In the present case, the applicants who worked as ‘private hire drivers’ in UK has requested the Court to issue a provisionally enforceable decision and recommend Uber to allow applicants to inspect in a commonly used electronic form relating to:
- all personal data relating to them that it processes, including the personal data referred to in the Guidance Notes, the ‘Driver’s Profile’, including the notes of Uber employees, ‘Tags’ and ‘Reports’,
- processing purposes, the categories of personal data involved, the recipients or categories of recipients to whom the personal data has been or will be are provided, in particular recipients in third countries or international organizations and the retention period for these data,
- in the event of a transfer to a third country or an international organization, the appropriate safeguards in accordance with Article 46 GDPR that Uber has made regarding this transfer,
- existence of automated decision-making, including those referred to in Article 22 (1) and 4 GDPR, and at least in those cases, useful information about the underlying logic, importance and expected consequences of that processing for applicants.
The Court while perusing the arguments advanced held that in principle, a data subject does not have to motivate or substantiate why he is making a request for access under the GDPR. In exercising his right of access, the data subject does not have to show any particular interest or state the goal that he wants to achieve with the access. The mere fact that data about him is being processed is sufficient. This does not mean that a request for inspection can never constitute a misuse of powers within the meaning of Article 3:13 of the Dutch Civil Code. The fact that the applicants and the trade union to which they are affiliated also have a different interest in obtaining personal data, namely to use it to obtain clarity about their employment law position or to gather evidence in legal proceedings against Uber, does not mean that the applicants abuse their rights. Therefore, the court rejects appeal to abuse of rights.
The Court has assessed the petitioners’ request for access as follows:
Individual ratings:
Uber argues that it cannot provide individual passenger rating data to protect passengers’ privacy rights. The Court while requiring Uber to provide access to the individual ratings of applicants subject to certain conditions noted that Uber, under the name ‘User feedback’, granted access to individual ratings and the feedback that a passenger gave to a driver to (part of) the applicants.
Uber must also observe the (privacy) rights of passengers when providing the requested data. Uber can do this (and has done so via User feedback) by providing this data in an anonymous form, in the sense that Uber ensures that the data cannot be traced back to the passenger who gave the stars and / or the comment (and) has made. After all, who gave the assessment and / or made the comment (s) is irrelevant, while information about the person who made the statement may adversely affect the (privacy) rights of this person.
Driver’s Profile:
According to Uber, with the internal notes, customer service representatives refer driver requests to other employees to be fulfilled. The internal notes cannot be qualified as personal data, because they do not in themselves contain information about applicants.
The court infers from these internal notes that these are internal referrals or reports to Uber customer service employees. Like the legal analysis in the aforementioned [party] judgment of the CJEU, these notes from Uber’s customer service representatives do not contain information about the data subject that can be verified by the data subject themselves. However, the Applicants did not sufficiently specifically explain to what extent they wish to check the correctness and lawfulness of personal data included in the relevant notes as the factual basis thereof. Hence, the court rejected this part of the request.
Tags:
According to the applicants, Uber uses labels (‘tags’) in the customer service system that assess the driver’s behavior, such as ‘inappropriate behavior’ or ‘police tag’. The Applicants point out that these tags can contain very negative qualifications and can therefore have major consequences for drivers. However, the court denied this part of request stating that a tag is an indication of a report and such an indication cannot be subject to the right of inspection.
Reports:
‘Reports’ are based on feedback reports that passengers have given about the driver concerned about, among other things,’ navigation ‘and’ professionalism‘. Therefore, Uber is under an obligation to respect the rights and freedoms of others on the basis of Article 15 (4) of the GDPR while providing information containing personal data of applicants. Uber may anonymize the reports in the sense that, in order to protect those rights of third parties, it ensures that the statements about the drivers cannot be traced back to the person who made the statements.
Start and End of Ride:
The court establishes that Uber has provided overviews containing information about the journeys driven by drivers, namely the time at which the journey was requested, the time at which the journey was started, the time at which the journey started, trip has been completed and the coordinates of the start and end location of the trip. The Court noted that it is not relevant for the assessment of the lawfulness of the data processing which passenger was transported, while information about the passenger may infringe the (privacy) rights of this person. Uber does not have to provide access to passenger data to prevent this data from being traceable to the passenger.
Driving behavior, phone use during the ride and the percentage of accepted rides
The Applicants state that presentations by Uber software engineers and the privacy statement show that Uber processes large amounts of data about driving behavior, including GPS data and information about acceleration and braking behavior.
The Court while rejecting this request held that Uber has already complied to some extent with the request for access and mere remark that the information provided is incomprehensible is not enough.
Information about automated decision-making and profiling
Applicants request access to the existence of automated decision-making and profiling on the basis of Article 15 paragraph 1 h GDPR. This article stipulates that the data subject has the right to obtain from the controller information about the existence of automated decision-making, including profiling, and, at least in those cases, useful information about the underlying logic, as well as the importance and expected consequences. of that processing for the data subject.
The Court while rejecting the request noted that they have not sufficiently specified this request.