Rb. Amsterdam - C/13/687315 / HA RK 20-207
Rb. Amsterdam - C/13/687315 / HA RK 20-207 | |
---|---|
Court: | Rb. Amsterdam (Netherlands) |
Jurisdiction: | Netherlands |
Relevant Law: | Article 4(1) GDPR Article 4(4) GDPR Article 5(1)(a) GDPR Article 12(3) GDPR Article 12(6) GDPR Article 15 GDPR Article 15(1)(h) GDPR Article 15(1) GDPR Article 15(4) GDPR Article 20 GDPR Article 20(1) GDPR Article 22 GDPR Article 22(3) GDPR Article 35 GDPR Article 41(1) GDPR Article 3(1) Rome I Regulation Article 4 Brussels I (Recast) Regulation |
Decided: | 11.03.2021 |
Published: | 11.03.2021 |
Parties: | UBER B.V. |
National Case Number/Name: | C/13/687315 / HA RK 20-207 |
European Case Law Identifier: | Zoekresultaat - inzien document ECLI:NL:RBAMS:2021:1020 |
Appeal from: | |
Appeal to: | |
Original Language(s): | Dutch |
Original Source: | Rb. Amsterdam (in Dutch) |
Initial Contributor: | n/a |
The District Court of Amsterdam (Rb. Amsterdam) rejected several requests (except one) for further information under Article 15 GDPR. The requests were made by Uber Drivers against the controller, Uber, after they former claimed that Uber had insufficiently given effect to their right of access. The court clarified a question of the format for the right to data portability (Article 20 GDPR).
English Summary
Facts
The 10 plaintiffs are employees of the defendant, Uber, in the United Kingdom. The plaintiffs are part of the App for Drivers and Couriers Union (ADCU) which protects their interests as private drivers and couriers in the UK. ADCU is itself a member of International Alliance of App Transport Workers (IAATW). ADCU and IAATW want to create a database of the personal information of drivers at Uber.
The plaintiffs have made requests by email or via the Uber Driver App to access the data processed by Uber concerning them. Uber provided digital files in response to these requests.
The plaintiffs asked the court to review the digital files provided and to order Uber to provide explanation on a series of questions relating to the files given. The plaintiffs claimed that the files given were not complete as the data given did not contain the full information that they were entitled to.
The plaintiffs also claimed that the decision was automated within the scope of Article 22 and therefore Article 15(1)(h) applies.
They also claimed to have a right to data portability under Article 20(1) GDPR and that information should be provided in a structured, commonly used and machine-readable format. They claim that Uber only provided a small part of the data in the required format.
Dispute
The plaintiffs asked the court to order Uber to:
I. a) provide, within one month of notification and in a standard electronic form, access to:
(i) personal data which Uber processes, such as the "Driver’s Profile" including the records of Uber employees, "Tags", and "Report",
(ii) the purposes for processing, the categories of personal data, recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations and the storage period
(iii) in the event of transfer to a third country or to an international organisation; the appropriate safeguards applied by Uber pursuant to article 46 GDPR Uber
(iv) the existence of automated decision-making, including those laid down in Articles 22(1) and 22(4) GDPR (at least meaningful information about the logic underlying it, and the significance and the envisaged consequences of such processing).
II. provide personal data in a structured, common and machine-readable form, (e.g. as a CSV file or through an Application Programming Interface/"API"), in such a way that some of this data can be directly transmitted to another controller.
III. the foregoing and, under penalty of a fine of $10,000 for each day or part of a day that Uber fails to fully comply with one or more of the I and II and above.
Holding
Jurisdiction and applicable law
The district court of Amsterdam held that Dutch courts has jurisdiction. It considered that this was the case as Uber is based in Amsterdam and therefore Article 4 Brussels I (Recast) Regulation applies. The court found that law applicable is the law of The Netherlands under Article 3(1) Rome I Regulation.
Inadmissibility of the plaintiffs?
The Court outlined that the plaintiffs need to have made an access request to Uber and also requested for their data to be ported before seeking a court procedure. Additionally, the court outlined that a month should have passed as per Article 12(3) GDPR. The plaintiffs have a right to filed a complaint before a court as per Article 35 GDPR.
On that matter, the court found that Uber still has to responded to the access request by email after the plaintiffs had filed a petition before the court. It also held that the plaintiffs could not assess whether Uber had properly responded to their request as they had not received an answer at the time of filing the original petition in July 2020 (even if Uber had responded before the revised/ additional petition filed by the plaintiffs one month later - August 2020). Based on the dates of the email exchanges between the individual plaintiffs and Uber, the court found that the requests of Plaintiffs 1, 2, 3, 4, 5, 6, 8 and 9 were admissible.
However, the court found that Plaintiff 7 and 10's applications were inadmissible as the two plaintiffs had not responded to the request for identity verification (required under Article 12(6) GDPR). The court held that this was why the two plaintiffs (7 and 10) had not received a reply from Uber as required by Article 12(3) GDPR and hence, why they did not have the opportunity to submit their request to the court on the date of filing the procedure.
Interest in the application / abuse of the law?
The court held that, contrary to Uber's argument, an individual does not need to justify their access request. An individual can exercise this right under the GDPR without clarifying their particular interest. The only requirement for an access request is that the individual's personal data is processed. In any case, the court considered that the individual's wish to check the accuracy and lawfulness of their personal data to exercise further rights is a sufficient interest. There was no abuse of the law in this context.
The access request
The court outlined the purpose of Article 15 GDPR and the broad definition of personal data according to the CJEU (referring to Nowak and YS and MS) as well as past Dutch court decisions. The court also outlined the conditions under which an access request may be refused (citing Articles 15(4) and 41(1) GDPR) - i.e. if it is necessary for the protection of the rights and freedoms of others.
The court rejected the plaintiffs' claim that they didn't need to substantiate their request for further access because Uber has to process it in a transparency manner under Article 5(1)(a). Instead, the court held that the transparency principle does not achieve this. As per Recital 63 GDPR, Uber is entitled to ask for specifications on the personal data that the data subject requires in their access request. Given that the plaintiffs already received very large sets of personal data from Uber, it is for the plaintiffs to further specify the data that they request in an access request. The court specified that the plaintiffs cannot request passenger information as a result of a contractual obligation between drivers and passengers and the need to respect the passenger's privacy.
The court assessed distinct categories of personal data to determine whether the plaintiffs had a right of access to them and whether Uber had sufficiently given effect to that request:
- Driver's profile: the court held the drivers profiles were not profiles within the meaning of Article 4(4) GDPR ('profiling'). These were internal referrals and reports to Uber customer service employees. These profiles did not contain information about the data subject that the latter could themselves verify. Therefore, Uber did not have to provide access to that information as it is not personal data within the scope of the GDPR.
- Tags (labels generated by Uber to assess the driver's behavior): the court took the dictionary meaning of the word tag to outline that a tag is a 'name or phrase that is used to describe a person or thing in some way'. Therefore, the court was of the view that this could not be verified by the data subject for correctness and therefore is not subject to the right of access.
- Reports (based on feedback from passengers): the court found that this constituted personal data within the meaning of Article 4(1) GDPR (linked to an identifiable individual because of its content). However, the court found that Uber must respect the rights and freedoms of others under Article 15(4) GDPR. Therefore, it considered that the reports by Uber should be anonymised. The court deemed that Uber did not have to provide further access to the passengers details on the basis of a contractual relationship between the driver and passenger.
- Start and end location of a trip: the court found that Uber provided overviews of the details on the journey times and location of the trip. It deemed that it was sufficient for the purpose of an access request as it would otherwise potentially infringe the privacy rights of the passenger.
- Individual ratings: the court found that Uber provided an overview of this data to the plaintiffs in an anonymised manner. Again, the court considered that Uber must provide this data in a way that preserves the right to privacy of the passengers (i.e. by anonymising the information to ensure the passenger is not identifiable). However, Uber must provide that anonymised information in a right of access request. Therefore, the court orders Uber to provide access to individual rating of the applicants in those conditions.
- Driving behaviour, use of phone in the journey and percentage of accepted journeys: the plaintiffs claimed that Uber did not receive the full extent of the information from Uber on that matter. However, the court considered that the plaintiffs' requests on this matter was too vague. The plaintiffs' claim that the information was incomprehensible due to lack of information was insufficient in the court's eyes. The request was rejected.
- Upfront pricing system: the plaintiffs requested an explanation of how the upfront pricing system works and how the algorithm calculates the price. The court considered that only one plaintiff (currently still an employee) was subjected to this new system. Therefore the others could not request information on this system under Article 15 GDPR as it did not concern their personal data.
- Information about automated decision-making and profiling (Article 15(1)(h) GDPR): The court agreed with Uber's argument that it does not use automated decision-making within the meaning of Article 22. The court outlined that, whilst it is agreed by the parties that automated decisions are made by Uber, these do not fall within the requirements of Article 22 as there was not legal or otherwise significant effects on the data subject. This was the case even if the batched matching system and upfront pricing systems have some impact on the performance of the agreement between Uber and the driver. Therefore, the court rejected the request for further information under Article 15(1)(h).
- Request for additional information: As Uber provided further information on processing purposes, categories of data, recipients of data, retention periods and appropriate safeguards applied if transferred to third countries in its defense, the court considered that the question was already resolved.
The request to transfer data in a CSV file (data portability)
The court established (or "assumed") based on the EDPB guidelines that data that the controller has derived from the data provided by the data subject falls outside of the scope of Article 20 GDPR. The data that falls under Article 20 is less than under Article 15 GDPR. The court also considered that the format of the data provided under Article 20 must be "interpretrable and provide the data subject with the greatest possible degree of data portability". This could be any common public formats such as XML, JSON or CSV.
The court found that there is no automatic obligation to provide the data in a CSV file or by means of an API as argued by the plaintiffs. The court held that Uber did provide personal data in a format that allows transmission of the data to another data controller, except where Uber sent PDF files. The court therefore confirmed that PDF files do not constitute the correct format for the purpose of Article 20 as it is not structured or descriptive enough for the reuse of the data. However, the court considered that there was no reason to order Uber to provide the data ("zendesk" tickets; driver complaints; and invoices) that was provided in the PDF format in a CSV format as these data did not fall within the scope of Article 20 (not provided data by the data subject).
This request under Article 20 was therefore rejected.
Conclusion
The court considered that Uber only had to provide access to personal data regarding the individual ratings in an anonymised format (as mention above). The rest of the requests under Article 15 GDPR were rejected.
No penalty was imposed.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
DISTRICT COURT OF AMSTERDAM, THE Department of law case number / rekestnummer: C/13/687315 / HA-RA 20-207 Commission decision of 11 march 2021 in the case of the 1 [claimant 1] , lived in [city] (United Kingdom) 2. [petitioner 2] , lived in [city] (United Kingdom) 3. [tempter 3] , lived in [city] (United Kingdom) 4. [the applicant 4] , lived in [city] (United Kingdom) 5. [petitioner 5] , lived in [city] (United Kingdom) 6. [petitioner 6] , lived in [city] (United Kingdom) 7. [inquirer 7] , lived in [city] (United Kingdom) 8. [petitioner 8] , lived in [city] (United Kingdom) 9. [petitioner 9] , lived in [city] (United Kingdom) 10. [the applicant 10] , lived in [city] (United Kingdom) plaintiffs, a lawyer for mr. A. H. Ekker Amsterdam,the netherlands, at the limited liability company limited liability company UBER B. V. , Amsterdam, the netherlands, defendant, a lawyer for mr. G. H. Potjewijd Amsterdam, the netherlands. Applicants will be referred to collectively as also the [plaintiffs], and every one of [claimant 1] to [petitioner 2] , [tempter 3] , [petitioner 4] and [the applicant 5] , [petitioner 6], and [petitioner 7] , [petitioner 8] , [petitioner 9], and the [petitioner 10] which will be referred to as. The defendant will also have the Uber will be referred to as. 1 , The procedure is 1.1. In the course of the procedure, demonstrated by: - for the application, including attachments, received at the court registry on 20 July 2020, - the tussenbeschikking of the 24th of september 2020, in which there is an oral hearing is to be determined, - it is a revised / supplemental application, with attachments, received at the court registry on 21 August, 2020, - in the written statement, including attachments, received at the court registry on 4 december 2020, the official record of the hearing on december 16, 2020, and stated legal and other documents. 1.2. Then, after the arrest, decision, given the present. With the consent of the parties in this case are jointly dealt with the issue with the rekestnummer C/13/692003 / HA-RA 20-302 with some of the same plaintiffs, and the Uber a party. In that case, it is today, and the decision was taken. 2 The facts 2.1. Uber is an internationally operating group of companies that is, by means of its technology, online services, transport services. Uber is a wholly-owned subsidiary of Uber Technologies, Inc. based in San Francisco, United States of America. 2.2. The applicants are employed (or has been) as a private hire drivers (hereinafter referred to as truck drivers in the United Kingdom, with the ma(a), k(t), and the services of Uber. 2.3. Uber connects passengers with drivers. Passengers have to make use of the generic Uber App (hereinafter referred to as App), the drivers on the Uber Driver App (hereinafter referred to as: a Driver App. 2.4. The applicants that are connected to the App for Drivers and Couriers Union (hereinafter referred to as ADCU). ADCU) is a trade association that protects the interests of private-hire drivers and couriers in the United Kingdom. ADCU is a member of the International Alliance of App Transport Workers (hereinafter referred to as IAATW). Both of the organizations are using the digital rights of the platformwerkers. [the applicant 4] , [claimant 1], and the [petitioner 7) are, respectively, the president, the secretary-general and the president of the local chapter of the ADCU. 2.5 in. ADCU is supported by the Gps Info of the Exchange (hereinafter referred to as: (WHO). Anyone WHO is a not-for-profit organization that also for the purpose of providing for employees and self-employed workers in the information economy, access to the personal data which are at work upon them to be collected. [claimant 1] is the founder and executive director of the WHO. 2.6. ADCU and IAATW plan to create a database from scratch, which will be taken up by ANYONE. In this data-base will be the personal information of drivers will be listed. 2.7. In several countries, including the United Kingdom, and France, and its proceedings are pending between the drivers and Uber on the question of whether the existence of an employment relationship. 2.8 in. Applicants need to have each individual at different times, by e-mail to, or through, the App, and/or on the Driver App will ask for access to their Uber personal data is done. Uber, has, in response to the requests of a number of applicants for the digital files are provided. 2.9 in. Uber has a Privacy Statement (hereinafter the privacy policy) is developed, which provide general information about the data processing has been recorded. With the provision of the personal data of drivers, provide Uber with a note, ‘Guidance Notes’ as they are called, in which the categories of personal information that Uber is processed. Three 3. The dispute 3.1. The petitioners request that the court, after review, and in addition to the application in order to be enforceable by, to explain the decision: Uber recommend it to: I. a) within one month of notification of the decision, against reimbursement of the costs to the applicants, in a standard electronic form, access to: (i) each of them relates to personal data which it processes, such as the personal information, as described in the Guidance Notes, the ‘Driver’s Profile including the records of Uber employees, "Tags", and "Report", (ii) the processing purposes, the categories of personal data, recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations and the storage period of these data (iii) in the event of transfer to a third country or to an international organisation; the appropriate safeguards pursuant to article 46, AVG Uber in respect of such transfer is provided (iv) the existence of automated decision-making, including those laid down in article 22, paragraphs 1 and 4, AVG referred to the profiling, and, at least in those cases, meaningful information about the logic underlying it, and the significance and the envisaged consequences of such processing for the petitioners, II. within one month of notification of the decision of the personal information in a structured, common and machine-readable form, namely, as a CSV file, or through an Application Programming Interface (hereinafter referred to as "API"), in such a way that some of this data directly to another controller may be transmitted, III. the foregoing and, under penalty of a fine of $ 10,000 for each day or part of a day that Uber fails to fully comply with one or more of the I and II and above is recommended, IV. Uber to the judge in the court proceedings. 3.2. The ask (I) (i), (ii) and (iii) be based on article 15 (1) AVG - 1 (to the right). According to the petitioners, it has Uber is not complete and is not consistent with their inzageverzoeken respond to it. The digital data that Uber has not provided a which does not contain the full information that the applicants were entitled to. The Guidance Notes it appears that the Uber of 26 different categories of personal data processed, applicants will have at most of these categories have no access can be obtained. In addition, the data provided is limited to a period of a few months. Section 3.3. The request is (I) (iv) on the basis of article 15, paragraph 1, introductory wording and points (h) and article 22, AVG automated decision making and profiling). According to the petitioners, it appears from the statement, and the Driver App Uber to automated decision making and profiling run. In the application of the profiling, it must be Uber, on the basis of a consideration of 71 as time passes, the appropriate procedures and actions to take in order to be a subject fair and transparent processing service. Also, have a discriminatory impact of the profiling is to be avoided. In order to be able to assess whether or Uber to the use of the criteria set out in article 22 (3), AVG meets've petitioners ' interest in access to automated decision making and profiling, as well as information on the underlying logic, and the envisaged consequences of such processing. 3.4. On request, (II explain to the applicants, the following principles. On the basis of article 20 (1) AVG is, they have the right to provide the information in a structured, common and machine-readable format (gegevensoverdraagbaarheid or dataportabiliteit). Uber needs of applicants with the opportunity to view the data download and the other controller to be transmitted. In order to be able to achieve Uber, the personal data of the applicants were provided in a comma-delimited text file. Uber has only a very small part of the data in the file to‘format’(the quotation marks will be below, in particular to 4.76 e.v., can be omitted) is provided. 3.5 in. To comply with the request for the imposition of financial penalties, have the applicants at the foundation that is needed, because in the Uber to the access and transfer of your personal data is in default. The amount of the additional penalty payment, it is according to the petitioners are justified in the interest of the applicants and the financial strength of the Uber. 3.6. The petitioners argue that the next interest for their applications: - In a variety of foreign proceedings is the question of whether an employment relationship between the drivers and Uber to exist. Of interest here is the extent to which Uber management has, among other things, to exercise it by means of algorithms and automated decision-making process; - the British court has ruled that people have a right to a minimum wage and holiday allowance. In order to make their earnings to calculate to have the applicants have access to their data, as necessary; - the British court has ruled that people have a right to be protected from discrimination. In order to be able to determine whether or not there is a case of discrimination plaintiffs, insight is needed in the calculation of the rating in the Driver App; - the required data are necessary for the practice of collective bargaining and the protection of interests; - in making decisions about their license, if there are drivers to be assessed as to their suitability. Therefore, the applicants interest in the unrestricted access to their data; - the information requested will be available to ANYONE. 3.7. Uber leads the defence. Primarily, it shall request that the applicants were not to dismiss and in the alternative, the request to decline, with the conviction of the petitioners in the proceedings, including nakosten, plus legal rate of interest. 3.8 in. On the basis of the parties hereunder, to the extent relevant, in more detail. 4 evaluation Jurisdiction and applicable law 4.1. The district court shall be required to consider whether the Dutch court has jurisdiction and, if so, whether this court has jurisdiction of the requests, to be acquainted with. This is the case because Uber is in Amsterdam and is found in article 4, the Brussels I-bis Regulation 2 of this article and article 262 of the introductory wording and points (a, Rv, 3 ). 4.2. If the request is based on the security application of this European regulation is directly applicable. The fact that the parties are also provided (additional) on the basis of the law, the court that the parties ' implied choice of law, the application of the laws of the Netherlands as provided for in article 3, paragraph 1, of the Rome I Regulation. 4 4.3. Between the parties is not in dispute is that Uber has to be considered as the controller within the meaning of article 4, section 7 AVG. Applicants need not be admissible? 4.4. First of all, an answer to the question whether the applicants were seeking. 4.5. According to Uber, that is not the case at all. [inquirer 7] and has refused to identify themselves, creating the Uber of his identity has not been able to verify, and not at his request, and was able to respond to it. The other applicants ( [claimant 1] to [petitioner 2] , [tempter 3] , [petitioner 4] and [the applicant 5] , [petitioner 6], and [petitioner 8] , [petitioner 9], and the [petitioner 10] ) according to Uber, the petition will be submitted prior to Uber, at their request, to fully respond. That's what Uber is in conflict with the requirements laid down in article 35, paragraph 2, of the UAVG 5 which states that a person only after the response to the request, or at the end of the period to which the request should be responded to, an application procedure can begin. 4.6. To this end, the Uber of that, they have to answer the inzageverzoeken a phased-in approach to adopt. It provides, first, a selection of some of the processed personal data within the last 30 days, provided that the inzageverzoek to be fine-tuned. Upon receipt of the definition of the inzageverzoek provide the full set of personal data, which the data subject has requested it. Uber says that they are on two different dates in July, september, and October of 2020, it is fully at the inzageverzoeken of the applicants, reply, and that, on the basis of these data, and the applications is too early to be considered. In this case, they are based on the principle that the date of the original petition, as of July 20, 2020, in light of the national procesreglement application on behalf of the the courts, departments and teams, for a commercial, it also applies to applicants who are from the revised/supplementary petition on 21 August, 2020, as a party to this proceeding have been added. 4.7 in. The petitioners argue that they are the applications should be submitted prior to Uber, at their request, to respond. According to the applicants, in order to assess the acceptability, a distinction must be made between the persons in the original petition as of July 20, 2020, being the [claimant 1] to [petitioner 7] , [petitioner 8], and the [petitioner 10] the plaintiffs in the amended/supplemental petition on August 21, 2020, being the [petitioner 2] , [tempter 3] , [petitioner 4] and [the applicant 5] , [petitioner 6], and the [petitioner 9] . This is the latest applicants in the period from June 20, 2020 to July 15, 2020 to each and every one inzageverzoek done so, when the Uber-between July 20, 2020 August 7, 2020, to respond. Having regard to the date of the amended/supplemental petition on August 21st, 2020 and these are the applicants were accepted. From the date of submission of the application, has the Uber, on its own initiative communications to applicants are sent in response to a request. These messages can also be regarded as a response to the previous request, and is thus becoming the applicants. 4.8. In the assessment of the eligibility of the applicants, subject to the following principles. Applicants need to have the Uber prior to the procedure, asked for access to your personal data as referred to in article 15, AVG, and to reduce the transmission of the information referred to in article 20, AVG 2.8). Pursuant to article 12 (3) AVG should be the Uber of plaintiff within one month of receipt of such requests, will inform you about the action taken on these applications is given. If necessary, this period may be extended. In that case, Uber applicants within one month of the receipt of the request thereof, as it should be. Article 35 of the UAVG indicates the petitioners have the right to request the court to make the Uber we ask one out. In this article, the petition has to be filed within a period of six weeks from the receipt of the response from the controller; if the controller does not timely respond, there is no time limit. This system is based on the idea that the parties shall first seek to the requested data to (a) provide that the person responsible for a negative reaction, under penalty of inadmissibility, only a limited amount of time to the objections against it to the court. The system is also made to prevent the controller rauwelijks or for a long period of time after the request has been rejected, this shall be brought to trial (cf. court of appeal of Amsterdam, 5 november 2019, ECLI:NL:GHAMS:2019:3966). 4.9 in. The court found that Uber's request still has to respond by e-mail to the applicants (with the exception of the [petitioner 7], and the [petitioner 10] ): an e-mail with an encrypted file containing data and an e-mail with instructions and a password to access the file. In an e-mail with Uber in the digital file has been sent, the following is standard text included: “(...) If you feel this response does not meet your request, we will kindly take ask you to provide more detail about the data you want, and a period to which it relates. (...)” 4.10. This text may not be considered to be an announcement of Uber at a later time, a second data set may provide, or that they will have a more detailed explanation of the inzageverzoek of the plaintiffs wished to have. The petitioners, if the response from Uber, as an answer to their request, within the meaning of article 12, paragraph 3 of the AVG application. This means that the deadline for the application is to serve after the date of receipt of this response is to go for a walk. 4.11. Unlike Uber has argued, the plaintiffs in the amended/supplemental petition on August 21st, 2020 and is not the date of the original petition, as of July 20, 2020 and will be bound by it. It is true that the application procedure, from the time of submission of the application, on the 20th of July of 2020, pending, but when it is the applicants are still unable to assess whether Uber should make their request was responded to. After all, they still had no response from Uber to receive. It was only after the receiving of them were able to plaintiffs a judgment of their personal data, and to take their concerns against the right sought to be imposed. 4.12. The district court shall be hereinafter referred to as the eligibility of each applicant to discuss it. On the basis of the positions of the parties, their relation with statements by the applicants submitted copies of the e-mail correspondence between the applicants and Uber, the court will make the following findings. [claimant 1 and claimant 8] 4.13. As between the parties, it is clear that both the [claimant 1] , if [plaintiff 8] on July 19, 2020 to 4.9 above, emails, digital files, instructions, and a password in order to access the files, and have been received in response to requests from the 20th of June 2020. The application is as of July 20, 2020 and it is, therefore, not submitted too late. That's the Uber on the 20th of July 2020 for further info has been sent in respect of [the applicant 8] as announced, it is not enough to be non-responsive in the process. [petitioner 2] , [tempter 3] , [petitioner 4] and [the applicant 5] , [petitioner 6], and the [petitioner 9] 4.14. Uber has argued that [the applicant 2] on september 4, 2020 in response, at the request of the July 15, 2020. The applicants submitted to the productions, in respect of [the applicant 2] it appears, however, that in the Uber on the 7th of August 2020 to 4.9 above, e-mail the digital file instructions, and the password is on the applicant 2] and has been sent on in response to the request. 4.15. Uber has argued that [the applicant 3] on October 30, 2020 in response, at the request of the 23rd of June, 2020. The applicants submitted to the productions, in respect of [the applicant 3], however, is that Uber is on the 22nd of July 2020 for the with clause 4.9-mentioned e-mail has been sent in response to a request. 4.16. Between the parties is not in dispute that in the Uber on June 30, 2020, to 4.9 above, e-mail has been sent in response to a request to [petitioner 4] on June 22, 2020. Section 4.17. As between the parties, it is also not in dispute that in the Uber on the 20th of July 2020 for the with clause 4.9-mentioned e-mail has been sent to [petitioner 5] in response to his request, and on the 20th of June 2020. 4.18. Uber has argued that [the applicant 6] on October 30, 2020 in response, at the request of the July 10, 2020. Out of the applicants, in respect of [the applicant 6] in relation with the productions, however, revealed that Uber is on the 7th of August 2020 in the previous section 4.9 above your e-mail has been sent in response to a request. 4.19. Uber has argued that [the applicant 9] on October 9 2020 answers at the request of the 23rd of June, 2020. Out of the applicants, in respect of [the applicant 9] the production of the productions, however, revealed that Uber is on 21st July 2020 for the with clause 4.9-mentioned e-mail has been sent to [the applicant 9.] in response to the request. 4.20. The above-mentioned data, which the [petitioner 2] , [tempter 3] , [petitioner 4] and [the applicant 5] , [petitioner 6], and the [petitioner 9] in answer to their request, they are located prior to the date of August 21st, 2020 and that the revised/supplementary petition has been filed. This means that they will be receptive to their request. [inquirer 7], and the [petitioner 10] 4.21. Uber claims that it is a inzageverzoek of [the applicant of 7] , by e-mail, on the 21 of June 2020, but that [the applicant 7] and has not responded to the request for identity verification. In recital 64 of the AVG, the controller with all reasonable measures to establish the identity of a person who is to be made available on request. And the reason is reasonable doubt as to the identity, should additional information be required, as it follows from the provisions of article 12 (6) AVG. Because [petitioner 7] and has not responded to the request of the Uber and is, therefore, not to documents presented which allows Uber to his identity and was able to determine, it has Uber's position is that they do not have enough data to inzageverzoek to deal with. It is evident that [the applicant 7] at the time of submission of the inzageverzoek, it would have to be identified by logging into his Uber account, it can't help, because, on the basis of the following is and that he is the inzageverzoek by e-mail, June 21, 2020, has been sent to the Uber Data Protection Officer". In addition to this, in the following it will be shown that the inzageverzoek that the applicant 7] and it has done so by logging in to his Uber account and other information, related. 4.22. Both the [petitioner 7], as [plaintiff 10] a inzageverzoek is done using the "download your data" in to their Uber account. In response to this, the [petitioner 7] on 21 June 2020, and the [petitioner 10] on 5 July 2020, an e-mail from Uber will receive a link by which they are " Uber data for a period of seven days to be able to download them. At the hearing, it is by the Uber explained that a passenger is using the ‘download your data’ within the App to their personal data to download, but the drivers of the other functions and processes that are available to you. The petitioners have not attacked. In this state of things could not be determined which of the inzageverzoek of the [petitioner 7], and the [petitioner 10], and the subsequent response from the Uber that was related to the data used in this procedure is to be discussed, that is, the data that Uber has been in the Driver App. This leads to the conclusion that the applicant 7], and the [petitioner 10] prior to the procedure, Uber is not the answer, as referred to in article 12 (3), the AVG has been received. She had, at the date of the filing of the petition (July 20, 2020) have not been given the opportunity to request on the basis of article 35 of the UAVG to the court (see 4.8), and are, therefore, not be changed in the request. Conclusion 4.23. The above means that the [petitioner 7], and the [petitioner 10] which is non-responsive to their requests. Following the request of the [claimant 1] to [petitioner 8] , [claimant 2] , [tempter 3] , [petitioner 4] and [the applicant 5] , [petitioner 6], and the [petitioner 9] can be evaluated. She will always be the fact that applicants continue to be identified. The abuse of the law? Interest in the application? 4.24. Uber runs in the alternative, to be her defense that the plaintiffs, by their inzageverzoek an abuse of the right to create, within the meaning of article 3:13) BW 6 . Uber points out that, in the explanation of the application, it follows that the applicants have the right to use it for any purpose other than that for which it is given to you, i.e. in order to strengthen their bewijspositie in action against Uber, and their collective bargaining power with the creation of a database containing information from the driver. According to Uber, it appears that also in the fact that the [claimant 1 and claimant and 4 decision-making functions for the ADCU to hold, and repeat inzageverzoeken have made it since, respectively, by 2017, and in 2015 the services of Uber, and the Driver App for use. The application is in the best interests of the ADCU and IAATW of the lake. These goals do not correspond to the quality and performance of the right transparency for the processing of your personal data on behalf and for the control of the legality of them, according to Uber. 4.25. As the court states, first and foremost, a person shall not, in principle, no need to justify or prove why he's a inzageverzoek does the result of the AVG. The data subject can, for example, of the exercise of the right of access does not have a particular interest is whether or not the goal is to be noted that the inspection is trying to achieve. The simple fact is that to him, of the data to be processed is more than enough. This is not to say that it is a inzageverzoek never been abuse of power within the meaning of articles 3 and 13 of the BW able to yield (cf. The court in Amsterdam, november 10, 2005, ECLI:NL:GHAMS:2005:AU8223, and a conclusion (A)-(G Drijber to the High Council, december 21, 2018, 9 november 2018, ECLI:NL:PHR:2018:1273). That would be the case if the access is only being used for a purpose other than the inspection or the personal data is correct and lawful processing. It is up to the controller to prevent abuse of the power to the display. 4.26. In this case, plaintiffs argue that they have the accuracy and validity of their own personal data, want to control, inter alia, to the other a right to privacy in the subject. That is more than enough. The fact that the applicants and the union, to which it is connected is also another interest of obtaining the personal data, and to use it to get a clear view about their employment situation or evidence in a court case against Uber to collect them, it is not petitioners ' abuse of their rights to make it. The use of the abuse of rights, will also be rejected. The inzageverzoek 4.27. The inzageverzoek it is on the basis of article 15 (1), AVG.On the basis of this article is the subject of the personal data is being processed, the right to receive from the controller confirmation as to whether or not the processing of the personal data relating to him and, if that is the case, access to the personal data, and (among other things), the processing purposes, the categories of personal data, recipients or categories of recipients to whom the personal data have been or will be disclosed, and the period for which the personal data are expected to be stored or the criteria for that period of time-to be determined. 4.28. Article 15, AVG purpose, the data subject in order to ask about the personal data relating to him are collected, and how to verify the data is correct and lawful processing (see recital 63 of the AVERAGE). As time passes, the is the successor of the Directive, personal data is 7 , as implemented in the personal data protection Act of 8 . To the right was formally laid down in article 12 of the Directive on personal data protection. There is no indication that, in accordance with the AVG of the purpose and scope of this right of access in relation to the Directive on personal data to be changed. In the district court for the interpretation of the provisions of articles 15, AVG controlled access, therefore, following the decisions of the Court of justice of the court of Justice of the European Union (eu) (HvJEU), and the Council on the right of access under the vigeur of the Directive, personal data and data security. 4.29. The right of access, it is limited to personal information. The interpretation of the concept of ‘personal data’ it is, therefore, determines the scope and application of the right of access. On the basis of article 4 (1-AVG, is one of personal data and all information concerning an identified or identifiable natural person. The HvJEU a wide interpretation of the concept of ‘personal data’ is given. The HvJEU has ruled that the concept of personal data is not limited to, any sensitive or private information, but it is potential to extend to every species of information, both objective and subjective information in the form of opinions and reviews, as long as it's to him or her. The latter condition is satisfied if the information is, by reason of its content, purpose or consequence associated with a specific person, and that person is reasonably identifiable, to any other person (HvJEU, december 20, 2017, ECLI:EU:C:2017:994, [party] ). 4.30. Furthermore, it is relevant to the assessment of the application of the judgment of the HvJEU on July 17, 2014 (ECLI:EU:C:2014:2081, IND.). In this case, the HvJEU – short – considered to be a legal analysis of data may include, but is of the legal analysis, in and of itself, it cannot be regarded as "personal data" within the meaning of article 2, point (a) of the Directive on personal data protection. Other than the details that the factual basis for the legal analysis, the analysis itself is not made by the person to be checked for its accuracy, and will be corrected. In a judgment delivered on march 16, 2018 (ECLI:NL:HR:2018:365), the High Council, having regard to the considerations of the HvJEU in this case – ruled that the Directive on personal data which are, by the personal data protection Act have been implemented, the data subject shall be able to check whether their personal data is correct and lawful processing, in order to protect the rights of the data subject's right to respect for his or her personal data. Who is in control and can lead to the rectification, erasure or blocking of your data. The right of access extends also to the parts of the internal data to be shared are the personal thoughts and/or opinions of the staff of the controller or third parties, that are intended to be used only for internal consultations and deliberations of three statements, HR, 29 June 2007: ECLI:NL:HR:2007:AZ4663, AZ4664 and BA3529). 4.31. The controller (in this case, Uber), access may be refused if it is necessary for the protection of the rights and freedoms of others (article 15, paragraph 4, of the AVG, and article 41, paragraph 1, point (i UAVG). From the legislative history, it follows that the controller itself is to be understood as, among others, in this regard. This provision is an exception to rights, and, therefore, must be interpreted restrictively. Or, in a case of such a reason, which is a restriction or denial of the request must be led by the judge after a consideration of all the interests at stake are to be determined. By relying on this derogation laid down to rest in the declaration duty, in principle, to the controller (in this case, Uber). 4.32. The right of access, on the basis of the AVG is, in principle, ongeclausuleerd. Under certain circumstances, be allowed to, to be a inzageverzoek further demands will be made of it (cf. in the opinion of A-G, Wuisman to the High Council, march 25, 2016-January 15, 2016, ECLI:NL:PHR:2016:1) and the High Council of 25 march 2016, ECLI:NL:HR:2016:508). If a controller with a large amount of data relating to the data subject is being processed, the data subject prior to the disclosure of information request to specify the information or processing activities, the information set out in recital 63 of the AVERAGE). 4.33. With the implementation of the above-mentioned principles, review the district court's inzageverzoek of the petitioners is as follows. General application 4.34. The inzageverzoek of the categories of personal data is based on the Guidance Notes, which are Uber, the personal data given. The inzageverzoek it is, however, not to fall into these categories will be limited. The petitioners argue the point of view that they inzageverzoek no further need to justify, because of the Uber, on the basis of article 5, paragraph 1, under (a) the AVG personal data to be processed in a manner that is completely transparent. In this article, it is certain that by default personal data are to be processed in a manner that, in respect of the person it is transparent. In recital 39 of the AVG, it is recognised that the principles of transparency, with particular regard to the information of the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect to natural persons concerned and their right to confirmation and communication of personal data to be processed. 4.35. In the circumstances the petitioners, however, is not sufficient to rely on the principle of transparency. Uber may, in accordance with recital 63, as time passes, the request for a specification of the personal data, which the applicants wish to receive them, because they have a large amount of data to be processed. Furthermore, the applicants are already a large number of data from Uber to receive. A number of the applicants have, in the past, several inzageverzoeken done. If the [claimant 1] the six-inzageverzoeken be done, [the applicant 4] the five-inzageverzoeken, and the [petitioner 7] the four inzageverzoeken. While a data subject shall have the right, freely and at reasonable intervals, it should be able to say (see recital 63 of the AVERAGE), and the inzageverzoek on the basis of article 15, AVG, at any time, and, at times, may be made subject to an abuse of the law, had in view the amount of data that is already in use by Uber, it is provided in the way of the petitioners, is located in the application is to be specified in any of the information or processing activities of Uber, the application still applies. Because of this, it is a request for access to any personal data that is the Uber of applicants in processing generally, and more specifically, it is not sufficiently certain, will be rejected. 4.36. It is the inzageverzoek, in particular the categories of personal data, will be reviewed. In addition, the following shall apply. On the basis of the Uber data submitted by the applicants are not rejected, the court finds that, at this time, only the [petitioner 5] as a delivery driver make use of the services of Uber. [claimant 1 and claimant 4] for, respectively, in december 2016, and in June 2015 and is no longer active as a driver for Uber. The rest of the applicants, as of June 2018 ( [petitioner 9], and [tempter 3]) november 2019 ( [petitioner 2] ) march 2020 ( [petitioner 8] and in april 2020 to ( [petitioner 6] ) are no longer available. As a result, the right of access is limited to the period in which the applicants have benefited from the services provided by Uber using the Uber Driver App. 4.37. Some of the categories that will be judged, or Uber go, refuses to be made available at the request of the data to provide, as it is necessary for the protection of the rights and freedoms of the passengers in the Uber itself (article 15, paragraph 4, of the AVG, and article 41, paragraph 1, point (i UAVG). Other than the petitioners point out, it cannot be said that, in general, have the right to access the personal data of the passenger, because of the relationship between the driver's and the passenger's seat. Not to mention that it is a contractual obligation of the passenger to a driver, it can't be claimed against Uber, have to Uber to the provision of information to applicants, the right to privacy of the customer in the account. Guidance Notes 4.38. In the Guidance Notes for Uber are 26 categories of personal data that Uber is processed. According to the petitioners, they have, in the main part of the data is not insight, but they have not been disclosed in order to identify the specific categories concerned. Because of this, it is a request to Uber, to recommend, to the petitioners, relating to the personal data which are referred to in the Guidance Notes is to provide insufficiently clarified. This petition is therefore, dismissed. The Driver's Profile 4.39. According to the plaintiffs, did Uber not have full access to the documents in the ‘Driver’s Profile of the applicant. That's Uber profile of the drivers, tracks have to have the applicants were derived from single notes, internal notes, " of Uber, which are included in Zendesk, the customer service system of the Uber. Having regard to the above-mentioned [party's] case-law of the HvJEU argue for the petitioners is that the data to be shared by the employees of Uber in the user profile to be created to classify it as personal information. The petitioners argue that Uber is not entitled to resort to the exception in respect of the personal thoughts of the employees that are intended to be used only for internal discussion and consultation. Uber will use the notes are, in fact, the rate of the driver, and the processing of messages by the customer, according to the petitioners. 4.40. Uber argues that it is the Driver's Profile is not really a profile, which is used in the meaning of article 4 (4), AVG (see below 4.61). According to Uber refer to working with the inner notes to the requests of the drivers for other members to be dealt with. Internal notes are not to be treated as personal data as it in itself, not the data on the applicants hold. The notes may not be checked for its accuracy or will be corrected. To the extent that the internal notes or as a personal information need to be considered, it is the right of access in accordance with the Uber does not apply to the notes, which are the personal thoughts of the employees that are intended to be used only for internal discussion and consultation. 4.41. From the documents that the applicants have not submitted, it follows that the Uber and a number of internal notes of the [claimant 1] have provided to us. These internal notes, leads the court to conclude that it's going to be internal links, or communications customer service representatives from Uber. As well as the legal analysis contained in the above-mentioned [party's] case-law of the HvJEU, these notes from the customer service representatives of Uber, no information about the person that the person can be checked for accuracy. This leads to the fact that Uber is only liable for the information about the applicants, which are the actual basis of the notes, the shapes of providing, and do not use the internal notes as a whole. To the right of the petitioners has, in fact, only in respect of the relevant data, and does not cover the other information specified in the relevant notes are included. The petitioners have, however, not enough concrete detail in order to, the accuracy and the correctness of the data given in the relevant notes to the factual basis of this have been included, needs to check it out. In this section of the application, will therefore be rejected. Tags 4.42. According to the petitioners, that makes Uber's use of the labels ("tags") is in the customer service system that allows the behavior of the driver is to be assessed, such as the "inappropriate behavior" or " zombie tag. The petitioners point out that the tags have to be very negative, qualifications, and this can have major consequences for the drivers. 4.43. Uber claims that it is a tag to add to an entry in the customer service system in which messages can be categorized, so that the people with the right experience, then you are able to deal with them. According to Uber is also true for the tags, that is, there is no data of a personal nature, but it is a single note, which is the private thoughts of the individual employee, and is intended for internal discussion and consultation. 4.44. The comments from Uber, a tag is a description of a report, or in the stage of making the report is located. This is also in line with the literal meaning of the word in the tag. According to the Oxford Dictionary of English is a tag: "a name, or phrase, that is used to describe a person or thing in some way. Well, the same applies here as to 4.41, it is considered that such a designation by the data subject could not be verified as to their accuracy. The Tags are, as such, are not subject to the access right. This is a part of the inzageverzoek, will therefore be rejected. Report 4.45. The parties agree that a "report" based on the feedbackmeldingen the passengers on the respective driver will have, among others, ‘ recipe ’, and ‘ its professionalism ’. Feedback as a driver, and in so far as personal data within the meaning of article 4 (1-AVG, because of this it is which, because of its content, is linked to a specific person, and that person is reasonably identifiable for others. That is, between the parties is not in dispute. Uber, has, in response to the inzageverzoeken of the petitioners, Excel, statements, provided that the customer feedback about the drivers, it is anonymous. According to the petitioners, it has the Uber they do not have full access to the report is made. in the Excel summary reports are only general observations of the passenger, which is not to be traced back to the individual tracks. The petitioners argue that Uber, which information must be provided, since the driver is entitled to on the basis of the contractual relationship between the driver's and the passenger's seat. Information about the reports ‘ratings, and the start and end locations of the passengers are the result of the service provided to the driver to offer, according to the petitioners. 4.46. This note will not be followed. Uber will need to provide the information, to which the personal data of the applicants are recorded on the basis of article 15, paragraph 4, of the AVG for the rights and freedoms of others into account. Uber may, in the reports is anonymous in the sense that they are for the protection of the rights of third parties, to ensure that the statements regarding the drivers, cannot be traced back to the person who made the statements are made. After all, who the statement was not relevant to the assessment of the lawfulness of the processing of data, while the information of the person who's saying it has done damage that can result from the privacy and rights of the individual. The conclusion, therefore, is that Uber has no further access needs to provide in the report. The argument is that the plaintiffs, on the basis of the contractual relationship with the passenger has the right to have information on the passenger fails (see the previous section 4.37). The Start and end locations of the ride 4.47. The petitioners request the inspection, the start and end locations for each individual customer. They argue that Uber is wrongfully on it's point of view, is that in the transmission of such data is with the risk of identification of the passenger's size is too large. They argue that this is the case, it might be because they do not have the right deface or obscure any identifying information of the passenger, such as your name, address, email address, and phone number. The location data can, therefore, be at a stage to be attached, but not attached to an individually identifiable people, according to the petitioners. 4.48. The district court shall, on the basis of the applicants submitted documents that Uber surveys have provided information about drivers driving trips, the date on which the transfer is requested, the date and time at which the journey can be started at a time when the journey was completed, and the names and addresses of the start and end locations of the ride. That is more than enough. Here is the review of the lawfulness of the data processing, it is not relevant which of the passengers is to be transported, while the information about the passenger, is a violation that can result from the privacy and rights of the individual. Uber does not have access to provide information about the passengers, to prevent that the data is traceable to the customer. Individual ratings 4.49. Finally, petitioners 'interest in the inspection of the individual passengers' data ‘ratings. The Driver App is only an average of the ratings given to it. Applicants wishing to verify the accounts of drivers who have a low credit rating are disabled. In addition, many drivers are faced with discrimination and it would be an insight into the ratings could help you to get a better insight into the existence of discrimination, and unequal treatment. 4.50. Uber has argued that it is not the data of the individual ratings of the passengers to be able to provide for the protection of the right to privacy of the passengers. 4.51. It is up to the court, the applicants submitted documents revealed that Uber is under the name of "User feedback" to the part of petitioners ' access granted to the individual ratings as well as feedback, which is a passenger and a driver has to be given. Uber has access by means of a survey in which the number of stars that a passenger with a driver is included with the note, which the passenger may have been made. The Uber data are anonymized, and there is not a date, time, or location of the ride. The extent to which inspection of the individual ratings is provided vary by applicant. 4.52. As with the previously discussed categories that also applies in this case is that Uber's privacy or other rights of a passenger to comply with the provision of the information requested. Uber is free to do so (and that is using the User's feedback is also done by these data in anonymized form, to supply, in terms of Uber, to ensure that the data cannot be traced back to the passenger, who is the star rating and/or comment(s) has been made. After all, who has the rating it has been given, and/or comment(s) has been made, it is not relevant, as the information of the person who's saying it has done damage that can result from the privacy and rights of the individual. Uber to all of the applicants were held to be subject to the above conditions, to allow inspection of the individual ratings of the applicants. Behaviour, the use of a phone on its side, and the percentage of accepted rides 4.53. The petitioners argue that from the presentation of the software engineers from Uber to and from the statement it appears that the Uber transfer large amounts of data on driving behavior processes, such as GPS data and the information regarding the acceleration, and braking. Uber will use this data to after the occurrence of a security incident, to determine whether there are any penalties to be applied in respect of drivers. Uber has made this information to the applicants provided as is. 4.54. Uber claims that they have, in the past, information was collected about the behaviour and on the use of a phone while you are driving. The underlying data, Uber disclosed under the heading of ‘ detailed device data’ and ‘ safety reminder. In addition, Uber and the underlying data, which provides that the total of the driver, accept and reject rides calculation of the source as well as the report mentioned. The personal information that is input for the calculation of the false report, according to Uber to the applicants provided as is. This information enables the applicants to the source as well as the report easy to calculate, according to Uber. 4.55. The petitioners argue that the details of Uber and that to the extent that this data might have received, which is completely unintelligible in the absence of an explanation. 4.56. Now, Uber is already, in some degree, to the inzageverzoek have been met, it had been in the way of the petitioners is located in order to make clear what personal information they have access to demand. The way that the information provided is incomprehensible not be sufficient (see previous section 4.35). This is a part of the request is too general and ill-defined, and it will therefore be rejected. upfront pricing system 4.57. Finally, ask the applicants access to the new upfront pricing system in which Uber in the summer of 2020, will be introduced. Applicants will need to explain the workings of the system, and it needs to examine the way in which the algorithm works, the price will be calculated. 4.58. Uber argues that it's upfront pricing, system information can be found on the web site of the Uber. It follows, then, that the price is to be calculated on the basis of factors not related to the driver. 4.59. In general, it can be considered that the application of a system for determining the price, there is the processing of personal data, the purpose of which is to make decisions in the case of one person, namely, the determination of the rate. Only the [petitioner 5] at this time, if the driver's use of the services on the Uber (see the previous section 4.36). Having regard to the period of time that has passed since the rest of the applicants had been running for Uber, their personal data will not be due to the upfront pricing system to be processed. Furthermore, it is likely that the petitioners to inspect wishes for the Uber personal data to verify its accuracy and the lawfulness of the processing of these materials. Also, the notes in the back of this part of the application to the court for more than a desire of the petitioners, in order to identify the manner in which, and with the use of any of the algorithm in the Uber to the pricing comes in. This is for a purpose other than the purpose of the article 15, AVG purpose. This is a part of the application, will therefore be rejected. Information on automated decision making and profiling 4.60. The petitioners request the inspection, the existence of an automated decision-making and profiling, according to article 15, paragraph 1, point (h AVG. In this article, provided that the data subject shall have the right to receive from the controller confirmation as to the existence of an automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic underlying it, as well as the significance and envisaged consequences of such processing for the data subject. 4.61. To In article 4 (4) AVG profiling is defined as any form of automated processing of personal data, which, on the basis of the data some of the personal aspects of a natural person to be assessed, in particular, with the intended level, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements, to analyze or predict the future. 4.62. As a data subject must be informed about the existence of profiling and the consequences thereof, as set out in recital 60 of the AVERAGE). Article 15, AVG, the data subject shall have the right to obtain information about any personal data for the profiling can be used, including the types of information that is used to create a profile. 4.63. On the basis of article 22, AVG, and have the applicants will have the right, subject to certain exceptions, not to be subject to solely automated processing or profiling is based, the decision to which those effects are related, or that otherwise significantly affect you. From the exclusive on-site-based decision occurs when there is not a significant human involvement in the decision-making process. 4.64. In the commission's Guidelines on automated individual decision-making and profiling, it is 9 , it is noted that the threshold for a “substantial degree” is similar to the degree to which the person affected by a decision to which an effect has been associated with. The data processing will find a person in accordance with the guidelines, to an appreciable extent when the effects of handling large or important enough to deserve it. The decision has the potential to improve the situation, his behavior, or the choice of the individuals concerned at a substantial level, to meet; a long-lasting or permanent effects on the person concerned, or, in the worst case, to the exclusion and discrimination of people to guide you. In consideration of the 71-AVG are the examples of automated decision-making, referred to as automatic refusal of an online submitted the loan application and processing of job applications over the internet without the need of human intervention. 4.65. The petitioners state that they have as a result of the inzageverzoek, no information as to the existence of an automated decision-making and/or profiling. According to the petitioners, is that the information that Uber, in its statement about automated decision-making process, and on its web site, indicates incomplete, and in some cases, it may be incorrect. They do not refer, in this connection, note the following: - the Driver App gives you information on driving habits, the use of the phone on its side, and the percentage of accepted courses. It is the result of an analysis of the level of reliability, behavior, location, and movement, and should be considered when profiling; - the Driver's Profile, and that Uber maintains a profile in accordance with article 4 (4), AVG, as the Uber of this used to be the personal aspects of the applicants to evaluate, which may lead to negative ratings, such as ‘inappropriate behaviour’; - from a variety of sources, it follows that the Uber at the link of the drivers with passengers to make use of the different categories of personal data set out in its privacy policy, including the annuleringshistorie and the driver's face. 4.66. Uber argues that it is not an automated decision-making process in the context of article 22, AVG apply, and in any case, it is not the existence of a restricted form of it. Uber makes use of the automated data processing system for the allocation of the available tours using the ‘batched matching system. This system includes the nearest driver and passengers in a batch (as a group), and controls within the group, the optimum match (link) between a driver and a passenger. According to Uber, she can use the location, direction of travel, and the hustle and bustle of the traffic, and to geographical factors, and the estimated time of arrival at the pick-up point, the passenger and drivers via the Driver App, the customer's personal preferences. The system attaches to a passenger, not a driver, in case of a passenger, the driver, in the past, a review of one of five available star rating is appreciated. The driver will then be linked to one of the passengers in the batch . According to Uber, the automated allocation of the available tours have no legal effect, and that person will not be significantly affected, so it is not the existence of an automated decision-making process in the context of article 22, AVG. Also, they do not use a profile to be used in the meaning of article 4 (4) AVG. The Driver's profile is only one name that is in the customer service system is to be used. Her fraudebestrijdingsprocessen it is, moreover, is not the existence of an automated decision-making process, and because there is a need of human intervention. 4.67. As between the parties, it is clear that Uber is using data to make automated decisions. It follows from section 9 of ‘Automated decision making’, which is included in its privacy policy. It is, however, not be said that the existence of an automated decision-making process, as referred to in article 22, AVG. This is, after all, requires the presence of the effect, or that the person was otherwise significantly affected. The claim is, at this point, not much in detail. The petitioners argue that Uber is insufficient specific information is given about her, fraudebestrijdingsprocessen and it has been shown that there is significant human intervention. Otherwise, as in the case of rekestnummer C/13/692003 / HA-RA 20/302 that today's decision is adopted, the petitioners have not been disclosed, that the Uber with regard to them to conclude that they have been found guilty of fraud. The extent to which Uber is about them and the decisions taken on the basis of an automated decision-making is, therefore, not been sufficiently clarified. Even though it is obvious that the batched-matching system, and upfront pricing system will have a certain impact on the performance of the agreement between Uber and the driver, and found no evidence to suggest that there is a legal or significant effect , as specified in the Guidelines. Article 15, paragraph 1, point (h, AVG solely on the decisions of the request is (I) (iv) will be rejected. 4.68. To the extent that the petitioners to inspect the wishes their personal data that Uber has used it to create a profile within the meaning of article 4 section 4 of the AVG on-set, they have made this request, not enough taken place. This is a part of the application must therefore be rejected. The request for additional information 4.69. Further requests the applicants to examine the application of the personal data concerned, the categories of personal data, the recipients to whom the personal data have been provided, and the data retention period for the personal data, and, in the case of transfers of personal data to a recipient in a third country, what are the appropriate safeguards in Uber earlier in accordance with article 46, AVG is has taken it (see article 15, paragraph 1, introductory wording and points (a, b, c) and d), and (2) AVG. 4.70. Uber noted in its statement of additional information shall be provided in these areas. Further, referring Uber to the information that is contained in the relevant sections of its Privacy policy. In this narrative of Uber, have the applicants were not responded to. This state of affairs, the court, on the assumption that this is the part of the inzageverzoek be adequately answered in the negative. The ask (I) (ii) and (iii) it will, therefore, be rejected. It is a request to transfer data to a CSV file 4.71. The petitioners ask, in conclusion, that Uber will have to be ordered and the relevant information, to the extent that it falls within the scope of article 20, the AVG is, to them, is to provide, in the form of a comma-delimited text file, or through an API, so the data directly to another controller may be transmitted. 4.72. In accordance with article 20, paragraph 1 of the AVG, the data subject shall have the right to have the personal data to a controller provided in a structured, common and machine-readable form from this controller to get it without being bothered to be transferred to another controller. 4.73. In the Guidelines on the right to gegevensoverdraagbaarheid 10 , it is determined that the right of the goal of the position of the subject is to strengthen and provide more control over their data. The law is intended for the person ready to make the "lock-in", with the original controller and the service provided to the data subject of the channel. 4.74. Data processing is governed by the law on the gegevensoverdraagbaarheid needs to be based on the data subject's consent or on a contract to which the data subject is a party, and it needs to be automated to take place. The personal information that must be recorded are: (i) the personal data concerning the data subject; and (ii) the data provided by the data subject to a controller is provided. To the right of gegevensoverdraagbaarheid shall be without prejudice to the rights and freedoms of others. 4.75. The data provided by the person concerned has been provided to include, for example, account information, e-mail address, user's name, age, etc.). According to the Directives, must be covered under this supplied information will also be understood that the information available to the controller by the observation of the activity of the data subject is, for example, by the use of the service, or device, including your search history, and location information from or data analysis). From a letter written by the Commissioner, the [name of the president of the European Data Protection Board (EDPB), it appears that the opinion of the board (EDPB) is controversial. In the letter, she explained that, with the ADDITION beyond that, the Commission, the Council and the European Parliament within the legislative process has been reached. 11 The court is going to be there for this state of affairs is that the data that the controller by the data subject provided the data derived by the data analysis is not subject to the data, within the meaning of article 20, AVG covered. In article 20, AVG obligation to get to the data subject, the data in a specific way to provide it is, therefore, far less than the requirement, which is contained in article 15, AVG. 4.76. In recital 68 of the AVG, the format in which the information is to be provided to the interoperability of the data, which means that the data can be shared in a variety of ICT-based systems. According to the Directives, must be in the format, interpret the data as much as possible the extent of the gegevensoverdraagbaarheid have to offer. If there is a specific field with specific formats are common, and may be considered to be of major public file formats, such as XML, JSON, CSV. Under the machine-readable recital 21 of Directive 2013/37/EU on the re-use of public sector information) 12 is a file format defined by such a structure that the application software is easy-specific information, including the individual's actual statements, be able to identify, recognize and extract it. 4.77. With the application of the above principles to assess the court's request to transfer data to a CSV file, follow these steps. 4.78. According to the petitioners, they have only a small portion of their data in this format, but the bulk of the information is provided and available in seven different formats (PDF, Docx, JPEG, PNG, MP3, and WAV). The files are in PDF format have been provided, according to petitioners, is not machine-readable, this is because the file is not in a simple way, the data can be extracted. 4.79. Uber claims that they have the information that will be included within the scope of article 20 of the AVG of the petitioners has submitted together with the response of the inzageverzoeken. According to Uber to meet a CSV, XLS or PDF format-they provide personal information to meet the requirement of structured, common and machine-readable’, within the meaning of article 20, AVG is, and he is not obliged to make any and all personal data to the plaintiffs want a CSV file, or through an API to provide. 4.80. In accordance with article 20, AVG is not a requirement to use the data to a CSV file, or through an API to provide. With the exception of the information that has been provided in the PDF - format, it follows from the statements of the petitioners, is not that Uber, the personal data will be provided in a format which does not permit the data to a different controller to be transmitted. 4.81. From the Uber-provided an overview follows the personal information that is Uber available in PDF format, delivered to relate to "zendesk ticket’, ‘invoice’, ‘ - driver safety case’, and ‘the driver' documents’. Furthermore, it follows from the discussion of Uber is that a ‘driver ' documents’ in the documents, the driver has to provide. Uber does not provide this document in the same format as the one in which they have received, according to Uber. In the Guidelines, is in the PDF format, has noted that it is unlikely that this format will be sufficient structure, be descriptive of the data to re-use. It is, therefore, to the question of whether a PDF document when a structured format within the meaning of article 20, AVG, can be considered as well. In the opinion of the court, there is no reason for Uber to save in PDF format is provided, the categories of personal data to a comma-delimited text format, or similar format) to the applicants concerned. The types of " zendesk ticket’, ‘driver complaints’ and ‘invoices’ do not fall within the scope of article 20, AVG, as this data does not, by applicants themselves at Uber have been identified (refer to 4.72). In respect of the original documents, behold, the court has no reason to be Uber, to recommend, to this document in a different format, then PDF files to be transferred. From the explanation given by the petitioners, it follows that the request for the data to be transferred in a comma-delimited text file, as a result of the desire of the petitioners to get the data directly into a database for analysis, the bargaining power of the platformwerkers and to improve it. The background and purpose of the law dataportabiliteit was a "lock-in" to avoid this. In the case of the petitioners that will not soon be, because she is in the details, process for their own use and to analyze. For the request, (II, will therefore be rejected. Conclusion 4.82. The above means that the Uber inspection must be provided in the bottom of 4.52-mentioned personal data. At Uber for a sufficient time to do this is to give you will be the period in which the Uber of this information must be provided to be provided to two months from the date of service of this order. For the rest of the requests will be denied. Periodic penalty payments 4.83. The request and the payment of a penalty and will be rejected. At present, the trust is fair to say that Uber voluntarily submit to the command, in order to obtain access to and will comply, and shall use reasonable efforts to include relevant information. Uber, has, indeed, been rather partial access to personal data provided as is. Be enforceable by voorraadverklaring 4.84. Uber has requested that the decision is not enforceable as to declare that, because of the request of the applicants would have to meet, there is a risk that the secrets of the Uber, and of the privacy rights of any third party be severely compromised, and this effect will have an impact. Now, for the court, some of the specific parts of the request, assign, and Uber continue to have not commented on the manner in which the provision of access to conflict with a trade secret, and privacy rights of a third party, the court, in which Uber has acknowledged it is not in response to the decision, and be enforceable by to help. Costs 4.85. Each of the parties shall, at any point in the (un)equal. For that reason, the costs are to be recovered. 5 of The decision For the court: 5.1. declares that [the applicant 7], and the [petitioner 10] will not be changed at their request 5.2. orders Uber to get to it within two months from the notification of this decision, to [claimant 1] to [petitioner 2] , [tempter 3] , [petitioner 4] and [the applicant 5] , [petitioner 6], and [petitioner 8] and [the applicant of 9] in accordance with the provisions set forth above under 4.36 is given – a copy of or access to the supply of the under 4.52 above personal information in the manner specified, 5.3. agree with this decision, so far as is practicable in stock 5.4. compensation of the expenses of litigation between the parties, in such a way that each party has its own costs; 5.5 in. pointing to the lake, or otherwise request off. This decision has been taken by mr. D. J., van Leeuwen, mr. M. C. H. Broesterhuizen, and mr. M. L. S., Kalff, the judges will be assisted by mr. Z. S. Lintvelt, clerk of the court, and the public expressed on the 11th of march 2021.
- Rb. Amsterdam (Netherlands)
- Netherlands
- Article 4(1) GDPR
- Article 4(4) GDPR
- Article 5(1)(a) GDPR
- Article 12(3) GDPR
- Article 12(6) GDPR
- Article 15 GDPR
- Article 15(1)(h) GDPR
- Article 15(1) GDPR
- Article 15(4) GDPR
- Article 20 GDPR
- Article 20(1) GDPR
- Article 22 GDPR
- Article 22(3) GDPR
- Article 35 GDPR
- Article 41(1) GDPR
- 2021
- Dutch