UBEEQO INTERNATIONAL

Kuvaus

The French DPA (CNIL) has fined the company UBEEQO INTERNATIONAL EUR 175,000. The vehicle rental company had collected geolocation data on rented vehicles at every 500 meters. The company stated that they had collected the data to monitor the condition of the fleet, to locate the vehicle in case of theft, and to assist customers in case of an accident, among other reasons. However, the DPA found that none of these purposes justified the collection of geolocation data in such detail. For this reason, the DPA found a violation of the principle of data minimization pursuant to Art. 5 (1) c) GDPR. The DPA also found that the company had stored the vehicle data for an excessively long period of time. The data was kept for the duration of the business relationship with a customer and then for another three years after the termination of the vehicle rental. In addition, personal data of users who had been inactive for more than eight years were still stored in the company's databases. The CNIL found that this long retention constituted a violation of Art. 5 (1) e) GDPR. Finally, the DPA found that users were not adequately informed during the registration process on the company portal, and that the company thus violated Art. 12 GDPR.