Tunisia: App-based delivery and rideshare companies accused of violating data protection law and failure to protect users privacy & personal information; incl. co. responses
On July 15, the National Authority for the Protection of Personal Data (INPDP) of Tunisia issued a statement regarding the privacy of user information.
According to the statement, “The Bolt application is in violation of the legislation regarding user data. They made no requests or statements to the Authority. In fact, if they process consumers’ personal information, they must first submit a processing request to the INPDP."
Due to the foreign nature of the Bolt app, the data is stored abroad. Nevertheless, according to the Head of INPDP, Bolt Tunisia should have obtained licence to transfer foreign data.
The statement adds that “Examination of the company’s contractual document with its customers reveals that the applicable regulation on the protection of personal data is the General Regulation for the protection of European personal data, which is not legally valid given that the service is provided by a Tunisian company to people within the country’s borders. This involves processing their personal data in conformity with Law №63 of 2004 on the protection of personal data. The request for this service is made via an information application on the mobile phone, and it is carried out in order to process the users personal data. Therefore, the business and its workers or operators are expected to comply with Organic Law №63 of 2004.”
The INPDP also confirmed that other app-based delivery and rideshare companies including Yassir, Glovo, Jumia and InDriver violate the Data Protection law and consumers’ personal information.
Business & Human Rights Resource Centre invited the companies singled out in the statement by the National Authority for the Protection of Personal Data, featured below, to respond. Bolt and Yassir have provided the below response, while Jumia, Glovo did not respond. InDriver told us they cannot comment publicly on the allegations of violating data protection law and customer's privacy as per their policy and therefore were unable to provide a response.