AP (The Netherlands) - Decision of 11 December 2023 imposing administrative fine on Uber

From GDPRhub
AP - Decision of 11 December 2023 imposing administrative fine on Uber
Authority: AP (The Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 12(1) GDPR
Article 12(2) GDPR
Article 13(1)(f) GDPR
Article 13(2)(a) GDPR
Article 13(2)(b) GDPR
Article 15(1)(d) GDPR
Article 15(2) GDPR
Article 56 GDPR
Article 60 GDPR
Article 83 GDPR
Type: Complaint
Outcome: Upheld
Started: 12.06.2020
Decided: 11.12.2023
Published: 31.01.2024
Fine: 10,000,000 EUR
Parties: Uber Technologies Inc. and Uber B.V.
Ligue des droits de l'Homme (LDH)
National Case Number/Name: Decision of 11 December 2023 imposing administrative fine on Uber
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Dutch
Original Source: autoriteitpersoonsgegevens.nl (in NL)
Initial Contributor: co

The Dutch DPA, in the context of an Article 60 GDPR decision, issued a fine in the amount of €10,000,000 on Uber for a lack of transparency in its privacy policy and for failing to allow data subjects to exercise their rights in an accessible manner, in violation of several GDPR provisions.

English Summary

Facts

The French human rights organisation Ligue des droits de l'Homme (LDH) filed a complaint with the French DPA (Commission Nationale de l'Informatique et des Libertés, CNIL), on behalf of 172 Uber drivers against Uber B.V. and its US-based parent company Uber Technologies Inc., as joint controllers. The drivers, as data subjects, were complaining about the lack of information provided by the controllers (hereinafter Uber) in violation of Articles 12, 13 and 15 GDPR and the limited accessibility to the form used to exercise their rights under the GDPR.

The CNIL then forwarded the complaint to the Dutch DPA (Autoriteit Persoonsgegevens, AP) as lead supervisory authority in the case according to Article 56 GDPR and initiated an Article 60 GDPR procedure. In the course of its investigations, the AP found several violations related to transparency and issued a report which it forwarded to Uber to submit its views.

Holding

Upon hearing the views of the controller and of the concerned supervisory authorities in the case, the AP issued its final decision on 11 December 2023.

First of all, the AP assessed the accessibility of Uber’s form for access requests and for exercising other data subjects' rights under the GDPR. In this respect, the AP found that the form available in the Uber app is not sufficiently easily accessible as it involves too many non-intuitive steps, contrary to the provision in Article 12(2) GDPR. This was also reinforced by the fact that, according to the investigations, the Uber app is the primary means of communication between Uber and its drivers, hence, at least there, the exercise of their rights should be facilitated. The AP clarified that a layered information structure can be used in such forms but there has to be a fair balance between the number of steps to be completed and the amount of information included in each step and on top of that, the steps should have clear and intuitive names. Using the steps named "Help", "Account and app issues" or "Account" and "Legal concerns" or "Legal, ethics, and compliance" to reach the form allowing drivers to exercise their GDPR rights cannot be considered obvious in the AP's view; putting it under "Privacy" would have been more intuitive and easy. Hence, the AP found a violation of Article 12(2) GDPR.

As regards the language of the form, the AP found that Uber provides information in a CSV file in response to access requests, without adding any guidance on how the information from such a file can be structured and interpreted. This, according to the AP and read in light of paragraph 11 of the EDPB Guidelines on Transparency under Regulation 2016/679, cannot be considered an easily accessible form, as data subjects would have to find the information themselves. In addition, the AP found that, after adding guidance on how to open and read the CSV files, Uber only provided such information in English. Since Uber offers services in many EU countries, not only in France, this negatively affects virtually all Uber drivers in Europe as it cannot be considered “clear and simple” language under Article 12(1) GDPR. Accordingly, the AP held that Uber failed to provide information in an easily accessible form, using clear and plain language, thereby violating Article 12(1) GDPR.

Further, the AP assessed the privacy policy of Uber first as regards retention periods, secondly with respect to transfers of personal data to third countries and lastly with respect to data portability. First, the AP held that Uber provided too general information regarding retention periods by merely stating that data will be stored for “as long as necessary”. In the AP’s view, it is true that mentioning all different retention periods would have resulted in an overly long privacy policy, but Uber should have at least indicated the criteria used to determine retention periods. Hence, the AP held that Uber violated Article 13(2)(a) GDPR and Article 15(1)(d) GDPR. Secondly, as regards transfers of personal data, the AP found that, by not mentioning the third countries to which personal data may be transferred nor the safeguards in place and where they can be accessed, Uber acted in violation of Article 13(1)(f) GDPR and Article 15(2) GDPR interpreted also in light of the above mentioned EDPB Guidelines. Thirdly, the privacy policy of Uber did not contain any reference to the possibility to exercise one’s right to data portability, thereby violating Article 13(2)(b) GDPR.

In light of the above, in accordance with Article 58(2)(i) GDPR and Article 83 GDPR, the AP considered it appropriate to impose an administrative fine against Uber. In the calculation of the fine, the AP took several facts into account as well as the EDPB Guidelines 04/2022 on the calculation of administrative fines under the GDPR. In the AP's view, this case involves two distinct sanctionable conducts ("plurality of action"), namely the failure to provide sufficient information in the privacy policy, which is a continuous conduct, and the violations found with respect to the form for exercising one’s rights, which occur only when a request is made. Hence, according to the AP, the violations are independent from one another and should be fined separately.

Taking into account mitigating factors, such as the fact that Uber remedied some of the violations following the report issued by the AP in May 2022, and considering the annual global turnover of Uber, the AP classified the gravity of the infringements as low, with no substantive damage having been caused, and decided to issue a fine in the amount of €5,000,000 for each offence, amounting to a total fine of €10,000,000 on Uber.


English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

Dutch Data Protection Authority
                                                        PO Box 93374, 2509 AJ The Hague

                                                        Bezuidenhoutseweg 30, 2594 AV The Hague
                                                        T 070 8888 500 - F 070 8888 501
                                                        autoriteitpersoonsgegevens.nl
Confidential/Registered













Date Unmarked
December 11, 2023

                          Contact




Subject
Decision to impose an administrative fine on Uber





Dear ,


The Dutch Data Protection Authority (hereinafter: AP) is of the opinion that Uber Technologies Inc. and Uber B.V. (hereinafter collectively: Uber) have committed a number of violations of the General Data Protection Regulation (GDPR) with regard to transparency. These concern offering the guidance notes to drivers in English only and not providing information in an easily accessible form in response to a request for access, which is contrary to Article 12, first paragraph, of the GDPR. In addition, the digital form with which drivers can exercise their right to inspect and to data portability is not easy enough to reach in the driver app, which is contrary to Article 12, second paragraph, of the GDPR. The information about the retention periods in the privacy statement is also not sufficiently specific (Article 13, second paragraph, opening paragraph and Article 15, first paragraph, subsection d, of the GDPR) and the information about transfers is not sufficiently complete and meaningful (Article 13, first paragraph, opening paragraph, subparagraph f, of the GDPR). Finally, in the privacy statement, Uber does not explicitly mention the right to data portability (Article 13(2)(b) of the GDPR).

For the commission of these violations, the AP jointly imposes on Uber Technologies Inc. and Uber B.V. administrative fines totaling €10,000,000.00.











1. Background investigation


   Uber is an internationally operating company that, among other things, acts as an intermediary between taxi drivers and passengers. Passengers use the general Uber App (for mobile phones) or possibly a browser, drivers use the Uber Driver App (hereinafter: driver app).

   To use the drivers app, creating an account is mandatory for drivers. After a ride, drivers are assessed by their customers and paid by Uber for the services provided.

   Uber has set up a digital form, which is accessible via the Uber website and via the drivers app, which drivers can use to request data portability with regard to their personal data. Uber has also drawn up a privacy statement, with which Uber provides insight into the processing of data by Uber.

   On June 12, 2020, the Commission Nationale de l'Informatique et des Libertés (CNIL) received a complaint from the French non-governmental organization Ligue des Droits de l'Homme et du Citoyen (LDH) on behalf of 21 Uber drivers. Along the way, 151 Uber drivers have joined the complaint, so that it is brought on behalf of 172 complainants. On September 29, 2020, the LDH submitted an additional complaint to the CNIL. The complaints were forwarded by the CNIL to the AP, after which the International Research Department of the AP started an investigation and prepared a report.



2. Findings research report

   The report found 5 violations with regard to transparency, namely:

       1) The digital form with which a request for access can be made is not easily enough
          accessible in the driver app (art. 12, paragraph 2, GDPR).
       2) Uber does not provide a copy of the personal data in response to a request for access in an
          easily accessible form, and the guidance notes are not in a language understandable to the
          (French) driver (English) (art. 12, paragraph 1, GDPR).
       3) Uber does not provide sufficiently specific information in the privacy statement about
          retention periods (art. 13, paragraph 2, a, GDPR, art. 15, paragraph 1, a and GDPR).
       4) Uber does not specifically mention in the privacy statement the names of the countries to which
          data is transferred, nor the specific protection measures (art. 13, paragraph 1, f,
          GDPR and art. 15, paragraph 2, GDPR).
       5) Uber does not explicitly mention the right to data portability in its
          privacy statement (art. 13, 2, b, GDPR).









    The International Research Department has concluded in the research report that Uber has committed the above violations from 25 May 2018 until the date of establishment of the research report (June 30, 2022). On July 8, 2022, the research report and the intention to enforce were sent to Uber. Uber submitted its written opinion on the investigation report and the intention to enforce by letter dated 15 September 2022. On January 12, 2023, Uber explained this view orally. A report of this has been drawn up (appendix to this decision).

    In accordance with Article 60 of the GDPR, the AP has submitted the draft decision to the supervisory authorities concerned.


 3. Legal framework


    The AP refers to the appendix to this decision, which contains the legal framework.


 4. Assessment


4.1 Controller and authority AP

    Uber B.V. is the Dutch branch of Uber. Uber Technologies Inc. is located in the United States and is the parent company of, among others, Uber B.V. Uber B.V. and Uber Technologies Inc. jointly determine the purpose and means of processing data of the Uber drivers in the European Economic Area (EEA). The (French) drivers have an agreement with Uber B.V. For requests regarding the rights of the data subject, the rough division is that Uber B.V. is responsible for the assessment of such requests and that Uber Technologies Inc. provides the technical resources and data. Uber Technologies Inc. is also the publisher of the drivers app.

    In Uber's privacy statement, Uber B.V. and Uber Technologies Inc. are also noted as joint controllers. The joint processing responsibility is not disputed by Uber.

    Uber offers its services in several Member States of the EU and processes personal data for these services. This means that data subjects in more than one Member State experience significant consequences of the processing of data by Uber. This constitutes cross-border processing (article 4, opening words under 23, sub a and b, GDPR). Because the central administration of Uber in the EEA is located at Uber B.V., Uber B.V. is regarded as the head office within the meaning of article 4, opening words under 16, GDPR. The AP is competent to act as lead supervisory authority (Article 56, first paragraph, GDPR).











4.2 Accessibility form for inspection requests


    The investigation report established that the digital form with which drivers can exercise their right to inspect and to data portability is not easy enough to reach in the driver app, because there are too many steps to go through and the wording of the steps does not intuitively lead to the form. Uber thereby does not sufficiently facilitate the exercise of the aforementioned rights of data subjects and violates Article 12, paragraph 2, GDPR.

    Viewpoint Uber
    Uber indicates that it does not follow from the GDPR, legislative history, case law, guidelines or authoritative commentary exactly how many actions a data subject may have to perform to make a request for access or transfer. This also applies to the AP's argument that the data subject must be able to reach a page intuitively. Based on article 12, second paragraph, Uber has no certain space to determine for yourself how it facilitates the right to access and data portability. The AP further introduces a new standard without substantiation by stating that the form must be “sufficiently easy” to find, according to Uber.

    In the guidelines, the EDPB explains that the transparency obligations can be fulfilled by a “layered information structure”. The drivers may therefore be expected to go through several steps. This is also the benchmark in consumer law. Drivers use the menu in the app every day and a reasonable and average driver will be able to find the form without any effort, even if he has to click through six times. In addition, Uber points out that the drivers app is made for a smartphone with a small screen. Uber wants to prevent drivers from having to scroll through long menus when using the app and therefore chose menu paths.

    Uber then indicates that the AP recognizes that Uber offers several ways to submit an access or transfer request, but according to Uber, the AP wrongly only looked at the ways that Uber offers in the driver app. The AP has also wrongly not taken into account the route that redirects via the driver app to the privacy statement on the website. Uber contradicts the number of steps the AP counted to get to the form: Uber uses a different count and ends up with a lower number of steps.

    Regarding the wording of the various steps, Uber indicates that “more obvious” is not an existing criterion in the GDPR and that it is subjective which route is most obvious. Positioning the form higher under a heading “privacy” is at the expense of other menu options. Since February 2022, Uber has made adjustments to the routes in the driver app to the form, but these adjustments are not included in the research report.


    1 Guidance on transparency in accordance with Regulation (EU) 2016/679






Judgement
In the version of the drivers app assessed in the report, shown schematically, the following steps must be followed to reach the form to submit a request for inspection or data portability: Menu > Help > Account and app issues > Legal concerns > Request your personal Uber data > Submit a privacy inquiry > log in via “Sign in to get help” or “Submit a privacy inquiry without an Uber account”, which takes the driver to the form (route 1).

The report also describes the route via a link that opens the privacy statement on the Uber website, where you can also click on a link to “submit a privacy inquiry” (route 2). In the report this route has not been considered further, because Uber drivers must in any case be facilitated in their rights via the drivers app (and in route 2 the app transfers to the website of Uber).

The research has shown that the main interaction between Uber and drivers takes place via the drivers app. For this reason, the AP is of the opinion that drivers must in any case be facilitated in the drivers app in the exercise of their rights within the meaning of Article 12, second paragraph, GDPR. In accordance with recital 59 of the GDPR, arrangements must be in place to enable the data subject to exercise his rights more easily. This entails that arrangements should be consistent with the ways in which those involved are interacted with. That Uber also offers the driver the possibility to request inspection or data portability through other means does not alter the fact that drivers should in any case be facilitated in the drivers app in the exercise of their rights. The AP is of the opinion that route 2 to the request form has been wrongly left out of consideration in the investigation report, because the fact that the privacy statement on the website is automatically opened via the driver app does not detract from facilitating the making of a request. The routes described in Uber's view that have been introduced in the drivers app since February 2022 are also wrongly not included in the study, because they do fall within the period studied. The route changed by Uber then goes: Menu > Help > legal, ethics and compliance > request your personal Uber data > log in or “Submit a privacy inquiry”, which will take the driver to the form (route 3). Uber has also pointed out in this connection the introduction of the Privacy Center, which was introduced throughout Europe on February 17, 2022. The steps via the Privacy Center are as follows: Account > security and privacy > privacy center > Would you like a copy of your personal data? > log in or “Submit a privacy inquiry without an account”, which takes the driver to the form (route 4). In addition, Uber points to a fifth route via the Privacy Statement.

With regard to the number of steps to be completed in the different routes to reach the request form, the AP considers the following. From recital 59 of the GDPR it follows that, in facilitating, account must be taken of the convenience of the data subject in exercising his rights. The AP


2 Schematically shown: up to “legal concerns” the same route as route 1 > Privacy notice information > Privacy Notice (select the correct language and jurisdiction) and then you arrive at the privacy statement where you can click on a link to “submit a privacy inquiry”.
3 Marginal numbers 30 to 32 of the research report.
4 See also Guidance on transparency in accordance with Regulation (EU) 2016/679, paragraph 55.







    endorses Uber's position that using a layered information structure can, under certain circumstances, make it easier for those involved to find information. This is the case with the driver app, which will often be used on smartphones with a screen of limited size, and in which a relatively large amount of information (on various topics) is offered. At the same time, with a layered information structure, finding information must not be hindered by those involved having to click through unnecessarily often. A balance must therefore be found between the number of actions to be completed and the quantity of information offered per “step”. In addition, the wording of the steps to be completed must be facilitating, so that the person concerned is guided simply and without further ado to the desired request form. Adequate wording of the various steps to the form is indispensable in connection with the facilitation obligation. Placing (the route to) the request form with which drivers can exercise their rights under the GDPR under “Help”, “Account and app issues” or “Account” and “Legal concerns” or “Legal, ethics, and compliance” is not obvious in the opinion of the AP. A direct placement under, for example, “Privacy” is considered by the AP to be simple and without fuss. With regard to routes 1 and 2, the AP considers that the combination of the number of steps to be completed and the wording thereof sets a high threshold for those involved, so that Uber does not sufficiently facilitate its drivers. In the opinion of the AP, this constitutes a violation of Article 12, paragraph 2, of the GDPR.

    The AP also considers that this violation has been terminated since February 17, 2022 by the introduction of the Privacy Center that contains the route 4 described above. By creating a logical place with a clear name, Uber facilitates its drivers in exercising their rights of access and data portability.


4.3 Response to request for inspection: form and language

    The AP has determined that Uber, in response to a request for access, provided information in a CSV file, without Uber providing information about how information from such a file can be displayed in a structured manner. Because Uber does not provide the information in an easily accessible form, it violates Article 12, first paragraph, GDPR. In addition, the AP has determined that Uber violates Article 12, first paragraph, GDPR by providing the guidance notes, in which Uber gives further explanations about the values in the CSV files when providing the information, only in English. This violation affects not only the French drivers, but almost all Uber drivers in Europe.

    Form: view Uber
    Uber states that the GDPR does not specifically prescribe which form meets the standard 'easily accessible' or on the basis of which criteria this can be determined. Also the explanation in the Guidelines⁵ makes the standard not very concrete, and the AP cannot base a violation of the GDPR on those guidelines alone. According to Uber, the AP endorses on its website that the GDPR does not prescribe in which way information should be provided. CSV is just a very suitable file format for the


    5 Guidance on transparency in accordance with Regulation (EU) 2016/679






provision of information, because, unlike for example in a PDF format, further analysis of the data is possible. Uber also states that the 'reasonable and average person involved' should apply as the benchmark, and by this measure, the CSV files that Uber provides are easily accessible. Uber states that CSV is a universal file format and will in principle open automatically on Windows and Apple operating systems in software that can display tables. Even if that is not the case, Uber meets the 'easily accessible' standard because the person involved can then simply adjust the display of the file, possibly after consulting instructions via a search engine. Even when a CSV file is opened in a text file, the information is still easily accessible. By requiring Uber, when providing information in CSV format, to explain how to open a file in many different software applications, the AP introduces a new standard.

Form: assessment

The AP suggests that it does not consider that by providing information in a CSV file can be met with the 'easily accessible' standard from Article 12, first paragraph, GDPR. In the Guidelines, the following is indicated regarding 'easily accessible': 'The element “easily accessible” means that the data subject does not have to search for that information himself; for the data subject it must be immediately clear where and how this information can be found.' When the information is provided in response to a request for access, this relates, for example, to the structure in which the information is offered (such as the use of paragraphs).

In a CSV file, values from a table are stored as lines of text. The values are separated by punctuation marks. When the information from a CSV file is displayed as lines of text and thus unstructured, the form in which the information is presented is not easily accessible. Those involved cannot directly extract the information from this. By using a spreadsheet program, the information from a CSV file can be displayed in tabular form. A CSV file can be opened automatically in tabular form in a spreadsheet program, but this is not always the case, depending on the settings, for example. The files that Uber provided to complainants contain a comma as separator between the values. This is not automatically usable as a list separator in all cases, for example in countries or regions where a comma is also used as a decimal separator (such as the Netherlands and France). No information is provided by Uber regarding how the information from the CSV files can be displayed in a structured manner if the file is not automatically opened in tabular form: the person concerned has to find this out for themselves. Uber has thus not provided the information in an easily accessible form and has violated Article 12, first paragraph, GDPR.


6 Guidance on transparency in accordance with Regulation (EU) 2016/679, paragraph 11
7 Uber has stated in its opinion that it has added an explanation to the guidance note on how CSV files can be opened, and has also added a passage about it to the accompanying email with which Uber sends the CSV files.








Language: viewpoint Uber
By testing whether the guidance notes have been provided in an understandable language, the AP does not, according to Uber, test against the correct standard. Pursuant to Article 12, first paragraph, of the GDPR, the language must be 'clear and simple'. Uber takes the position that the guidance notes have been provided in clear and simple language. Not a good but a fair command of English is sufficient to be able to understand the guidance note. Uber may also assume that the French drivers have a good command of English, because French taxi drivers (and therefore also Uber drivers) are required to have a VTC registration. To do this, an exam must be taken in which, among other things, English is tested at A2 level.

Language: review
Although the research report incorrectly exclusively uses the criterion 'understandable', this does not make the outcome of the assessment different. Based on Article 12, first paragraph, GDPR, information must be provided in clear, simple language. This includes, among other things, that when the controller targets data subjects who speak another language, a translation into that language must be provided. The requirement to use clear and simple language is closely related to comprehensibility. Uber should not assume that the French drivers have sufficient knowledge of English to be able to understand the English guidance note. The fact that French Uber drivers must take an exam for their VTC registration, in which English at level A2 is tested, does not change this, because a bad score on the English part can immediately be compensated by a good score on other exam components. Passing the exam for a VTC registration with good results therefore gives no indication of a command of English.¹¹ Even if this were the case, the AP is of the opinion that command of English at level A2 is insufficient to understand the English guidance note. For reading and understanding a text at A2 level, in accordance with the Common European Framework of Reference for Languages (CEFR)¹², the following standard applies: “I can read very short, simple texts. I can find specific, predictable information in simple, everyday texts such as advertisements, leaflets, menus and timetables and I can understand short, simple, personal letters.” The guidance notes concern a document of 26 pages explaining the various very specific table values, such as telematic data and various device data. This exceeds the level of a very short and simple text as indicated by the CEFR. In this context, the AP also points to the fine that the Swedish supervisory authority (IMY) has imposed on Spotify¹³, including for not providing technical information log files in the language of those involved (but only in English).


8 Guidance on transparency in accordance with Regulation (EU) 2016/679, paragraph 13
9 See Guidelines on Transparency in accordance with Regulation (EU) 2016/679, paragraph 9
10 See Arrêté du 6 avril 2017 relatif aux programmes et à l'évaluation des épreuves des examens d'accès aux professions de conducteur de taxi et de conducteur de voiture de transport avec chauffeur. For the English exam part, at least 4 of the 20 multiple-choice questions must be answered correctly. To pass all seven exam components together, you must achieve at least an average score of 10 out of 20.
11
12pA-2 level.
 Common European Framework of Reference for Languages, Council of Europe
13 Decree of 12 June 2023 with reference DI-2019-6696, see https://www.imy.se/globalassets/dokument/beslut/2023/beslut-tillsyn-spotify.pdf






    The controller must take sufficient measures to ensure that data subjects

    understand the information. Due to the drivers, the guidance notes are only provided in English and not
    in the local languages,Uber has violated article 12, first paragraph,GDPR.


    Since June 29, 2022, Uber has offered guidance notes in several languages, including French.



4.4 Privacy statement: retention periods


    In its response to a request for access, Uber refers to the privacy statement for the retention periods. The investigation report determined that the information provided by Uber in the privacy statement about the retention periods is too general, which means that Uber violates Article 13, second paragraph, under a, and Article 15, first paragraph, GDPR.


    Viewpoint Uber
    Uber indicates that the explanation from the guidelines, that it is insufficient to state that personal data will be kept for as long as necessary for the legitimate purpose of the processing, goes further than the GDPR prescribes. This is at odds with Article 5, first paragraph, under e, of the GDPR, in which the criterion for determining the retention period is formulated in precisely that way. The AP may not base a violation on the Guidelines alone. In addition, on the basis of Article 12, first paragraph, GDPR, information must be presented in a concise and understandable manner. In the case of Uber, as a multinational, there are different retention periods per processing operation, per country, in certain countries per city, and per category of those involved (footnote 16), and those periods are subject to change. Mentioning specific retention periods would result in an expansion of the privacy statement by tens to hundreds of pages. Article 13, second paragraph, under a, GDPR also only prescribes that retention periods must be mentioned if that is possible, which for the aforementioned reason is not the case with Uber. Uber also states that the AP cannot conclude on the basis of the investigation report that there has been a violation of Article 15, first paragraph, GDPR, because the drivers are provided with information in different ways in response to a request for access and this is not included in the report. In addition, the guidelines against which the AP tests are not relevant to Article 15 of the GDPR. In the assessment of the version of the privacy statement of October 15, 2020, the AP wrongly did not include a passage (footnote 17), while according to Uber that passage meets the requirements against which the AP tests.




    14 File document 23: the privacy statement of October 12, 2019 and the privacy statement of September 1, 2021
    15 Guidance on transparency in accordance with Regulation (EU) 2016/679, page 45: explanation of Article 13, second paragraph, under a
    16 For example, drivers, couriers, passengers.
    17 File document 23, p. 25: “Following an account deletion request, Uber deletes the user's account and data, unless they must be retained due to legal or regulatory requirements, for purposes of safety, security, and fraud prevention, or because of an issue relating to the user's account such as an outstanding credit or an unresolved claim or dispute. Because we are subject to legal and regulatory requirements relating to drivers and delivery persons, this generally means that we retain their account and data for a minimum of 7 years after a deletion request. For riders and delivery recipients, their data is generally deleted within 90 days of a deletion request, except where retention is necessary for the above reasons.”






Judgement
In the version of the privacy statement dated 12 November 2019, Uber states that personal data (of drivers) are kept as long as the user has an account. In addition, Uber can store information to the extent necessary for safety, security and fraud prevention purposes, followed by an example. In the version of September 1, 2021, the information about the retention periods indicates, in summary, that Uber retains personal data for as long as necessary for various purposes, followed by a statement that users (including drivers) can request to delete their account, after which the data will be deleted unless they are kept longer for safety, security and fraud prevention purposes or account-related matters. Because Uber is subject to laws and regulations relating to (among other things) drivers, this generally means a retention period of at least seven years for both the account and the data after a request to delete the account, according to Uber's privacy statement.

Pursuant to Article 13, second paragraph, opening words, GDPR, the controller must, when obtaining the data, inform the data subject about the period during which the personal data will be stored or, if that is not possible, the criteria for determining that period. The AP notes that Uber does not state any (concrete) retention periods in both versions of the privacy statement. In the privacy statement of 1 September 2021, Uber mentions a retention period of seven years, but this period is not formulated in sufficiently concrete terms (it concerns only a minimum retention period that applies 'in general', although it is not clear under which circumstances this period may or may not apply) and relates exclusively to those cases in which a request to delete an account has been made. Uber has indicated in its opinion, among other things, that there are many different retention periods. The AP notes that these different retention periods are not mentioned in the privacy statement.

In its opinion, Uber has further indicated that, given the many different retention periods, it is not possible to name all concrete retention periods and that it therefore suffices to mention the criteria for determining the periods. According to Uber, naming all specific retention periods would lead to a pages-long privacy statement, which is in conflict with Article 12, first paragraph, GDPR. The AP agrees that, in the circumstances mentioned, Uber may suffice with mentioning the criteria for determining the retention periods, but notes that the privacy statement does not sufficiently mention these either. Merely stating in general terms that personal data are kept as long as necessary for certain purposes (as Uber does) cannot be equated with naming criteria for determining the retention period. In the opinion of the AP, the obligation to state the criteria for determining the retention period cannot be explained other than that data subjects must be able to determine the retention periods for their data. The information provided by Uber is too general in nature for that. The AP notes that Uber has violated Article 13, second paragraph, opening words and under a, GDPR. Unlike what is stated in the investigation report, the AP sees insufficient basis in the investigation findings to establish a violation of Article 15, first paragraph, opening words and under d, GDPR.










4.5 Privacy statement: transfer

    In its response to a request for access, Uber refers to the privacy statement for information about transfers. The investigation report established that the privacy statement does not mention the countries outside the EEA to which data transfers take place or which specific measures have been taken to this end, as a result of which Uber has violated Article 13, first paragraph, opening words and under f, and Article 15, second paragraph, GDPR.


    Viewpoint Uber
    Uber states that Article 13, first paragraph, opening words and under f, GDPR does not require that the countries of transfer be mentioned. The interpretation of the EDPB in the guidelines (footnote 18), that in accordance with the principle of propriety the information about transfers must be as meaningful as possible, which means that the third countries should generally be named, is incorrect. The principle of propriety has, in view of the opening words, already been filled in in Article 13, second paragraph, GDPR (as the AP understands the opinion: exhaustively filled in) and is therefore not applicable to the first paragraph of Article 13 GDPR. The interpretation of the EDPB is in contradiction with the text and system of Article 13, first and second paragraph, GDPR. In addition, the AP cannot base a violation solely on the guidelines. The Guidelines also only require that in general the third countries should be mentioned, and it is impossible for Uber to determine prior to processing to which specific countries personal data is passed on. Uber would have to include in the privacy statement all 72 countries in which it offers its app; this would not be meaningful or understandable. The same applies to mentioning all protection measures per country. Uber is also of the opinion that, in view of the shared processing responsibility of Uber B.V. and Uber Technologies Inc., there is in this context no transfer of personal data to third countries, because the processing falls within the scope of the GDPR in view of Article 3, first paragraph, GDPR.

    Article 15, second paragraph, GDPR does not require that the countries of transfer be mentioned, and the explanation in the guidelines does not apply to Article 15. Uber also states that the AP cannot conclude on the basis of the investigation report that Article 15, second paragraph, GDPR has been violated, because the drivers are provided with information in various ways in response to a request for access and this is not included in the report. The versions of the privacy statement assessed by the AP more than meet the requirements set out in Article 13, first paragraph, under f, of the GDPR, including because in all versions it was possible to click on 'Standard contractual clauses', after which a web page of the European Commission's standard provisions could be downloaded.

    Finally, Uber states that the AP wrongly did not include the privacy statement of 13 June 2022 in its assessment.


    Judgement
    Article 13, first paragraph, opening words and under f, GDPR requires in the first place that the controller informs data subjects, where appropriate, that the


    18 Guidance on transparency in accordance with Regulation (EU) 2016/679, page 44.






    controller intends to pass on the data to a third country. The AP notes that in the various versions of the privacy statement Uber only mentions that it transfers personal data to a third country or countries. With regard to the applicable safeguards, Article 13, first paragraph, opening words and under f, GDPR requires that it be indicated whether or not there is an adequacy decision of the Commission, or which other appropriate safeguards apply, and how a copy of these can be obtained or where they can be consulted. The requirements that this provision sets for the provision of information are so specific that those involved must be given access to detailed information about the safeguards used to protect their data upon transfer. In the guidelines, the EDPB expresses this by stating that, in accordance with the principle of propriety, the information should be as meaningful as possible. If a data subject wants to be able to learn to which countries his data are transferred, the foregoing entails that the countries of transfer are mentioned. In the various versions of the privacy statement, Uber mentions only in general terms, and without giving definitive information about them, that various guarantees apply (for example in the privacy statement of 1 September 2021: “We do so in order to fulfil our agreements with users, such as our Terms of Use, or based on users' prior consent, adequacy decisions for the relevant countries, or other transfer mechanisms as may be available under applicable law, such as the Standard Contractual Clauses”) and does not indicate how a copy can be obtained or where they can be consulted. This does not give those involved the opportunity to find out which guarantees may be relevant to them and what exactly these guarantees entail (by being able to consult the applicable guarantees). Uber has thus violated Article 13, first paragraph, opening words and under f, GDPR. Contrary to what Uber states in its opinion, the fact that the second paragraph of Article 13 GDPR gives further interpretation to the principle of propriety does not make the principle of propriety from Article 5, first paragraph, under a, GDPR inapplicable to the first paragraph of Article 13 GDPR (footnote 21).

    With regard to Uber's response to a request for access, the AP sees, unlike what is stated in the investigation report, insufficient basis in the investigation findings for a violation of Article 15, second paragraph, GDPR.



4.6 Privacy statement: data portability


    The investigation report found that Uber does not explicitly state the right to data portability in the privacy statement and therefore does not comply with Article 13, second paragraph, opening words and under b, GDPR.




    19 Namely those of 25 May 2018, 12 November 2019, 1 September 2021 and the privacy statement of 13 June 2022 (file document 25).
    20 Guidance on transparency in accordance with Regulation (EU) 2016/679, page 44.
    21 See also recital 60 in the GDPR, in which the principle of propriety is mentioned in connection with obligations under the first paragraph of Article 13 GDPR.







    Viewpoint Uber
    According to Uber, Article 20, first paragraph, GDPR shows that the right to data portability consists of two actions, namely obtaining (from Uber) and transferring (by the person concerned). Uber indicates that the right to data portability is mentioned in the privacy statement, namely as 'receiving data'. Uber also explains in its privacy statement what the right to data portability is, deliberately without using complex terms (such as data portability). The guidelines (footnote 22), which state that a distinction must be made between the right to data portability and other rights, only provide an explanation and the AP cannot base a violation solely on them. Finally, Uber states that the AP wrongly did not include the privacy statement of September 1, 2021 in its assessment.


    Judgement
    Article 13, second paragraph, opening words and under b, GDPR obliges the controller, when obtaining the data, to inform the data subject, among other things, about the right to data portability. The AP notes that in the different versions of the privacy statement Uber does not explicitly mention the right to data portability. The AP does not follow Uber's position that 'receiving data' informs about the right to data portability, because receiving the data processed by Uber can also indicate the right of access under Article 15 of the GDPR. The obligation in Article 13, second paragraph, opening words and under b, GDPR to inform about the right to data portability naturally entails that this right must be named separately and explicitly. This is also explained in the guidelines. By not mentioning the right to data portability separately and explicitly, Uber has violated Article 13, second paragraph, opening words and under b, GDPR.

    As of November 3, 2022, Uber explicitly mentions the right to data portability in its privacy statement. The violation has thus ended.



5. Administrative fine

5.1 View of Uber


    Uber has put forward in its opinion, in summary, that the investigation report does not justify remedial or sanction measures. Uber refers in this regard to the position it has given per violation (from the investigation report). In addition, Uber is of the opinion that the lex certa principle stands in the way of enforcement, because the provisions against which the AP tests Uber in the investigation report are on many points not clear and crystallized and are therefore unforeseeable.


    22 Guidelines on the right to data portability of WP29, pages 15 and 16.
    23 Namely those of May 25, 2018, November 12, 2019 and September 1, 2021.
    24 See also the Guidelines on the right to data portability of WP29, pages 15 and 16.







      According to Uber, a measure also leads to disproportionate consequences for Uber within the meaning of Article 3:4, second paragraph, of the General Administrative Law Act (Awb), because Uber is constantly working on improving its services and has always shown itself willing to work together with the AP. Finally, Uber takes the position that it has wrongly not been given the opportunity to express its views on the content of a proposed sanction decision. The intention to enforce that Uber received from the AP is general and does not give Uber the opportunity to express its view on the amount of the fine, the severity of the violations found and the ultimate substantiation thereof.

5.1.1 Assessment of administrative fine


      Above, the AP concluded that Uber has violated Article 12, first paragraph, GDPR by not providing the information in the CSV files in an easily accessible form and, in addition, by providing the guidance notes only in English. This took place in the period from 25 May 2018 to June 29, 2022. Secondly, Uber has violated Article 12, second paragraph, GDPR because the digital form with which drivers can exercise their right to access and data portability was not easy enough to reach in the driver app. This violation took place in the period from May 25, 2018 to February 17, 2022.

      Thirdly, the information provided by Uber about retention periods in the privacy statement is too general, as a result of which Uber has violated Article 13, second paragraph, opening words and under a, GDPR. Uber has violated Article 13, first paragraph, opening words and under f, GDPR because the information provided about transfer at the end of the privacy statement is incomplete. The AP determines this for the period from 25 May 2018 to the date of the investigation report (30 June 2022).

      Finally, Uber has not explicitly mentioned the right to data portability in the privacy statement, which leads to a violation of Article 13, second paragraph, opening words and under b, GDPR. This took place from May 25, 2018 to November 3, 2022.

      The AP therefore sees reason to use its authority under Article 58, second paragraph, opening words and under i, in conjunction with Article 83 GDPR and Article 14, third paragraph, of the GDPR Implementation Act, to impose an administrative fine on Uber (Uber Technologies Inc. and Uber B.V. together).


5.1.2 Appeal to the lex certa principle

      With regard to Uber's appeal to the lex certa principle, which is laid down in, among other things, Article 49 of the Charter of Fundamental Rights of the EU, the AP considers the following. As the Administrative Jurisdiction Division of the Council of State has considered several times, the lex certa principle requires the legislator, with a view to legal certainty, to describe prohibited conduct in as clear a manner as possible. It should not be lost sight of the fact that the legislator sometimes


      25 See, among others, the rulings of July 9, 2014, ECLI:NL:RVS:2014:2493, and January 16, 2019, ECLI:NL:RVS:2019:109.






      describes prohibited conduct with a certain vagueness, consisting of the use of general terms, in order to prevent conduct that is worthy of punishment from falling outside the scope of that description. This vagueness can be unavoidable, because it is not always possible to foresee how the interests to be protected will be violated in the future and because, if this can be foreseen, the descriptions of prohibited conduct would otherwise become too refined, with the result that clarity disappears and with it the interest of general clarity of legislation suffers damage. In other words, the lex certa principle requires the legislator, with a view to legal certainty, to describe the prohibited conduct as clearly as possible (footnote 26).

      Uber's argument about the lex certa principle focuses on the violations found by the AP with regard to the accessibility of the form for access requests and the form in which information is provided in relation to the CSV files. The AP has taken the view that “easily accessible form” within the meaning of Article 12, first paragraph, GDPR entails that information provided in response to an access request in a structured CSV file must be able to be displayed (if the file does not open automatically), without the person concerned having to figure out how to do this. There is no conflict with the lex certa principle because the text of the provision is sufficiently clear. This is even more true now that the Guidelines (footnote 27) indicate that the element “easily accessible” means that the data subject does not have to search for that information himself; it must be immediately clear to the data subject where and how to find this information. The fact that the concept “easily accessible” from Article 12, first paragraph, GDPR requires an explanation based on the specific circumstances does not mean that an administrative fine imposed for violation of this provision is in conflict with the lex certa principle. With regard to the violation that concerns the accessibility of the form for access requests, there is in the opinion of the AP also no conflict with the lex certa principle. In view of its text, Article 12, second paragraph, of the GDPR requires the controller to facilitate the exercise of the data subject's right of access to his or her data. In the opinion of the AP, this standard is sufficiently clear, insofar as measures by a controller that raise thresholds for the exercise of that right are contrary to it. Due to the combination of the number of steps to be gone through and the wording of them, Uber sets such a high threshold for those involved that Uber does not sufficiently facilitate its drivers in this regard.


5.1.3 Opportunity to provide an opinion


      Regarding Uber's position that it has wrongly not been given the opportunity to submit an opinion on the amount of the fine, the seriousness of the violations found and the final substantiation thereof, the AP considers the following. Neither Article 4:8 nor Article 5:50 Awb (read in conjunction with Articles 5:48 and 5:53 Awb) nor any other provision obliges the AP to comment on these aspects in the intention to impose an administrative fine. It is therefore not the case that Uber was wrongly denied the opportunity to express its views on this. What is stated in the opinion can contribute to the AP's decision to proceed with

      26 Ruling of 26 October 2022, ECLI:NL:RVS:2022:3077.
      27 Guidance on transparency in accordance with Regulation (EU) 2016/679, paragraph 11
      28 CBb 7 May 2019, ECLI:NL:CBB:2019:177







      imposing an administrative fine, after which the AP determines the amount of the fine on the basis of all relevant facts and circumstances known at that time. For this reason, the AP did not comment in its intention on the aspects mentioned by Uber.



 5.2 Systematics for determining the amount of the fine

      The EDPB agreed in the plenary meeting of 24 May 2023 to adopt the Guidelines 04/2022 on the calculation of administrative fines under the GDPR (hereinafter: the Guidelines). The Guidelines are directly applicable because they do not provide for transitional law for procedures that were already underway at the time of approval of the Guidelines. The AP will therefore also apply these Guidelines to this case (footnote 30).

      The Guidelines describe a methodology in which the following is considered successively:

          1. which and how many acts and infringements are under assessment;
          2. which starting amount is the starting point for calculating the fine for this;
          3. whether mitigating or aggravating circumstances exist that require adjustment of the amount from step 2;
          4. what maximum amounts apply to the violations and whether any increases from the previous step do not exceed this amount;
          5. whether the final amount of the calculated fine meets the requirements of effectiveness, deterrence and proportionality, and adjustments where necessary.

      These steps are followed in turn below.



 5.3 Calculation of starting amount


5.3.1 Step 1: Establishing actions and determining infringements


      To determine the starting amount of the fine, it must first be determined, as described in the Guidelines, whether there are one or more sanctionable acts.

      The AP first found that Uber, in response to a request for access from a data subject, did not provide information on how the CSV file can be opened (including how information from the provided CSV file can be displayed in a structured way). The AP also found that Uber did not provide the information about the data in the CSV file (the guidance notes) in the language of those involved, but only in English. As concluded above,

      29 There is currently no Dutch translation of the Guidelines available. The Guidelines can be consulted at https://edpb.europa.eu/our-work-tools/general-guidance/guidelines-recommendations-best-practices_en
      30 See also https://www.autoriteitpersoonsgegevens.nl/actueel/nieuw-boetebeleid-voor-overstromenen-avg.





      both points are in conflict with Uber's obligation, laid down in Article 12, first paragraph, of the GDPR, to inform the data subject in an understandable and easily accessible form and in clear and simple language. In addition, the AP has also established a violation of the second paragraph of Article 12, namely because the digital form with which drivers exercise their right to access and data portability is not easy enough to reach in the driver app.

      The AP further found that Uber's privacy statement was deficient in three areas: i) the information provided by Uber about retention periods was too general in nature for those involved to determine the retention periods for their data; ii) the information did not mention the various safeguards applicable to international transfers of personal data; and iii) the right to data portability was not mentioned separately or expressly. These points are contrary to Article 13, first paragraph, under f, and second paragraph, under a and b, of the GDPR.

      In the opinion of the AP, this case involves two sanctionable acts that can be distinguished from each other (“plurality of action”). The AP first notes that the behaviors take place at a different point in time. Using an inadequate privacy statement takes place on an ongoing basis after publication, while the information in response to a request for access is provided after a driver has made a request for access. Secondly, the behaviors do not necessarily affect the same group of data subjects. Not every driver who consults the privacy statement makes a request for access, and vice versa. Thirdly (and finally), the AP takes into account that the violations can exist independently of each other and have no causal connection with each other. That they are now dealt with together in one decision is because they came to the attention of the AP at the same time.

      Now that Uber has committed sanctionable acts that can be distinguished from each other, both acts can be fined separately. The amounts in the following steps will therefore be determined for both infringements.

5.3.2 Step 2: Determine the starting amount


      As described in the Guidelines, the starting amount of the fine must then be determined. This starting amount forms the starting point for further calculation in later steps, in which all relevant facts and circumstances are taken into account. The Guidelines state that the starting amount is determined on the basis of three elements: i) the categorization of the infringements according to Article 83, fourth to sixth paragraphs, of the GDPR; ii) the seriousness of the infringements; iii) the turnover of the company. All three elements are discussed below.

      Ad i) Categorization of infringements according to Article 83, fourth to sixth paragraphs, of the GDPR

      As stated in the Guidelines, almost all obligations of the controller are categorized in the provisions of Article 83, fourth to sixth paragraphs, of the GDPR. The GDPR makes a







distinction between two types of infringements. On the one hand, the infringements that can be sanctioned on the basis of Article 83, fourth paragraph, of the GDPR, for which a maximum fine of €10 million applies (or in the case of a company, 2% of the annual turnover, if that is higher); on the other hand, the infringements that can be sanctioned pursuant to Article 83, fifth and sixth paragraph, of the GDPR, for which a maximum fine of €20 million applies (or in the case of a company, 4% of the annual turnover, whichever is higher). With this distinction, the legislator has provided for an abstract indication of the seriousness of the infringement: the more serious the infringement, the higher the fine.

For the current violations of Article 12, first and second paragraph, Article 13, second paragraph, opening words and under a, Article 13, first paragraph, opening words and under f, and Article 13, second paragraph, opening words and under b, GDPR, an administrative fine of up to €20,000,000.00 (or in the case of a company, 4% of global annual turnover, whichever is higher) may be imposed. From this categorization it follows that the infringements of these provisions are regarded as serious by the legislator.


Adii)Severityoftheinfringements

To determine the seriousness of the infringement, the Guidelines must be taken into account
with the nature and severity of the infringement, as well as with the intentional or negligent nature of the infringement

and the categories of data involved.

With regard to the nature of the violations, the AP notes that the controller must provide the
data subject with the information that is necessary to ensure proper and transparent processing,
taking into account the specific circumstances and context in which the data are processed. The
right of access, as well as the right to receive understandable and easily accessible information
about the processing of personal data, is necessary to enable data subjects to exercise their
other rights under the GDPR. Providing transparent information within the meaning of Article 12,
first paragraph, GDPR is of great importance for that reason alone. When the rights of data
subjects are not complied with, this affects the right that data subjects have to respect for
their personal privacy and the protection of their personal data. The right of access and the
right to receive understandable and easily accessible information about the processing of data
are, in addition, of importance to data subjects in standing up for or exercising rights other
than those under the GDPR, for example in civil proceedings. That is why it is also important that
data subjects can make use of the aforementioned rights under the GDPR and that no unreasonable
barriers are raised to this.


When assessing the severity of the violations, the AP first weighs the number of (potential) data
subjects. It is known to the AP that during the period of the violations approximately 120,000
Uber drivers were active in Europe.


31 Guidelines 04/2022 on the calculation of administrative fines under the GDPR.
32 Recital 60 in the GDPR.



Secondly, in assessing the severity of the violation, the AP takes into account that, although
Uber has committed the above-mentioned violations of the GDPR, it is not the case that Uber has in
no way complied with its obligations under Article 12, first and second paragraph, Article 13,
second paragraph, opening words and under a, Article 13, first paragraph, opening words and under
f, and Article 13, second paragraph, opening words and under b, GDPR. For example, in its privacy
statement Uber did not fully inform data subjects about the retention periods, but it did provide
some information about them. The same applies to the information about transfers in the privacy
statement: although the AP has found a violation in this respect, it cannot be said that Uber has
completely failed to provide information about transfers. With regard to Uber's response to an
access request, it has not been established that the requirements of Article 12, first paragraph,
GDPR have not been met at all; the violation is limited to the language of the guidance notes and
the accessibility of the CSV files. For both the language of the guidance notes and the
accessibility of the CSV files, it is moreover the case that this violation will not actually have
had consequences for every driver who requested access. The English language of the guidance notes
will not lead to less or no understanding of the content for every driver; for instance, there are
also some Member States where English is the language. In addition, there will also be drivers for
whom CSV files do open automatically in tabular form. Furthermore, the AP has not found that the
violations have resulted in (substantial) damage to data subjects. Furthermore, with regard to the
violation of Article 12, second paragraph, of the GDPR, it is not the case that Uber has made it
entirely impossible for data subjects to exercise their right to access and data portability.

In the opinion of the AP, there was negligence in committing the violations. The AP weighs that
element as “neutral”. With regard to the categories of data involved, the AP has established that
the processing involves location data; these are personal data of a sensitive nature. Furthermore,
the AP takes into account that it may be a challenge for Uber to provide comprehensive information
about the rights of the data subject in a way that is understandable to data subjects, which
entails weighing up how the information can best be displayed. It also appears from the
investigation, and from the information provided by Uber during the opinion phase, that Uber has
taken many measures to improve the procedures for data subjects and to continue improving them.


The duration of the violations, as determined above, covers a significant period, namely the period
from May 25, 2018 to February 17, 2022, June 29, 2022 and November 3, 2022 respectively.

Ad iii) Turnover of the company


The Guidelines prescribe that, from the point of view of fairness, the starting amount of the fine
must be set in relation to the size of the company. The size of the company is determined on the
basis of turnover. For example, for a small company with a turnover of up to €2 million, the
starting amount is as a rule limited to 0.2 to 0.4% of the actual starting amount, and the starting
amount increases as the turnover of the company increases. If a company has a turnover of more
than €500 million, the fine is determined as a percentage of the annual turnover of the company.
As a result, the size and turnover of the company are already factored into the amount of the
fine, so that the starting amount does not need to be adjusted on that basis.

33 See in this connection, among others, CJEU 4 May 2023, ECLI:EU:C:2023:376.


As stated in recital 150 of the GDPR, when a fine is imposed on a company, the term “undertaking”
is to be understood as an undertaking in accordance with Articles 101 and 102 of the Treaty on the
Functioning of the European Union. It follows from established case law of the Court of Justice of
the European Union that an enterprise is “any entity that carries out an economic activity,
regardless of its legal formation and the manner in which it is financed.” So it is the economic
unity of the companies that matters, not the legal entities within it. Different companies or
entities within the same economic unit can therefore together form one company within the meaning
of the aforementioned provisions.


Uber B.V. is indirectly a wholly owned subsidiary of Uber Technologies Inc. They must therefore,
for the application of Article 83 of the GDPR, be counted as part of the same company.


As stated in the Guidelines, the turnover can be determined on the basis of the annual accounts of
the company over the previous financial year. Pursuant to Article 83, fourth to sixth paragraphs,
of the GDPR, the worldwide turnover in the previous financial year is taken into account. Given
that this decision is taken in 2023, the financial year 2022 is used as the basis.

Uber Technologies Inc. has published its annual accounts for 2022 on its website. 35 On page 74 a
consolidated overview of the company is included. It can be noted from this that the global
turnover of the company in 2022 amounts to $ 31.877 billion. This corresponds to € 29.750 billion. 36

Determining the starting amount

Pursuant to Article 83, fifth paragraph, of the GDPR, the fine amounts to a maximum of 4% of the
annual turnover. The annual turnover, as stated, is € 29.750 billion, so that the maximum fine for
each of the violations amounts to € 1.19 billion.

In view of what has been considered under (i) and (ii), the AP takes the position that the level
of seriousness of the infringements must be qualified as “low”. According to the Guidelines, for
infringements at a low level of severity, the starting amount should be determined at a point
between 0 and 10% of the maximum fine. The general rule is that the more serious the infringement
within its own category, the higher the starting amount will be.

The AP is of the opinion that, given the circumstances described, the infringements in question
are of their own accord severity. The starting point for calculating the fine must therefore be
relatively low compared to the starting amount. Taking all the foregoing into account, the AP sets
the starting amount in this case at €5 million for each of the violations (€10 million in total).
That corresponds to 0.42% of the applicable maximum fine.

34 From an annual turnover of €500 million, 4% of the annual turnover is higher than €20 million, so
that this percentage must be taken as the maximum fine (Article 83, fifth paragraph, opening words,
of the GDPR).
35 Consult <https://investor.uber.com/financials/default.aspx>.
36 The exchange rate determined by the ECB on the day of this decision is €0.9333 per US dollar
(compare <https://www.ecb.europa.eu/stats/policy_and_exchange_rates/euro_reference_exchange_rates/html/eurofxref-graph-usd.en.html>).


 5.4 Assessment of mitigating or aggravating circumstances


5.4.1 Step 3: Assess relevant circumstances

      As stated in the Guidelines, it should then be assessed whether the circumstances of the case
      give reason to set the fine higher or lower than the starting amount determined above. The
      circumstances to be taken into account are stated in Article 83, second paragraph, opening
      words and under a to k, of the GDPR. The circumstances stated in that provision may each be
      considered only once. In the previous step, the nature, weight and duration of the
      infringement (part a), the intentional or negligent nature of the infringement (part b) and
      the categories of personal data (part g) have already been taken into account. Therefore,
      parts c to f and h to k remain.

      The only applicable circumstance is the manner in which the AP became aware of the
      infringement, in particular whether, and if so to what extent, the controller has reported
      the infringement (part h). In this case, Uber did not report the infringements itself; they
      came to the knowledge of the AP through complaints. This is, however, assessed as “neutral”
      according to the Guidelines and therefore has no consequences for the amount of the fine to
      be imposed.

      The other circumstances are not at issue in this case because the situations they refer to
      do not occur in this case.


 5.5 Determining the amount of the fine


      In paragraph 5.3.2 a starting amount of €5 million has been determined for each of the
      violations. In paragraph 5.4.1 it has been concluded that the only circumstance that can be
      taken into further consideration must be assessed as neutral. The conclusion is therefore
      that the fine must be set at €5 million for each of the two violations (€10 million in total).


5.5.1 Step 4: Check whether the maximum amounts applicable to the infringements are exceeded

      As mentioned, the violations found are, also taking into account Uber's turnover, subject to
      a maximum fine of 4% of the worldwide annual turnover of the company. Considering the
      turnover of Uber (€29.750 billion), the legal maximum of the fine to be imposed is €1.19
      billion per offence.

      Above, the fine amount for the violations found is set at €5 million per violation. This is
      well below the legal maximum, so that the maximum is not exceeded.


5.5.2 Step 5: Assessment of effectiveness, proportionality and deterrence requirements

      Finally, the AP assesses whether the fine is effective, proportionate and deterrent. Pursuant
      to Article 49, third paragraph, of the Charter of Fundamental Rights of the EU and Articles
      3:4 and 5:46, second paragraph, of the Awb, the imposition of the administrative fine may
      not, given the circumstances of the specific case, lead to a disproportionate outcome.

      Pursuant to Article 83, fifth paragraph, opening words and under b, GDPR, the AP may impose
      an administrative fine for the above violations. As described in the Guidelines, a fine can
      be considered effective if it achieves the purpose for which it was imposed. The aim may be
      to punish unlawful conduct on the one hand and to promote compliance with the applicable
      regulations on the other. Given the nature, severity and duration of the infringement, as
      well as the other factors from Article 83, second paragraph, GDPR as assessed in paragraphs
      5.3.2 and 5.4 of this decision, the AP is of the opinion that by imposing an administrative
      fine under these circumstances both goals are achieved and that the fine is therefore
      effective and deterrent. The AP also considers the amount of the administrative fine, which
      is partly determined on the basis of Uber's turnover, effective and deterrent.


      The AP expects the fine to be proportionate to the seriousness of the violations and the size
      of the company. Uber has indicated in its opinion that imposing a measure would lead to
      disproportionate consequences for Uber, because Uber is constantly working on improving its
      services and has at all times shown that it is willing to work together with the AP. The AP
      does not see this as a reason to regard the fine as disproportionate. After all, both
      compliance with the provisions of the GDPR and cooperation with the AP in the exercise of
      its powers are legally required. In the opinion of the AP, no special circumstances have
      occurred in this context such that the fine would not be proportionate for the reasons
      mentioned by Uber.























6. Dictum

    Fine

    The AP imposes on Uber B.V. and Uber Technologies Inc. jointly, for violation of Articles 12,
    first and second paragraph, and Article 13, first paragraph, opening words and under f, and
    second paragraph, opening words and under a and b, of the GDPR, an administrative fine in the
    amount of €10,000,000.00 (in words: ten million euros). 37


    Yours faithfully,
    Dutch Data Protection Authority,




    Mr. A. Wolfsen
    Chair



    Remedies clause
    If you do not agree with this decision, you can submit an objection, digitally or on paper, to
    the Dutch Data Protection Authority within six weeks after the date of dispatch of the decision.

    Pursuant to Article 38 of the GDPR Implementation Act, submitting an objection suspends the
    effect of the decision to impose the administrative fine. State at least in your objection letter:

         your name and address;

         the date of your objection;
         the reference mentioned in this letter (case number), or attach a copy of this decision;
         the reason(s) why you do not agree with this decision;

         your signature.

    You can submit the objection letter digitally via the website. Go to www.autoriteitpersoonsgegevens.nl,
    and at the bottom of the page, under the heading “Contact”, click on the link “Objection against a decision of the

    AP”. From there you use the “Submit an objection” form.

    Would you rather send the notice of objection by post? You can do so to the following address:

       Dutch Data Protection Authority

       Directorate of Legal Affairs & Legislative Advice, Objections department
       PO Box 93374
       2509 AJ DEN HAAG


    37 The AP will hand over the claim to the Central Judicial Collection Agency (CJIB).



