AP (The Netherlands) - Decision of 11 December 2023 imposing administrative fine on Uber
From GDPRhub
| AP - Decision of 11 December 2023 imposing administrative fine on Uber | |
|---|---|
 | |
| Authority: | AP (The Netherlands) |
| Jurisdiction: | Netherlands |
| Relevant Law: | Article 12(1) GDPR Article 12(2) GDPR Article 13(1)(f) GDPR Article 13(2)(a) GDPR Article 13(2)(b) GDPR Article 15(1)(d) GDPR Article 15(2) GDPR Article 56 GDPR Article 60 GDPR Article 83 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 12.06.2020 |
| Decided: | 11.12.2023 |
| Published: | 31.01.2024 |
| Fine: | 10,000,000 EUR |
| Parties: | Uber Technologies Inc. and Uber B.V. Ligue des droits de l'Homme (LDH) |
| National Case Number/Name: | Decision of 11 December 2023 imposing administrative fine on Uber |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Dutch |
| Original Source: | autoriteitpersoonsgegevens.nl (in NL) |
| Initial Contributor: | co |
The Dutch DPA, in the context of an Article 60 GDPR decision, issued a fine in the amount of €10,000,000 on Uber for a lack of transparency in its privacy policy and for failing to allow data subjects to exercise their rights in an accessible manner, in violation of several GDPR provisions.
English Summary
Facts
The French human rights organisation Ligue des droits de l'Homme (LDH) filed a complaint with the French DPA (Commission Nationale de l'Informatique et des Libertés, CNIL), on behalf of 172 Uber drivers against Uber B.V. and its US-based parent company Uber Technologies Inc., as joint controllers. The drivers, as data subjects, were complaining about the lack of information provided by the controllers (hereinafter Uber) in violation of Articles 12, 13 and 15 GDPR and the limited accessibility to the form used to exercise their rights under the GDPR.
The CNIL then forwarded the complaint to the Dutch DPA (Autoriteit Persoonsgegevens, AP) as lead supervisory authority in the case according to Article 56 GDPR and initiated an Article 60 GDPR procedure. In the course of its investigations, the AP found several violations related to transparency and issued a report which it forwarded to Uber to submit its views.
Holding
Upon hearing the views of the controller and of the concerned supervisory authorities in the case, the AP issued its final decision on 11 December 2023.
First of all, the AP assessed the accessibility of Uber’s form for access requests and for exercising other data subjects' rights under the GDPR. In this respect, the AP found that the form available in the Uber app is not sufficiently easily accessible as it involves too many non-intuitive steps, contrary to the provision in Article 12(2) GDPR. This was also reinforced by the fact that, according to the investigations, the Uber app is the primary means of communication between Uber and its drivers, hence, at least there, the exercise of their rights should be facilitated. The AP clarified that a layered information structure can be used in such forms but there has to be a fair balance between the number of steps to be completed and the amount of information included in each step and on top of that, the steps should have clear and intuitive names. Using the steps named "Help", "Account and app issues" or "Account" and "Legal concerns" or "Legal, ethics, and compliance" to reach the form allowing drivers to exercise their GDPR rights cannot be considered obvious in the AP's view; putting it under "Privacy" would have been more intuitive and easy. Hence, the AP found a violation of Article 12(2) GDPR.
As regards the language of the form, the AP found that Uber provides information in a CSV file in response to access requests, without adding any guidance on how the information from such a file can be structured and interpreted. This, according to the AP and read in light of paragraph 11 of the EDPB Guidelines on Transparency under Regulation 2016/679, cannot be considered an easily accessible form as data subject would have to find the information themselves. In addition, the AP found that, after adding guidance on how to open and read the CSV files, Uber only provided such information in English. Since Uber offers services in many EU countries, not only in France, this negatively affects virtually all Uber drivers in Europe as it cannot be considered “clear and simple” language under Article 12(1) GDPR. Accordingly, the AP held that Uber failed to provide information in an easily accessible form, using clear and plain language, thereby violating Article 12(1) GDPR.
Further, the AP assessed the privacy policy of Uber first as regards retention periods, secondly with respect to transfers of personal data to third countries and lastly with respect to data portability. First, the AP held that Uber provided too general information regarding retention periods by merely stating that data will be stored for “as long as necessary”. In the AP’s view, it is true that mentioning all different retention periods would have resulted in an overly long privacy policy, but Uber should have at least indicated the criteria used to determine retention periods. Hence, the AP held that Uber violated Article 13(2)(a) GDPR and Article 15(1)(d) GDPR. Secondly, as regards transfers of personal data, the AP found that, by not mentioning the third countries to which personal data may be transferred nor the safeguards in place and where they can be accessed, Uber acted in violation of Article 13(1)(f) GDPR and Article 15(2) GDPR interpreted also in light of the above mentioned EDPB Guidelines. Thirdly, the privacy policy of Uber did not contain any reference to the possibility to exercise one’s right to data portability, thereby violating Article 13(2)(b) GDPR.
In light of the above, in accordance with Article 58(2)(i) GDPR and Article 83 GPDR, the AP considered it appropriate to impose an administrative fine against Uber. In the calculation of the fine, the AP took several facts into account as well as the EDPB Guidelines 04/2022 on the calculation of administrative fines under the GDPR. In the AP's view, this case involves two distinct sanctionable conducts ("plurality of action"), namely the failure to provide sufficient information in the privacy policy, which is a continuous conduct and the violations found with respect to the form for exercising one’s rights, which occurs only when a request is made. Hence, according to the AP, the violations are independent form one another and should be fined separately.
Taking into account mitigating factors, such as the fact that following the AP report issued by the AP in May 2022, Uber remedied some of the violations and considering the annual global turnover of Uber, the AP classified the gravity of the infringements as low and no substantive damage having been cause and decided to issue a fine in the amount of €5,000,000 for each offence, amounting to a total fine of €10,000,000 on Uber.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Dutch Data Protection Authority
PO Box93374,2509AJTheHague
Bezuidenhoutseweg30,2594AVTheHague
T0708888500-F0708888501
autoriteitpersoonsgegevens.nl
Confidential/Registered
Date Unmarked
December 11, 2023
Contact
Subject
Decision to impose an administrative fine on Uber
Dear ,
The Dutch Data Protection Authority (hereinafter: AP) is of the opinion that UberTechnologies Inc. and UberB.V.
(hereinafter collectively: Uber) has committed a number of violations of the General Data Protection Regulation
(AVG) has committed to transparency. It concerns the English language only
offering the guidance notes to drivers and it not in an easily accessible form
providing information in response to a request for access, which is contrary to Article 12, first paragraph, of the
GDPR. In addition, there is a digital form with which drivers exercise their right to inspect
being able to exercise data portability, not easy enough to reach in the driver app,
which is contrary to Article 12, second paragraph, of the GDPR. The information about the retention periods is also
the privacy statement is not sufficiently specific (Article 13, second paragraph, opening paragraph and Article 15, first
paragraph, subsection d, of the GDPR) and the information about transfers is not complete and meaning is sufficient (article
13, first paragraph, opening paragraph, subparagraph f, of the GDPR). Finally, in the privacy statement, Uber has the right to
data portability is not explicitly mentioned (Article 13(2)(b) of the GDPR).
For the commission of these violations, the AP jointly reports to Uber Technologies Inc. and Uber B.V.
administrative fines totaling €10,000,000.00.
1 Date Unmarked
December 11, 2023
1. Background investigation
Uber is an internationally operating company that, among other things, acts as an intermediary between
taxi drivers and passengers. Passengers use the general Uber App (for mobile
phones) or possibly a browser, drivers use the UberDriver App (hereinafter:
driver app).
To use the drivers app, creating an account for drivers is mandatory.
After a ride, drivers are assessed by their customers and paid by Uber for the delivered goods
services.
Uber has set up a digital form, which is accessible via the Uber website and via the drivers -
app, which drivers can use to request data portability with
regarding their personal data.Uber has also drawn up a privacy statement,
with which Uber provides insight into the processing of data by Uber.
On June 12, 2020, the Commission Nationaledel 'InformatiqueetdesLibertés (CNIL) filed a complaint
received from the French non-governmental organization LigueDesDroitsDeL'hommeEtDuCitoyen
(LDH) on behalf of 21 Uber drivers. Along the way, 151 Uber drivers have filed a complaint
connected, so that it serves on behalf of 172 complainants. On September 29, 2020, the LDHeen
additional complaint submitted to the CNIL. The complaints were forwarded by the CNIL to the AP, after which
the International Research Department of the AP has started an investigation and prepared a report.
2. Findings research report
The report found 5 violations with regard to transparency, namely:
1) The digital form with which a request for access can be made is not easy enough
accessible in the driver app (art. 12, paragraph 2, GDPR).
2) Uber does not provide a copy of the personal data in response to a request for access
easily accessible form, the guidance notes are not in one for (French)
driver understandable language (English) (art 12, paragraph 1, GDPR).
3) Uber does not provide sufficient specific information about the privacy statement
retention periods (art. 13, paragraph 2, a, GDPR, art. 15, paragraph 1, a and GDPR).
4) Uber does not specifically mention the names of the countries through which data is transferred in the privacy statement
data is also not transferred to the specific protection measures (art. 13, paragraph 1, f,
AVGenart.15, paragraph 2, GDPR).
5) Uber does not explicitly mention the right to data portability/data portability in it
privacy statement (art.13,2,b,GDPR).
2/23 Date Unmarked
December 11, 2023
The International Research Department has concluded in the research report that Uber
has committed the above violations from 25 May 2018 until the date of establishment of the
research report (June 30, 2022). On July 8, 2022, the research reports are intended to
enforcement sent to Uber.Uber submitted its written opinion by letter dated 15 September 2022
given the investigation reports the intention to enforce. On January 12, 2023, Uber announced its
This view has been orally explained. A report has been drawn up (appendix to this decision).
In accordance with Article 60 of the GDPR, the AP has submitted the draft decision to the supervisory authorities concerned
submitted.
3. Legal framework
The AP refers to the appendix to this decision, which contains the legal framework.
4. Assessment
4.1 Controller and authorityAP
Uber B.V. is the Dutch branch of Uber, Uber Technologies Inc. is located in the United States
andistheparentcompanyof,among others,UberB.V.JointsettingUberB.V.andUber
Technologies Inc. the purpose and means of processing data of the Uber
drivers in the European Economic Area (EEA). The (French) drivers have a
agreement withUberB.V.For requests regarding the rights of the data subject is roughly
distribution that Uber B.V. is responsible for the assessment of such requests and that Uber
TechnologiesInc.providesthetechnicalresourcesanddata.UberTechnologiesInc.isalso
the publisher of the drivers app.
In Uber's privacy statement, UberB.V. and UberTechnologies Inc. are also noted as
joint controller.The joint
processing responsibility is not disputed by Uber.
Uber offers its services in several Member States of the EU and processes Uber for these services
personal data. This means that data subjects have significant consequences in more than one Member State
experience of the processing of data by Uber. This is the case
cross-border processing (article 4, preambles under 23, suba and b, GDPR). Because the central
administration ofUber in the EEA is located atUberB.V,UberB.V.is regarded as the head office
within the meaning of article 4, opening words under 16, GDPR. The AP is competent to act as leading
supervisory authority (Article 56, first paragraph, GDPR).
3/23 Date Unattribute
December 11, 2023
4.2 Accessibility form for inspection requests
The investigation report established that the digital form with which drivers exercise their right to inspect
and being able to exercise data portability is not easy enough to reach in the
driver app because there are too many steps to go through and wording of the steps
does not intuitively lead to the form. Uber hereby facilitates the exercise of the aforementioned rights
data subjects are not sufficient and violates Article 12, paragraph 2, GDPR.
ViewpointUber
Uber indicates that the GDPR, legislative history, case law, guidelines and directives are not applicable
authoritative commentary follows exactly how many actions a person concerned is allowed to perform
request for access or transfer. This also applies to the argument from the AP date and the person concerned
intuition must be able to reach a page. Based on article 12, second paragraph, Uber has no certain
space to determine for yourself how it facilitates the right to access and data portability. TheAP
further introduces a new standard without substantiation by stating that the form is “sufficient
“must be easy” to find, according to Uber.
In the guidelines, the EDPB explains the transparency obligations so that they can be fulfilled by
“layered information structure”. The drivers may therefore be expected to have several
going through the steps. This is also the benchmark in consumer law. Drivers use it every day
from the menu in the app and a reasonable and average driver will be able to do this without any effort
to find the form, even if he has to click through it six times. In addition, Uberer points out that
drivers app is made for a smartphone with a small screen. Uber wants to prevent drivers
When using the app, I had to scroll through long menus and therefore chose menu paths.
Uber then indicates that the AP recognizes that Uber offers several ways to view or
to submit a transfer request, but according to Uber, the AP wrongly only looked at the
ways that Uber offers in the driver app. The AP has also wrongly used the route that via the
driver app redirects to the privacy statement on the website not taken into account. Uber
contradictsthenumberofstepstheAPcountedtogettotheform:Uberusesone
other counts ends up with a lower number of steps out.
Regarding the wording of the various steps, Uber indicates that “more obvious
lying” is not an existing criterion in the AV and it is subjective which route is most obvious
is.Positioning the form higher under a heading “privacy” is at the expense of others
menu options. Since February 2022, Uber has made adjustments to the routes in the driver app
to the form, but these adjustments are not included in the research report.
1Guidance on transparency in accordance with Regulation (EU) 2016/679
4/23Date Unattribute
December 11, 2023
Judgement
In the report assessed, the version of the drivers app must be shown schematically
The following steps are followed to reach the form for a request for inspection
submit data portability:Menu>Help>Accountandappissues>Legalconcerns>
RequestyourpersonalUberdata>Submitaprivacyinquiry>log in via “Signintogethelp” or “Submita
privacyinquirywithoutanUberaccount” which takes the driver to the form (route1).
The report also describes the route via a link in the privacy statement on the Uber website
opens, where you can also click on a link to “submitaprivacyinquiry” (route2). In the report
This route has not been considered further, because Uber drivers are in any case within their rights
must be facilitated via the drivers app (and in route 2 the app transfers to the website of
Uber).
The research has shown that the main interaction between Uber drivers takes place via
the drivers app. For this reason, the AP is of the opinion that in every case in the drivers app
drivers must be facilitated in the exercise of their rights within the meaning of Article 12, second
member, GDPR. In accordance with recital 59 of the GDPR, arrangements must be in place to
to enable the data subject to exercise his rights more easily. This entails that
arrangements should be consistent with the ways in which those involved are interacted with. DatUber
also offers the possibility to the driver through other means to request inspection
data portability does not alter the fact that drivers are in any case
drivers should be facilitated in the exercise of their rights. The AP is of the opinion
that route 2 to the request form in the investigation report has been wrongly left out of consideration
left because the privacy statement on the website is automatically opened via the driver app
this does not detract from facilitating the making of a request.Uber's view
Described routes that have been introduced in the drivers app since February 2022 are also
wrongly not included in the study because they do fall within the period studied
then go the route changed by Uber: Menu>Help>legal,ethicsandcompliance>requestyour
personalUberdata>log in or “Submitaprivacyinquirywhich will take the driver to the form
(route3).Uber has also pointed out in this connection the introduction of the Privacy Center on
February 17, 2022 has been introduced throughout Europe. The steps via the Privacy Center are as follows: Account
>securityandprivacy>privacycenter>Wouldyoulikeacopyofyourpersonaldata?>loginor“Submit
aprivacyinquirywithoutanaccount” which takes the driver to the form (route4). Next to it
points Uber to a fifth route via the Privacy Statement.
With regard to the number of steps to be completed in the different routes to complete the request form
To achieve this, the AP considers the following. From consideration 59 in the AVG, this follows in facilitating the account
must be taken into account for the convenience of the data subject in exercising his rights. The AP
2 Schematically shown: up to “legalconcerns” the same route as route 1>Privacynoticeinformation>PrivacyNotice
(select the correct language and jurisdiction) and then you arrive at the privacy statement where you can click on a link to
“submitaprivacyinquiry”.
3 Marginal numbers 30 to 32 of the research report.
4See alsoGuidance on transparency in accordance with Regulation (EU) 2016/679, paragraph 55.
5/23 Date Unattribute
December 11, 2023
endorses Uber's position that using a layered information structure is necessary to find it
information for those involved can make it easier under certain circumstances. This is it
case with the driver app that will often be used on smartphones with a screen
limited format, and in which a relatively large amount of information (on various topics) is offered.
At the same time, a layered information structure must be able to find information through
those involved are not hindered by having to click through unnecessarily often. Erzalduseen
balance must be found between the number of actions to be completed and the quantity
information offered per “step”. In addition, the wording of the steps to be completed
to be facilitating, which brings the person concerned to it simply and without further ado
desiredrequestformshouldbeguided.Adequatewordingofthevarious
steps to the form are indispensable in connection with the facilitation obligation. Placing (the route
to)the request form with which drivers can exercise their rights under the GDPR
under “Help”, “Accountandappissues”or“Account”and“Legalconcerns”or“Legal,ethics,and
compliance” is not obvious in the opinion of the AP. A direct placement under
for example, “Privacy” considers the AP simple and without fuss. The AP is related to routes 1 and 2
considers that the combination of the number of steps to be completed and the wording of such
setting a high threshold for those involved, so that Uber does not sufficiently facilitate its drivers.
In the opinion of the AP, this constitutes a violation of Article 12, paragraph 2, of the GDPR.
The AP also considers that this violation has been terminated since February 17, 2022 by the
introduction of the Privacy Center that contains the route 4 described above. By creating a
logical place with a clear name, Uber facilitates its drivers in exercising their rights
access and data portability.
4.3 Response to request for inspection: formal language
The AP has determined that Uber, in response to a request for access, provided information in a CSV file,
without Uber providing information about how information from such a file can be structured
are displayed. Because Uber does not provide the information in an easily accessible form,
it violates Article 12, first paragraph, GDPR. In addition, the AP has determined that Uber Article 12, first paragraph,
GDPR violates through the guidance notes, in which Uber provides further explanations when providing the information
indicates about the values in the CSV files, only in English. This violation touches
not only the French drivers, but almost all Uber drivers in Europe.
Form: viewUber
Uber states that the GDPR does not specifically prescribe which form meets the 'easy' standard
5
accessible' or on the basis of which criteria this can be determined. Also the explanation in the Guidelines
makes the standard not very concrete, and the AP cannot base a violation of the GDPR on that alone
guidelines. According to Uber on its website, the AP endorses that the GDPR does not prescribe which
wayinformationshouldbeprovided.CSVisjustaverysuitablefileformatforthe
5Guidance on transparency in accordance with Regulation (EU) 2016/679
6/23Date Unattribute
December 11, 2023
provision of information, because, unlike for example in a PDF format, further analysis
of the data is possible. Uber also states that the 'reasonable and average person involved' is the benchmark
should apply, and by this measure, the CSV files that Uber provides are easily accessible.
Uber states that CSV is a universal file format and is used by Windows operating systems
and Apple will basically open automatically in software that can display tables. Also like that
If not, Uber meets the 'easily accessible' standard because the person involved then simply
display of the file can be adjusted, possibly after consulting a search engine
instructions. Even when a CSV file is open in a text file, the information is still there
easily accessible. By requiring Uber to provide information in CSV
format explains how to open a file in many different software applications,
theAP introduces a new standard.
Form: assessment
The AP suggests that it does not consider that by providing information in a CSV file
can be met with the 'easily accessible' standard from Article 12, first paragraph, GDPR.Inde
Guidelines indicate the following regarding 'easily accessible': 'The element 'easy
accessible” means that the data subject does not have to search for that information himself; for the data subject
it must be immediately clear where and how this information can be found.' When the information is provided
In response to a request for access, this relates, for example, to the structure in which the information is contained
offered (such as the use of paragraphs).
In a CSV file, values from a table are stored as lines of text. The values are separated
through punctuation marks. When the information from a CSV file as lines of text and with that in mind
is displayed unstructured, the form in which the information is presented is not
easily accessible. Those involved cannot directly abstract the information from this. By a
Using a spreadsheet program, the information from a CSV file can be displayed in tabular form
displayed. A CSV file can be automatically opened in tabular form and
spreadsheet program, but this is not always the case, depending on the settings, for example. The
files that Uber provided to complainants contain a commal separator between them
values. This is not automatically usable as a list separator in all cases, for example in countries
or regions where a comma is also used as a decimal separator (such as the Netherlands
France).No information is provided byUbergregardingtheinformationfromtheCSVfiles
structuredcanbedisplayedifthefileisnotautomaticallyopenedintabularform:
the person concerned has to find this out for themselves. Uber has the information so it is not easy
accessible form and has violated Article 12, first paragraph, GDPR.
6Guidance on transparency in accordance with Regulation (EU) 2016/679, paragraph 11
7Uber has stated in its opinion that it has added an explanation to the guidance note on how CSV files can be
be opened, and also add a passage about it to the accompanying email containing UberCSV files
sends.
7/23Date Unattribute
December 11, 2023
Language:viewpointUber
By testing whether the guidance notes have been provided in an understandable language, the AP does not test, according to Uber
to the correct standard. Pursuant to Article 12, first paragraph, of the GDPR, the language must be 'clear
simple'. Uber takes the position that the guidance notes are in a clearly simple language
have been provided. Not a good but a fair command of English is sufficient for the guidance
noteto be able to understand.Uber skinny also assume that the French drivers are good
have a command of English, because French taxi drivers (and therefore also Uber drivers) are required
must have a VTC registration. To do this, an exam must be taken in which, among other things, the
English is tested at A2 level.
Language:review
Although the research report incorrectly exclusively uses the criterion 'understandable',
This is not different from the outcome of the assessment. Based on Article 12, first paragraph, GDPR, information must be provided
are provided in clear, simple language. This includes, among other things, when
the controller is aimed at data subjects who speak another language, including a translation
language must be provided. The requirement to use clear and simple language is narrow
related to comprehensibility. Uber should not assume that the French drivers have sufficient knowledge
ofEnglishto be able tounderstand theEnglishguidancenote.ThefactthatFrenchUber-
drivers must take an exam for their VTC registration, which includes English
level A2 is tested and this does not change this, because a bad score on the English part immediately
a good score on other exam components can be compensated. Pass it off with good results
the exam for a VTC registration therefore gives no indication of a command of English. 11
Even if this were the case, the AP is of the opinion that command of English is at level A2
insufficienttounderstandtheEnglishguidancenote.Toreadandunderstandatexton
12
A2 level, in accordance with the Common European Framework of Reference for Languages (CEFR), the
following standard: “I can read very short, simple texts. I can read specific, predictable information
find it in simple, everyday texts such as advertisements, leaflets, menus and timetables and I can
understand short, simple, personal letters.” The guidance notes concern a document of 26
pages explaining the various very specific table values, such as telematic data and
various device data. This exceeds the level of a very short and simple text such as
indicated by the CEFR. In this context, the AP also points to the fine imposed by the Swedish supervisory authority
13
authority (IMY) has imposed on Spotify, including for not providing technical information
log files in the language of those involved (but only in English).
8Guidance on transparency in accordance with Regulation (EU) 2016/679, paragraph 13
9See Guidelines on Transparency in accordance with Regulation (EU) 2016/679, paragraph 9
1See Arrêtédu6avril2017relatifauxprogrammesetàl'évaluationdesépreuvesdesonderzoeksd'accèsauxprofessionsdeconducteur
thetaxiettheconductorthevoiturethetransportavecdriver.FortheEnglishexampartyoumustatleast4ofthe20
multiple-choice questions must be answered correctly. To pass all seven exam components together, you must achieve at least an average
score of 10 out of 20.
11
12pA-2 level.
CommonEuropeanFrameworkofReferenceforLanguages,CouncilofEurope
1 Decree of 12 June 2023 with reference DI-2019-6696, see https://www.imy.se/globalassets/dokument/beslut/2023/beslut-tillsyn-
spotify.pdf
8/23 Date Unmarked
December 11, 2023
The controller must take sufficient measures to ensure that data subjects
understand the information. Due to the drivers, the guidance notes are only provided in English and not
in the local languages,Uber has violated article 12, first paragraph,GDPR.
Since June 29, 2022, Uber has offered guidance notes in several languages, including French.
4.4 Privacy statement: retention periods
In its response to a request for access, Uber refers to the privacy statement for the retention periods
the investigation report has determined that the information provided by Uber in the privacy statement about
the retention periods and in general, which means that Uber Article 13, second paragraph, under a, and Article 15, first paragraph,
violates GDPR.
ViewpointUber
Uber indicates that the explanation from the guidelines is insufficient to explain that
personal data will be kept for as long as necessary for the legitimate purpose of the processing
goes further than the GDPR prescribes. This is at odds with Article 5, first paragraph, sube, of the GDPR in which it
criterion for determining the retention period precisely as formulated by the AP may not constitute a violation
not base on the Guidelines alone. In addition, information must be provided on the basis of Article 12, first paragraph, GDPR
are presented in a concise and understandable manner. In the case of Uber, we speak of this as a multinational
different retention periods per processing per country, in certain countries per city, per category of
16
those involved and those deadlines are subject to change. Mentioning specific ones
retention periods would result in an expansion of the privacy statement by tens to hundreds
pages. Article 13, second paragraph, under a, GDPR also only writes before that retention periods must be
mentioned if that is possible, which for the aforementioned reason is not the case with Uber. Uber also states that the AP
based on the investigation report, it cannot be concluded that there has been a violation of Article 15, first paragraph, GDPR,
because the drivers receive information in different ways in response to a request for access
provided and is not included in the report. In addition, the guidelines against which the AP tests are included
not relevant to article 15 of the GDPR. In the assessment of the version of the privacy statement of
17
October 15, 2020, the AP wrongly did not include a passage in the assessment, while it
passage according to Uber meets the requirements that the AP tests.
14 File document 23: the privacy statement of October 12, 2019 and the privacy statement of September 1, 2021
15Guidance on transparency in accordance with Regulation (EU) 2016/679, page 45: explanation of Article 13, second paragraph undera
16G.
17For example, drivers, couriers, passengers.
File document 23, p.25: “Followinganaccountdeletionrequest,Uberdeletestheuser'saccountanddata,unlesstheymustbe
retainedduetolegalorregulatoryrequirements,forpurposesofsafety,security,andfraudprevention,orbecauseofanissuerelating
totheuser'saccountsuchasanoutstandingcreditoranunresolvedclaimordispute.Becausewearesubjecttolegalandregulatory
requirementsrelatingtodriversanddeliverypersons,thisgenerallymeansthatweretaintheiraccountanddataforaminimumof7
yearsafteradeletionrequest.Forridersanddeliveryrecipients,theirdataisgenerallydeletedwithin90daysofadeletionrequest,
exceptwhereretentionisnecessaryfortheabovereasons.”
9/23Date Unmarked
December 11, 2023
Judgement
In the version of the privacy statement dated 12 November 2019, Uber states that personal data (of
drivers) are kept as long as the user has an account. In addition, Uber information can be stored
store to the extent necessary for safety, security and fraud prevention purposes,
followed by an example.In the version of September 1, 2021, the information about the
In summary, retention periods indicate that Uber retains personal data for as long as necessary
for various purposes, followed by a statement that users (including drivers) can
request to delete their account, after which the data will be deleted unless they do so
kept longer for safety, security and fraud prevention purposes or account-related matters
because Uber is subject to laws and regulations relating to (among other things) drivers,
This generally means a retention period of at least seven years for both the account and the account
data after a request to delete the account, according to Uber's privacy statement.
Pursuant to Article 13, second paragraph, opening paragraph, GDPR, the controller must:
When obtaining the data, inform the data subject about the period during which the
personal data will be stored, or if that is not possible, the criteria for determining it
term. The AP notes that Uber does not provide any (concrete) information in both versions of the privacy statement
In the privacy statement of 1 September 2021, Uber mentions retention periods.
retention period of seven years, but this period is not formulated in sufficient concrete terms (this concerns
only minimum retention periods apply 'in general', although it is not clear under which
circumstances, this period may or may not apply) and relates exclusively to those cases
in which a request to delete an account has been made. Uber has, among other things, its opinion
indicated that there are many different retention periods. The AP notes that these
different retention periods are not mentioned in the privacy statement.
In its opinion, Uber has further indicated that, given the many different retention periods,
it is not possible to name all concrete retention periods and therefore it will suffice
mention the criteria for determining the periods. Name all specific retention periods
According to Uber, this would lead to a pages-long privacy statement, which is in conflict with Article 12, first paragraph,
GDPR. The AP agrees that Uber may suffice to mention the circumstances mentioned
of the criteria for determining the retention periods, but notes that this is the privacy statement
also not sufficiently mentioned. It is only mentioned in general terms and that personal data
be kept as long as necessary for certain purposes (as Uber does) cannot be equal
are required to name criteria for determining the retention period. The obligation to
The criteria for determining the retention period cannot be stated differently in the opinion of the AP
explained that data subjects must be able to determine the retention periods for their data
determine, the information provided by Uber is, therefore, too general in nature. The AP notes that
Uber article 13, second paragraph, at the end of paragraph, has violated the GDPR. The AP sees differently than in the
investigation report is stated, insufficient basis in the investigation findings for a violation of
article 15, first paragraph, preamble under d, to establish GDPR.
10/23 Date Unmarked
December 11, 2023
4.5 Privacy statement: transfer
In its response to a request for access, Uber refers to information about transfers to the earth
privacy statement. The research report established that the privacy statement does not mention the countries
outside the EEA are mentioned to which data transfers take place and which are specific
measures have been taken to this end, as a result of whichUber article 13, first paragraph, opening lines under f, and article 15,
second paragraph, GDPR has been violated.
ViewpointUber
Uber states that Article 13, first paragraph, opening words under f, GDPR does not require that transfer to countries mentioned
18
be.The interpretation of the EDPB the guidelines that are in accordance with the
principle of propriety, the information about transfers means it must be possible that this
means that it should generally be called the third country, incorrectly
principle of propriety, in view of the opening words, has already been filled in in Article 13, second paragraph, GDPR (as the AP
view understands: exhaustive in filled) and therefore not applicable to the first paragraph of article 13
GDPR.The interpretation of the EDP is in contradiction with the texts and system of Article 13, first and second
member, GDPR. In addition, the AP cannot base a violation solely on the guidelines. TheGuidelines
also only require that in general the third countries should be mentioned and it is for Uber
impossible to determine prior to processing to which specific countries
personal data is passed on. Uber would have to contact all 72 countries in which it offers its app
includeintheprivacystatementthiswillnotbemeaningorunderstandable.Thesameappliesto
mention all protection measures per country.Uber is also of the opinion that in view of the shared
processing responsibility of Uber B.V. and Uber Technologies Inc. in this context there is no claim
of transfer of personal data to third countries, because the processing and in view of Article 3, first
member, GDPR falls within the scope of the GDPR.
Article 15, second paragraph, GDPR does not require that the countries of transfer be mentioned and explained
guidance does not apply to Article 15. Uber also states that the AP is based on the
research report cannot conclude to a violation of Article 15, paragraph 2, GDPR, because the
drivers are provided with information in various ways in response to an inspection request
this is not included in the report. The versions of the privacy statement were assessed by the AP
more than meet the requirements set out in Article 13, first paragraph, subparagraph f, of the GDPR, including
because in all versions it was possible to click on 'Standard contractual clauses', after which a web page of
the European Commission's standard provisions could be downloaded.
Finally, Uber states that the AP wrongly does not have the privacy statement of 13 June 2022
included in her assessment.
Judgement
Article 13, first paragraph, opening paragraph, subparagraph f, GDPR requires in the first place that the
controller informs data subjects, where appropriate, that the
18Guidance on transparency in accordance with Regulation (EU) 2016/679, page 44.
11/23 Date Unmarked
December 11, 2023
the controller intends to pass on the data to a third party
country.The AP notes that Uber only mentions it in the various versions of the privacy statement
that Uber transfers personal data to a third country or countries. With regard to the
applicable safeguardsrequiredArticle 13, first paragraph, opening paragraphf, GDPR that must be
indicated whether or not there is an adequacy decision of the Commission, or any other
appropriate safeguards apply and how a copy of these can be obtained or where they are
can be consulted. The requirements set out in this provision are for the provision of information
so specific that those involved must be given access to detailed information about the
safeguards used to protect their data upon transfer. Inde
guidelines, the EDPB expresses this in such a way that it is in accordance with the principle of propriety
information should be as meaningful as possible. Anyone involved wants to be able to have more knowledge about it
which countries his data are transferred, then the foregoing entails that
regardingtransmissioncountriesarementioned.Ubermakesinthevariousversionsofthe
privacy statement only general terms and without giving definitive information about the
Various guarantees apply (for example in the privacy statement of 1 September
2021:“Wedosoinordertofulfilouragreementswithusers,suchasourTermsofUse,orbasedonusers'priorconsent,
adequacydecisionsfortherelevantcountries,orothertransfermechanismsasmaybeavailableunderapplicablelaw,such
astheStandardContractualClauses”) and does not indicate how a copy can be obtained or
where they can be consulted. This does not give those involved the opportunity to find out which
guarantees may be relevant to them and what exactly these guarantees entail (through the van
applicable, the guarantees can be consulted).Uber has thus referred to Article 13, first paragraph, opening words
underf, GDPR has been violated. Contrary to what Uber states in its opinion, the fact that
second paragraph of article 13 GDPR No further interpretation is given to the principle of propriety, the
applicability of the principle of propriety from Article 5, first paragraph, under a, GDPR to the first paragraph of
21
Article 13 GDPR not applicable.
With regard to Uber's response to a request for access, the AP is different than it appears
investigation report is stated, insufficient basis in the investigation findings for a violation of
Article 15, second paragraph, GDPR.
4.6 Privacy statement: data portability
The research report found that Uber in the privacy statement has the right to
data portability is not explicitly stated and therefore does not comply with Article 13, second paragraph,
salutationsunderb,GDPR.
19 Namely those of 25 May 2018, 12 November 2019, 1 September 2021 and the privacy statement of 13 June
2022 (file document 25).
20Guidance on transparency in accordance with Regulation (EU) 2016/679, page 44.
21See also recital 60 in the GDPR, in which the principle of propriety is mentioned in connection with obligations under the first
member of article 13GDPR.
12/23 Date Unmarked
December 11, 2023
ViewpointUber
According to Uber, Article 20, first paragraph, GDPR shows that the right to data portability consists of
two actions, namely obtaining (from Uber) and transferring (by the person concerned). Uberindicates
that the right to data portability is mentioned in the privacy statement, namely as
'receiving data'. Uber also explains in its privacy statement what the right to data portability is
deliberately without using complex terms (such as data portability). The guidelines 22
(which states that a distinction is made between the right to data portability and other rights
must be made), only provide an explanation and the AP cannot base a violation solely on this.
Finally, Uber states that the AP wrongly does not have the privacy statement of September 1, 2021
included in her assessment.
Judgement
Article 13, second paragraph, opening paragraph and subsection b, GDPR obliges the controller to comply
provision of data to inform the data subject, among other things, about the right to
data portability. The AP notes that Uber in the different versions of the
privacy statement does not explicitly mention the right to data portability.Uber's position
The AP follows that 'receiving data' informs you about the right to data portability
not, because it also has the consequences of receiving the data processed by Uber
indicate the right of access under Article 15 of the GDPR
Article 13, second paragraph, opening words and subsection b, GDPRGmtoinformabouttheright
Data portability naturally entails that this must be done separately and explicitly
are appointed. This is also explained in the guidelines. Through itupright
data portability does not separately and explicitly mention, Uber has article 13, second paragraph,
salutationsunderb,GDPRviolated.
As of November 3, 2022, Uber explicitly mentions the right to data portability
its privacy statement.The violation has thus ended.
5. Administrative fine
5.1 View of Uber
Uber has put forward in its opinion – in summary – that the investigation report does not
justifies remedial or sanction measures. Uber refers to its existing violation (from
the research report) data point of view. In addition, Uber is of the opinion that the Lexcerta principle applies
resistance to enforcement, because the provisions that the AP adheres to in the investigation report
Uber tests many things that are not clear and have crystallized and are therefore unforeseeable
22Guidelines on the right to data portability of WP29, pages 15 and 16.
23 Namely those of May 25, 2018, November 12, 2019 and September 1, 2021.
24See also the Guidelines on the right to data portability of WP29, pages 15 and 16.
13/23 Date Unmarked
December 11, 2023
According to Uber, a measure also leads to disproportionate consequences for Uber within the meaning of Article 3:4,
second paragraph, of the General Administrative Law Act (AWB), because Uber is constantly working on improving it
of its services and has always shown itself willing to work together with the AP. Finally, Uber
takes the position that they have wrongly not been given the opportunity to express their views
bring to the content of a proposed sanction decision. The intention to enforce that Uber
theAPhasreceivedthegeneralanddoesnotprovideUbertheopportunitytoexpressitsviewonthe
amount of the fine, the severity of the violations found and the ultimate
substantiation thereof.
5.1.1 Assessment of administrative fine
For this purpose, the AP has concluded that Uber has violated Article 12, first paragraph, GDPR by
information in the CSV files in an easily accessible form and in addition
the guidance notes are only provided in English. This took place in the period from 25 May 2018 to
June 29, 2022. Secondly, Uber has violated article 12, second paragraph, GDPR because the digital form
with which drivers can exercise their right to access and data portability, not
easy enough to reach in the driver app. This violation took place in the period from
May 25, 2018 to February 17, 2022.
Tenderde, the information provided by Uber about retention periods in the privacy statement is too general
therefore, as a result of which Uber has violated article 13, second paragraph, at the bottom of a, GDPR.
Uber article 13, first paragraph, opening paragraph f, violates GDPR because the information provided about
transfer at the end of the privacy statement is incomplete. The AP determines this for the period from 25 May 2018 to
the date of the investigation report (30 June 2022).
Finally, Uber has not explicitly mentioned the right to data portability
privacy statement, which leads to a violation of Article 13, second paragraph, opening words and subsection b, GDPR. This
took place from May 25, 2018 to November 3, 2022.
The AP therefore sees reason to use its authority under Article 58, second paragraph,
preamble, under i, in conjunction with article 83 GDPR and article 14, third paragraph, GDPR Implementation Act, to
to impose an administrative fine on Uber(UberTechnologiesInc.andUberB.V.together).
5.1.2 Occupational plexcerta principle
With regard to Uber's appeal to the lexcerta principle, which, among other things, is governed by:
Article 49 of the Charter of Fundamental Rights of the EU, the AP is considering the following. Such as
Administrative Jurisprudence Department of the Council of State has considered several times, the lex certa requires
principle of the legislator that, with a view to legal certainty, he should do so in as clear a manner as possible
describes prohibited conduct. It should not be lost sight of the fact that the legislators sometimes
2See, among others, the rulings of July 9, 2014, ECLI:NL:RVS:2014:2493, January 16, 2019, ECLI:NL:RVS:2019:109.
14/23 Date Unmarked
December 11, 2023
with a certain vagueness, consisting of the use of common terms, prohibited behaviors
describes to prevent conduct that is worthy of punishment outside the scope of that description
fall. This vagueness can be unavoidable, because it is not always possible to foresee how
protect interests will be violated in the future because, if this were foreseen, the
descriptionsofprohibitedbehaviorsandothersarerefinedandfollowed
clarity disappears and with it the importance of general clarity of legal damage
suffers. In other words, the lexcerta principle requires the legislator to ensure, with a view to legal certainty
26
describes the prohibited conduct as clearly as possible.
Uber's argument about the Lexcerta principle focuses on the violation noted by the AP
with regard to the accessibility of the form for inspection requests and the form of the
provision of information in relation to the CSV files. The AP is considered “easy
accessible form” within the meaning of Article 12, first paragraph, GDPR, which entails information that is in response to
an access request has been provided in a structured CSV file that must be able to be displayed
(if the file does not open automatically), without the person concerned having to figure out how to do this.
There is no conflict with the Lexcerta principle because the text of the provision is sufficiently clear.
27
This is even more true now that the Guidelines indicate that the element is “easily accessible”
means that the data subject does not have to find out that information himself; it has to be done for the data subject
it is immediately clear where and how to find this information. The fact that the concept is “easy
accessible” from Article 12, first paragraph GDPR requires an explanation based on the specific circumstances,
does not make the fact that an administrative fine imposed for violation of this provision is in conflict
with the lexcerta principle. With regard to the violation that concerns the accessibility of the form for
In the opinion of the AP, requests for access are also not in conflict with the Lexcerta principle. In view of the text
Article 12, second paragraph, of the GDPR requires the controller to exercise the right
of a data subject to facilitate access to his or her data. This standard is at the discretion of
the AP is sufficiently clear, insofar as measures taken by a controller meet those thresholds
for the exercise of that right are contrary to this. Due to the combination of the number
going through the steps and the wording of it, Uber sets such a high threshold for those involved,
that Uber does not sufficiently facilitate its drivers in this regard.
5.1.3 Opportunity to provide an opinion
Regarding Uber's position that they have not been given the opportunity to express injustice
to submit comments and inform them of the fine, the seriousness of the extent of the observed
violations and in the final substantiation, the AP considers the following. Article 4:8 nor
Article 5:50Awb (read in conjunction with Articles 5:48 and 5:53Awb) nor any other provision
the AP obliged to comment on the intention to impose an administrative fine
theseaspects. Uber has therefore not been wrongly given the opportunity to express her views on this
What is stated in the opinion can contribute to the AP's decision to proceed with
2Pronunciation of 26 October 2022, ECLI:NL:RVS:2022:3077.
2Guidance on transparency in accordance with Regulation (EU) 2016/679, paragraph 11
2CBb7May2019,ECLI:NL:CBB:2019:177
15/23 Date Unmarked
December 11, 2023
imposing an administrative fine, after which the AP is responsible for all those at that time
knownrelevant facts and circumstances determines the amount of the fine. For this reason, the AP has decided
her intention is not expressed about the aspects mentioned by Uber.
5.2 Systematics for determining the amount of the fine
TheEDPB agreed in the plenary meeting of 24 May 2023 to adopt the
Guidelines04/2022onthecalculationofadministrativefinesundertheGDPR(hereinafter:the
Guidelines). The Guidelines are directly applicable because they do not provide for transitional law
for procedures that were already underway at the time of approval of the Guidelines. The AP will include these
30
Guidelines then also apply to this case.
The Guidelines describe a methodology that will be considered successively:
1. which and how many acts and infringements are under assessment;
2. which starting amount is the starting point for calculating the fine for this;
3. whether mitigating or aggravating circumstances exist that require adjustment of the
amountexit2;
4. what maximum amounts apply to the violations and whether any increases from the previous ones
stepnotexceedthisamount;
5. whether the final amount of the calculated fine meets the requirements of effectiveness,
deterrence and proportionality, and adjustments where necessary.
These steps are followed in turn below.
5.3 Calculation of starting amount
5.3.1 Step 1: Establishing actions and determining infringements
To determine the starting amount of the fine, as described in the Guidelines first
to determine whether there is one or more sanctionable conduct.
The AP first noted that Uber, in response to a request for access
data subject, did not provide information on how the CSV file can be opened (including information from
the provided CSV file can be displayed in a structured way). The AP has next to it
found that Uber does not have the information about the data in the CSV file (the guidance notes).
provided the language of those involved, but only in English. As concluded above,
29
There is currently no Dutch translation of the Guidelines available. The Guidelines can be consulted at
30ttps://edpb.europa.eu/our-work-tools/general-guidance/guidelines-recommendations-best-practices_en>
See also https://www.autoriteitpersoonsgegevens.nl/actueel/nieuw-boetebeleid-voor-overstromenen-avg.
16/23 Date Unmarked
December 11, 2023
both points are in conflict with Uber's obligation to provide the data subject in an understandable manner
easily accessible forms in clear and simple language to inform, laid down in Article 12,
first paragraph of the GDPR. In addition, the AP has also established a violation of the second paragraph of
Article 12, namely because the digital form with which drivers exercise their right to inspect
data portability is not easy enough to reach in the drivers -
app.
The AP further found that Uber's privacy statement was deficient in three areas: i)
The information provided by Uber about retention periods and was general in nature to those involved
to determine the retention periods for their data;ii)the information did not
mention the various safeguards applicable to international transfers of personal data;
andiii)the right to data portability was not mentioned separately or expressly.These points
are contrary to Article 13, paragraph 1, paragraph 2, paragraph 2, paragraph 2, paragraph 1, and b, of the GDPR.
In the opinion of the AP, this case involves two distinct sanctions from each card
behaviors(“pluralityofaction”).TheAPfirstnotesthatthebehaviors
take place at a different point in time. Using an inadequate privacy statement
takes place after publication on an ongoing basis, while the information is provided in response to an information request
is provided after a driver has made a request for access. Secondly, it applies to the behaviour
do not necessarily address the same group of stakeholders. Not every driver who
consults the privacy statement, makes requests for access and vice versa.Tenderde(en
Finally, the AP takes into account that the violations can exist independently of each other and are not
causal connection with each other. That they are now dealt with together in one decision
because they came to the attention of the AP at the same time.
Now that Ubervanelkaarte has committed distinguishable sanctionable conduct, both are possible
conduct will be fined separately. The amounts in the following steps will then also be used for
both infringements to be determined.
5.3.2 Step 2: Determine the starting amount
As described in the Guidelines, the starting amount of the fine must then be
determined. This starting amount forms the starting point for further calculation in later steps, in which all
relevant facts and circumstances are taken into account. The Guidelines state that
the starting amount is determined on the basis of three elements: i) the categorization of the infringements
according to Article 83, fourth to sixth paragraphs, of the GDPR; ii) the seriousness of the infringements iii) the turnover of
the company. All three elements are discussed below.
Adi)Categorization of infringements according to Article 83, fourth to sixth paragraphs, of the GDPR
As stated in the Guidelines, almost all obligations of the controller
categorized in the provisions of Article 83, fourth to sixth paragraph, of the GDPR. The GDPR makes
17/23Date Unmarked
December 11, 2023
distinction between two types of infringements. On the one hand, the infringements that can be sanctioned on the basis of
Article 83, fourth paragraph, of the GDPR, for which a maximum fine of €10 million (or in the case of
a company, 2% of the annual turnover, if that is higher), on the other hand, the infringements that can be sanctioned
are pursuant to Article 83, fifth and sixth paragraph, of the GDPR, for which a maximum fine of
€20 million (or in the case of a company, 4% of the annual turnover, whichever is higher). With this
distinction, the legislator has provided for an abstract indication of the seriousness of the infringement:
the more serious the infringement, the higher the fine.
For the current violations of Article 12, first and second paragraph, Article 13, second paragraph, opening words
andundera, article 13, first paragraph, opening paragraph under f, and article 13, second paragraph, opening paragraph under b, GDPR may
an administrative fine of up to €20,000,000.00 (or in the case of a company,
4% of global annual turnover, whichever is higher). From this categorization it follows that the infringements of
these provisions are regarded as serious by the legislator.
Adii)Severityoftheinfringements
To determine the seriousness of the infringement, the Guidelines must be taken into account
with the nature and severity of the infringement, as well as with the intentional or negligent nature of the infringement
and the categories of data involved.
With regard to the nature of the violations, the AP notes that the controller
the person concerned must provide the information that is necessary to the person concerned
to ensure proper and transparent processing, taking into account the specific
circumstances and context in which the data are processed. The right to inspect,
as well as the right to understand and easily accessible information about the processing of
to receive personal data, necessary to enable data subjects to exercise their other rights
to practice on the basis of the GDPR. Providing transparent information at the end of the sentence of article 12,
first paragraph, GDPR is already of great importance for that reason. When the rights of those involved are not protected
complied with, this affects the right that those involved have to respect for their personal privacy
andtheprotectionoftheirpersonaldata.Therighttoinspectandtherighttounderstandand
to receive easily accessible information about the processing of data
In addition, those involved are of interest in standing up for or exercising rights other than those
under the GDPR, for example in civil proceedings. That is why it is also important that those involved
can make use of the aforementioned rights under the GDPR and that this is not unreasonable
barriers are raised.
When assessing the severity of the violations, first weigh the number (possible)
those involved. It is known to the AP that during the period of the violations, approximately 120,000 Uber-
drivers were active in Europe.
31
32uidelines04/2022onthecalculationofadministrativefinesundertheGDPR.
Recital 60 in the GDPR.
18/23Date Unmarked
December 11, 2023
Secondly, the AP takes this into account when assessing the severity of the violation
has committed the above-mentioned violations of the GDPR, but that it is not the case that Uber opts out
has in some way complied with its obligations under Article 12, first and second paragraph,
Article 13, second paragraph, opening paragraph, under a, Article 13, first paragraph, opening paragraph, under f, and Article 13, second paragraph,
heading under b, GDPR. For example, Uber has been involved in its privacy statement, although not completely
informed about the retention periods, but Uber has provided some information about this.
The same applies to the information about transfers in the privacy statement: although the AP is related to this
has found a violation, it cannot be said that Uber has completely failed to do so
transfer. With regard to Uber's response to an inspection request, it has not been established that
the requirements of Article 12, first paragraph, GDPR have not been met at all, but the violation is limited
focus on the language of the guidance notes and the accessibility of the CSV files. For both the language of
theguidancenotesastheaccessibilityoftheCSVfilesin addition,thisviolationdoesnotapply
there will actually be consequences for every driver who has requested inspection. The English language of
The guidance notes will not lead to less or no understanding of the content for every driver, so
There are also some Member States where English is the language. In addition, there will be smoke drivers who
CSV files do open automatically in tabular form. Furthermore, the AP has not found any violations
have resulted in (substantial) damage to those involved. Furthermore, this applies to the violation of
Article 12, second paragraph, of the GDPR states that it is not the case that Uber is involved and that it is entirely impossible
has made to exercise their right to access and data portability. In the opinion of
the AP speaks of negligence in committing the violations. TheAPweighsthatelementas
“neutral” with regard to the categories of data involved, the AP is involved
established that the processing of location data, these are personal data of
sensitive nature. Furthermore, the AP takes into account that it may be a challenge for Uber to
to provide comprehensive information about the rights of the data subject in a way that is understandable
those involved, which entails compromising to assess how the information can best be used
are displayed. It also appears from the investigation that during the view phase provided by Uber
information that U has taken many measures to improve and improve the procedures for those involved
tocontinueimproving.
The duration of the violations has been determined above for a significant period, namely the period
from May 25, 2018 to February 17, 2022, June 29, 2022 and November 3, 2022.
Adiii)Turnover of the company
The Guidelines are written before the starting amount of the fine must be set from the point of view of fairness
related to the size of the company. The size of the company is determined by the
based on turnover. For example, for a small company with a turnover of up to € 2 million, it becomes
starting amount in the rule is limited to 0.2 to 0.4% of the actual starting amount, and the starting amount increases
as the turnover of the company increases. If a company has a turnover of more
than €500 million, the fine is determined on a percentage of the annual turnover of the
3See in this connection, among others, CJEU 4 May 2023, ECLI:EU:C:2023:376.
19/23Date Unmarked
December 11, 2023
company. As a result, the size and turnover of the company are already discounted in the height
of the fine, so that the starting amount does not need to be adjusted on that basis.
As stated in recital 150 of the GDPR, when imposing a fine on a company,
the “undertaking” is regarded as an undertaking in accordance with Articles 101 and 102 of the
Treaty on the Functioning of the European Union. From established case law of the Court of Justice of
the European Union follows that an enterprise is “any entity that carries out an economic activity,
regardless of its legal formation and the manner in which it is financed.” So it's all about the economics
unityofthecompaniesnotthelegalentitieswithin.Different
companies or entities within the same economic unit can therefore work together
company within the meaning of the aforementioned provisions.
UberB.V.isindirectlya fullysubsidiaryofUberTechnologiesInc.Theymusttherefore
application of Article 83 of the GDPR, be counted as part of the same company.
As stated in the Guidelines, the turnover can be determined on the basis of the annual accounts of the
company over the previous financial year. Pursuant to Article 83, fourth to sixth paragraphs, of the
GDPR, the worldwide turnover in the previous financial year is taken into account. In view of this decision
was taken in 2023 and will be maintained in the financial year 2022.
35
UberTechnologies Inc. has published its annual accounts for 2022 on its website. On page 74isen
consolidated overview of the company is included. It is important to note that the global
36
turnover of the company in 2022 amounts to $ 31.877 billion. This corresponds to € 29.750 billion.
Determine starting amount
Pursuant to Article 83, fifth paragraph, of the GDPR, the fine amounts to a maximum of 4% of the annual turnover.
annual turnover, as stated, is € 29.750 billion, so that the maximum fine for each of the
violations amount to € 1.19 billion.
In view of what has been considered under (i) and (ii), the AP takes the position that the level of seriousness
of the infringements must be qualified as “low”. According to the Guidelines, this applies to infringements
at a low level of severity, the starting amount should be determined at a point between 0 and 10%
of the maximum fine. The general rule is that the serious the infringement within its own
category, the higher the starting amount will be.
The AP is of the opinion that, given the circumstances described, the infringements in question are of their own accord
severity. The starting point for calculating the fine must therefore be relatively low
3From an annual turnover of €500 million, 4% of the annual turnover is higher than €20 million, so that this percentage is
maximum fine must be taken into account (Article 83, fifth paragraph, opening words, of the GDPR).
3Consultat<https://investor.uber.com/financials/default.aspx>.
3The exchange rate determined by the ECB on the day of this decision is €0.9333 per US dollar (compare
<https://www.ecb.europa.eu/stats/policy_and_exchange_rates/euro_reference_exchange_rates/html/eurofxref-graph-
usd.en.html>).
20/23 Date Unmarked
December 11, 2023
compared to the starting amount. Taking all the foregoing into account, the AP sets the starting amount
case fixed at €5 million for each of the violations (€10 million in total). That corresponds to
0.42% of the applicable maximum fine.
5.4 Assessment of mitigating or aggravating circumstances
5.4.1 Step 3: Assess relevant circumstances
As stated in the Guidelines, it should then be assessed whether in the circumstances of the
case there is reason to set the fine higher or lower than that determined above
starting amount. The circumstances to be taken into account are stated in Article 83, second paragraph, opening words
under ato and with k, of the GDPR. The circumstances stated in that provision must each only be
be considered once. In the previous step, the nature, weight and duration of the
infringement (part a), the intentional or negligent nature of the infringement (part b) and categories
ofpersonaldata(partg).Therefore,thepartsctoandwithfenhtoandwithkremain.
The only applicable circumstance is the manner in which the AP became aware of the
infringement, in particular whether, and if so to what extent, the controller has reported the infringement
(part h). In this case, Uber did not report the infringements itself, but they were the subject of complaints
knowledge of the AP. This is, however, assessed as “neutral” according to the Guidelines and has
therefore no consequences for the amount of the fine to be imposed.
The other conditions are missing in this case because the conditions they refer to
referinthiscasedoesnotoccur.
5.5 Determining the amount of the fine
In paragraph 5.3.2 a starting amount of €5 million has been determined for each of the violations.
paragraph 5.4.1 it has been concluded that the only circumstance that can be considered further
taken, must be assessed as neutral. The conclusion is then also that the fine must be imposed
set at €5 million for each of the two violations (€10 million in total).
5.5.1 Step 4: Control exceedance for the infringements and the maximum amounts applicable
As mentioned, - also taking into account Uber's turnover - the violations found apply to
maximum fine of 4% of the worldwide annual turnover of the company. Considering the turnover of
Uber (€29.750 billion) is the legal maximum of the fine to be imposed, which is €1.19 billion per
offence.
21/23 Date Unmarked
December 11, 2023
Above, the fine amount for the violations found is set at €5 million per year
violation. This is well below the legal maximum, so that it cannot be exceeded
occurs.
5.5.2 Step 5: Assessment of effectiveness, proportionality and deterrence requirements
Finally, the AP assesses whether the fine is effective, proportionate and deterrent. Based on Article 49,
third paragraph of the Charter of Fundamental Rights of the EU and Articles 3:4 and 5:46, second paragraph, of the
Awb may not impose the administrative fine, given the circumstances of the specific case
disproportionate outcome.
Pursuant to Article 83, fifth paragraph, opening words under b, GDPR, the AP can apply for the above
violations may impose an administrative fine. As described in the Guidelines
a fine can be considered effective if it achieves the purpose for which it was imposed.
The aim may be to punish unlawful conduct on the one hand and to
to promote compliance with the applicable regulations. Given the nature, severity and duration of the infringement,
as well as the other factors from Article 83, second paragraph, GDPR as assessed in paragraphs 5.3.2 and 5.4
of this decision, the AP is of the opinion that an administrative fine is imposed under this
circumstancesbothgoalsareachievedandthereforeeffectiveanddeterrent.Theheightofthe
administrative fine, which is partly determined on the basis of Uber's turnover, the AP also considers
effective and deterrent.
The AP expects the fine to be proportionate to the seriousness of the violations and the size of the company.
Uber has indicated in its opinion that imposing a measure will have disproportionate consequences
leads for Uber, because Uber is constantly working on improving its services and is always prepared to take the time
has shown that it is willing to work together with the AP. The AP sees this as a reason for the fine
disproportionate. Both the compliance with the provisions of the GDPR and the granting of
After all, cooperation with the AP in the exercise of its powers is legally required
In the opinion of the AP, no such special circumstances have occurred in this context
that the fine would not be proportionate for the reasons mentioned by Uber.
22/23 Date Unmarked
December 11, 2023
6. Dictum
Fine
DeAPlitigatesUberB.V.andUberTechnologiesInc.jointly,forviolationofArticles12,
first and second paragraph, and Article 13, first paragraph, opening words under f, and second paragraph, opening words under a and b, of
the GDPR does not impose an administrative fine in the amount of €10,000,000.00 (in words: ten million euros). 37
Yours faithfully,
Dutch Data Protection Authority,
Mr.A.Wolfsen
Chair
Remedies clause
If you do not agree with this decision, you can submit it within six weeks after the date of dispatch
decides to submit an objection digitally or on paper to the Dutch Data Protection Authority.
Article 38 of the GDPR Implementation Act suspends the submission of an objection to the effect of the GDPR
decision to impose the administrative fine. State at least in your objection letter:
your name and address;
the date of your objection;
the reference mentioned in this letter (case number), or attach a copy of this decision;
the reason(s) why you do not agree with this decision;
your signature.
You can submit the objection letter digitally via the website. Go to www.autoriteitpersoonsgegevens.nl,
and at the bottom of the page, under the heading “Contact”, click on the link “Objection against a decision of the
AP”. From there you use the “Submit an objection” form.
Would you rather send the notice of objection by post? You can do so to the following address:
Dutch Data Protection Authority
Directorate of Legal Affairs & Legislative Advice, Objections department
PO Box93374
2509AJDENHAAG
37
The AP will hand over the claim to the Central Judicial Collection Agency (CJIB).
23/23
