Authorities opened an investigation after Uber drivers in France sent complaints to the French privacy protection commission, the CNIL. The CNIL transferred the handling of the complaints to the Dutch Data Protection Authority, since Uber BV is incorporated in the Netherlands.
The drivers’ main complaints were, inter alia:
- There was a lack of transparency and due disclosure about the retention period of their personal information.
- Information request forms are hidden in various places on the website and are inaccessible.
- The company failed to disclose to which countries outside the EEA it transfers personal information.
Rights of Data Subjects
Around the world in general, and in Europe in particular, data subjects have the right to know how their personal information is being used. Since this is an important right, regulatory authorities expect corporations to formulate and publish a clear privacy policy in an accessible format.
The privacy policy must include the following:
- The types of personal or sensitive information about data subjects that are being collected and the purpose for collecting the information.
- The retention period of the data subjects’ personal information and the reason for retaining the personal information.
- How a data subject can submit a request to exercise his rights by virtue of privacy protection laws (for example, a request to delete all information collected about him), and the provision of a clear and accessible designated request form.
- Information about transfers of personal information between countries or between continents (if any), and what technological data security measures are in place to safeguard information being transferred between countries/continents
Corporations receiving requests to exercise rights relating to privacy protection and personal information must also issue an adequate response within the time frames prescribed by law.
[View source.]