CNIL (France) - SAN-2023-003
| CNIL - SAN-2023-003 | |
|---|---|
| Authority: | CNIL (France) |
| Jurisdiction: | France |
| Relevant Law: | Article 5(1)(c) GDPR; Article 28(3) GDPR; Article 56 GDPR; Article 82 of Loi Informatique et liberté |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 13.05.2020 |
| Decided: | 16.03.2023 |
| Published: | |
| Fine: | 125,000 EUR |
| Parties: | Cityscoot |
| National Case Number/Name: | SAN-2023-003 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | French |
| Original Source: | CNIL (in FR) |
| Initial Contributor: | ls |
The CNIL fined a scooter rental company €125,000 for various privacy violations. In particular, it considered that the collection of geolocation data every 30 seconds was not necessary for the purposes put forward by the controller.
English Summary
Facts
The controller was Cityscoot, a company that rents out shared electric scooters via a mobile application.
The controller operated cross-border processing operations, but its main establishment was in France. In accordance with Article 56 GDPR, the CNIL was therefore competent. In May 2020, the CNIL organised an investigation of the controller's website and mobile app. This investigation mainly highlighted three points.
(1) The investigation firstly showed that the company's scooters were equipped with electronic boxes containing a SIM card and a GPS geolocation system. This allowed location data to be collected every 30 seconds when the scooter was active and every 15 minutes when it was not. This data was collected by the company for the following purposes: managing traffic offences, handling customer complaints, user support (in order to call for help in case of a user's fall), claims and theft management. For each purpose, the controller justified why it was necessary to collect location data every 30 seconds.
- Regarding the purpose of managing traffic offences, the company believes that the collection of geolocation data every 30 seconds was necessary for proof of driver identity and insurance purposes. It also argued that this could be useful for checking whether a scooter was actually at the location where an offence was recorded for potential disputes.
- For the purpose of handling customer complaints, the company argued that the collection of data every 30 seconds was necessary because the service is charged by the minute. It considered that this collection could be useful for complaints about overcharging due to an error in stopping the rental, parking in areas where parking is prohibited, or loss of contact with the app, because it allowed the company to check how long a scooter had been stopped.
- Regarding the purpose of managing theft during rentals, the controller explained that the location data collected was not necessarily cross-referenced with the user's data and was therefore not personal data. However, it did not indicate how many scooters had been recovered thanks to the collection of geolocation data.
- With regard to accident management, the company argued that the collection of geolocation every 30 seconds was necessary for reporting and insurance purposes and for providing assistance to the driver involved.
(2) The investigation also showed that the controller used 15 processors on the basis of contracts that did not contain all the information required by the GDPR. For example, one of the contracts did not mention the processor's obligation to make available to the controller all the information to demonstrate compliance with the obligations laid down. Another contract did not mention the purpose of the data processing or its duration.
(3) The controller did not provide information and did not have a consent banner for cookies on its website. It argued that it fell under an exemption under national law.
Holding
(1) The CNIL began by pointing out that geolocation data collected while a scooter is rented constitute personal data. It referred to the EDPB Guidelines 01/2020 and considered that such data are sensitive in the common sense of the term, even though they are not covered by Article 9 GDPR. On the other hand, when the scooter is not rented, the data are not personal data.
The CNIL then analysed the relevance and necessity of the data collection for each purpose.
- Regarding the management of traffic offences, the CNIL considered that it was sufficient to know the date and time of the start and end of the rental and the date and time of the offence to meet this purpose. It also considered that the collection of data from all scooters every 30 seconds was excessive for this purpose insofar as it did not concern all users and only served an incidental purpose in the event that a user wished to contest an offence.
- For the handling of customer complaints, it considered that the collection of information every 30 seconds was not necessary for the purpose. It explained that less intrusive mechanisms could be used, such as triggering geolocation when the user requests help on the application or sending a text message to confirm that the user has ended the rental.
- Concerning the management of thefts during rentals, the CNIL considered that even if the controller did not cross-reference geolocation data with user data, the mere possibility of reconciling the different databases meant that the scooter position data were subject to the GDPR. In this case, the CNIL considered that the permanent collection was excessive for the purpose of managing thefts. It considered that geolocation should, for example, be collected only from the moment a theft is declared.
- For accident management, the DPA considered that geolocation should be activated only when an accident occurs/is reported and not permanently. It was therefore not necessary to collect the geolocation of scooters every 30 seconds to provide assistance in the event of an accident.
The CNIL concluded that none of the purposes justified collecting location data every 30 seconds, in violation of Article 5(1)(c).
(2) As regards the relationship between the controller and its processors, the CNIL considered that the contracts were too incomplete and found a clear breach of Article 28(3).
(3) The CNIL considered that the controller could not rely on the exemption under domestic law and therefore had to inform and collect the consent of users to place cookies under Article 82 of the Data Protection Act. The controller therefore violated this provision.
Consequently, the CNIL found a violation of Articles 5(1)(c) and 28(3) GDPR and imposed a fine of €100,000. For the violation of Article 82 of the Data Protection Act it imposed a fine of €25,000.
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.