The Dutch Data Protection Authority has fined taxi company Uber €10 million for failing to disclose the full details of how long it keeps data on its European drivers, or to name the non-European countries in which it shares this data.

The DPA also found that Uber had obstructed its drivers’ efforts to exercise their right to privacy.

“Drivers have the right to know how Uber handles their personal data,” said DPA chairman Aleid Wolfsen. “Transparency is a fundamental part of protecting personal data. If you don’t know how your personal data is being handled, you can’t determine whether you are being put at a disadvantage or treated unfairly. And you can’t stand up for your rights.”

The DPA imposed the fine after more than 170 French drivers complained to the French human rights organisation Ligue des droits de l’Homme et du citoyen (LDH), which in turn submitted a complaint to the French data protection authority.

As Uber has its European headquarters in the Netherlands, this complaint was forwarded to the DPA.

The DPA said Uber had made it unnecessarily complicated for drivers to submit requests to view or receive copies of their personal data and the information that was available was difficult to interpret.

Nor did the company specify in its privacy terms and conditions how long Uber retains its drivers’ personal data or which specific security measures it takes when sending this information to entities in countries outside the EEA.

Uber has lodged a notice of objection to the DPA’s decision.