Uber is making the headlines again – this time because four of its UK drivers are taking legal action claiming that it is falling short of complying with its obligations under the General Data Protection Regulation (GDPR).
Under the GDPR, individuals have the right to make a data subject access request (DSAR), which is effectively the right to access their personal data held by any company or person — including their employer. The recipient has one month to respond to a DSAR (or three months in certain limited circumstances).
Here, the drivers have claimed that Uber has breached the GDPR by repeatedly failing to provide them with the personal data requested under their DSARs, including the duration of time they were logged on to the application (which drivers say would allow them to calculate any potential monies owed in holiday pay and back pay claims), GPS data, performance data, trip ratings and profiling information. The drivers have said that the requests were made back in July 2018 and have complained that Uber’s response has been “delayed, inconsistent, incomplete and mostly unintelligible”.
To respond to a DSAR, employers will likely need to sift through vast amounts of information to find data relating to a particular individual, whilst also ensuring that the privacy of others is protected. It is no surprise, therefore, that DSARs are often dreaded by employers. However, responding to them does not have to be a painful process. Here is a recent article setting out some top tips to guide employers through the process, including how technology can help.
This complaint is made against the backdrop of another ongoing high-profile case against Uber, where some UK drivers (including some of those who have made the current complaint) are pursuing a challenge – now to be heard by the Supreme Court – to be legally acknowledged as workers of the company and therefore entitled to rights such as paid holiday and the minimum wage.
Irrespective of whether Uber is in breach of the GDPR, Uber’s response is and will be under the spotlight. In the words of one of the lawyers representing the drivers, it will be a “…stress-test of Uber’s commitment to data protection”. Reputational damage can financially cripple a company. For this reason alone, it is more important than ever for employers to comply with the GDPR, given the increased media attention in this area.