Names and pictures are personal data, according to Article 4 GDPR – Definitions. By doing media processing of personal data – images, video feeds, and names in credits – you are processing personal data. If you are based in the EU, or if you offer goods and services to people in the EU, according to Article 3 GDPR - Territorial scope – GDPR applies to your personal data processing operations. The first step is to determine your role – controller or processor. If you are a processor, you need a Data Processing Agreement signed with the streaming service providers, where they mandate you to process these films based on their instructions.
If you are a controller, you need a purpose and a legal ground for processing, according to Article 6 GDPR - Lawfulness of processing. The actors and the crew have a contract with the movie production company, so they process their data based on Contractual Obligation, per Article 6.1.b GDPR – contractual obligation. The streaming service providers have a contract with the production company, and you have a contract with the streaming service providers, but the crew and actors are not part of your contract, so you cannot use Contractual Obligation. In my opinion, the best fit for a legal ground for processing would be Legitimate Interest, but in this case, you should perform a Legitimate Interest Assessment and you should inform the actors and the crew.
At Advisera, we have a great resource to help you, an EU GDPR Documentation Toolkit that contains all documents necessary to drive your GDPR-compliance efforts, which also contains templates for privacy notices, data subject access requests, data processing agreements, and so on.
Please check these links: