Rb. Amsterdam - C/13/689705/HA RK 20-258

From GDPRhub
Rb. Amsterdam - C/13/689705/HA RK 20-258
Courts logo1.png
Court: Rb. Amsterdam (Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 15 GDPR
Article 20 GDPR
Decided: 11.03.2021
Published: 11.03.2021
Parties: Ola Netherlands BV
National Case Number/Name: C/13/689705/HA RK 20-258
European Case Law Identifier: ECLI:NL:RBAMS:2021:1019
Appeal from:
Appeal to:
Original Language(s): Dutch
Original Source: Rechtspraak.nl (in Dutch)
Initial Contributor: n/a

The Court of Amsterdam ruled in a case brought by the UK drivers that were using Ola Driver App to provide services. The case concerned the right to access personal data and the right to data portability. According to the Court, the request to order Ola to provide all personal data that falls within the scope of Article 20 GDPR is too general and so not specific that it must be rejected as insufficiently determined. The platform operator still has to provide anonymous access to ratings given by passengers, as well as to data on which the fraud probability score and the earning profile, forms of profiling, are based.

English Summary

Facts

The case was brought by 'private hire drivers' in the United Kingdom. They use the services of Ola through the Ola Driver App. The passengers they transport use the Ola Cabs App. The applicants are affiliated with the App Drivers & Couriers Union (ADCU). In the application, they requested to be allowed to inspect the following in a commonly used electronic form: all personal data relating to them that Ola processes, including the personal data as mentioned in the privacy statement and the accompanying documentation, the purposes of the processing, the categories of personal data concerned, the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations and the retention period for these data, the existence of automated decision making, including those referred to in Article 22, paragraph 1 and 4 GDPR provided for profiling, and at least in those cases, useful information on the underlying logic, as well as the importance of and the anticipated effects of such processing, in the event of a transfer to a third country or an international organization, the appropriate safeguards in accordance with Article 46 GDPR that Ola has in place regarding this transfer.

Additionally, the applicants requested Ola to provide personal data in a structured, commonly used and machine-readable form, namely as a CSV file, or by means of an Application Programming Interface ( API), in such a way that this data can be directly transmitted to another controller.

The requests were based on Article 15 paragraph 1 GDPR 1. According to the applicants, Ola did not provide full access to their personal data in response to their access requests. The privacy statement and accompanying documents show that Ola processes a large number of categories of personal data, but the applicants have not obtained access to many of these categories. Furthermore, the datasets received by them consist of inconsistent and incomplete data provision.

Another request was based on Article 20 paragraph 1 GDPR (data portability or data portability). According to the applicants, Ola should offer them the option of downloading the personal data directly and forwarding it to another controller. This can be achieved by using an Application Programming Interface (hereinafter: API) or a Trusted Third Party (TTP). The drivers requested Ola to provide the personal data in a CSV file, but Ola only provided a small part of the personal data in this file 'format.

Holding

The Court stated that in exercising his right of access, the data subject does not have to show any particular interest or state the goal that he wants to achieve with the access. The mere fact that data about him is being processed is sufficient. In this case, the applicants have stated that they wish to check the correctness and lawfulness of their own data and that this is a precondition for exercising other privacy rights. That is enough.

The request to transfer personal data in a certain format stems from the wish of the applicants to have this data entered directly in a WHO database for analysis with the aim of improving the negotiating position of platform workers. Recital 68 of the GDPR states that the right to data portability serves to strengthen the data subject's control over their own data. According to the Court, Ola rightly argues that an important aim of this right is to facilitate switching to another service provider and to prevent a so-called ' user lock-in' 'with the original controller. However, this does not mean that the intended purpose of the applicants - analysis of their own personal data or use for their own purposes - is excluded from the right to data portability.

Moreover, the Court stated that the controller (in this case Ola) can refuse access if this is necessary for the protection of the rights and freedoms of others. It follows from legal history that the controller himself is also understood to be 'others' in this context. This provision contains an exception to conferred rights and must therefore be interpreted restrictively. Whether in a specific case there is such a ground that should lead to a limitation or rejection of the application must be decided by the court after weighing up all the interests involved. When invoking this exception provision, the obligation to provide information rests in principle on the controller (in this case Ola).

In the context of the data portability request, the Court concluded that Article 20 GDPR does not automatically imply an obligation to provide the personal data in a CSV file or by means of an API. Ola has already provided personal data and applicants have insufficiently specified which further personal data the request relates to. According to the Court, the request to order Ola to provide all personal data that falls within the scope of Article 20 GDPR is too general and so not specific that it must be rejected as insufficiently determined.

Comment

Share your comments here!

Further Resources

The Ola & Uber judgments: for the first time a court recognises a GDPR right to an explanation for algorithmic decision-making:https://eulawanalysis.blogspot.com/2021/04/the-ola-uber-judgments-for-first-time.html

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

decision

COURT OF AMSTERDAM
Private Law Department

case number / application number: C / 13/689705 / HA RK 20-258

Order of 11 March 2021

in the case of

1[applicant 1],
residing in [residence] (United Kingdom),

2. [applicant 2] ,

residing in [residence] (United Kingdom),

3. [applicant 3] ,

residing in [residence] (United Kingdom),

applicants,

lawyer mr. AH Ekker in Amsterdam,

against

the private company with limited liability

OLA NETHERLANDS BV ,

Located in Amsterdam,

defendant,

attorney mr. JG Reus in Amsterdam.


The applicants will hereinafter also be jointly referred to as [applicants] and each individually [applicant 1], [applicant 2] and [applicant 3]. The defendant will also be referred to hereinafter as Ola.

1The procedure
1.1.
The course of the procedure is evidenced by:

-
the petition, with appendices, received at the registry on 9 September 2020,

-
the interim order of 22 October 2020, in which a meeting of the parties has been determined,

-
the revised petition, with annexes, received at the registry on October 20, 2020,

-
the statement of defense, with one appendix, received at the registry on 10 December 2020,

-
the official report of the oral hearing of 16 December 2020 and the (procedural) documents mentioned therein.

1.2.
Subsequently, after detention, a decision was taken today.

2The facts
2.1.
Ola is a parent company based in Bangalore (India). In 2010 she founded the division 'Ola Cabs'. Ola Cabs is a digital platform that facilitates the linking of a passenger and a (taxi) driver via an app.

2.2.
The [applicants] work as 'private hire drivers' (hereinafter: drivers) in the United Kingdom. They use the services of Ola through the Ola Driver App. The passengers they transport use the Ola Cabs App.

2.3.
[Applicants] are affiliated with the App Drivers & Couriers Union (hereinafter: ADCU). ADCU is a union that stands up for the interests of private hire drivers and couriers in the United Kingdom. ADCU is affiliated with the International Alliance of App Transport Workers (hereinafter: IAATW). Both organizations are committed to the digital rights of platform workers.

2.4.
ADCU is supported by Worker Info Exchange (hereinafter: WHO). WHO is a non-profit organization whose goal is to give information economy employees access to personal data collected about them during their work. ADCU and WIE intend to jointly set up a 'data trust' for drivers of Ola, among others, in which personal data are brought together for analysis purposes.

2.5.
In several countries, procedures are pending between companies that offer services via a digital platform and drivers as to whether there is an employment relationship.

2.6.
In separate requests dated 23 June 2020, [applicant 1] and [applicant 2] requested Ola to inspect their personal data that Ola processes and to make them available in a CSV file. [applicant 3] made a request for access on 5 August 2020. In response to these requests, Ola provided [applicants] with a number of digital files and copies of documents.

2.7.
Ola has drawn up a 'Privacy Policy' (hereinafter: the privacy statement) in which it has included general information about data processing. It also uses a document called 'How we process your data', which contains an overview of the categories of personal data that Ola processes.

3. The dispute

3.1.
After reviewing and supplementing the application, [applicants] request - in summary - that the court, by order to be declared enforceable:

I Ola recommends that within one month of service of the decision, against possible reimbursement of costs, the [applicants] should be allowed to inspect the following in a commonly used electronic form:


i) all personal data relating to them that it processes, including the personal data as mentioned in the privacy statement and the accompanying documentation,

(ii) the purposes of the processing, the categories of personal data concerned, the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations and the retention period for these data,

iii) the existence of automated decision making, including those referred to in Article 22, paragraph 1 and 4 AVG provided for profiling, and at least in those cases, useful information on the underlying logic, as well as the importance of and the anticipated effects of such processing for [applicant's ],

iv) in the event of a transfer to a third country or an international organization, the appropriate safeguards in accordance with Article 46 GDPR that Ola has in place regarding this transfer,

II Ola recommends that the personal data of [applicants] be provided to [applicants] in a structured, commonly used and machine-readable form, namely as a CSV file, or by means of an Application Programming Interface ( API), in such a way that this data can be directly transmitted to another controller,

III the foregoing under penalty of a penalty of € 2,000 per day or part of a day that Ola fails to comply with one or more of the orders referred to under I and II,

IV Ola orders the costs of the proceedings.

3.2.
The requests under I (i), (ii) and (iv) are based on Article 15 paragraph 1 GDPR 1 (right of inspection). According to [applicants], Ola did not provide full access to their personal data in response to their access requests. The privacy statement and accompanying documents show that Ola processes a large number of categories of personal data, but [applicants] have not obtained access to many of these categories. Furthermore, the datasets received by [applicants] testify to inconsistent and incomplete data provision.

3.3.
The request under I (iii) is based on Articles 15, paragraph 1, opening words and under h and 22 GDPR (automated decision-making and profiling). According to [applicants], Ola uses automated decision-making and profiling in the performance of the agreement with [applicants]. The explanation of this included in the privacy statement and the document 'How we process your data' is not complete. Under recital 71 of the GDPR, when applying profiling, Ola must apply appropriate procedures and take measures to ensure fair and transparent processing for the data subject. Discriminatory consequences of profiling must also be avoided. To be able to assess whether Ola complies with the requirements of Article 22 paragraph 3 GDPR when using it satisfies, the [applicants] have an interest in access to automated decision-making and profiling, information about the underlying logic and the expected consequences of that processing.

3.4.
The request under II is based on Article 20 paragraph 1 GDPR (data portability or data portability). According to [applicants], Ola should offer them the option of downloading the personal data directly and forwarding it to another controller. This can be achieved by using an Application Programming Interface (hereinafter: API) or a Trusted Third Party (TTP). [Applicants] requested Ola to provide the personal data in a CSV file, but Ola only provided a small part of the personal data in this file 'format' (the quotation marks are omitted below).

3.5.
The imposition of the penalty requested under III is justified, according to [applicants], because of the great interest of [applicants] in accessing and transferring their personal data and Ola's financial strength.

3.6.
[Applicants] state that they have the following interests in their requests:

-
Proceedings are being conducted in various countries regarding the question of whether there is an employment relationship between providers of 'Ride Hailing apps' and drivers. What is important here is the extent to which such providers have management control, which they exercise, among other things, by means of algorithms and automated decision-making;

-
the British court has ruled that drivers are entitled to a minimum wage and holiday allowance for each hour they are logged on a 'Ride Hailing platform'. In order to calculate their wages, [applicants] need access to their data;

-
the requested data is needed for drivers to organize and build collective bargaining power;

-
transparency about the data processing is necessary to represent the interests of drivers vis-à-vis platform providers;

-
When deciding on their license as a driver, drivers are assessed on their suitability, whereby their track record and behavior are relevant. Therefore, [applicants] have an interest in unrestricted access to their data;

-
the UK court has ruled that drivers are entitled to protection against discrimination. In order to determine whether there is discrimination or unequal treatment, drivers need access to the calculation of their 'rating' in the Ola Driver App;

-
the requested data will be made available to WHO.

3.7.
Ola puts forward a defense. It requests that [applicant 3] be declared inadmissible in his request for the transfer of data and furthermore that the requests be rejected, or (partly) allowed, taking into account the circumstances and guarantees mentioned by Ola, with the condemnation of [ applicants] in the legal costs (including subsequent costs), plus statutory interest.

3.8.
The arguments of the parties are discussed in more detail below, insofar as they are relevant.

4The assessment
Jurisdiction and Governing Law
4.1.
The court must investigate ex officio whether the Dutch court has jurisdiction and, if so, whether this court has relatively jurisdiction to hear the requests of [applicants]. This is the case because Ola is located in the Amsterdam district (Article 4 Brussels I bis Regulation 2 and Article 262 opening lines and under a Rv 3 ).

4.2.
Insofar as the requests of [applicants] are based on the GDPR, it is directly applicable as a European regulation. From the fact that the parties also base themselves (additionally) on Dutch law, the court infers that the parties implicitly made a choice of law for the application of Dutch law as referred to in Article 3 paragraph 1 of the Rome I Regulation. 4

4.3.
It is not disputed between the parties that Ola is to be regarded as the controller within the meaning of Article 4 under 7 GDPR .

No interest, abuse of rights?

4.4.
Ola argues that [applicants] have no interest of their own within the meaning of Article 3: 303 BW 5 in their requests in these proceedings, because this only serves the interests of ADCU or the general interests of drivers who use platform services.

4.5.
Ola further argues that with their requests [applicants] are abusing the law within the meaning of Section 3:13 of the Dutch Civil Code. According to Ola, the [applicants] use the right of access and the right to data portability for a purpose other than that for which it was given, namely to set up a data trust and to gather information to improve the legal position of drivers vis-à-vis Ola and other platforms.

4.6.
The court finds that a person is in principle no need to justify or explain why he makes an access request under the AVG. In exercising his right of access, the data subject does not have to show any particular interest or state the goal that he wants to achieve with the access. The mere fact that data about him is being processed is sufficient. This does not mean that a request for access can never constitute a misuse of powers within the meaning of Section 3:13 of the Dutch Civil Code (cf. , November 9, 2018, ECLI: NL: PHR: 2018: 1273). This may be the case if the right of access is only used for a purpose other than checking whether personal data are processed correctly and lawfully. It is up to the controller to demonstrate misuse of powers.

4.7.
In this case, [applicants] have stated that they wish to check the correctness and lawfulness of their own data and that this is a precondition for exercising other privacy rights. That is enough. Contrary to what Ola argues, the fact that [applicants] and the trade union with which they are affiliated also have a different interest in obtaining personal data, namely to use it to obtain clarity about their employment law position or evidence in legal proceedings against platforms not that [the applicants] abuse their rights. After all, it has not been established that [applicants] only wish to use the right of access for a purpose other than checking whether the personal data are processed correctly and lawfully.

4.8.
The request to transfer personal data in a certain format stems from the wish of [applicants] to have this data entered directly in a WHO database for analysis with the aim of improving the negotiating position of platform workers. Recital 68 of the GDPR states that the right to data portability serves to strengthen the data subject's control over their own data. In the Guidelines on the right to data portability 6it has been established that the purpose of this right is to strengthen the position of the data subject with regard to his own personal data and to give the data subject greater control over his data. It allows the data subject to easily move, copy or transfer personal data from one IT environment to another, without being hindered and regardless of whether they are their own systems, the systems of trusted third parties or those of new controllers. Ola rightly argues that an important aim of this right is to facilitate switching to another service provider and to prevent a so-called ' user lock-in'.'with the original controller. However, this does not mean that the intended purpose of [applicants] - analysis of their own personal data or use for their own purposes - is excluded from the right to data portability. There is no support for this in the development history of the GDPR , the considerations of the GDPR itself and the Guidelines. The appeal to abuse of the right to data portability is therefore rejected.

The request for access to personal data

4.9.
The access request is based on Article 15 paragraph 1 AVG . Pursuant to this article, the person whose personal data are processed has the right to obtain from the controller a decision whether or not to process personal data concerning him or not and, where that is the case, to inspect those personal data and from (under more) the purposes of the processing, the categories of personal data concerned, the recipients or categories of recipients to whom the personal data have been or will be disclosed and the period during which the personal data are expected to be stored, or the criteria for determining that period.

4.10.
The purpose of Article 15 of the GDPR is to enable the data subject to become aware of the personal data that has been collected about him and to check whether that data is correct and has been processed lawfully (see recital 63 GDPR ). The GDPR is the successor to the Personal Data Directive 7 , as implemented in the Wbp 8 . The right of access was previously laid down in Article 12 of the Personal Data Directive. There are no indications that under the GDPR the objective and scope of this right of access has changed compared to the Personal Data Directive. The court will for the interpretation of the Article 15 GDPR regular access to access should therefore seek alignment with the rulings of the Court of Justice of the European Union (CJEU) and the Supreme Court on the right of access under the Personal Data Directive and the Wbp.

4.11.
The right of access is limited to personal data. The explanation of the term 'personal data' is therefore decisive for the scope of the right of access. Based on article 4 under 1 GDPRPersonal data is 'all information about an identified or identifiable natural person'. The CJEU gives a broad explanation of the term 'personal data'. The CJEU has considered that the concept of personal data is not limited to sensitive or personal information but potentially extends to any kind of information, both objective and subjective information in the form of opinions or assessments, provided that this information concerns the data subject. The latter condition is fulfilled when the information is linked to a specific person because of its content, purpose or effect and with which that person is reasonably identifiable to another person (CJEU 20 December 2017, ECLI: EU: C: 2017: 994, [party ]).

4.12.
Furthermore, relevant for the assessment of the request is the judgment of the CJEU of 17 July 2014 (ECLI: EU: C: 2014: 2081, IND). In this case, the CJEU - in brief - considered that a legal analysis may contain personal data, but the legal analysis itself cannot be qualified as personal data within the meaning of Article 2 under a of the Personal Data Directive. Unlike the data that can form the factual basis for the legal analysis, the analysis itself cannot be checked for accuracy by the data subject and corrected. In its judgment of 16 March 2018 (ECLI: NL: HR: 2018: 365), the Supreme Court - with reference to the considerations of the CJEU in this judgment - considered that the Personal Data Directive implemented by the Wbp, enables the data subject to verify that his / her personal data are accurate and have been lawfully processed, in order to protect the data subject's right to respect for his / her privacy. This check can then lead to rectification, erasure or blocking of the data.

In addition, the right of access does not extend to (parts of) internal notes that contain the personal thoughts and / or opinions of employees of the controller or third parties and that are exclusively intended for internal consultation and deliberation (three judgments from HR 29 June 2007: ECLI : NL: HR: 2007: AZ4663, AZ4664 and BA3529).

4.13.
The controller (in this case Ola) can refuse access if this is necessary for the protection of the rights and freedoms of others (article 15 paragraph 4 AVG and Article 41 paragraph 1 sub i UAVG 9 ). It follows from legal history that the controller himself is also understood to be 'others' in this context. This provision contains an exception to conferred rights and must therefore be interpreted restrictively. Whether in a specific case there is such a ground that should lead to a limitation or rejection of the application must be decided by the court after weighing up all the interests involved. When invoking this exception provision, the obligation to provide information rests in principle on the controller (in this case Ola).

4.14.
In principle, the right of access under the GDPR is unconditional. Under certain circumstances, further requirements may be imposed on a request for access (cf. AG Wuisman's conclusion before Supreme Court 25 March 2016, ECLI: NL: PHR: 2016: 1 and Supreme Court 25 March 2016, ECLI: NL: HR: 2016: 508 ). Where a controller processes a large amount of data concerning the data subject, he should be able to request the data subject, prior to the provision of the information, to specify which information or which processing activities the request relates to (recital 63 of the GDPR ).

4.15.
Applying the aforementioned principles, the court assesses the request for access by [applicants] as follows.

The general request

4.16.
[Applicants] wish to inspect all personal data relating to them that Ola processes. The [applicants] take the position that they do not need to explain this request in more detail, because Ola must offer full transparency in the personal data it processes on the basis of Article 5 (1) (a) of the GDPR .

4.17.
This article provides that personal data must be processed in a manner that is transparent with regard to the data subject. Recital 39 of the GDPR states that the principle of transparency concerns in particular informing data subjects about the identity of the controller and the purposes of the processing, as well as further information to ensure fair and transparent processing in relation to natural persons concerned and their right to receive confirmation and notification of their personal data being processed. In the given circumstances, it is not enough for [applicants] to rely on the principle of transparency. Ola is allowed in accordance with Recital 63 of the GDPRask for a specification of the personal data that [applicants] wish to receive, because it processes a large amount of data. In addition, Ola has already provided a large number of personal data to [applicants]. In view of this, it would have been for [the applicants] to specify in more detail which information or processing activities of Ola are still related to the request. They have insufficiently done this. As a result, the request of [applicants] for access to all personal data that Ola of [applicants] processes is too general and so not specific that it is rejected as insufficient.

4.18.
[Applicants] have included in their speech notes for the oral hearing a table with a number of data in which they request access. There is no explanation of these data. As a result, the court cannot determine whether it concerns personal data within the meaning of Article 4 under 1 GDPR . Moreover, Ola has not been able to defend itself adequately against the request for access to these data, which is contrary to due process. The court will therefore disregard the data mentioned in the table.

4.19.
After this, the request for access will be assessed in specifically mentioned categories of personal data. These categories are mentioned in Ola's privacy statement and the document 'How we process your data'. For each category it will be assessed whether Ola rightly refuses to grant access to the requested data, because this is necessary for the protection of the rights and freedoms of passengers or Ola herself (Article 15 (4) GDPRand article 41 paragraph 1 sub i UAVG). Contrary to what [the applicants] argue, it cannot be said that they generally have the right to access passenger data because of the contractual relationship between the driver and the passenger. Apart from the fact that any contractual obligation of a passenger towards a driver cannot be invoked towards Ola, Ola must also respect the privacy rights of the passenger when providing information to [applicants].

Customer transactions, booking cancellation history and booking acceptance history

4.20.
According to [applicants], Ola did not provide adequate access to the categories 'customer transactions, booking cancellation history and booking acceptance history', because access to the 'driver ID, unique trip ID, timestamp for start & finish, GPS for start & finish' and 'upfront pricing' are missing. Furthermore, the datasets received by [applicants] differ. They wish to receive at least the following data: 'dispatch record, jobs offered, time of offer, time of driver acceptance / rejection, passenger cancellation, driver cancellation, completion, time out of offer'.

4.21.
Ola argues that a driver can view the requested data in the Ola Driver App. With regard to customer transactions, a driver can view financial information in the Ola Driver App, but passenger details are not provided to protect the passenger's privacy rights.

4.22.
[Applicants] have insufficiently disputed that the requested personal data can be viewed and downloaded via the Ola Driver App. In this state of affairs, the court assumes that [applicants] have access to the requested personal data. Ola does not have to provide the details of the passengers who have made transactions with the driver. These data are not relevant for the assessment by [applicants] of the lawfulness of the processing, while information about the person who carried out the transaction may adversely affect the (privacy) rights of this person. This part of the request will therefore be rejected.


Ratings

4.23.
[Applicants] wish to inspect the 'rating history' and the ratings given by individual passengers. According to [the applicants], these data determine the quantity and quality of the journeys offered to them and poor ratings can lead to the deactivation of drivers' accounts. [Applicants] argue that the risk of passenger identification when this data is provided is minimal, because drivers do not have directly identifying passenger data. As a result, the rating data cannot be linked to an individual traceable person, according to [applicants]

4.24.
Ola argues that a driver can view his current rating based on the ratings given by passengers in the Ola Driver App. It further argues that it cannot provide individual ratings given by passengers in order to protect the (privacy) rights of passengers. In addition, according to Ola, a rating is a given that does not qualify for correction, so that a rating does not fall under the scope of the right of inspection.

4.25.
Contrary to what Ola argues, a rating or assessment of a driver is personal data within the meaning of Article 4 under 1 GDPR, because this is information that is associated with a particular person because of its content, and that person is reasonably identifiable therewith to another. This means that Ola must provide access to the requested rating data insofar as this data cannot be viewed in the Ola Driver App. However, Ola must observe the (privacy) rights of passengers when providing the requested information. Ola must ensure that the data cannot be traced back to the passenger who has given the rating, for example by providing this data in an anonymous form. After all, who has given the rating is irrelevant, while information about the person who has given the rating may infringe the (privacy) rights of this person.


GPS data

4.26.
[applicants] request access to the complete GPS data of each trip. They argue that they only received the GPS data of the start and end of the journeys they carried out in a certain period, while Ola has the full GPS data. Furthermore, the GPS data are not provided with date and time, as a result of which the data provided is incomprehensible to [applicants]. Access to GPS data is essential for [applicants] in order to be able to analyze how much time is spent on journeys and unpaid kilometers. The rate is also determined on the basis of GPS data.

4.27.
Ola argues that access to the full GPS data of each trip is not necessary to be able to check whether the processing of that data is correct. It provided [applicants] with tables in which the location data and other relevant journey information are included. In doing so, Ola has fulfilled its obligation by providing an overview of the processed data in an understandable form. With the information provided, [applicants] must be able to verify the lawfulness of the processing. Furthermore, (raw) GPS data are not eligible for correction as referred to in the IND judgment. In addition, [applicants] have access to their driving history in the Ola Driver App and Ola has given access to the times when [applicants] are 'on-duty' or 'off-duty'have reported. On the basis of the information obtained, [applicants] can analyze how much time they spent on journeys and on unpaid kilometers. If Ola had to provide more information, the interests of others would be at stake, according to Ola.

4.28.
Location data can be qualified as personal data (see article 4 part 1 GDPR). After all, these data can be traced back to a person, especially if these data are combined with other data. This is also not in dispute between the parties. As with the previously discussed category of rating data, it also applies here that for the assessment of the lawfulness of the data processing it is not relevant which passenger was transported, while information about the passenger may infringe the (privacy) rights of this person. Ola therefore does not have to provide access to the location and movement data of passengers to prevent this data from being traceable to the passenger. It further follows from the information provided by Ola to [applicants] that [applicants] obtained access to the date and time of the journey, the start and end location of the journey, the distance of the journey and the price of the journey. Partly in view of the fact that [the applicants] have access to their ride history via the Ola Driver App, [the applicants] have not sufficiently explained in detail what other information they wish to view. In addition, they did not substantiate Ola's assertion that GPS data do not qualify for correction. This part of the request will therefore be rejected.


Device data

4.29.
[Applicants] argue that Ola has not provided full access to 'device data'. This data is important because it includes 'in app messages' and location data.

4.30.
Ola argues that it has already provided access to location data (see above under 4.27). It also provided the processed data from mobile devices and other peripheral equipment of the [applicants]. It processes technical information about a driver's mobile phone and battery status in order to provide services. According to Ola, this information only applies to the device and cannot be classified as personal data, so that she does not have to provide that information.

4.31.
In section 4.28 it has already been considered that Ola does not need to provide further access to the location data. What [applicants] mean by 'in app messages' has not been explained. Now that [the applicants] argue that data on 'device data' is missing, it would have been their way to further specify the missing data (see 4.17 above). Failure to do so makes this part of the request too general and will therefore be rejected.

The request for information about automated decision-making and profiling

4.32.
[Applicants] request access to the existence of automated decision-making and profiling on the basis of Article 15 paragraph 1 opening lines and under h GDPR . This article provides that the data subject has the right to obtain from the controller an information about the existence of automated decision-making, including profiling, and, at least in those cases, useful information about the underlying logic, as well as the importance and expected consequences. of that processing for the data subject.

4.33.
The parties differ on the scope of the right of access with regard to automated decision-making and profiling. The rights and obligations included in the GDPR concern different categories of automated processing of personal data. The following categories are identified in the Guidelines on automated individual decision-making and profiling 10 :

-
general profiling without decision-making;

-
decision-making based on profiling that is not exclusively automated;

-
exclusively automated decision-making, including profiling, which has legal consequences or which otherwise significantly affects the data subject.

4.34.
In all cases, the controller must provide data subjects with concise, transparent, comprehensible and easily accessible information about the processing of their personal data pursuant to Article 12 (1) of the GDPR .

Profiling

4.35.
In Article 4 part 4 GDPR , profiling is defined as any form of automated processing of personal data in which certain personal aspects of a person are evaluated on the basis of personal data, in particular with regard to his professional performance, economic situation, health, personal preferences, interests, analyze or predict reliability, behavior, location or movements.

4.36.
A data subject must be informed of the existence of profiling and its consequences (recital 60 of the GDPR ). Article 15 GDPR gives the data subject the right to obtain information about any personal data used for profiling, including the categories of data used to create a profile. Pursuant to Article 15 (3) GDPR , the controller is obliged to provide the data used as input to create the profile. In addition, he must provide access to information about the profile and data about the segments into which the data subject is classified. This right may not prejudice the rights and freedoms of others (Article 15, paragraph 4GDPR ). This includes the business secret or intellectual property and in particular the copyright that protects the underlying software (recital 63 GDPR ).

Automated decision-making

4.37.
Pursuant to Article 22 GDPR , [applicants] have the right, subject to a number of exceptions, not to be subject to a decision based solely on automated processing or profiling, which has legal consequences for them or which otherwise significantly affects them. A decision based solely on automated processing exists if there is no meaningful human intervention in the decision-making process.

4.38.
The Guidelines state that the threshold for “significant extent” should be comparable to the extent to which the data subject is affected by a decision that has legal effect. According to the Guidelines, data processing affects someone significantly when the effects of the processing are large or significant enough to merit attention. The decision must have the potential to significantly affect the circumstances, behavior or choices of the individuals involved; have a long-term or permanent effect on the data subject; or, in extreme cases, lead to the exclusion or discrimination of persons. In recital 71 GDPR cited as examples of automated decision-making: automatic refusal of a credit application submitted online or processing of applications via the Internet without human intervention.

4.39.
Automated decision-making is permitted, among other things, if the decision in question is necessary for the conclusion or performance of an agreement between the data subject and a controller or is based on the express consent of the data subject (Article 22, paragraph 2, opening words and under a and c GDPR ). In that case, the controller must still take appropriate measures, including at least the right to human intervention, the right of the data subject to make his point of view known and the right to challenge the decision (Article 22 (3) GDPR and recital 71 GDPR ).

4.40.
Automated decision-making in the context of an agreement or on the basis of consent is about transparency about the extent to which automated decision-making plays a role in the implementation of the agreement. The data subject must be aware of the possible use of automated decision-making and profiling when entering into the agreement. 11

4.41.
Article 15, paragraph 1, opening words and under h of the GDPR obliges the controller to provide 'useful information about the underlying logic, as well as the importance and expected consequences of the processing'. These terms are not defined in the GDPR. The Guidelines state that the point is that the data subject can understand the underlying idea of ​​the decision or on the basis of which criteria that decision was taken. The concepts of 'interest' and 'expected consequences' indicate that information must be provided about the intended or future processing and about how the automated decision-making could affect the data subject. With due observance of the explanation in the Guidelines, the court understands by 'useful information about the underlying logic' that the main assessment criteria and their role are communicated to the data subject in the automated decision, so that he can understand on the basis of which criteria that decision is has been taken and is able to verify the correctness and lawfulness of the data processing.

4.42.
Applying the aforementioned principles, the court assesses the request of [applicants] as follows.

4.43.
There is (rightly) no dispute between the parties that Ola is entitled to use automated decision-making and profiling insofar as this is necessary for the execution of the agreement between Ola and [applicants]. Furthermore, it is not in dispute that Ola uses personal data. to make automated decisions. In the document 'How we process your data', Ola explained in which decisions she uses automated decision-making and profiling and which (personal) data she uses for this. [Applicants] argue that the information provided by Ola is incomplete. According to [applicants], information about automated decision-making and profiling that Ola uses in the processes mentioned below is lacking.

Fraud probability score

4.44.
[Applicants] take the position that the 'fraud probality score' is a form of profiling within the meaning of Article 4 part 4 GDPR . Ola argues that the 'fraud probability score' is an internal data that is used to enforce rules and agreements, which Ola does not have to provide access to. The score is an estimate of the likelihood that a data subject will act fraudulently. According to Ola, information about the score falls outside the scope of the right of access in accordance with the reasoning of the IND judgment. To the extent that the information requested does fall under the access law, Ola relies on the exception in Article 15 paragraph 4 AVG and Article 41 paragraph 1 sub i UAVG protection (integrity), its services and its enforcement.

4.45.
Application of the 'fraud probability score' constitutes profiling within the meaning of Article 4, part 4, of the GDPR . After all, automated processing of the personal data of [applicants] creates a risk profile with which a prediction is made about their behavior and reliability. However, [the applicants] have not asserted, nor has it been shown, that automated decisions have been taken with regard to them on the basis of this risk profile. The court therefore assumes that there is no automated decision-making within the meaning of Article 22 GDPR. This does not detract from the fact that Ola must provide access to the personal data of [applicants] that it used to draw up the risk profile and must provide information about the segments into which [applicants] have been classified, so that [applicants] can check whether those data are correct. (see above under 4.36).

4.46.
Ola's appeal to the exception of paragraph 4 of Article 15 GDPR is unsuccessful. Ola should have stated on the basis of what important interest it refuses access to the personal data and why that interest outweighs the right of [applicants] to access the requested data. Ola has insufficiently done this. It has not made it clear to what extent providing access to the processed personal data offers [applicants] insight into its working method and enforcement policy and the system it uses for this purpose, which would allow [applicants] to circumvent certain security measures.

Earning profile

4.47.
According to Ola, the 'earning profile' is a profile (aspect) that is based on a combination of different parameters, such as turnover, attendance, the number of hours a driver is logged in per day and the score. Based on this, Ola can give bonuses to certain drivers.

4.47.
Although the possibility of obtaining a bonus will have some influence on the driver's behavior, there has been no evidence of legal or significant effect as referred to in the Guidelines. Article 22 (1) GDPR is therefore not applicable. In general, however, it must be assumed that the application of a bonus system involves processing of personal data if the purpose thereof is to take decisions with regard to one person, namely whether or not to award a bonus. Furthermore, there is profiling within the meaning of article 4 part 4 GDPR, because the driver's professional performance is evaluated. This means that Ola must allow access to the personal data of [applicants] that it used to draw up the profile and provide information about the segments into which [applicants] have been classified, so that [applicants] can check whether those data are correct ( see above under 4.36).


Guardian

4.48.
Ola uses the Guardian system to detect irregularities. With this system, Ola monitors journeys to promote the safety of drivers and passengers. Ola has explained the operation of this system as follows. If a passenger is dropped off earlier or there is an unannounced interim stop, an employee will contact the passenger and sometimes the driver to verify that everything is in order. No automatic decision is taken if the system detects an irregularity and the decision has no legal or other significant consequences. That is why, according to Ola, there is no automated decision-making within the meaning of Article 22 paragraph 1 GDPR .

4.49.
[Applicants] contest the explanation of the system provided by Ola. According to [applicants], it follows from a press release that the system is based on artificial intelligence and machine learning. In the opinion of the court, this does not yet mean that there is an automated decision-making process as referred to in Article 22 paragraph 1 GDPR . Moreover, this requires that there are also legal consequences or that [applicants] are otherwise significantly affected by the automated decision. There is no explanation on this point. The court therefore assumes that there is no automated decision-making within the meaning of Article 22 paragraph 1 GDPR . Now article 15 paragraph 1 under h GDPRrelates only to such decisions, this part of the request is rejected. Ola must, however, provide access to the personal data of [applicants] that have been processed by the Guardian system.

Assigning rides

4.50.
It has been established between the parties that the decision to allocate a ride to a driver is taken automatically via Ola's matching system. Ola rightly argues that such a decision does not fall under the scope of Article 22 GDPR . Although it is obvious that this decision will have some influence on the performance of the agreement between Ola and the driver, it has not been found that there is a legal consequence or a significant effect as referred to in the Guidelines. Now article 15, paragraph 1, opening words and under h GDPRrelates only to such decisions, this part of the request is rejected. Ola has provided information about the personal data processed by the matching system in the document 'How we process your data'. That information is sufficient. There is no ground to oblige Ola to provide more or different information about this system.

Imposing discounts and fines

4.51.
The foregoing is different with regard to Ola's automated decision-making process that determines that rides are not valid and that consequently imposes discounts or fines ('penalties and deductions'). It follows from Ola's explanation of this decision-making process that no human intervention takes place prior to such a decision. Contrary to what Ola argues, the decision to impose a discount or fine has effects that are important enough to merit attention and that significantly affect the behavior or choices of the person concerned as referred to in the Guidelines. After all, such a decision leads to a sanction that affects the rights of [applicants] under the agreement with Ola. This means that Ola is prohibited from subjecting [applicants] to such decision-making, unless this is necessary for the performance of the agreement between Ola and [applicants], or Ola has obtained explicit permission from [applicants] for this. However, Ola has not stated, nor has it been shown that this is the case. The court therefore assumes that an exception to the prohibition as referred to in article 22, paragraph 2GDPR does not occur. This means that it is not possible to answer the question whether Ola has taken appropriate safeguards within the meaning of paragraph 3 of Article 22 GDPR .

4.52.
The foregoing means that Ola must provide [applicants] with information that makes the choices made, data used and assumptions on the basis of which the automated decision is made transparent and verifiable. Ola must communicate the main assessment criteria and their role in the automated decision to [applicants], so that they can understand the criteria on the basis of which the decisions were taken and they are able to check the correctness and lawfulness of the data processing (see above under 4.41).


Processing purposes and transfer to a third country outside the European Union

4.53.
Furthermore, the [applicants] request access to the processing purposes of the personal data, the categories of personal data concerned, the recipients to whom the personal data have been disclosed, the retention period for the personal data and, if personal data is transferred to recipients in third countries, which appropriate guarantees Ola has taken for this in accordance with Article 46 GDPR (see Article 15, paragraph 1, opening words and under a, b, c and d and paragraph 2 of the GDPR ).

4.54.
Ola has provided further information on these subjects in her privacy statement, her response to the requests for access by [applicants] and in her defense. [applicants] no longer responded to this. The court therefore assumes that this part of the request for access has been adequately answered.


The request to transfer data

4.55.
Finally, [applicants] request that Ola be ordered to provide them with the data concerning them, insofar as they fall within the scope of Article 20 GDPR , in the form of a CSV file, or by means of an API or a TTP so that the data can be transferred to the WHO database.

4.56.
Ola argues that this request should be rejected because it is insufficiently determined and therefore does not meet the requirements of Article 278 DCCP. It further argues that Article 20 GDPR does not prescribe the provision of data in a CSV file or by means of an API, but only a format that is 'machine-readable'. In addition, she argues that the request should be rejected because she has already provided the information falling under the limited scope of the right to data portability to [applicants]. Finally, she relies on the protection of the rights and freedoms of others , including passengers and Ola herself (Article 20 (4) GDPR ).

4.57.
Pursuant to Article 20 GDPR , the data subject has the right to obtain the personal data that he has provided to a controller in a structured, commonly used and machine-readable format from the controller and to transmit it without hindrance. Data processing that falls under the right to data portability must be based on the consent of the data subject or on an agreement to which the data subject is a party and must be automated. The personal data to be included are (i) personal data about the data subject and (ii) data provided by the data subject to a controller. The right to data portability should be without prejudice to the rights and freedoms of others.

4.58.
It follows from recital 68 of the GDPR that the format in which this data is provided must allow for the interoperability of the data, that is, that this data can be exchanged between different ICT systems.

According to the Guidelines, the format must be interpretable and provide the data subject with the greatest possible degree of data portability. If no specific formats are common within a particular industry, common public formats, such as XML, JSON and CSV, can be assumed. Machine-readable in recital 21 of Directive 2013/37 / EU 12 means a file format structured in such a way that software applications can easily identify, recognize and extract specific data, including individual factual statements.

4.59.
The court concludes on the basis of the above considerations that Article 20 GDPR does not automatically imply an obligation to provide the personal data in a CSV file or by means of an API. It does not follow from the assertions of [applicants] that Ola provided the personal data concerning them in a format that makes it impossible to transmit these data to another controller.

4.60.
Furthermore, as with the previously discussed request for access (see above under 4.17), it is also the case here that Ola has already provided personal data and [applicants] have insufficiently specified which further personal data the request relates to. The request to order Ola to provide all personal data that falls within the scope of Article 20 GDPR is too general and so not specific that it must be rejected as insufficiently determined.

4.61.
Ola's other defenses against the request for the transfer of personal data, including the defense that [applicant 3] is inadmissible because he did not make a request to do so prior to these proceedings, no longer need to be discussed.

Conclusion

4.62.
The foregoing means that Ola must provide access to the (personal) data referred to above under 4.25, 4.45, 4.47, 4.49 and 4.52. In order to give Ola sufficient time for this, the period within which Ola must provide this information will be set at two months after notification of this decision. For the rest, the requests will be rejected.

Penalty

4.63.
The requested penalty will be rejected. For the time being, the trust is justified that Ola will voluntarily comply with the inspection order and will endeavor to provide the relevant personal data. After all, Ola has previously provided partial access to personal data.

Process costs

4.64.
Each of the parties has been (un) right on some point. Therefore, the litigation costs will be compensated.

5The decision
The court

5.1.
recommends Ola to provide the [Applicants] with a copy or inspection of the (personal) data referred to above under 4.25, 4.45, 4.47, 4.49 and 4.52 within two months after notification of this decision, in the manner stated therein,

5.2.
declares this decision provisionally enforceable so far,

5.3.
compensates the legal costs between the parties, in the sense that each party bears its own costs;

5.4.
rejects the more or different requested.

This decision was issued by mr. OJ van Leeuwen, mr. MCH Broesterhuizen and mr. MLS Kalff, judges, assisted by mr. ZS Lintvelt, registrar, and pronounced in public on 11 March 2021.

1Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC ( hereinafter: GDPR ).

2Regulation (EU) No 1215/2012 of the European Parliament and of the Council of 12 December 2012 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters (recast), OJ 2012, L 351/1 (hereinafter: Brussels I bis Regulation).

3Code of Civil Procedure (Rv).

4Regulation (EC) No 593/2008 of the European Parliament and of the Council of 17 June 2008 on the law applicable to contractual obligations (Rome I (https://www.navigator.nl/document/openCitation/id5aba9745150ee0c2ddda46a806a77ad5 )), PbEG 2008, L 177/6.

5Civil Code.

6Guidelines on the right to data portability of the Data Protection Working Party Article 29, April 5, 2017, WP 242 rev. 01 (hereinafter: Guidelines). This group, now called the European Data Protection Board, consists of representatives of the national data protection regulators.

7Directive 95/46 / EC of the European Parliament and of the Council of 24 October 1995 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, also known as the Privacy Directive.

8Personal Data Protection Act (Wbp).

9General Data Protection Regulation Implementation Act.

10Guidelines on automated individual decision-making and profiling for the purposes of Regulation (EU) 2016/679 of the Article 29 Working Party on Data Protection, 3 October 2017, last amended on 6 February 2018 (hereinafter: Guidelines).

11Explanatory Memorandum to UAVG, TK 2017-2018, 34 851, no. 3, p. 46.

12Directive 2013/37 / EU of the European Parliament and of the Council of 26 June 2013 amending Directive 2003/98 / EC on the re-use of public sector information.