Authorities launched an investigation after a French Uber driver sent a complaint to the French privacy protection agency CNIL. As Uber BV is incorporated in the Netherlands, the CNIL transferred the handling of complaints to the Dutch Data Protection Authority.
The main complaints of drivers were, among others:
- There was a lack of transparency and appropriate disclosure regarding the retention period of personal information.
- Information request forms are hidden in various places on the website and cannot be accessed.
- The company did not disclose to which countries outside the EEA it would transfer personal information.
Data subject rights
Around the world, and particularly in Europe, data subjects have the right to know how their personal information is used. Because this is an important right, regulators expect companies to have clear privacy policies and publish them in an easily accessible format.
Your privacy policy must include the following:
- Types of personal or sensitive information about data subjects that will be collected and the purpose for which the information is collected.
- How long the personal data of the data subject will be stored and the reasons for storing the personal data.
- How data subjects can submit requests to exercise their rights under privacy laws (for example, a request to delete all information collected about a data subject), and the provision of a clear and accessible designated request form.
- Information about the transfer of personal information between countries/continents (if any) and what technical data security measures are in place to protect the information transferred between countries/continents;
Companies that receive requests for privacy protection or the exercise of rights regarding personal information must also respond appropriately within the deadline set by law.
[View source.]
