Ride-hailing company Uber Technologies was assessed a penalty of 10 million euros (U.S. $11 million) by the Dutch Data Protection Authority (DPA) for alleged privacy rights violations regarding the handling of European drivers’ personal data.

The penalty, announced Jan. 31, follows complaints raised by nearly 200 Uber drivers in France that made their way to the country’s DPA. The Dutch regulator then picked up the case, as Uber has its European headquarters in the Netherlands.

The Dutch DPA noted Uber lodged an objection to its decision.

The details: The Dutch DPA criticized Uber for:

  • Making it “unnecessarily complicated” for drivers to request to view their personal data;
  • Not clearly specifying retention periods for driver personal data in its privacy terms and conditions; and
  • Not being transparent as to which countries outside the European Economic Area received driver data from the company.

Regarding data access, the regulator said the form for Uber drivers to request to view their data was “spread across various menus” in its app and that the company stored access requests in a file that was not clearly arranged to honor such requests.

“Drivers have the right to know how Uber handles their personal data. However, Uber did not explain this with sufficient clarity,” said Dutch DPA Chairman Aleid Wolfsen in the regulator’s release. “It should have informed its drivers better and more diligently in this regard.”

Compliance considerations: The Dutch DPA said it reached its fine determination based on the severity of its findings and the size of Uber. At the time of the complaints, the company had about 120,000 drivers working across Europe.

The DPA said Uber has “now taken improvement measures in respect of the infringement,” though it did not specify any remedial actions.

Uber did not respond to a request for comment.