Uber: Italian SA finds breaches of the law on information and consent....
Uber: Italian SA finds breaches of the law on information and consent. Separate fining procedure started
From the newsletter of the Italian supervisory authority - Garante per la protezione dei dati personali
Uber: Italian SA finds breaches of the law on information and consent
Separate fining procedure started
An incomplete information notice, lack of valid consent to process the data, no information on user geo-location - these are the violations found by the Italian SA (Garante per la protezione dei dati personali) regarding Uber. A separate fining procedure is about to start and the case will be brought to the attention of the other EU SAs.
The Italian Garante had started investigating Uber in 2017 immediately the US headquarters of the company had reported an IT attack affecting the personal data of millions of people – including a considerable number of Italians.
The inspections carried out at the company’s Italian establishment to assess the national impact of that data breach highlighted several flaws in the processing of user data in Italy. Firstly, the privacy notice was incorrect and incomplete; for instance, contrary to the information provided in the notice, the data controller is not just Uber B.V. - a company incorporated under Dutch law - as the US parent company (Uber Technologies Inc.) has a say in deciding about the services available in Europe. Moreover, there were not enough details on the purposes of the processing and the data subjects’ rights were not spelled out; actually, it was unclear whether users were obliged or not to provide their personal data and what would happen if they withheld them. The Garante found that the company had processed passengers’ data without a valid consent in order to profile them on the basis of a fraud risk index.
Finally, the company did not comply with the obligation to notify the Garante of the processing carried out for geo-location purposes, which was set out in the law prior to the entry into force of the new EU GDPR (General Data Protection Regulation).
The Garante is about to start a separate fining procedure on the basis of the administrative breaches found following the inspection.
A copy of the decision by the Garante will also be forwarded to the Dutch SA, being the lead supervisory authority out of the EU SAs for the cross-border processing operations by Uber, in order to check whether the processing carried out by Uber currently is compliant with the GDPR.