The Dutch Data Protection Authority said Uber was collecting information of drivers from Europe, such as taxi licenses, location data, and in some cases criminal and medical data, and retaining them on servers in the US.

The fine is the highest penalty ever issued by the Dutch watchdog against any company, a spokesperson said by email. It’s also the biggest fine Uber received globally.

The ride-hailing service sent the sensitive data to its US headquarters for over two years without using data transfer tools aimed at protecting privacy, which meant the data were “insufficiently protected,” the watchdog said on Monday. Uber has ended the violation last year, the agency said.

The fine is “completely unjustified,” said Caspar Nixon, a spokesperson for Uber, in response to emailed questions. Uber’s data transfer process was compliant with European laws and the company will appeal against the decision, Nixon said.

Uber didn’t meet the requirements of European laws to “ensure the level of protection to the data with regard to transfers to the US. That is very serious,” Aleid Wolfsen, the Dutch data protection authority’s chairman, said in a statement.

The Dutch data protection authority began its investigation on Uber after more than 170 French drivers complained to a French human rights interest group. The probe was handled by the Dutch agency as Uber’s European headquarters is in the Netherlands.

This is the third penalty by the Dutch data protection authority on Uber. It was previously fined for not providing sufficient transparency about how long it retained data from European drivers and to which countries outside Europe this data was forwarded. In 2018, it was penalised for not informing the Dutch watchdog about a data breach in time.

The fines by European privacy watchdogs can amount to a maximum of 4% of the worldwide annual revenue of a business.