Penalty against Uber (NL)
In the fall of 2016, data was stolen from approximately 57 million customers, including approximately 174,000 Dutch citizens. Uber concealed this incident and paid the attackers $100,000.00, for the assurance that the data would be deleted. The Dutch data protection authority imposed a fine of €600,000 on the Group as a result of the incident.
The incident occurred before the GDPR came into force, therefore the fine was imposed under the Dutch Data Protection Act. As a result of this incident, the UK also fined the company £500,000, which was the maximum penalty under the UK Data Protection Act at the time. France also imposed a fine of € 400,000
Entscheidungsdatum:
27.11.2018
Land:
Netherlands
Art des Verstoßes:
Theft of Data
Betroffene Datensätze:
174 000
Waren sensible Daten betroffen?:
No
verhängte Geldstrafe:
€ 600,000,-
Violation of GDPR Paragraph:
25. Data protection by design and by default
32. Security of processing
33. Notification of a personal data breach to the supervisory authority
34. Communication of a personal data breach to the data subject
Quelle:
Press release of the Dutch data protection authority (English)