The Commission nationale de l’informatique et des libertés (CNIL) has investigated car rental company, UBEEQO International, for GDPR violations. This is following a sweep conducted by CNIL in 2020 on new uses of geolocation-related technology.
UBEEQO International were found to be monitoring customers’ location on an almost permanent basis. Data relating to the geolocation of the rented vehicle was being collected:
- Every 500 meters when the vehicle was moving
- When the engine was switched on and off
- When the doors were opened and closed.
UBEEQO claimed that geolocation data is collected from cars rented by private individuals for different reasons, such as to:
- Ensure the maintenance and performance of the service (e.g. the vehicle is returned to the right place)
- Locate the vehicle in case of theft
- Give assistance to customers in the event of an accident.
Under GDPR law, personal data collection must be adequate, relevant, and limited to the purpose of processing. None of the purposes provided by the company justified the collection of data in such detail. It was determined that the collection of detailed geolocation data is an intrusion into the private life of users as it is likely to reveal their movements, the places they frequent, and all stops made during a journey. The company could offer an identical service without geolocating its customers in such detail.
Article 5(1)(e) requires personal data to be kept no longer than necessary for the purpose of processing. However, UBEEQO’s retention of records of geolocation data was found to be excessive. Records were kept for the duration of the commercial relationship with a customer and for another 3 years after the end of the vehicle hire. This does not correlate with the need to collect the data for the purpose of fleet management, locating stolen vehicles, or providing assistance to customers.
CNIL worked with other concerned European authorities including Belgium, Denmark, Spain, Italy and Germany to come to a decision. It was agreed a fine of €175,000 ($175,138 USD) should be imposed on UBEEQO. This took into account the activity of the company and their financial situation.
See more news about fines that have been imposed on companies for violating privacy laws.