AP (The Netherlands) - Decision of 11 December 2023 imposing administrative fine on Uber
AP - Decision of 11 December 2023 imposing administrative fine on Uber | |
---|---|
Authority: | AP (The Netherlands) |
Jurisdiction: | Netherlands |
Relevant Law: | Article 12(1) GDPR, Article 12(2) GDPR, Article 13(1)(f) GDPR, Article 13(2)(a) GDPR, Article 13(2)(b) GDPR, Article 15(1)(d) GDPR, Article 15(2) GDPR, Article 56 GDPR, Article 60 GDPR, Article 83 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 12.06.2020 |
Decided: | 11.12.2023 |
Published: | 31.01.2024 |
Fine: | 10,000,000 EUR |
Parties: | Uber Technologies Inc. and Uber B.V.; Ligue des droits de l'Homme (LDH) |
National Case Number/Name: | Decision of 11 December 2023 imposing administrative fine on Uber |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Dutch |
Original Source: | autoriteitpersoonsgegevens.nl (in NL) |
Initial Contributor: | co |
The Dutch DPA, in the context of an Article 60 GDPR decision, imposed a fine of €10,000,000 on Uber for a lack of transparency in its privacy policy and for failing to allow data subjects to exercise their rights in an accessible manner, in violation of several GDPR provisions.
English Summary
Facts
The French human rights organisation Ligue des droits de l'Homme (LDH) filed a complaint with the French DPA (Commission Nationale de l'Informatique et des Libertés, CNIL) on behalf of 172 Uber drivers against Uber B.V. and its US-based parent company Uber Technologies Inc., as joint controllers. The drivers, as data subjects, complained about the lack of information provided by the controllers (hereinafter Uber), in violation of Articles 12, 13 and 15 GDPR, and about the limited accessibility of the form used to exercise their rights under the GDPR.
The CNIL then forwarded the complaint to the Dutch DPA (Autoriteit Persoonsgegevens, AP) as lead supervisory authority in the case according to Article 56 GDPR and initiated an Article 60 GDPR procedure. In the course of its investigations, the AP found several violations related to transparency and issued a report, which it forwarded to Uber so that Uber could submit its views.
Holding
Upon hearing the views of the controller and of the concerned supervisory authorities in the case, the AP issued its final decision on 11 December 2023.
First of all, the AP assessed the accessibility of Uber’s form for access requests and for exercising other data subject rights under the GDPR. In this respect, the AP found that the form available in the Uber app is not sufficiently easily accessible, as reaching it involves too many non-intuitive steps, contrary to Article 12(2) GDPR. This was reinforced by the fact that, according to the investigations, the Uber app is the primary means of communication between Uber and its drivers; hence, at least there, the exercise of their rights should be facilitated. The AP clarified that a layered information structure can be used in such forms, but there has to be a fair balance between the number of steps to be completed and the amount of information included in each step and, on top of that, the steps should have clear and intuitive names. Using the steps named "Help", "Account and app issues" or "Account" and "Legal concerns" or "Legal, ethics, and compliance" to reach the form allowing drivers to exercise their GDPR rights cannot be considered obvious in the AP's view; putting it under "Privacy" would have been more intuitive and easier. Hence, the AP found a violation of Article 12(2) GDPR.
As regards the language of the form, the AP found that Uber provides information in a CSV file in response to access requests, without adding any guidance on how the information from such a file can be structured and interpreted. This, according to the AP and read in light of paragraph 11 of the EDPB Guidelines on Transparency under Regulation 2016/679, cannot be considered an easily accessible form, as data subjects would have to find the information themselves. In addition, the AP found that, after adding guidance on how to open and read the CSV files, Uber only provided such information in English. Since Uber offers services in many EU countries, not only in France, this negatively affects virtually all Uber drivers in Europe, as it cannot be considered “clear and simple” language under Article 12(1) GDPR. Accordingly, the AP held that Uber failed to provide information in an easily accessible form, using clear and plain language, thereby violating Article 12(1) GDPR.
Further, the AP assessed the privacy policy of Uber, first as regards retention periods, secondly with respect to transfers of personal data to third countries and lastly with respect to data portability. First, the AP held that Uber provided too general information regarding retention periods by merely stating that data will be stored for “as long as necessary”. In the AP’s view, it is true that mentioning all different retention periods would have resulted in an overly long privacy policy, but Uber should have at least indicated the criteria used to determine retention periods. Hence, the AP held that Uber violated Article 13(2)(a) GDPR and Article 15(1)(d) GDPR. Secondly, as regards transfers of personal data, the AP found that, by mentioning neither the third countries to which personal data may be transferred nor the safeguards in place and where they can be accessed, Uber acted in violation of Article 13(1)(f) GDPR and Article 15(2) GDPR, interpreted also in light of the above-mentioned EDPB Guidelines. Thirdly, the privacy policy of Uber did not contain any reference to the possibility to exercise one’s right to data portability, thereby violating Article 13(2)(b) GDPR.
In light of the above, in accordance with Article 58(2)(i) GDPR and Article 83 GDPR, the AP considered it appropriate to impose an administrative fine on Uber. In the calculation of the fine, the AP took several facts into account, as well as the EDPB Guidelines 04/2022 on the calculation of administrative fines under the GDPR. In the AP's view, this case involves two distinct sanctionable conducts ("plurality of action"), namely the failure to provide sufficient information in the privacy policy, which is a continuous conduct, and the violations found with respect to the form for exercising one’s rights, which occur only when a request is made. Hence, according to the AP, the violations are independent from one another and should be fined separately.
Taking into account mitigating factors, such as the fact that, following the report issued by the AP in May 2022, Uber remedied some of the violations, and considering the annual global turnover of Uber, the AP classified the gravity of the infringements as low, with no substantive damage having been caused, and decided to issue a fine in the amount of €5,000,000 for each offence, amounting to a total fine of €10,000,000 on Uber.
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Dutch Data Protection Authority
PO Box 93374, 2509 AJ The Hague
Bezuidenhoutseweg 30, 2594 AV The Hague
T 070 8888 500 - F 070 8888 501
autoriteitpersoonsgegevens.nl
Confidential/Registered
Date Unmarked December 11, 2023
Contact
Subject: Decision to impose an administrative fine on Uber
Dear ,
The Dutch Data Protection Authority (hereinafter: AP) is of the opinion that Uber Technologies Inc. and Uber B.V. (hereinafter collectively: Uber) have committed a number of violations of the General Data Protection Regulation (GDPR) with regard to transparency. This concerns offering the guidance notes to drivers in English only and not providing information in an easily accessible form in response to a request for access, which is contrary to Article 12, first paragraph, of the GDPR. In addition, the digital form with which drivers can exercise their rights of inspection and data portability is not easy enough to reach in the driver app, which is contrary to Article 12, second paragraph, of the GDPR. The information about the retention periods in the privacy statement is also not sufficiently specific (Article 13, second paragraph, opening paragraph and Article 15, first paragraph, subsection d, of the GDPR) and the information about transfers is not sufficiently complete and meaningful (Article 13, first paragraph, opening paragraph, subparagraph f, of the GDPR). Finally, Uber has not explicitly mentioned the right to data portability in the privacy statement (Article 13(2)(b) of the GDPR). For the commission of these violations, the AP imposes on Uber Technologies Inc. and Uber B.V. jointly administrative fines totaling €10,000,000.00.
1. Background investigation
Uber is an internationally operating company that, among other things, acts as an intermediary between taxi drivers and passengers. Passengers use the general Uber App (for mobile phones) or possibly a browser; drivers use the Uber Driver App (hereinafter: driver app).
To use the drivers app, creating an account is mandatory for drivers. After a ride, drivers are assessed by their customers and paid by Uber for the services delivered. Uber has set up a digital form, which is accessible via the Uber website and via the drivers app, which drivers can use to request data portability regarding their personal data. Uber has also drawn up a privacy statement, with which Uber provides insight into the processing of data by Uber.
On June 12, 2020, the Commission Nationale de l'Informatique et des Libertés (CNIL) received a complaint from the French non-governmental organization Ligue Des Droits De L'homme Et Du Citoyen (LDH) on behalf of 21 Uber drivers. Along the way, 151 Uber drivers joined the complaint, so that it serves on behalf of 172 complainants. On September 29, 2020, the LDH submitted an additional complaint to the CNIL. The complaints were forwarded by the CNIL to the AP, after which the International Research Department of the AP started an investigation and prepared a report.
2. Findings research report
The report found 5 violations with regard to transparency, namely:
1) The digital form with which a request for access can be made is not easy enough to access in the driver app (art. 12, paragraph 2, GDPR).
2) In response to a request for access, Uber does not provide a copy of the personal data in an easily accessible form, and the guidance notes are not in a language understandable to (French) drivers (English) (art. 12, paragraph 1, GDPR).
3) Uber does not provide sufficiently specific information about the retention periods in the privacy statement (art. 13, paragraph 2, a, GDPR and art. 15, paragraph 1, d, GDPR).
4) In the privacy statement, Uber does not specifically mention the names of the countries to which data is transferred, nor the specific protection measures (art. 13, paragraph 1, f, GDPR and art. 15, paragraph 2, GDPR).
5) Uber does not explicitly mention the right to data portability in its privacy statement (art. 13, paragraph 2, b, GDPR).
The International Research Department has concluded in the research report that Uber committed the above violations from 25 May 2018 until the date of establishment of the research report (June 30, 2022).
On July 8, 2022, the research report and the intention to enforce were sent to Uber. By letter dated 15 September 2022, Uber submitted its written opinion on the investigation report and the intention to enforce. On January 12, 2023, Uber explained this view orally. A report of this has been drawn up (appendix to this decision). In accordance with Article 60 of the GDPR, the AP has submitted the draft decision to the supervisory authorities concerned.
3. Legal framework
The AP refers to the appendix to this decision, which contains the legal framework.
4. Assessment
4.1 Controller and authority of the AP
Uber B.V. is the Dutch branch of Uber; Uber Technologies Inc. is located in the United States and is the parent company of, among others, Uber B.V. Uber B.V. and Uber Technologies Inc. jointly set the purpose and means of processing data of the Uber drivers in the European Economic Area (EEA). The (French) drivers have an agreement with Uber B.V. For requests regarding the rights of the data subject, the rough distribution is that Uber B.V. is responsible for the assessment of such requests and that Uber Technologies Inc. provides the technical resources and data. Uber Technologies Inc. is also the publisher of the drivers app. In Uber's privacy statement, Uber B.V. and Uber Technologies Inc. are also noted as joint controllers. The joint processing responsibility is not disputed by Uber.
Uber offers its services in several Member States of the EU and processes personal data for these services.
This means that data subjects in more than one Member State experience significant consequences of the processing of data by Uber. This is a case of cross-border processing (article 4, opening words under 23, sub a and b, GDPR). Because the central administration of Uber in the EEA is located at Uber B.V., Uber B.V. is regarded as the head office within the meaning of article 4, opening words under 16, GDPR. The AP is competent to act as leading supervisory authority (Article 56, first paragraph, GDPR).
4.2 Accessibility form for inspection requests
The investigation report established that the digital form with which drivers can exercise their rights of inspection and data portability is not easy enough to reach in the driver app, because there are too many steps to go through and the wording of the steps does not intuitively lead to the form. Uber thereby does not sufficiently facilitate the exercise of the aforementioned rights of data subjects and violates Article 12, paragraph 2, GDPR.
Viewpoint Uber
Uber indicates that it does not follow from the GDPR, legislative history, case law, guidelines or authoritative commentary exactly how many actions a person concerned may have to perform to make a request for access or transfer. This also applies to the AP's argument that the person concerned must be able to reach a page intuitively. Based on article 12, second paragraph, Uber has no certain space to determine for itself how it facilitates the right to access and data portability. The AP further introduces a new standard without substantiation by stating that the form must be “sufficiently easy” to find, according to Uber. In the guidelines, the EDPB explains that the transparency obligations can be fulfilled by a “layered information structure”. The drivers may therefore be expected to go through several steps. This is also the benchmark in consumer law.
Drivers use the menu in the app every day and a reasonable and average driver will be able to find the form without any effort, even if he has to click through six times. In addition, Uber points out that the drivers app is made for a smartphone with a small screen. Uber wants to prevent drivers from having to scroll through long menus when using the app and therefore chose menu paths.
Uber then indicates that the AP recognizes that Uber offers several ways to submit a request for access or transfer, but according to Uber, the AP wrongly only looked at the ways that Uber offers in the driver app. The AP has also wrongly not taken into account the route that redirects via the driver app to the privacy statement on the website. Uber contradicts the number of steps the AP counted to get to the form: Uber uses another count and ends up with a lower number of steps. Regarding the wording of the various steps, Uber indicates that “more obvious” is not an existing criterion in the GDPR and that it is subjective which route is most obvious. Positioning the form higher under a heading “privacy” is at the expense of other menu options. Since February 2022, Uber has made adjustments to the routes in the driver app to the form, but these adjustments are not included in the research report.
[1] Guidance on transparency in accordance with Regulation (EU) 2016/679
Judgement
In the version of the drivers app assessed in the report, shown schematically, the following steps must be followed to reach the form to submit a request for inspection or data portability: Menu > Help > Account and app issues > Legal concerns > Request your personal Uber data > Submit a privacy inquiry > log in via “Sign in to get help” or “Submit a privacy inquiry without an Uber account”, which takes the driver to the form (route 1). The report also describes the route via a link that opens the privacy statement on the Uber website, where you can also click on a link to “submit a privacy inquiry” (route 2).
In the report this route has not been considered further, because Uber drivers must in any case be facilitated in their rights via the drivers app (and in route 2 the app transfers to the website of Uber).
The research has shown that the main interaction between Uber and drivers takes place via the drivers app. For this reason, the AP is of the opinion that drivers must in every case be facilitated in the drivers app in the exercise of their rights within the meaning of Article 12, second paragraph, GDPR. In accordance with recital 59 of the GDPR, arrangements must be in place to enable the data subject to exercise his rights more easily. This entails that arrangements should be consistent with the ways in which those involved are interacted with. That Uber also offers the driver the possibility to request inspection or data portability through other means does not alter the fact that drivers should in any case be facilitated in the drivers app in the exercise of their rights.
The AP is of the opinion that route 2 to the request form has been wrongly left out of consideration in the investigation report, because the privacy statement on the website is automatically opened via the driver app and this does not detract from facilitating the making of a request. The routes described in Uber's view that have been introduced in the drivers app since February 2022 are also wrongly not included in the study, because they do fall within the period studied. This concerns the route changed by Uber: Menu > Help > Legal, ethics and compliance > Request your personal Uber data > log in or “Submit a privacy inquiry”, which will take the driver to the form (route 3). In this connection Uber has also pointed to the Privacy Center, which was introduced throughout Europe on February 17, 2022.
The steps via the Privacy Center are as follows: Account > Security and privacy > Privacy center > Would you like a copy of your personal data? > log in or “Submit a privacy inquiry without an account”, which takes the driver to the form (route 4). In addition, Uber points to a fifth route via the Privacy Statement.
With regard to the number of steps to be completed in the different routes to reach the request form, the AP considers the following. It follows from recital 59 of the GDPR that, in facilitating, account must be taken of the convenience of the data subject in exercising his rights. The AP endorses Uber's position that using a layered information structure can, under certain circumstances, make finding information easier for those involved. This is the case with the driver app, which will often be used on smartphones with a screen of limited size, and in which a relatively large amount of information (on various topics) is offered. At the same time, a layered information structure must not hinder those involved in finding information by making them click through unnecessarily often. A balance must therefore be found between the number of actions to be completed and the quantity of information offered per “step”.
[2] Schematically shown: up to “legal concerns” the same route as route 1 > Privacy notice information > Privacy Notice (select the correct language and jurisdiction) and then you arrive at the privacy statement where you can click on a link to “submit a privacy inquiry”.
[3] Marginal numbers 30 to 32 of the research report.
[4] See also Guidance on transparency in accordance with Regulation (EU) 2016/679, paragraph 55.
In addition, the wording of the steps to be completed must be facilitating, which means that the person concerned should be guided simply and without further ado to the desired request form. Adequate wording of the various steps to the form is indispensable in connection with the facilitation obligation. Placing (the route to) the request form with which drivers can exercise their rights under the GDPR under “Help”, “Account and app issues” or “Account” and “Legal concerns” or “Legal, ethics, and compliance” is not obvious in the opinion of the AP. The AP considers a direct placement under, for example, “Privacy” simple and without fuss. With regard to routes 1 and 2, the AP considers that the combination of the number of steps to be completed and their wording sets such a high threshold for those involved that Uber does not sufficiently facilitate its drivers. In the opinion of the AP, this constitutes a violation of Article 12, paragraph 2, of the GDPR.
The AP also considers that this violation has been terminated since February 17, 2022 by the introduction of the Privacy Center that contains the route 4 described above. By creating a logical place with a clear name, Uber facilitates its drivers in exercising their rights of access and data portability.
4.3 Response to request for inspection: form and language
The AP has determined that Uber, in response to a request for access, provided information in a CSV file, without Uber providing information about how information from such a file can be displayed in a structured way. Because Uber does not provide the information in an easily accessible form, it violates Article 12, first paragraph, GDPR. In addition, the AP has determined that Uber violates Article 12, first paragraph, GDPR by providing the guidance notes, in which Uber gives further explanation about the values in the CSV files when providing the information, only in English. This violation touches not only the French drivers, but almost all Uber drivers in Europe.
Form: view Uber
Uber states that the GDPR does not specifically prescribe which form meets the 'easily accessible' standard [5] or on the basis of which criteria this can be determined. Also the explanation in the Guidelines makes the standard not very concrete, and the AP cannot base a violation of the GDPR on guidelines alone. According to Uber, the AP endorses on its website that the GDPR does not prescribe in which way information should be provided. CSV is in fact a very suitable file format for the provision of information, because, unlike for example a PDF format, further analysis of the data is possible.
Uber also states that the 'reasonable and average person involved' is the benchmark that should apply, and by this measure, the CSV files that Uber provides are easily accessible. Uber states that CSV is a universal file format that on Windows and Apple operating systems will in principle open automatically in software that can display tables. Even if that is not the case, Uber meets the 'easily accessible' standard because the person involved can then simply adjust the display of the file, possibly after consulting a search engine for instructions. Even when a CSV file is opened as a text file, the information is still easily accessible. By requiring Uber, when providing information in CSV format, to explain how to open such a file in many different software applications, the AP introduces a new standard.
[5] Guidance on transparency in accordance with Regulation (EU) 2016/679
Form: assessment
The AP suggests that it does not consider that the 'easily accessible' standard from Article 12, first paragraph, GDPR can be met by providing information in a CSV file. The Guidelines indicate the following regarding 'easily accessible': 'The element 'easily accessible' means that the data subject does not have to search for that information himself; for the data subject it must be immediately clear where and how this information can be found.'
When the information is provided in response to a request for access, this relates, for example, to the structure in which the information is offered (such as the use of paragraphs).
In a CSV file, values from a table are stored as lines of text. The values are separated by punctuation marks. When the information from a CSV file is displayed as lines of text and thus unstructured, the form in which the information is presented is not easily accessible. Those involved cannot directly extract the information from this. By using a spreadsheet program, the information from a CSV file can be displayed in tabular form. A CSV file can be automatically opened in tabular form in a spreadsheet program, but this is not always the case, depending on the settings, for example. The files that Uber provided to complainants contain a comma as separator between the values. This is not automatically usable as a list separator in all cases, for example in countries or regions where a comma is also used as a decimal separator (such as the Netherlands and France). No information is provided by Uber regarding how the information from the CSV files can be displayed in a structured way if the file is not automatically opened in tabular form: the person concerned has to find this out for themselves. Uber has therefore not provided the information in an easily accessible form and has violated Article 12, first paragraph, GDPR.
[6] Guidance on transparency in accordance with Regulation (EU) 2016/679, paragraph 11
[7] Uber has stated in its opinion that it has added an explanation to the guidance note on how CSV files can be opened, and has also added a passage about it to the accompanying email with which Uber sends the CSV files.
Language: viewpoint Uber
By testing whether the guidance notes have been provided in an understandable language, the AP does not, according to Uber, test against the correct standard.
Pursuant to Article 12, first paragraph, of the GDPR, the language must be 'clear and simple'. Uber takes the position that the guidance notes have been provided in clear and simple language. Not a good but a fair command of English is sufficient to be able to understand the guidance note. Uber may also assume that the French drivers have a good command of English, because French taxi drivers (and therefore also Uber drivers) are required to have a VTC registration. To do this, an exam must be taken in which, among other things, English is tested at A2 level.
Language: review
Although the research report incorrectly uses exclusively the criterion 'understandable', this does not change the outcome of the assessment. Based on Article 12, first paragraph, GDPR, information must be provided in clear, simple language. This includes, among other things, that when the controller targets data subjects who speak another language, a translation into that language must be provided. The requirement to use clear and simple language is closely related to comprehensibility.
Uber should not assume that the French drivers have sufficient knowledge of English to be able to understand the English guidance note. The fact that French Uber drivers must take an exam for their VTC registration, in which English is tested at level A2, does not change this, because a bad score on the English part can be compensated by a good score on other exam components. Passing the exam for a VTC registration with good results therefore gives no indication of a command of English. [11] Even if this were the case, the AP is of the opinion that command of English at level A2 is insufficient to understand the English guidance note. For reading and understanding a text at A2 level [12], the following standard applies in accordance with the Common European Framework of Reference for Languages (CEFR): “I can read very short, simple texts.
I can find specific, predictable information in simple, everyday texts such as advertisements, leaflets, menus and timetables and I can understand short, simple, personal letters.” The guidance notes concern a document of 26 pages explaining the various very specific table values, such as telematic data and various device data. This exceeds the level of a very short and simple text as indicated by the CEFR.
In this context, the AP also points to the fine that the Swedish supervisory authority [13] (IMY) has imposed on Spotify, including for not providing technical information log files in the language of those involved (but only in English).
[8] Guidance on transparency in accordance with Regulation (EU) 2016/679, paragraph 13
[9] See Guidelines on Transparency in accordance with Regulation (EU) 2016/679, paragraph 9
[10] See Arrêté du 6 avril 2017 relatif aux programmes et à l'évaluation des épreuves des examens d'accès aux professions de conducteur de taxi et de conducteur de voiture de transport avec chauffeur. For the English exam part, at least 4 of the 20 multiple-choice questions must be answered correctly. To pass all seven exam components together, you must achieve at least an average score of 10 out of 20.
[11]
[12] A2 level. Common European Framework of Reference for Languages, Council of Europe
[13] Decree of 12 June 2023 with reference DI-2019-6696, see https://www.imy.se/globalassets/dokument/beslut/2023/beslut-tillsyn-spotify.pdf
The controller must take sufficient measures to ensure that data subjects understand the information. By providing the guidance notes to the drivers only in English and not in the local languages, Uber has violated article 12, first paragraph, GDPR. Since June 29, 2022, Uber has offered guidance notes in several languages, including French.
4.4 Privacy statement: retention periods
In its response to a request for access, Uber refers to the privacy statement for the retention periods. The investigation report has determined that the information provided by Uber in the privacy statement about the retention periods is too general, which means that Uber violates Article 13, second paragraph, under a, and Article 15, first paragraph, GDPR.
Viewpoint Uber
Uber indicates that the explanation from the guidelines, that it is insufficient to explain that personal data will be kept for as long as necessary for the legitimate purpose of the processing, goes further than the GDPR prescribes. This is at odds with Article 5, first paragraph, sub e, of the GDPR, in which the criterion for determining the retention period is formulated precisely in that way. The AP may not base a violation on the Guidelines alone. In addition, on the basis of Article 12, first paragraph, GDPR, information must be presented in a concise and understandable manner. In the case of Uber, as a multinational, there are different retention periods per processing, per country, in certain countries per city, and per category of those involved [16], and those periods are subject to change. Mentioning specific retention periods would result in an expansion of the privacy statement by tens to hundreds of pages. Article 13, second paragraph, under a, GDPR also only prescribes that retention periods must be mentioned if that is possible, which for the aforementioned reason is not the case with Uber. Uber also states that the AP cannot conclude on the basis of the investigation report that there has been a violation of Article 15, first paragraph, GDPR, because the drivers are provided with information in different ways in response to a request for access and this is not included in the report. In addition, the guidelines against which the AP tests are not relevant to article 15 of the GDPR.
In its assessment of the version of the privacy statement of 17 October 15, 2020, the AP wrongly did not include a passage, while according to Uber that passage meets the requirements against which the AP tests.
[14] File document 23: the privacy statement of October 12, 2019 and the privacy statement of September 1, 2021.
[15] Guidelines on transparency in accordance with Regulation (EU) 2016/679, page 45: explanation of Article 13, second paragraph, under a.
[16] G.
[17] For example, drivers, couriers, passengers.
File document 23, p. 25: “Following an account deletion request, Uber deletes the user's account and data, unless they must be retained due to legal or regulatory requirements, for purposes of safety, security, and fraud prevention, or because of an issue relating to the user's account such as an outstanding credit or an unresolved claim or dispute. Because we are subject to legal and regulatory requirements relating to drivers and delivery persons, this generally means that we retain their account and data for a minimum of 7 years after a deletion request. For riders and delivery recipients, their data is generally deleted within 90 days of a deletion request, except where retention is necessary for the above reasons.”
Judgement
In the version of the privacy statement dated 12 November 2019, Uber states that personal data (of drivers) are kept as long as the user has an account.
In addition, Uber can store information to the extent necessary for safety, security and fraud prevention purposes, followed by an example. In the version of September 1, 2021, the information about retention periods states, in summary, that Uber retains personal data for as long as necessary for various purposes, followed by a statement that users (including drivers) can request deletion of their account, after which the data will be deleted unless it is kept longer for safety, security and fraud prevention purposes or account-related matters. Because Uber is subject to laws and regulations relating to (among other things) drivers, this generally means a retention period of at least seven years for both the account and the account data after a request to delete the account, according to Uber's privacy statement.
Pursuant to Article 13, second paragraph, opening words, GDPR, the controller must, when obtaining the data, inform the data subject about the period during which the personal data will be stored or, if that is not possible, the criteria for determining that period. The AP notes that in both versions of the privacy statement Uber does not provide any (concrete) information about retention periods. In the privacy statement of 1 September 2021, Uber does mention a retention period of seven years, but this period is not formulated in sufficiently concrete terms (it concerns only a minimum retention period that applies 'in general', while it is not clear under which circumstances this period does or does not apply) and relates exclusively to those cases in which a request to delete an account has been made. Uber has indicated in its opinion, among other things, that there are many different retention periods. The AP notes that these different retention periods are not mentioned in the privacy statement.
In its opinion, Uber has further indicated that, given the many different retention periods, it is not possible to name all concrete retention periods and that it therefore suffices to mention the criteria for determining the periods. According to Uber, naming all specific retention periods would lead to a pages-long privacy statement, which conflicts with Article 12, first paragraph, GDPR. The AP agrees that, in the circumstances mentioned, Uber may suffice with mentioning the criteria for determining the retention periods, but notes that these too are not sufficiently mentioned in the privacy statement. Stating only in general terms that personal data will be kept as long as necessary for certain purposes (as Uber does) cannot be equated with naming criteria for determining the retention period. In the opinion of the AP, the obligation to state the criteria for determining the retention period cannot be interpreted otherwise than that data subjects must be able to determine the retention periods for their data. The information provided by Uber is therefore too general in nature.
The AP finds that Uber has violated Article 13, second paragraph, opening words and under a, GDPR. Contrary to what is stated in the investigation report, the AP sees insufficient basis in the investigation findings to establish a violation of Article 15, first paragraph, opening words and under d, GDPR.
4.5 Privacy statement: transfer
In its response to a request for access, Uber refers to the privacy statement for information about transfers. The investigation report established that the privacy statement does not mention the countries outside the EEA to which data is transferred or which specific measures have been taken to this end, as a result of which Uber has violated Article 13, first paragraph, opening words and under f, and Article 15, second paragraph, GDPR.
Viewpoint of Uber
Uber states that Article 13, first paragraph, opening words and under f, GDPR does not require that the countries of transfer be mentioned.[18] The interpretation of the EDPB in the Guidelines, that in accordance with the principle of propriety the information about transfers must be as meaningful as possible and that this means that the third countries should generally be named, is incorrect. The principle of propriety has, in view of the opening words, already been given substance in Article 13, second paragraph, GDPR (as the AP understands the opinion: exhaustively) and therefore does not apply to the first paragraph of Article 13 GDPR. The EDPB's interpretation contradicts the text and system of Article 13, first and second paragraph, GDPR. In addition, the AP cannot base a violation solely on the Guidelines. The Guidelines also only require that in general the third countries should be mentioned, and it is impossible for Uber to determine prior to processing to which specific countries personal data is transferred. Uber would have to include all 72 countries in which it offers its app in the privacy statement; this would not be meaningful or understandable. The same applies to mentioning all protection measures per country. Uber is also of the opinion that, in view of the joint controllership of Uber B.V. and Uber Technologies Inc., there is in this context no transfer of personal data to third countries, because the processing falls within the scope of the GDPR in view of Article 3, first paragraph, GDPR. Article 15, second paragraph, GDPR does not require that the countries of transfer be mentioned, and the explanation in the Guidelines does not apply to Article 15. Uber also states that the AP cannot conclude on the basis of the investigation report that Article 15, second paragraph, GDPR has been violated, because drivers are provided with information in various ways in response to an access request and this is not included in the report.
The versions of the privacy statement assessed by the AP more than meet the requirements set out in Article 13, first paragraph, under f, of the GDPR, among other things because in all versions it was possible to click on 'Standard contractual clauses', after which the European Commission's standard clauses could be downloaded from a web page. Finally, Uber states that the AP wrongly did not include the privacy statement of 13 June 2022 in its assessment.
[18] Guidelines on transparency in accordance with Regulation (EU) 2016/679, page 44.
Judgement
Article 13, first paragraph, opening words and under f, GDPR requires in the first place that the controller informs data subjects, where appropriate, that the controller intends to transfer the data to a third country. The AP notes that in the various versions of the privacy statement Uber mentions only that it transfers personal data to a third country or countries.
With regard to the applicable safeguards, Article 13, first paragraph, opening words and under f, GDPR requires that it be indicated whether or not there is an adequacy decision of the Commission, or that other appropriate safeguards apply, and how a copy of these can be obtained or where they can be consulted. The requirements that this provision sets for the provision of information are so specific that data subjects must be given access to detailed information about the safeguards used to protect their data upon transfer. In the Guidelines, the EDPB expresses this by stating that, in accordance with the principle of propriety, the information should be as meaningful as possible.
If a data subject is to be able to learn to which countries his data are transferred, the foregoing entails that the relevant countries of transfer are mentioned. In the various versions of the privacy statement, Uber states only in general terms, and without giving definitive information, that various safeguards apply (for example in the privacy statement of 1 September 2021: “We do so in order to fulfil our agreements with users, such as our Terms of Use, or based on users' prior consent, adequacy decisions for the relevant countries, or other transfer mechanisms as may be available under applicable law, such as the Standard Contractual Clauses”) and does not indicate how a copy can be obtained or where they can be consulted. This does not give data subjects the opportunity to find out which safeguards may be relevant to them and what exactly these safeguards entail (by being able to consult the applicable safeguards). Uber has thus violated Article 13, first paragraph, opening words and under f, GDPR.
Contrary to what Uber states in its opinion, the fact that the second paragraph of Article 13 GDPR gives further substance to the principle of propriety does not make the principle of propriety from Article 5, first paragraph, under a, GDPR inapplicable to the first paragraph of Article 13 GDPR.[21]
With regard to Uber's response to a request for access, the AP sees, contrary to what is stated in the investigation report, insufficient basis in the investigation findings for a violation of Article 15, second paragraph, GDPR.
4.6 Privacy statement: data portability
The investigation report found that Uber does not explicitly state the right to data portability in the privacy statement and therefore does not comply with Article 13, second paragraph, opening words and under b, GDPR.
[19] Namely those of 25 May 2018, 12 November 2019, 1 September 2021 and the privacy statement of 13 June 2022 (file document 25).
[20] Guidelines on transparency in accordance with Regulation (EU) 2016/679, page 44.
[21] See also recital 60 of the GDPR, in which the principle of propriety is mentioned in connection with obligations under the first paragraph of Article 13 GDPR.
Viewpoint of Uber
According to Uber, Article 20, first paragraph, GDPR shows that the right to data portability consists of two actions, namely obtaining (from Uber) and transferring (by the data subject). Uber indicates that the right to data portability is mentioned in the privacy statement, namely as 'receiving data'. Uber also explains in its privacy statement what the right to data portability is, deliberately without using complex terms (such as data portability). The guidelines[22] (which state that a distinction must be made between the right to data portability and other rights) only provide an explanation, and the AP cannot base a violation solely on this. Finally, Uber states that the AP wrongly did not include the privacy statement of September 1, 2021 in its assessment.
Judgement
Article 13, second paragraph, opening words and under b, GDPR obliges the controller, upon the provision of data, to inform the data subject, among other things, about the right to data portability. The AP notes that Uber does not explicitly mention the right to data portability in the different versions of the privacy statement. The AP does not follow Uber's position that 'receiving data' informs about the right to data portability, because receiving the data processed by Uber can also indicate the right of access under Article 15 of the GDPR. The obligation under Article 13, second paragraph, opening words and under b, GDPR to inform about the right to data portability naturally entails that this right must be named separately and explicitly. This is also explained in the guidelines.
By not separately and explicitly mentioning the right to data portability, Uber has violated Article 13, second paragraph, opening words and under b, GDPR. As of November 3, 2022, Uber explicitly mentions the right to data portability in its privacy statement. The violation has thus ended.
[22] Guidelines on the right to data portability of WP29, pages 15 and 16.
[23] Namely those of May 25, 2018, November 12, 2019 and September 1, 2021.
[24] See also the Guidelines on the right to data portability of WP29, pages 15 and 16.
5. Administrative fine
5.1 View of Uber
Uber has put forward in its opinion, in summary, that the investigation report does not justify remedial or sanction measures. Uber refers to its point of view given on the violations (from the investigation report). In addition, Uber is of the opinion that the lex certa principle stands in the way of enforcement, because the provisions against which the AP tests Uber in the investigation report are in many respects not clear and crystallized and are therefore unforeseeable.
According to Uber, a measure also leads to disproportionate consequences for Uber within the meaning of Article 3:4, second paragraph, of the General Administrative Law Act (Awb), because Uber is constantly working on improving its services and has always shown itself willing to work together with the AP.
Finally, Uber takes the position that it has wrongly not been given the opportunity to express its views on the content of a proposed sanction decision. The intention to enforce that Uber received from the AP is general and does not give Uber the opportunity to express its view on the amount of the fine, the severity of the violations found and the ultimate substantiation thereof.
5.1.1 Assessment of administrative fine
Above, the AP has concluded that Uber has violated Article 12, first paragraph, GDPR by not providing the information in the CSV files in an easily accessible form and, in addition, by providing the guidance notes only in English. This took place in the period from 25 May 2018 to June 29, 2022. Secondly, Uber has violated Article 12, second paragraph, GDPR because the digital form with which drivers can exercise their right to access and data portability is not easy enough to reach in the driver app. This violation took place in the period from May 25, 2018 to February 17, 2022. Thirdly, the information provided by Uber about retention periods in the privacy statement is too general, as a result of which Uber has violated Article 13, second paragraph, opening words and under a, GDPR. Uber has also violated Article 13, first paragraph, opening words and under f, GDPR because the information provided about transfers in the privacy statement is incomplete. The AP determines this for the period from 25 May 2018 to the date of the investigation report (30 June 2022). Finally, Uber has not explicitly mentioned the right to data portability in the privacy statement, which leads to a violation of Article 13, second paragraph, opening words and under b, GDPR. This took place from May 25, 2018 to November 3, 2022.
The AP therefore sees reason to use its authority under Article 58, second paragraph, opening words and under i, in conjunction with Article 83 GDPR and Article 14, third paragraph, GDPR Implementation Act, to impose an administrative fine on Uber (Uber Technologies Inc. and Uber B.V. together).
5.1.2 Appeal to the lex certa principle
With regard to Uber's appeal to the lex certa principle, which is laid down in, among other things, Article 49 of the Charter of Fundamental Rights of the EU, the AP considers the following.
As the Administrative Jurisdiction Division of the Council of State has considered several times, the lex certa principle requires the legislator, with a view to legal certainty, to describe prohibited conduct in as clear a manner as possible. It should not be lost sight of that the legislator sometimes describes prohibited conduct with a certain vagueness, consisting of the use of general terms, in order to prevent conduct that is worthy of punishment from falling outside the scope of that description. This vagueness can be unavoidable, because it is not always possible to foresee how the interests to be protected will be violated in the future and because, if this could be foreseen, the descriptions of prohibited conduct would otherwise become too refined, as a result of which clarity disappears and with it the interest of general clarity of legislation suffers. In other words, the lex certa principle requires the legislator, with a view to legal certainty, to describe the prohibited conduct as clearly as possible.[26]
[25] See, among others, the rulings of July 9, 2014, ECLI:NL:RVS:2014:2493, and January 16, 2019, ECLI:NL:RVS:2019:109.
Uber's argument about the lex certa principle focuses on the violations found by the AP with regard to the accessibility of the form for access requests and the form in which information is provided in relation to the CSV files.
The AP considers that “easily accessible form” within the meaning of Article 12, first paragraph, GDPR entails that information provided in a CSV file in response to an access request must be able to be displayed in a structured way (if the file does not open automatically), without the data subject having to figure out how to do this. There is no conflict with the lex certa principle because the text of the provision is sufficiently clear.
This is even more true now that the Guidelines[27] indicate that the element “easily accessible” means that the data subject does not have to seek out the information himself; it must be immediately clear to the data subject where and how to find this information. The fact that the concept “easily accessible” from Article 12, first paragraph, GDPR requires interpretation based on the specific circumstances does not mean that an administrative fine imposed for violation of this provision conflicts with the lex certa principle.
With regard to the violation that concerns the accessibility of the form for requests for access, there is, in the opinion of the AP, also no conflict with the lex certa principle. In view of its text, Article 12, second paragraph, of the GDPR requires the controller to facilitate the exercise of a data subject's right of access to his or her data. In the opinion of the AP, this standard is sufficiently clear, insofar as measures taken by a controller that raise thresholds for the exercise of that right are contrary to it. Due to the combination of the number of steps to be gone through and their wording, Uber sets such a high threshold for data subjects that Uber does not sufficiently facilitate its drivers in this regard.
5.1.3 Opportunity to provide an opinion
Regarding Uber's position that it has wrongly not been given the opportunity to submit its views on the amount of the fine, the seriousness of the violations found and the ultimate substantiation thereof, the AP considers the following. Neither Article 4:8 nor Article 5:50 Awb (read in conjunction with Articles 5:48 and 5:53 Awb) nor any other provision obliges the AP to address these aspects in the intention to impose an administrative fine.
Uber has therefore not wrongly been deprived of the opportunity to express its views on this. What is stated in the opinion can contribute to the AP's decision to proceed with imposing an administrative fine, after which the AP determines the amount of the fine on the basis of all relevant facts and circumstances known at that time. For this reason, the AP did not express itself in its intention on the aspects mentioned by Uber.
[26] Ruling of 26 October 2022, ECLI:NL:RVS:2022:3077.
[27] Guidelines on transparency in accordance with Regulation (EU) 2016/679, paragraph 11.
[28] CBb 7 May 2019, ECLI:NL:CBB:2019:177.
5.2 Systematics for determining the amount of the fine
The EDPB agreed in the plenary meeting of 24 May 2023 to adopt the Guidelines 04/2022 on the calculation of administrative fines under the GDPR (hereinafter: the Guidelines). The Guidelines are directly applicable because they do not provide for transitional law for procedures that were already underway at the time of approval of the Guidelines. The AP will therefore also apply these Guidelines[30] to this case.
The Guidelines describe a methodology in which the following are considered successively:
1. which and how many acts and infringements are under assessment;
2. which starting amount is the starting point for calculating the fine;
3. whether mitigating or aggravating circumstances exist that require adjustment of the amount from step 2;
4. what maximum amounts apply to the violations and whether any increases from the previous step do not exceed this amount;
5. whether the final amount of the calculated fine meets the requirements of effectiveness, deterrence and proportionality, with adjustments where necessary.
These steps are followed in turn below.
5.3 Calculation of starting amount
5.3.1 Step 1: Establishing actions and determining infringements
To determine the starting amount of the fine, it must first be determined, as described in the Guidelines, whether there is one or more instances of sanctionable conduct.
The AP first found that Uber, in response to a request for access from a data subject, did not provide information on how the CSV file can be opened (such that the information from the provided CSV file can be displayed in a structured way). The AP has also found that Uber did not provide the information about the data in the CSV file (the guidance notes) in the language of the data subjects, but only in English. As concluded above, both points conflict with Uber's obligation, laid down in Article 12, first paragraph, of the GDPR, to inform the data subject in an understandable and easily accessible form and in clear and simple language. In addition, the AP has also established a violation of the second paragraph of Article 12, namely because the digital form with which drivers exercise their right of access and data portability is not easy enough to reach in the driver app.
[29] There is currently no Dutch translation of the Guidelines available. The Guidelines can be consulted at <https://edpb.europa.eu/our-work-tools/general-guidance/guidelines-recommendations-best-practices_en>.
[30] See also https://www.autoriteitpersoonsgegevens.nl/actueel/nieuw-boetebeleid-voor-overstromenen-avg.
The AP further found that Uber's privacy statement was deficient in three areas: i) the information provided by Uber about retention periods was too general in nature for data subjects to determine the retention periods for their data; ii) the information did not mention the various safeguards applicable to international transfers of personal data; and iii) the right to data portability was not mentioned separately or expressly. These points are contrary to Article 13, first paragraph, under f, and second paragraph, under a and b, of the GDPR.
In the opinion of the AP, this case involves two distinguishable instances of sanctionable conduct (“plurality of action”). The AP first notes that the conduct takes place at different points in time. Using an inadequate privacy statement takes place on an ongoing basis after publication, while the information in response to an access request is provided after a driver has made a request for access. Secondly, the conduct does not necessarily affect the same group of data subjects. Not every driver who consults the privacy statement makes a request for access, and vice versa. Thirdly (and finally), the AP takes into account that the violations can exist independently of each other and have no causal connection with each other. That they are now dealt with together in one decision is because they came to the attention of the AP at the same time.
Now that Uber has committed distinguishable instances of sanctionable conduct, both can be fined separately. The amounts in the following steps will therefore be determined for both infringements.
5.3.2 Step 2: Determine the starting amount
As described in the Guidelines, the starting amount of the fine must then be determined. This starting amount forms the starting point for further calculation in later steps, in which all relevant facts and circumstances are taken into account.
The Guidelines state that the starting amount is determined on the basis of three elements: i) the categorization of the infringements according to Article 83, fourth to sixth paragraphs, of the GDPR; ii) the seriousness of the infringements; iii) the turnover of the company. All three elements are discussed below.
Ad i) Categorization of infringements according to Article 83, fourth to sixth paragraphs, of the GDPR
As stated in the Guidelines, almost all obligations of the controller are categorized in the provisions of Article 83, fourth to sixth paragraph, of the GDPR. The GDPR makes a distinction between two types of infringements. On the one hand, there are the infringements that can be sanctioned on the basis of Article 83, fourth paragraph, of the GDPR, for which a maximum fine of €10 million applies (or in the case of a company, 2% of the annual turnover, if that is higher); on the other hand, there are the infringements that can be sanctioned pursuant to Article 83, fifth and sixth paragraph, of the GDPR, for which a maximum fine of €20 million applies (or in the case of a company, 4% of the annual turnover, whichever is higher). With this distinction, the legislator has provided an abstract indication of the seriousness of the infringement: the more serious the infringement, the higher the fine.
For the current violations of Article 12, first and second paragraph, Article 13, second paragraph, opening words and under a, Article 13, first paragraph, opening words and under f, and Article 13, second paragraph, opening words and under b, GDPR, an administrative fine of up to €20,000,000.00 (or in the case of a company, 4% of global annual turnover, whichever is higher) may be imposed. From this categorization it follows that the infringements of these provisions are regarded as serious by the legislator.
Ad ii) Severity of the infringements
To determine the seriousness of the infringement, according to the Guidelines, account must be taken of the nature and severity of the infringement, as well as the intentional or negligent nature of the infringement and the categories of data involved.
With regard to the nature of the violations, the AP notes that the controller must provide the data subject with the information that is necessary to ensure proper and transparent processing towards the data subject, taking into account the specific circumstances and context in which the data are processed. The right of access, as well as the right to receive understandable and easily accessible information about the processing of personal data, is necessary to enable data subjects to exercise their other rights under the GDPR. Providing transparent information within the meaning of Article 12, first paragraph, GDPR is of great importance for that reason alone. When the rights of data subjects are not complied with, this affects the right that data subjects have to respect for their personal privacy and the protection of their personal data. The right of access and the right to receive understandable and easily accessible information about the processing of data are, in addition, important for data subjects in asserting or exercising rights other than those under the GDPR, for example in civil proceedings. That is why it is also important that data subjects can make use of the aforementioned rights under the GDPR and that no unreasonable barriers are raised to this.
When assessing the severity of the violations, the AP first weighs the number of (possible) data subjects. It is known to the AP that during the period of the violations, approximately 120,000 Uber drivers were active in Europe.
[31] Guidelines 04/2022 on the calculation of administrative fines under the GDPR.
[32] Recital 60 of the GDPR.
Secondly, when assessing the severity of the violations, the AP takes into account that Uber has committed the above-mentioned violations of the GDPR, but that it is not the case that Uber has in no way complied with its obligations under Article 12, first and second paragraph, Article 13, second paragraph, opening words and under a, Article 13, first paragraph, opening words and under f, and Article 13, second paragraph, opening words and under b, GDPR. For example, Uber has not completely informed data subjects about the retention periods in its privacy statement, but it has provided some information about them. The same applies to the information about transfers in the privacy statement: although the AP has found a violation in this respect, it cannot be said that Uber has completely failed to inform about transfers. With regard to Uber's response to an access request, it has not been established that the requirements of Article 12, first paragraph, GDPR have not been met at all, but the violation is limited to the language of the guidance notes and the accessibility of the CSV files. For both the language of the guidance notes and the accessibility of the CSV files, it also holds that this violation will not actually have had consequences for every driver who requested access. The English language of the guidance notes will not lead to less or no understanding of the content for every driver; there are also some Member States where English is the language. In addition, there will also be drivers for whom CSV files do open automatically in tabular form. Furthermore, the AP has not found that the violations have resulted in (substantial) damage to data subjects. Furthermore, with regard to the violation of Article 12, second paragraph, of the GDPR, it is not the case that Uber has made it entirely impossible for data subjects to exercise their right of access and data portability.
In the opinion of the AP, there was negligence in committing the violations. The AP weighs that element as “neutral”. With regard to the categories of data involved, the AP has established that location data are processed; these are personal data of a sensitive nature.
Furthermore, the AP takes into account that it may be a challenge for Uber to provide comprehensive information about the rights of the data subject in a way that is understandable to data subjects, which entails weighing up how the information can best be presented. It also appears from the investigation and from the information provided by Uber during the opinion phase that Uber has taken many measures to improve the procedures for data subjects and to continue improving them.
The duration of the violations, as determined above, covers a significant period, namely the period from May 25, 2018 to February 17, 2022, June 29, 2022 and November 3, 2022.
Ad iii) Turnover of the company
The Guidelines prescribe that, from the point of view of fairness, the starting amount of the fine must be related to the size of the company. The size of the company is determined on the basis of turnover. For example, for a small company with a turnover of up to € 2 million, the starting amount is as a rule limited to 0.2 to 0.4% of the actual starting amount, and the starting amount increases as the turnover of the company increases. If a company has a turnover of more than €500 million, the fine is determined as a percentage of the annual turnover of the company. As a result, the size and turnover of the company are already reflected in the amount of the fine, so that the starting amount does not need to be adjusted on that basis.
[33] See in this connection, among others, CJEU 4 May 2023, ECLI:EU:C:2023:376.
As stated in recital 150 of the GDPR, when a fine is imposed on a company, the term “undertaking” is to be understood as an undertaking in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union. It follows from established case law of the Court of Justice of the European Union that an enterprise is “any entity that carries out an economic activity, regardless of its legal formation and the manner in which it is financed.” So what matters is the economic unit of the companies, not the legal entities within it. Different companies or entities within the same economic unit can therefore together form one company within the meaning of the aforementioned provisions. Uber B.V. is indirectly a wholly owned subsidiary of Uber Technologies Inc. For the application of Article 83 of the GDPR, they must therefore be counted as part of the same company.
As stated in the Guidelines, the turnover can be determined on the basis of the annual accounts of the company for the previous financial year. Pursuant to Article 83, fourth to sixth paragraphs, of the GDPR, the worldwide turnover in the previous financial year is taken into account. Since this decision was taken in 2023, the financial year 2022 is used. Uber Technologies Inc. has published its annual accounts for 2022 on its website.[35] Page 74 contains a consolidated overview of the company. It is important to note that the global turnover of the company in 2022 amounts to $31.877 billion. This corresponds to €29.750 billion.[36]
Determine starting amount
Pursuant to Article 83, fifth paragraph, of the GDPR, the fine amounts to a maximum of 4% of the annual turnover. The annual turnover, as stated, is €29.750 billion, so that the maximum fine for each of the violations amounts to €1.19 billion. In view of what has been considered under (i) and (ii), the AP takes the position that the level of seriousness of the infringements must be qualified as “low”.
According to the Guidelines, for infringements with a low level of severity, the starting amount should be set at a point between 0 and 10% of the maximum fine. The general rule is that the more serious the infringement within its own category, the higher the starting amount will be. The AP is of the opinion that, given the circumstances described, the infringements in question are of their own accord severity. The starting point for calculating the fine must therefore be relatively low compared to the starting amount. Taking all the foregoing into account, the AP sets the starting amount in this case at €5 million for each of the violations (€10 million in total). That corresponds to 0.42% of the applicable maximum fine.
Footnote: From an annual turnover of €500 million, 4% of the annual turnover is higher than €20 million, so that this percentage must be taken into account as the maximum fine (Article 83, fifth paragraph, opening words, of the GDPR).
[35] Consult <https://investor.uber.com/financials/default.aspx>.
[36] The exchange rate determined by the ECB on the day of this decision is €0.9333 per US dollar (compare <https://www.ecb.europa.eu/stats/policy_and_exchange_rates/euro_reference_exchange_rates/html/eurofxref-graph-usd.en.html>).
5.4 Assessment of mitigating or aggravating circumstances
5.4.1 Step 3: Assess relevant circumstances
As stated in the Guidelines, it should then be assessed whether the circumstances of the case give reason to set the fine higher or lower than the starting amount determined above. The circumstances to be taken into account are stated in Article 83, second paragraph, opening words under a to k, of the GDPR. The circumstances stated in that provision must each be considered only once.
In the previous step, the nature, weight and duration of the infringement (part a), the intentional or negligent nature of the infringement (part b) and the categories of personal data (part g) have been taken into account. Therefore, parts c to f and h to k remain. The only applicable circumstance is the manner in which the AP became aware of the infringement, in particular whether, and if so to what extent, the controller has reported the infringement (part h). In this case, Uber did not report the infringements itself; they came to the knowledge of the AP through complaints. This is, however, assessed as “neutral” according to the Guidelines and therefore has no consequences for the amount of the fine to be imposed. The other circumstances are not considered in this case because the conditions they refer to do not occur in this case.
5.5 Determining the amount of the fine
In paragraph 5.3.2 a starting amount of €5 million has been determined for each of the violations. In paragraph 5.4.1 it has been concluded that the only circumstance that can be taken into further consideration must be assessed as neutral. The conclusion is therefore that the fine must be set at €5 million for each of the two violations (€10 million in total).
5.5.1 Step 4: Check for exceedance of the maximum amounts applicable to the infringements
As mentioned, and also taking into account Uber's turnover, a maximum fine of 4% of the worldwide annual turnover of the company applies to the violations found. Considering the turnover of Uber (€29.750 billion), the legal maximum of the fine to be imposed is €1.19 billion per violation. Above, the fine for the violations found has been set at €5 million per violation. This is well below the legal maximum, so that the maximum is not exceeded.
5.5.2 Step 5: Assessment of effectiveness, proportionality and deterrence requirements
Finally, the AP assesses whether the fine is effective, proportionate and deterrent.
Based on Article 49, third paragraph, of the Charter of Fundamental Rights of the EU and Articles 3:4 and 5:46, second paragraph, of the Awb, the imposition of an administrative fine may not lead to a disproportionate outcome given the circumstances of the specific case. Pursuant to Article 83, fifth paragraph, opening words under b, GDPR, the AP may impose an administrative fine for the above violations. As described in the Guidelines, a fine can be considered effective if it achieves the purpose for which it was imposed. The aim may be to punish unlawful conduct on the one hand and to promote compliance with the applicable regulations on the other. Given the nature, severity and duration of the infringement, as well as the other factors from Article 83, second paragraph, GDPR as assessed in paragraphs 5.3.2 and 5.4 of this decision, the AP is of the opinion that by imposing an administrative fine in these circumstances both goals are achieved and that the fine is therefore effective and deterrent. The AP also considers the amount of the administrative fine, which is partly determined on the basis of Uber's turnover, to be effective and deterrent. The AP expects the fine to be proportionate to the seriousness of the violations and the size of the company.
Uber has indicated in its opinion that imposing a measure leads to disproportionate consequences for Uber, because Uber is constantly working on improving its services and has always shown that it is willing to work together with the AP. The AP does not see this as a reason to consider the fine disproportionate. After all, both compliance with the provisions of the GDPR and cooperation with the AP in the exercise of its powers are legally required. In the opinion of the AP, no such special circumstances have occurred in this context that the fine would not be proportionate for the reasons mentioned by Uber.
6. Dictum
Fine
The AP imposes on Uber B.V. and Uber Technologies Inc. jointly, for violation of Articles 12, first and second paragraph, and Article 13, first paragraph, opening words under f, and second paragraph, opening words under a and b, of the GDPR, an administrative fine in the amount of €10,000,000.00 (in words: ten million euros).[37]
Yours faithfully,
Dutch Data Protection Authority,
Mr. A. Wolfsen
Chair
Remedies clause
If you do not agree with this decision, you can submit an objection, digitally or on paper, to the Dutch Data Protection Authority within six weeks after the date of dispatch of the decision. Pursuant to Article 38 of the GDPR Implementation Act, submitting an objection suspends the effect of the decision to impose the administrative fine. State at least in your objection letter: your name and address; the date of your objection; the reference mentioned in this letter (case number), or attach a copy of this decision; the reason(s) why you do not agree with this decision; your signature.
You can submit the objection letter digitally via the website. Go to www.autoriteitpersoonsgegevens.nl, and at the bottom of the page, under the heading “Contact”, click on the link “Objection against a decision of the AP”. From there you use the “Submit an objection” form.
Would you rather send the notice of objection by post? You can do so to the following address:
Dutch Data Protection Authority
Directorate of Legal Affairs & Legislative Advice, Objections department
PO Box 93374
2509 AJ DEN HAAG
[37] The AP will hand over the claim to the Central Judicial Collection Agency (CJIB).