The CNIL fined the Cityscoot company 125,000 euros for geolocating its customers almost permanently, without their prior consent.
The CNIL noted that Cityscoot collected geolocation data from its customers' scooters, including when they were not being rented. This data was kept for a period of 18 months.
The CNIL considered that this practice caused a disproportionate invasion of the privacy of Cityscoot customers. The authority also noted that the company had not put in place sufficient security measures to protect this data.
Cityscoot has taken corrective measures since the CNIL issued its formal notice. The company has notably implemented a geolocation system that only collects data while the scooters are being rented. The data is also kept for a maximum period of 7 days.
Here are the specific shortcomings noted by the CNIL:
- Geolocation of scooters almost permanently, without prior consent from customers,
- Retention of geolocation data for a period of 18 months,
- Lack of sufficient security measures to protect geolocation data.
This sanction is a warning for companies that collect geolocation data. Companies must ensure that the collection of this data is justified by a legitimate purpose and that the data is processed transparently and securely.
The sanction imposed on Cityscoot by the CNIL illustrates the need to respect the GDPR (General Data Protection Regulation) when geolocating customers, and how the Data Comply One platform (formerly Mission RGPD) could have helped avoid these sanctions by providing a specific solution to each breach.
Source of control
The CNIL chose to inspect mobile applications as a priority theme. Each year, the CNIL targets three subjects related to personal data.
Control type
Specific shortcomings noted by the CNIL
Article 5.1.c GDPR – Minimization of collection: The collection of geolocation data was unjustified, and it could have been avoided while providing the same service to users. The collection of this data was therefore excessive.
Article 28.3 GDPR – Supervision of relations with subcontractors: Three contracts with subcontractors did not contain the required GDPR notices.
Article 82 LIL – User information: Cityscoot used reCAPTCHA (Google) without first informing users or obtaining their consent to read information stored on their devices or to write information to them.
How Data Comply One (formerly Mission RGPD) could have avoided these sanctions
- Article 5.1.c GDPR – Minimization of collection: With Data Comply One (formerly Mission RGPD), Cityscoot could have documented the processing in the register of purposes, carried out an automatic analysis of the risks associated with the data processing, and used the integrated impact analyses to assess the relevance of the data collection.
- Article 28.3 GDPR – Supervision of relations with subcontractors: The Data Comply One platform (formerly Mission RGPD) offers a compliance audit of subcontractors, as well as templates of the clauses to be integrated into contracts (DPA).
- Article 82 LIL – User information: With Data Comply One (formerly Mission RGPD), Cityscoot could have used information notice templates for online data collection forms and implemented a privacy policy.
With Data Comply One (formerly Mission RGPD), Cityscoot could have prepared for an inspection by the CNIL thanks to a dedicated practical sheet on the subject and to inspection simulations carried out during expert support.
In summary, Data Comply One (formerly Mission RGPD) is an all-in-one solution that brings together all the tools necessary to guarantee GDPR compliance and avoid such sanctions.
Through effective compliance work and ongoing monitoring, businesses can maintain compliance over time and avoid errors, breaches and non-conformities. This provides the peace of mind needed to keep up with constantly evolving rules.