Close this search box.
AI-based solution designed to automate personal data discovery and classification
Discover personal data across multiple systems in the cloud or on-premise
Turn data subjects request into an automated workflow with a clear insight into data every step of the way
Collaborate with stakeholders and manage DPIA and LIA in real-time with Assessment Automation
Privacy portal allows customers to communicate their requests and preferences at any time
Introducing end-to end automation of personal data removal

Latest Blog posts

Learn the terms

General Data Protection Regulation

Here you can find the official content of the Regulation (EU) 2016/679 (General Data Protection Regulation) in the current version. All Articles of the GDPR are linked with suitable recitals.

Latest papers

Dutch Data Protection Authority Imposes €10 Million Fine on Uber

10 million gdpr fine uber

The Dutch Data Protection Authority (the Autoriteit Persoonsgegevens) imposed a fine of 10 million euros on Uber B.V. and Uber Technologies Inc. for multiple violations related to driver information.

In case you haven’t come across it, Uber is a multinational company that operates a ride-sharing platform connecting riders with drivers using their own vehicles. The platform is accessible through a mobile app, which allows users to request rides and track the location of their assigned driver.

Cooperation between CNIL and Dutch DPA

The CNIL has received a collective complaint from the association La Ligue des droits de l’Homme, representing over 170 French drivers on the Uber platform, citing challenges faced in exercising their rights.

Working in tandem with the CNIL throughout the process, the Dutch Data Protection Authority took charge of the investigations under the guidelines of the General Data Protection Regulation (GDPR) based on Uber’s primary establishment being in the Netherlands.

The CNIL played a key role in checking and analyzing the evidence. This joint effort continued during the review of the draft decision as part of the one-stop-shop procedure.

Identified Breaches

The DPA discovered that Uber made it unnecessarily complex for drivers to request access to or copies of their personal data. Despite the existence of a form within the app, it was located deep within the app, spread across various menus, and could have been placed in a more user-friendly location.

Furthermore, in its privacy terms and conditions, Uber failed to specify how long it retains drivers’ personal data (data retention period) and the specific security measures employed when transmitting this information to entities outside the European Economic Area (EEA). 

The DPA also found that Uber had obstructed its drivers from exercising their privacy rights. The identified violations include:

  • Failing to provide requested data in an accessible format under the right of access and providing information about processing operations only in English.
  • Insufficient accessibility of the online form for exercising rights within the application used by drivers.
  • Incomplete information in their privacy statement regarding data transfers outside the EEA, and offering overly general details about data retention periods.
  • Not explicitly mentioning the right to data portability in their privacy statement.

Related content: What are 8 Data Subject rights according to the GDPR

To conclude

Companies are obligated to provide all necessary information and respond to any data subject request in a timely manner (in most cases, within 30 days), but also remove any potential obstacles that would prevent people from exercising their rights.

This decision highlights the significance of providing transparent information and emphasizes the importance of facilitating individuals in exercising their rights.

It goes beyond merely having a submission form for data rights; it stresses the need to ensure that the process is easily accessible, straightforward, and user-friendly.

This adds an additional layer of consideration for companies when developing their privacy processes, applications, systems, and procedures with privacy at the forefront.

Read the decision of Dutch data protection authority: Uber fined €10 million for infringement of privacy regulations.

Request a Data Privacy Manager demo

Let us navigate you through the Data Privacy Manager solution and showcase functionalities that will help you overcome your compliance challenges.

Scroll to Top