The DPA has powers of subpoena. They can basically raid the place. Usually, companies don't want this to happen and they co-operate. How exactly did the DPA know that Uber processes all data in their central IT department in the US? Uber probably told them and didn't try to pretend they have any local hardware or entity in charge of it. That would be a stupid thing to lie about?
In any event the fine is mostly for not having adequate protections in place. Those protections? Better contracts between wholly-owned subsidiaries of Uber. So, not much protection at all! This is very much Uber shooting themselves in the foot by not doing their homework. Again.
The investigation report isn't included. It may surface if Uber decided to right the fine and take it to court. Or, if some-one takes an interest and tries to get it via the local 'freedom of information act' equivalent, though that might take just as long and will result in a heavily redacted version being made available.
In any event the fine is mostly for not having adequate protections in place. Those protections? Better contracts between wholly-owned subsidiaries of Uber. So, not much protection at all! This is very much Uber shooting themselves in the foot by not doing their homework. Again.
This is the DPA's press release: https://www.autoriteitpersoonsgegevens.nl/en/current/dutch-d...
The fine is here, and is 48 pages long, and in Dutch: https://www.autoriteitpersoonsgegevens.nl/documenten/boete-u...
The investigation report isn't included. It may surface if Uber decided to right the fine and take it to court. Or, if some-one takes an interest and tries to get it via the local 'freedom of information act' equivalent, though that might take just as long and will result in a heavily redacted version being made available.