes that its privacy notice is designed to be detailed without being too long or complicated.
Moreover, Netflix points out that it makes references in the text of the privacy statement to sections with more specific information on a particular topic. With this practice, Netflix has provided sufficient information in its privacy notice, in a layered manner (as required by the EDPB Guidelines), and thus has complied with the disclosure requirements.
17. Netflix also argues that it does not have to include an exhaustive list of processing operations in its privacy statement. Article 23(1) AVG in conjunction with Article 41 AVG Implementation Act (hereinafter: UAVG) provides that space if including that information could lead to circumvention of security or anti-fraud measures.
18. Netflix also believes that an obligation to name recipients of personal data in the privacy notice does not follow from Article 13(1) AVG. Therefore, it believes it is sufficient to merely name categories of recipients.
19. Finally, Netflix refers to its privacy statement reminding customers to contact 's Privacy Team with any questions about the use of personal data, cookies or similar technologies. According to Netflix, there is limited use of obtaining information about international transfers, but in cases where this information has been requested, Netflix has met its transparency obligation.
5. Review
5.1. Controller and authority AP
20. Netflix is a data controller (Article 4, introductory phrase and under 7, AVG). Indeed, Netflix has its headquarters in Amsterdam while it follows from its privacy statement that it is a data controller for the benefit of all companies within that Netflix group of companies for the processing of personal data in the European Union (hereinafter: EU). Netflix offers its services in several EU member states and for these services Netflix processes personal data of data subjects. This means that data subjects in more than one Member State are substantially affected by Netflix's processing of personal data.
This amounts to cross-border processing (Article 4, opening words and 23(b) AVG).
21. Given Netflix's domicile and given its role as a data controller, the AP is competent to act as the lead supervisory authority (Article 56(1) AVG).
5.2. Information obligation and right of inspection
22. In this case, the topics of "information obligation" and "right of " relate to the following four sub-sections, namely: 1) bases and purposes of processing personal data, 2) recipients of personal data, 3) retention periods, and 4) international transfers. The remaining eight sub-sections, as contained in Articles 13 and 15 AVG, remain outside the scope of this . This case is limited to the aforementioned four subsections. Below, in generic , Netflix's privacy notice is , followed by an assessment per subpart for both the right of data subjects to receive information when personal data is collected from them (Article 13 AVG) and the right of inspection (Article 15 AVG).
5.2.1. Assessment of bases and purposes of processing personal data
23. The AP found that Netflix's privacy notice lists personal data and the way Netflix collects this personal data. These include: data that data subjects provide themselves, data that Netflix collects automatically, data from other companies with which data subjects have a relationship and data from other sources. Next, Netflix lists the purposes it the data collected. In doing so, Netflix uses a number of examples to flesh out these purposes. One of these is communicating about Netflix's services about such things as special offers, promotional announcements and new content. Netflix concludes this by listing the bases for collecting personal data and some references to further named purposes. It is established that Netflix names four bases of Article 6(1) AVG for processing personal data, namely, "consent," "agreement," "legal obligation" and "legitimate interest."
24. Netflix has submitted documents showing that it has categorized eight purposes, which further of several subparts. These purposes are more extensive than the purposes Netflix has in its privacy notice. Upon request, Netflix has provided insight into which personal data have been processed for which purposes and with which basis(s). In this context, data subjects must be informed of both the fact that a processing takes place and its purposes. This means that in its privacy statement, Netflix must in any case make transparent and understandable the relationship between the processing of personal data and the purposes for which the personal data are processed. The AP recognizes the provision of information based on a TV UI entails limitations. The information to be provided will usually be visualized in the form of plain text and the possibility of using links to sub pages, at least at the time of interest, was limited. In addition, operating the TV UI with a remote control has limitations compared to other devices such as a computer, tablet or smartphone. Although the AP takes the aforementioned circumstances into account, the AP finds that Netflix failed to provide certain information either completely or in a well-organized manner. Among other things, Netflix failed in this case to disclose what data it uses for recommending its offerings, analyzing target audiences and preventing fraud. Furthermore, Netflix failed to disclose what personal data it receives from third parties (referred to as "partners" in the privacy notice) to the geographic locations of data subjects.
Although Netflix has made use of the discretion available to a data controller by the relevant information in the privacy statement in a narrative manner, it have recognized that disconnecting personal data from the purposes for which these personal data are processed has the effect that the information provided is not in line with providing information in a concise, transparent, understandable and easily accessible form and in clear and simple language (Article 12(1) AVG). Considering the privacy notice and the way information about the required information was , Netflix violated Article 13(1)(c) and Article 15(1)(a) AVG. This means that NOYB's complaint on this point is well-founded.
5.2.2. Assessment of personal data recipients
25. The AP notes that it follows from Netflix's privacy statement that it uses service providers (who in the advertising market, among other things) and that they may process and disclose personal data of Netflix customers.
26. Netflix's privacy notice does not provide the names of those recipients, while information provided by Netflix to the AP shows that, as far as online advertising services are concerned, it does have this data.
27. Article 13 chapeau and first paragraph (e) AVG indicates that in appropriate cases, the controller shall provide information to data subjects about who the recipients or categories of personal data are. The AVG (recital 58) states that it is difficult for a data subject to understand by whom and for what purpose their personal data is collected when it comes to information such as that from online advertising services. According to the principle of propriety, Netflix must provide information about recipients that is most to data subjects. Given this, the AP fails to see why Netflix did not disclose the names of recipients, which incidentally are limited in number, in its privacy notice. The AP believes that Netflix should have done so and provided this information in the event of a request for access.
Netflix wrongfully failed to do so, and by doing so Netflix violated the AVG (Article 13(1)(e) and Article 15(1)(c)). NOYB's complaint on this part is therefore founded.
28. The AP notes that Netflix amended its privacy notice on July 7, 2022 by adding a link to a "help article" containing a list of recipients of personal data. By doing so, Netflix ended its violation of the AVG on the "recipients of personal data" section.
5.2.3. Review of retention periods
29. Netflix's privacy statement reflects that data subjects' personal data will be retained as required or permitted by laws and regulations. Here Netflix mentions some examples such as retaining personal data to comply with data subjects' choices and billing and administration purposes. No specific retention periods are mentioned in the privacy statement.
30. Upon request, Netflix provided the AP with a table listing the personal data that are retained and the specific retention periods applicable to them. The AP that Netflix failed to include these periods in its privacy statement. The AP did not find that Netflix would have had to take disproportionate measures to do so.
31. The AP believes that Netflix did not provide the periods during which personal data are retained - in its privacy notice and in response to inspection requests - to data subjects in a proper and transparent manner. In doing so, Netflix acted in violation of the AVG (Article 13(2)(a) and Article 15(1)(d)). Also on this part, NOYB's complaint is founded.
32. Netflix's argument that the AP's own privacy notice on this section also only mentions the retention of personal data in accordance with applicable laws and regulations does not change this. On the AP's website, the AP's processing register can be consulted and names the retention periods. Moreover, the AP's privacy statement has been brought into line with the AVG.
5.2.4. Assessment of international transfer of personal data
33. The AP finds that it follows from Netflix's privacy statement that when it transfers personal data to countries outside the European Economic Area (EEA), it acts in accordance with the applicable privacy laws of those countries. The AP further finds that it follows from information by Netflix to the AP upon request that Netflix may process personal data in 12 countries outside the EU for the purposes of making payments, customer service and scaling and improving the availability of its services.
34. In the AP's view, Netflix failed to include in its privacy statement what rights data subjects have when their personal data is outside the EEA. Netflix also failed to name in its privacy notice the countries outside the EEA to which data subjects' personal data are . Netflix also failed to make a reference to any adequacy decisions and did not name whether (in the relevant case) there are suitable or appropriate safeguards and how data subjects can those safeguards.
35. In view of this, the AP concludes that the information Netflix included in its privacy statement at least until July 31, 2020, does not meet the requirements of the AVG (Article 13(1)(f)). The AP also adds that Netflix failed to provide sufficient information on safeguards for transfers of personal data to third during requests for inspection between Oct. 25, 2018, and Nov. 19, 2019. By doing so, Netflix also acted in violation of the AVG (Article 15(2)), so NOYB's complaint on this part is well-founded to that extent.
36. The AP notes that as of July 7, 2022, Netflix updated its privacy notice on this point by including a link to the European 's website. Visitors to that website are directed to a question-and-answer document that includes data subjects' rights when there is an international transfer of personal data. Also, as of July 7, 2022, Netflix has included a link to a "help article" in its privacy statement that lists the countries to which personal data is .
Although Netflix has included a list of countries to which personal data may be transferred, this does not comply with Article 13, first paragraph (f) AVG and Article 15, second paragraph, AVG, because it does not show what appropriate or suitable safeguards are in place for the intended transfers.
5.3. Care principle
37. Netflix argues that the AP violated due diligence by not giving Netflix an opportunity to respond to the draft investigation report.
38. The AP notes that the investigation report was to Netflix on March 24, 2022. Netflix was then given the opportunity to submit its views on that report. Netflix made use of this opportunity by submitting both a written opinion and an oral explanation of that opinion to the . In the AP's view, therefore, there is no violation of the principle of due care.
5.4. Conclusion
39. The AP concludes that Netflix did not inform its customers sufficiently clearly; first in its privacy statement and second in response to inspection requests about 1) bases and purposes of processing personal data; 2) recipients of personal data; 3) retention periods; and 4) international transfers. In doing so, Netflix violated Article 5(1)(a) in conjunction with Article 12(1) AVG and Article 13(1)(c), (e) and (f) and (2)(a) AVG in the period between May 25, 2018 and July 30, 2020. Netflix also violated Article 5(1)(a), in conjunction with Article 12(1) of the AVG and Article 15(1)(a), (c) and (d), and (2) of the AVG in the period between October 25, 2018 to Nov. 19, 2019. For these violations, the AP will impose a fine on Netflix. The amount of the fine will be determined next.
6. Administrative fine
6.1. Penalty power
40. The AP is authorized to impose an administrative fine under Article 58(2) opening words and under i, in conjunction with Article 83 AVG and read in conjunction with Article 14(3) UAVG.
It follows from the case law of the Court of Justice of the European Union (hereinafter: ) that it follows from the wording of Article 83(2) AVG that infringements of the provisions of the AVG committed by the controller in a culpable manner - i.e., infringements committed intentionally or negligently - may result in an administrative fine being on the controller on the of that article (ECJ EU December 5, 2023, C-683/21, ECLI:EU:C:2023:949 (NVSC) paragraphs 73 and 83; ECJ EU December 5, 2023, C-807/21, ECLI:EU:C:2023:950 (Deutsche Wohnen) points 68 and 76).
6.2. Systematic determination of penalty level
41. The EDPB agreed to the final text of the Guidelines 04/2022 for the calculation of administrative fines under the AVG (hereinafter, the Guidelines) at its plenary meeting on May 24, 2023. The AP will apply these Guidelines to this .
42. The Guidelines describe the following method for calculating administrative fines for AVG violations:
1. map which and how many acts and violations are up for review;
2. determine the starting amount for further calculation of the fine;
3. consider whether there are extenuating or aggravating circumstances that call for increasing or decreasing the fine;
4. ascertain the maximum amounts applicable to the violations and whether those maximum amounts are not exceeded as a result of increases applied in previous or subsequent steps;
5. check whether the calculated final amount of the fine meets the requirements of effectiveness, deterrence and proportionality, and if necessary adjust the fine accordingly.
43. These steps are in sequence below.
6.3. Penalty amount calculation
6.3.1. Step 1: Identify acts and violations
44. First, it must be determined whether there is one or more behaviors that should be sanctioned.
Previously, it was ruled in 5.4 that Netflix did not inform its customers sufficiently clearly in its privacy statement and in response to inspection requests about 1) bases and purposes of processing personal data; 2) recipients of personal data; 3) retention periods; and 4) international retransmission. Given this, Netflix has committed two distinct sanctionable behaviors. These behaviors consist of not informing customers sufficiently clearly; first in the privacy statement and second in response to access requests. This means that this case involves two culpable behaviors for which the AP can impose fines.
6.3.2. Step 2: Determine starting amount
45. Next, the starting amount of the fine level must be . This amount is the starting point for further calculation in later steps, taking into account all relevant facts and circumstances. The starting amount is determined using three elements:
6.3.3. Step 3: Assess other relevant circumstances
59. According to the Guidelines on the calculation of administrative fines, it must then be considered whether the circumstances of the case justify setting the fine higher or lower than the starting amount determined above. The circumstances to be taken into account are listed in Article 83, second paragraph, opening words and points a to k, AVG. The circumstances listed in that provision must each be only once. In the previous step - as far as applicable - the nature, gravity and duration of the breach (part a), the intentional or negligent nature of the breach (part b) and the categories of personal data (part g) have already been taken into account. This leaves parts c through f and h through k.
60. In this case, the AP weighs that Netflix responded to the access requests in a timely manner by providing collected personal data as well as data on viewing behavior, search history, IP addresses, payments, devices and interactions with Netflix, among other things. Further, along with said data, Netflix also a copy of its privacy notice.
After this data, NOYB filed complaints with the Datenschutzbehörde on behalf of data subjects, while Netflix was under the impression that it had data subjects' requests to their satisfaction. Also, shortly after receiving the investigation report, Netflix terminated the breach on the "recipients of personal data" sections. Netflix thus did not wait for the 's decision, but instead energetically completed the available information and made it available to users of its service in multiple languages. The foregoing circumstances, the long duration of the AP's handling of this case and the AP's failure to respond to Netflix's willingness to proceed with amending its privacy statement, are grounds for the AP to reduce the amount of the fine to be determined below from the perspective of proportionality (para. 97 Guidelines on the calculation of administrative fines).
6.3.4. Step 4: relevant maximum amounts
61. Given Netflix's turnover, a maximum fine level of €1.229 billion or 4% of annual sales applies. It has been considered above that in this case the gravity of the infringement should be at a low level. According to the Guidelines, for low-level infringements, the starting amount should be set at a point between 0 and 10% of the fine cap. This means that the range of the amount to be imposed is between 0% and 10% of €1.229 billion. This corresponds to an amount between €0 and €122.9 million. Taking into account all relevant facts and circumstances mentioned above, the AP sets the starting amount at €2.5 million per violation. Now that two violations have been found, the starting amount will be €5 million. This amount is well below the maximum fine level of 4% of Netflix's worldwide annual sales.
6.3.5. Step 5: Assessment requirements of effectiveness, proportionality and deterrence
62. Finally, it must be assessed whether the fine is effective, proportionate and dissuasive.
It follows from Article 49(3) of the Charter of Fundamental Rights of the EU and Articles 3:4 and 5:46(2) of the Awb that the administrative fine should not lead to a disproportionate outcome given the circumstances of the case.
63. As in the Guidelines, the imposition of a fine can be considered effective if it achieves the purpose for which it was . That purpose may be to punish unlawful conduct, on the one hand, and to promote compliance with applicable regulations, on the other. Considering the nature, severity and duration of the breach, as well as the other factors from Article 83(2) AVG as assessed above and taking into account the mitigating circumstance above in Section 6.3.3, the AP considers that the imposition of an administrative fine under these circumstances achieves both purposes and is therefore effective and dissuasive. The amount of the administrative fine, which was partly determined based on Netflix's turnover, the AP also considers effective and dissuasive.
64. The AP considers a fine of € 4,750,000 to be proportionate given the seriousness of the violations and the size of the company. In the AP's view, there is no evidence of special circumstances that would the fine disproportionate.
7. Dictum
65. The AP is imposing a fine on Netflix for violation of Section 5(1)(a), in conjunction with Section 12(1) of the AVG, and Section 13(1)(c), (e), and (f) and (2)(a) of the AVG, respectively, and Section 5(1)(a), in conjunction with Section 12(1) of the AVG, and Section 15(1)(a), (c), and (d), and second paragraph, AVG an administrative fine in the amount of: four million, seven hundred and fifty thousand euros.
Sincerely, Personal Data Authority, Mr. A. Wolfsen chairman