Uber B.V. – €290,000,000 Fine (Netherlands, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Uber B.V. was fined EUR 290 million for not protecting the personal data of drivers in Europe when transferring it to the US. This is significant because it shows that companies must ensure strong privacy protections when handling personal data across borders. Small businesses should be careful about how they manage and transfer user data.
What happened
Uber B.V. transferred personal data of European drivers to the USA without adequate privacy safeguards.
Who was affected
European drivers who use the Uber app were affected by this data transfer.
What the authority found
The Dutch authority ruled that Uber did not have sufficient protections in place for transferring personal data to the US, violating GDPR requirements.
Why this matters
This ruling emphasizes the need for companies to implement strong data protection measures, especially when transferring data internationally. Small businesses should review their data transfer practices to ensure compliance.
Original data from scraper before AI verification against source document.
Entities Involved
Uber B.V. (UBV) is a company based in the Netherlands and is part of the Uber group of companies. Uber Technologies Inc. (UTI) is based in the United States (US) and is the parent company of, among others, UBV (the controller).

Drivers (the data subjects) make use of the Uber Driver App to offer rides to customers. Using this app required the creation of a driver account. Via their account, data subjects are rated by their customers after a ride and paid by Uber for services rendered. The data subjects located in the EEA entered into an agreement with UBV when they made use of the app. For this, the controller used a centralised IT infrastructure and servers that are located in the US.

Personal data of the data subjects located in the EEA were therefore processed in the United States in two situations:

1. Through the driver app, the personal data of the data subjects, who are located within the EEA, are collected and stored on a platform physically located in the US. This includes account, location, criminal and health data, proof of identity and a cab license.
2. When data subjects want to exercise their rights under the GDPR, UBV is responsible for responding to these requests. However, as the personal data is stored in the US, UTI is responsible for making the personal data available to UBV in order to respond to requests.

UBV and UTI previously entered into the controller-to-controller standard contractual clauses of the European Commission ('SCCs', https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914) in their joint controllership agreement. However, the controllers removed the SCCs in the revision of their agreement, effective from 6 August 2021, because, according to the controller, it followed from the European Commission's updated SCCs that SCCs may not be used when a processing operation falls within the scope of the GDPR.

The French DPA (“Commission Nationale de l'Informatique et des Libertés - CNIL”) received a complaint ag
Details
Fine Date
22 July 2024
Authority
Autoriteit Persoonsgegevens
Fine Amount
€290,000,000
GDPRhub ID
gdprhub-8224
Cite as: Cookie Fines. Uber B.V. - Netherlands (2024). Retrieved from cookiefines.eu