Bolt – Complaint Upheld (Estonia, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Bolt's app did not let a user change their phone number and failed to respond to their request for correction. This is important because it shows that companies must allow users to manage their personal information effectively.
What happened
A user of the Bolt app could not change their registered phone number and did not receive a timely response to their request.
Who was affected
A user of the Bolt app who wanted to update their phone number.
What the authority found
The authority upheld the complaint, stating that Bolt did not respond quickly enough to the user's request and lacked proper security measures.
Why this matters
This case highlights the need for companies to have user-friendly systems for managing personal data. Website operators should ensure they can respond to user requests efficiently.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
A data subject was a user of the Bolt app. They tried to change the phone number used, but the app didn’t provide for such a functionality. The data subject contacted the provider of the Bolt app (the controller) by sending emails asking for correction of their phone number in accordance with Article 16 GDPR. The controller didn’t reply. The data subject, represented by noby, lodged a complaint with the Austrian DPA (DSB), who forwarded the case to the Estonian DPA (AKI). During the proceedings, the controller stated that the user’s phone number served as a unique ID within the app’s system. Consequently, it was impossible to change the phone number used when first registering. The only available option was to delete the account and create a new one. In response, the DPA suggested to the controller it might update its system to allow for users changing their phone number in the app. Moreover, the DPA suggested the controller might answer the data subject’s request. As advised by the DPA, the controller updated the software and notified the DPA in August 2023. Also, the controller answered the requests of the data subject. The DPA upheld the complaint. The controller failed to reply to rectification request without undue delay, according to Article 12(3) GDPR. Eventually, the request was answerer but only after the DPA’s suggestion. However, as pointed out by the DPA, also during the proceedings the controller delayed to respond to the data subject. Furthermore, the controller didn’t implement appropriate organisational and technical measures under Article 32(1) GDPR in conjunction with Article 24(1) GDPR to ensure the confidentiality of personal data. In particular, the controller didn’t envisage measures to prevent third-parties from unauthorised access to personal data of other users. That was possible when the owner of the phone number assigned to the account changed in the meantime since the new owner could then access the account created by the previous
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for Bolt in EE
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Bolt - Estonia (2024). Retrieved from cookiefines.eu
Last updated: