Cityscoot – €125,000 Fine (France, 2023)
Cityscoot, a company that rents electric scooters, was fined €125,000 for placing cookies on users' devices without their permission. This matters because it shows that companies must get consent before tracking users online. Website operators should ensure they have clear consent practices for cookies to avoid similar penalties.
What happened
Cityscoot placed cookies on users' devices before obtaining their consent.
Who was affected
Visitors to Cityscoot's website who had their browsing tracked by cookies.
What the authority found
The French data protection authority ruled that Cityscoot violated GDPR by not obtaining valid consent for cookie placement.
Why this matters
This case highlights the importance of obtaining user consent for tracking technologies. Companies should review their cookie consent practices to comply with regulations.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
National Law Articles
The controller is Cityscoot, a company that rents out shared electric scooters via a mobile application. The controller operated cross-border processing operations but its main establishment was in France. In accordance with Article 56, the CNIL was therefore competent.
For each purpose, the controller justified why it was necessary to collect location data every 30 seconds. For traffic offences, the collection was necessary to prove the driver's identity and for insurance purposes. It also argued that this could be useful for checking whether a scooter was actually at the location where an offence was recorded, in case of potential disputes. For the purpose of handling customer complaints, the company argued that the collection of data every 30 seconds was necessary as the service is charged by the minute. It considered that this collection could be useful for complaints about overcharging due to an error in stopping the rental, parking in areas where parking is prohibited, or loss of contact with the app, because it made it possible to check how long a scooter was stopped. Regarding the purpose of managing theft during rentals, the controller explained that the collected location data was not necessarily cross-referenced with the user's data and was therefore not personal data. However, it did not indicate how many scooters were found thanks to the collection of geolocation data. With regard to accident management, the company argued that the collection of geolocation data every 30 seconds was necessary for reporting and insurance purposes and for providing assistance to the driver involved.
In May 2020, the CNIL organised an investigation of the controller's website and mobile app. This investigation mainly highlighted three points. First, the company's scooters were equipped with electronic boxes containing a SIM card and a GPS geo-location system. This allowed location data to be collected every 30 seconds when the scooter was active and every 15 minutes when it was not. This data was collected
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Cityscoot in FR
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
16 March 2023
Authority
Commission Nationale de l'Informatique et des Libertés
Fine Amount
€125,000
GDPRhub ID
gdprhub-5782
About this data
Cite as: Cookie Fines. Cityscoot - France (2023). Retrieved from cookiefines.eu