Geolocation of rental vehicles: UBEEQO INTERNATIONAL fined 175,000 euros
The CNIL imposed a penalty of 175,000 euros on the company UBEEQO INTERNATIONAL, in particular for having disproportionately infringed the privacy of its customers by geolocating them almost permanently.
The context
As part of its 2020 priority thematic area of investigations relating to the new uses of geolocation data in the context of mobility, the CNIL carried out investigations on the company UBEEQO INTERNATIONAL, which rents vehicles for a short period. The investigations focused in particular on the data collected, the defined retention periods, the information provided to individuals and the security measures implemented by the company.
During the investigations, the CNIL found that, when a vehicle was hired by a private individual, the company collected data relating to the geolocation of the rented vehicle every 500 meters when the vehicle was moving, when the engine was switched on and off, or when the doors were opened and closed. In addition, the company kept records of some of the geolocation data collected, for an excessive amount of time.
On the basis of these findings, the restricted committee - the CNIL's body in charge of issuing sanctions - in cooperation with the other European authorities concerned (Belgium, Denmark, Spain, Italy and Germany) imposed a fine of €175,000 on UBEEQO INTERNATIONAL and decided to make it public.
Sanctioned breaches
Failure to comply with the obligation to ensure data minimisation (Article 5.1.c of the GDPR)
The company argued that geolocation data of the vehicles were collected for different reasons:
- To ensure the maintenance and performance of the service (to make sure that the vehicle is returned to the right place, to monitor the state of the fleet, etc.);
- To locate the vehicle in case of theft;
- To give assistance to customers in the event of an accident.
After having analysed the use of geolocation data for each of the purposes put forward by UBEEQO INTERNATIONAL, the CNIL considers that none of these purposes justifies the collection of geolocation data in such detail.
Such a practice is indeed very intrusive in the private life of users insofar as it is likely to reveal their movements, their places of frequentation or even all the stops made during a journey.
According to the CNIL, the company could offer an identical service without geolocating its customers almost permanently. UBEEQO INTERNATIONAL has therefore failed to comply with the principle of data minimisation: data must be adequate, relevant and limited to the purpose for which they are processed and used.
Failure to define and respect a proportionate data retention period (Article 5.1.e of the GDPR)
Geolocation data were kept for the duration of the commercial relationship with a customer and then for three years after the end of the vehicle rental.
The CNIL considers that such a retention period is excessive as it does not correspond to the strict need of the company that collects the geolocation data in order to manage the fleet of vehicles, to find the car in case of theft or to give assistance to the customer.
In addition, personal data of users who had been inactive for more than eight years were still kept in the company's databases.
Failure to inform individuals (Article 12 of the GDPR)
The CNIL found that, during the registration process on the UBEEQO application, the relevant information on data processing was not sufficiently accessible to users.
The company brought the registration form into compliance during the procedure.