- Date of final decision: 7 July 2022
- Cross-border case or national case: Cross-border case
- If cross-border, LSA: France
- and CSAs: Belgium, Denmark, Germany (Baden-Württemberg, Berlin), Italy, Spain
- Controller: UBEEQO International
- Legal Reference: Data minimisation (Article 5.1.c GDPR), Retention period (Article 5.1.e GDPR), Information of individuals (Article 12 GDPR)
- Decision: Administrative fine
- Key words: Geolocation
Summary of the Decision
Origin of the case
As part of its priority control theme in 2020 relating to the new uses of geolocation data in the context of mobility, the CNIL, French Supervisory Authority (SA) controlled the company UBEEQO International, whose activity is the rental of vehicles for a short period. The investigations focused in particular on the data collected, the defined retention periods, the information provided to individuals and the security measures implemented.
- Failure to comply with the obligation to ensure data minimisation (Article 5.1.c of the GDPR).
- Failure to define and respect a proportionate data retention period (Article 5.1.e of the GDPR).
- Failure to inform individuals (Article 12 of the GDPR).
On the basis of these findings, the restricted committee - the CNIL's body in charge of issuing sanctions - in cooperation with the other European authorities concerned (in Belgium, Denmark, Spain, Italy and Germany) imposed a fine of EUR 175,000 on UBEEQO International, which was made public.
For further information:
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.