CNIL (France) - SAN-2023-003

From GDPRhub
Revision as of 16:18, 3 April 2023 by Ls (Created page)
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 5(1)(c) GDPR
Article 28(3) GDPR
Article 56 GDPR
Article 82 of the Loi Informatique et Libertés (French Data Protection Act)
Type: Investigation
Outcome: Violation Found
Started: 13.05.2020
Decided: 16.03.2023
Published:
Fine: 125,000 EUR
Parties: Cityscoot
National Case Number/Name: SAN-2023-003
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: CNIL (in FR)
Initial Contributor: ls

The CNIL fined a scooter rental company €125,000 for several data protection violations. In particular, it considered that the collection of geolocation data every 30 seconds was not necessary for the purposes put forward by the controller.

English Summary

Facts

The controller was Cityscoot, a company that rents out shared electric scooters via a mobile application.

The controller carried out cross-border processing, but its main establishment was in France. In accordance with Article 56 GDPR, the CNIL was therefore the competent lead supervisory authority. In May 2020, the CNIL carried out an inspection of the controller's website and mobile application. This investigation mainly highlighted three points.

(1) The investigation firstly showed that the company's scooters are equipped with electronic boxes containing a SIM card and a GPS geolocation system. This allowed location data to be collected every 30 seconds when the scooter was active and every 15 minutes when it was not. This data was collected by the company for the following purposes: processing traffic violations, processing customer complaints, user support (in order to call for help in case of a user's fall), claims and theft management.

Regarding the purpose of managing customer complaints, the company argued that collecting location data every 30 seconds was necessary because the service is charged by the minute. It considered that the data could be useful for complaints about overcharging due to an error in stopping the rental, parking in areas where parking is prohibited, or loss of contact with the application, since it makes it possible to check how long a scooter has been stopped.

Regarding the purpose of managing traffic offences, the company argued that the collection of geolocation data every 30 seconds was necessary for proof of driver identity and for insurance purposes. It also argued that the data could be useful for checking whether a scooter was actually at the location where an offence was recorded, in the event of a dispute.

Regarding the purpose of managing theft during rentals, the controller explained that collecting the data did not mean that it was cross-referenced with the user's data. However, it did not indicate how many scooters had been recovered thanks to the collection of geolocation data.

With regard to accident management, the company argued that collecting geolocation data every 30 seconds was necessary for reporting and insurance purposes and for providing assistance to the driver involved.

(2) The investigation also showed that the controller used 15 processors on the basis of contracts that did not contain all the information required by the GDPR. For example, one of the contracts did not mention the processor's obligation to make available to the controller all the information necessary to demonstrate compliance with its obligations. Another contract did not mention the purpose of the processing or its duration.

(3) The controller did not provide information about cookies and did not have a cookie consent banner on its website. It argued that it fell under an exemption provided for by national law.

Holding

(1) The CNIL began by pointing out that geolocation data collected while a scooter is rented constitutes personal data. Referring to EDPB Guidelines 01/2020, it considered that such data is sensitive in the ordinary sense of the term, even though it is not covered by Article 9 GDPR. By contrast, when the scooter is not rented, the data is not personal data.

The CNIL then analysed the relevance and necessity of the data collection for each purpose.

For the management of customer complaints, it considered that collecting location data every 30 seconds was not necessary for this purpose. It explained that less intrusive mechanisms could be used, such as triggering geolocation only when the user requests help in the application, or sending a text message asking the user to confirm that the rental has ended.

Regarding the management of traffic offences, the CNIL considered that knowing the date and time of the start and end of the rental, together with the date and time of the offence, was sufficient to meet this purpose. It also considered that collecting data from all scooters every 30 seconds was excessive for this purpose, insofar as it did not concern all users and only served an incidental purpose in the event that a user wished to contest an offence.

Concerning the management of thefts during rentals, the CNIL considered that even if the controller did not cross-reference geolocation data with user data, the mere possibility of reconciling the different databases meant that the scooter position data fell within the scope of the GDPR. In this case, the CNIL considered that permanent collection was excessive for the purpose of managing thefts. It considered that geolocation could, for example, be collected only from the moment a theft is reported.

For accident management, the DPA considered that geolocation should be activated only when an accident occurs, not permanently. It was therefore not necessary to collect the geolocation of scooters every 30 seconds in order to provide assistance in the event of an accident.

The CNIL concluded that none of the purposes justified collecting location data every 30 seconds, in violation of the data minimisation principle in Article 5(1)(c) GDPR.

(2) As regards the relationship between the controller and its processors, the CNIL considered that the contracts were incomplete and found a breach of Article 28(3) GDPR.

(3) The CNIL considered that the controller could not rely on the exemption under domestic law and was therefore required, under Article 82 of the Data Protection Act, to inform users and obtain their consent before placing cookies. The controller had therefore violated this provision.

Consequently, the CNIL found a violation of Articles 5(1)(c) and 28(3) GDPR and imposed a fine of €100,000. For the violation of Article 82 of the Data Protection Act it imposed a separate fine of €25,000, bringing the total to €125,000.


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.