Garante per la protezione dei dati personali (Italy) - 9771142
Authority: Garante per la protezione dei dati personali (Italy)
Relevant Law: Art. 4(1)(f), 13, 23, 28, 37, 38, 161, 162(2bis), 163, 164bis(2) Codice Privacy
Parties: Uber Technologies Inc.
National Case Number/Name: 9771142
European Case Law Identifier: n/a
Original Source: Garante Privacy (in IT)
The Italian DPA fined Uber a total of €4,240,000 for violations relating to 1,500,000 data subjects in Italy, including lack of transparency and consent and failure to notify the DPA of a personal data breach.
English Summary
Facts
The Italian DPA launched an investigation into Uber B.V., with registered office in Amsterdam, and Uber Technologies Inc., with registered office in San Francisco, after the US parent company made public a data breach in 2017. The DPA found that the Dutch company Uber B.V. and the US company Uber Technologies Inc. were joint controllers, each responsible for violating the Italian Privacy Code (the Italian implementation of EU Directive 95/46/EC) in respect of data subjects in Italy.
During its inspections carried out at Uber Italy srl, the DPA found several violations, including an inadequate privacy notice, personal data processed without consent, and failure to notify the DPA of the data breach.
The security incident, which occurred before the GDPR came into effect, involved the data of around 57 million data subjects worldwide and had already been sanctioned by the Dutch and British DPAs on the basis of their respective national regulations. The personal data processed by Uber comprised personal and contact data (name, surname, telephone number and e-mail), access credentials to the app, location data (as recorded at the time of registration), and relations with other data subjects (shared trips, friend referrals, profiling information).
The controllers had also, without having obtained valid consent, processed the data of approximately 1,379,000 data subjects by profiling them on the basis of the so-called 'fraud risk', assigning them a qualitative rating (e.g., 'low') and a numerical parameter (from 1 to 100). Finally, the controllers had not complied with the obligation to notify the DPA of the processing of personal data for geolocation purposes, as required by the legislation in force before the GDPR came into effect.
Holding
The DPA found violations relating in particular to the inadequate privacy notice provided to data subjects, which lacked any indication that the processing was carried out by joint controllers and was 'formulated in a generic and approximate manner', with 'unclear and incomplete information' that was 'not easy to understand'. The purposes of the processing were not well specified, the references to the rights of the data subjects were vague and incomplete, and it was not clear whether data subjects were obliged to provide their data, nor what the consequences of a possible refusal would be.
The DPA found the following violations:
1. Violation of article 13 Privacy Code, for failure to acquire the consent of the data subjects.
2. Violation of articles 37 and 163 Privacy Code, for failure to notify the DPA of the breach.
3. Violation of Article 164-bis (2) Privacy Code, because the violations committed relate to databases of particular relevance or size.
Consequently, the DPA fined Uber B.V. (the Netherlands) and Uber Technologies Inc. (USA) €2,120,000 each (a total of €4,240,000) for violations relating to 1.5 million data subjects in Italy, including drivers and passengers.
In defining the amount of the sanctions, the DPA, in addition to the seriousness of the violations ascertained, also took into account the significant number of data subjects involved and the economic conditions of the company.
Comment
Although it does not involve current European legislation (the GDPR), this decision is relevant with regard to the general principles of data protection already contained in Directive 95/46/EC, which each EU Member State transposed into national legislation: in Italy, this legislation is the 'Privacy Code'.
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.