UBER: Dutch data protection authority imposes €10 million fine
On December 11th 2023, in cooperation with the CNIL, the Dutch data protection authority fined Uber B.V. and Uber Technologies Inc. 10 million euros for several breaches of driver information.
Print the article
Email
Decrease the size of the font
Increase the size of the font
Uber is a company that publishes a platform that brings together chauffeur-driven cars (VTCs) and users.
The CNIL has received a collective complaint from the association La Ligue des droits de l'Homme, representing more than 170 drivers on the Uber platform, concerning the difficulties encountered in exercising their rights.
Cooperation with the CNIL throughout the procedure
Under the procedures for cooperation between authorities introduced by the General Data Protection Regulation (GDPR), it was the Dutch data protection authority that was competent to conduct the investigations in this case, as Uber has its main establishment in the Netherlands.
The CNIL cooperated closely with its counterpart throughout the procedure, as part of the checks and analysis of the evidence obtained, and then when examining the draft decision as part of the one-stop shop procedure.
The breaches identified
Following its investigations, the Dutch Data Protection Authority found that Uber B.V. and Uber Technologies (jointly responsible) had failed to fulfil their obligations:
by failing to provide the data requested under the right of access in an accessible format and by providing drivers with information about the processing operations carried out on them in English;
by not making the online form for exercising rights within the application used by drivers sufficiently accessible;
by providing incomplete information in their privacy statement about data transfers outside the European Union, as well as overly general information about data retention periods;
by not explicitly mentioning the right to data portability in their privacy statement.
The CNIL has informed the complainants of this decision in accordance with the provisions of the RGPD.
This decision reaffirms the importance of the obligation to provide transparent information and the need to ensure that the rights of data subjects are respected.
Texte reference
Read more
[FR] UBER : l’autorité néerlandaise de protection des données prononce une amende de 10 millions d’euros
Decision of the Dutch data protection (in English)
Decision of the Dutch data protection (in Dutch - full decision available)
Texte reference
Official texts
Article 12 of the GDPR (transparency)
Article 13 du RGPD (information des personnes)
Print the article
Decrease the size of the font
Increase the size of the font
Uber is a company that publishes a platform that brings together chauffeur-driven cars (VTCs) and users.
The CNIL has received a collective complaint from the association La Ligue des droits de l'Homme, representing more than 170 drivers on the Uber platform, concerning the difficulties encountered in exercising their rights.
Cooperation with the CNIL throughout the procedure
Under the procedures for cooperation between authorities introduced by the General Data Protection Regulation (GDPR), it was the Dutch data protection authority that was competent to conduct the investigations in this case, as Uber has its main establishment in the Netherlands.
The CNIL cooperated closely with its counterpart throughout the procedure, as part of the checks and analysis of the evidence obtained, and then when examining the draft decision as part of the one-stop shop procedure.
The breaches identified
Following its investigations, the Dutch Data Protection Authority found that Uber B.V. and Uber Technologies (jointly responsible) had failed to fulfil their obligations:
by failing to provide the data requested under the right of access in an accessible format and by providing drivers with information about the processing operations carried out on them in English;
by not making the online form for exercising rights within the application used by drivers sufficiently accessible;
by providing incomplete information in their privacy statement about data transfers outside the European Union, as well as overly general information about data retention periods;
by not explicitly mentioning the right to data portability in their privacy statement.
The CNIL has informed the complainants of this decision in accordance with the provisions of the RGPD.
This decision reaffirms the importance of the obligation to provide transparent information and the need to ensure that the rights of data subjects are respected.
Texte reference
Read more
[FR] UBER : l’autorité néerlandaise de protection des données prononce une amende de 10 millions d’euros
Decision of the Dutch data protection (in English)
Decision of the Dutch data protection (in Dutch - full decision available)
Texte reference
Official texts
Article 12 of the GDPR (transparency)
Article 13 du RGPD (information des personnes)
