• Individual ratings: Uber was ordered to provide an anonymized overview of individual ratings.
• Driving behavior and use of phone during trips: The drivers’ requests were too vague, and their claim was incomprehensible due to a lack of information.
• Upfront pricing system: Only one plaintiff was subjected to this new system, so the others could not request information about it under GDPR, Article 15.
• Automated decision-making and profiling: The Court agreed with Uber’s argument that the company does not use automated decision-making under Article 22, even though Uber uses automated decisions. Therefore, the Court rejected the request for further information under Article 15(1)(h). See also “Automated decision making” in this section.
• Request for additional information: As Uber provided further information on processing purposes, categories of data, recipients of data, retention periods, and appropriate safeguards in its defense, the Court considered the question already resolved.

Right to data portability (GDPR, Article 20)
The Court ordered Uber to provide the data covered by the request for data portability in another format than PDF. However, it did not have to be a CSV file.

Automated decision-making (GDPR, Article 22)
The Court found that their anti-fraud process did not constitute automated decision-making as there was human intervention.
The automatic decision that happened in the “batch matching system” was an automated decision, but did not impose on the drivers any legal consequences or significant effect. Therefore, it was not covered by GDPR, Article 22(2) and Uber did not have to provide the information mentioned in 15(1)(h).

Our remarks

Request for access
• A data subject does not have to provide a reason or justification for submitting an access request under the GDPR. In this case, the Uber drivers did not need to specify a particular interest or state the purpose they wished to achieve with the inspection. The mere fact that personal data was being processed was sufficient.
• A data controller is, on the other hand, entitled to ask for specifications on the type of personal data that the data subject requests access to. This is especially the case if the data subject has submitted a general request for access.
• When providing access, the data controller also has to observe the rights to privacy of others than the data subject submitting the request. For example, when providing access, Uber was required to anonymize the reports based on feedback from passengers in order to respect the rights and freedoms of the passengers.

Data portability
• The right to data portability means that the data subject has the right to receive a copy of their personal data from a company and transfer it to another company in a format that can be easily read by machines. It is normally viewed as being useful for customers, for example, if they want to change bank or telephone operator, but the case shows that it also can be relevant in employment-based relationships.
• If there are no specific common formats within a certain industry, then there is no obligation for the data controller to provide the data in a certain type of file, as long as they provide the data in any commonly used public formats like XML, JSON, CSV.
• Providing personal data in PDF files is not a way of complying with the right to data portability as the personal data in such a file is not structured or descriptive enough for the reuse of the data.
Complycloud EU GDPR Report