The Commission nationale de l’informatique et des libertés (CNIL) has investigated the car rental company UBEEQO International for GDPR violations. The investigation follows a sweep conducted by CNIL in 2020 on new uses of geolocation-related technology.
Excessive Collection
UBEEQO International was found to be monitoring customers’ location on an almost permanent basis. Geolocation data for the rented vehicle was collected:
- Every 500 meters when the vehicle was moving
- When the engine was switched on and off
- When the doors were opened and closed.
UBEEQO claimed that geolocation data is collected from cars rented by private individuals for different reasons, such as to:
- Ensure the maintenance and performance of the service (e.g. the vehicle is returned to the right place)
- Locate the vehicle in case of theft
- Give assistance to customers in the event of an accident.
Under the GDPR, the personal data collected must be adequate, relevant, and limited to the purpose of processing. None of the purposes provided by the company justified the collection of data in such detail. It was determined that the collection of detailed geolocation data is an intrusion into the private life of users, as it is likely to reveal their movements, the places they frequent, and all stops made during a journey. The company could offer an identical service without geolocating its customers in such detail.
GDPR
Article 13 of the GDPR requires data subjects to be informed of the details of processing in a clear and accessible manner. UBEEQO did not provide this information at the time of service registration. The registration page did not give users direct access to the privacy policy. In addition, information relating to data protection was not provided separately from other information; it was included among the general conditions of use.
Article 5(1)(e) requires personal data to be kept no longer than necessary for the purpose of processing. However, UBEEQO’s retention of records of geolocation data was found to be excessive. Records were kept for the duration of the commercial relationship with a customer and for another 3 years after the end of the vehicle hire. This does not correspond to the need to collect the data for the purpose of fleet management, locating stolen vehicles, or providing assistance to customers.
Decision
CNIL worked with other concerned European authorities, including those of Belgium, Denmark, Spain, Italy and Germany, to come to a decision. It was agreed that a fine of €175,000 ($175,138 USD) should be imposed on UBEEQO. This took into account the activity of the company and its financial situation.