Penalty against Uber (FR)
In the fall of 2016, data belonging to about 57 million customers was stolen, including that of about 1.4 million French people. Uber concealed this incident and paid the attackers $100,000.00 for the assurance that the data would be deleted. The French data protection authority CNIL imposed a fine of €400,000 on the Group as a result of the incident. French data protection law stipulates that data protection breaches must be reported to the competent supervisory authority within 72 hours. This provision is also found in Article 33 (1) of the GDPR. Uber deliberately ignored this reporting obligation.
The incident occurred before the GDPR came into force, so the fine was imposed under the French Data Protection Act, which provides for a maximum fine of three million euros. As a result of this incident, the UK also fined the company £500,000, which was the maximum penalty under the UK Data Protection Act at the time.
Decision date:
19.12.2018
Country:
France
Type of violation:
Theft of Data
Affected records:
1 400 000
Was sensitive data affected?:
No
Fine imposed:
€400,000
Violation of GDPR Paragraph:
unknown
Source:
Communication from the French data protection authority CNIL (French)