The Privacy Guarantor fined Uber a total of 4,240,000 euros. The private transport company received two fines of 2,120,000 euros each for violating the rules on data processing with respect to over one and a half million Italian users, including drivers and passengers.
Inadequate privacy information, processing of data without consent and failure to notify the Authority for the protection of personal data: these are the violations the Guarantor found against both the Dutch Uber B.V., which owns the technology that makes the Uber app work, and Uber Technologies, the San Francisco-based parent company. Both were fined as data controllers and are therefore responsible for the violations of the Privacy Code committed against Italian users.
The investigations into the companies began after a data breach suffered by Uber in 2017. The cyber attack took place before the European regulation on the protection of personal data (GDPR) became fully applicable and involved the data of about 57 million users around the world. The personal information stolen from Uber included the personal and contact details of users and staff (such as telephone number, first name, surname and email), app login credentials, location data and relationships with other users.
In the checks carried out after the data breach was reported, the Guarantor found that Uber's privacy notice on data processing was "formulated in a generic and approximate manner", with "unclear and incomplete information" that was "not easy to understand". The notice specified neither the purposes of the data processing, nor whether users were obliged to provide their data, nor what the consequences of any refusal would be.
Furthermore, references to users' rights were vague and incomplete, and without having obtained valid and clear consent, Uber processed the data of approximately 2 million passengers, profiling them on the basis of the so-called "risk of fraud" and assigning them qualitative judgments and numerical parameters. Finally, the multinational did not comply with the obligation to notify the Authority of the processing of geolocation data.