Uber B.V. – €4,240,000 Fine (Italy, 2022)

The Italian DPA launched an investigation into Uber B.V., with registered office in Amsterdam, and Uber Technologies Inc., with registered office in San Francisco, after the US parent company made public a data breach in 2017. The DPA found that the Dutch company Uber BV and the US company Uber Technologies were joint controllers, each responsible for violating the Italian Privacy Code (the Italian implementation of EU Directive 95/46/EC) against data subjects in Italy. During their inspections carried out at Uber Italy srl, the DPA found several violations, including inadequate privacy notice, personal data processed without consent and failure to notify the DPA about the data breach. The security incident, which occurred before the GDPR came into effect, involved the data of around 57 million data subjects worldwide, and had been sanctioned by the Dutch and British DPA on the basis of their respective national regulations. The personal data processed by Uber concerned personal and contact data (name, surname, telephone number, and e-mail), access credentials to the app, location data (those that appeared at the time of registration), and relations with other data subjects (sharing trips, introducing friends, profiling information). The controllers had also, without having obtained valid consent, processed the data of approximately 1,379,000 data subjects by profiling them on the basis of the so-called 'fraud risk', assigning them a qualitative rating (e.g., 'low') and a numerical parameter (from 1 to 100). Finally, the controllers had not complied with the obligation to notify the DPA of the processing of personal data for geolocation purposes, as required by the legislation in force before the GDPR came into effect. The DPA found violations related in particular to the inadequate privacy notice provided to data subjects (insofar as it lacks an indication of joint ownership of the processing) and 'formulated in a generic and approximate manner' with 'unclear a