As the months go by, so do the sanctions imposed on start-ups turned colossuses.
This time it’s the Dutch supervisory authority responsible for overseeing the protection of personal data (the equivalent of our CNIL) that is confronting Uber, a key company in the VTC service, with its responsibilities and the RGPD.
Indeed, Uber is being rapped on the knuckles and condemned for lack of transparency in the personal data processing it implements.
And this time, it’s not the famous VTC company’s customers who are at the root of the affair but…its drivers!
In fact, no fewer than 170 French drivers (Cocorico) have contacted the Ligue des Droits de L’Homme (Human Rights League) to complain about their difficulty to obtain access to and/or copies of their personal data from the company.
Uber’s head office being in the Netherlands, the CNIL naturally forwarded the question to its Dutch counterpart.
And the latter did not disappoint the interests of our Gallic irreducibles.
The Dutch authority found that:
- Access to data was excessively complicated: the form provided was too difficult to access from the application.
- When data was communicated, it was grouped together in a table that was too difficult to interpret.
- The data retention period and the security measures in place when data is transferred outside the EEA were not mentioned in the privacy policy.
Given these shortcomings, and the fact that they concern 120,000 drivers established on European territory, the Netherlands struck hard by fining the company no less than 10 million euros on December 11!
This latest sanction is proof of what must not be done when it comes to data protection…
* “And 10 for Uber!”