TomTom’s route planner takes an unplanned detour into oblivion

Regulation Reporter

A cloud sync failure at TomTom has erased saved location and route data for thousands of users, triggering mandatory data breach notification obligations under EU GDPR that the navigation provider must meet within strict statutory deadlines.

Navigation provider TomTom experienced a widespread cloud synchronization failure starting May 7, 2026, that erased saved user location data, recent destinations, and route history for thousands of account holders across its web, mobile, and hardware platforms. The outage left many users, including commercial drivers who rely on TomTom for work, unable to access critical saved places, with multiple reports of data disappearing in real time from connected devices.

User reports on TomTom’s official forums described blank My Places lists, failed cross-device syncing between the TomTomGo mobile app, TomTom MyDrive web portal, and integrated satnav units, and real-time deletion of saved location markers. One user reported watching all saved places vanish from the Android TomTomGo app immediately after opening it, while another confirmed the same data loss appeared on the MyDrive platform when accessed from a PC. TomTom acknowledged the incident in support communications shared by users, stating its teams are working to resolve synchronization failures, with unconfirmed user reports suggesting an Amazon Web Services (AWS) cloud service account issue contributed to the outage. TomTom has not publicly confirmed the root cause, nor has it responded to media inquiries about the incident’s scope.

Regulatory Action

As a Netherlands-based entity processing personal data of EU residents, TomTom is subject to the EU General Data Protection Regulation (GDPR), which has applied to all EU member states since May 25, 2018, and its Dutch implementing legislation, the Uitvoeringswet Algemene Verordening Gegevensbescherming (UAVG). Under Article 4(12) of GDPR, the accidental loss of personal data constitutes a personal data breach. Saved location data, including home addresses, workplaces, and frequently visited destinations, qualifies as personal data under Article 4(1) of GDPR, as this information is directly linked to identified natural persons via TomTom user accounts. The May 2026 outage therefore triggers mandatory compliance obligations for TomTom under existing data protection regulations, with oversight from the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), TomTom’s lead supervisory authority under GDPR.

What It Requires

TomTom must fulfill several statutory obligations following the confirmed personal data breach:

  1. Breach Record Keeping: Under Article 33(1) of GDPR, TomTom must document all details of the breach, including the scope of affected data, the number of impacted users, the root cause of the failure, and remediation steps taken. This record must be made available to the supervisory authority upon request.
  2. Supervisory Authority Notification: Article 33(1) requires data controllers to notify the lead supervisory authority of a personal data breach without undue delay, and no later than 72 hours after becoming aware of the breach. The notification must include the nature of the breach, contact details for TomTom’s data protection officer, the likely consequences of the breach, and proposed mitigation measures.
  3. User Notification: Under Article 34(1), TomTom must notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms. For commercial drivers who lost access to work-critical saved locations, the risk of financial harm is clear, meeting the threshold for mandatory user notification. The notification must be written in clear, plain language, explain the nature of the breach, and provide recommendations for users to mitigate potential adverse effects.
  4. Data Restoration and Remediation: TomTom must restore lost personal data where possible, as required under Article 16 of GDPR (right to rectification) and Article 20 (right to data portability). The company stated in support communications that most saved locations will be restored once the underlying issue is fixed, with only data added in the 7 days prior to the outage potentially lost permanently. TomTom must also remediate the backend infrastructure failure to prevent similar breaches, as required under Article 32 (security of processing) of GDPR. TomTom’s Privacy Policy outlines its standard data protection practices, though it does not specify timelines for breach notification.
  5. Transparency Obligations: TomTom must update its public privacy policy and breach notification page to include details of the incident, as required under Articles 13 and 14 of GDPR.
  6. User Support Access: Multiple users reported difficulty reaching TomTom support during the outage, a failure that may constitute a violation of Article 13(1)(a) of GDPR, which requires data controllers to provide contact details for the controller and its data protection officer to allow users to exercise their rights. TomTom must restore accessible support channels to meet this obligation.

Compliance Timeline

GDPR sets strict statutory deadlines for each required action:

  • Within 72 hours of breach awareness: TomTom must submit a complete breach notification to the Dutch Data Protection Authority. If the company became aware of the outage on May 7, 2026, the notification deadline falls on May 10, 2026.
  • Without undue delay, no later than 48 hours after confirming high risk: TomTom must notify all affected users of the breach. For users facing high risk of harm, including commercial drivers, this notification must be sent as soon as the company confirms the scope of the breach.
  • Within 1 month of user request: TomTom must respond to user requests for data restoration, erasure, or access under Articles 15-20 of GDPR.
  • Ongoing: TomTom must maintain breach records for a period of 5 years under Dutch UAVG implementation rules, and provide quarterly updates to the supervisory authority on remediation progress if requested.

This incident follows TomTom’s announcement of a 10% workforce reduction in 2025, citing automation adoption. While the company has not linked the outage to reduced staffing, industry standards require cloud service providers to maintain adequate staffing for incident response and infrastructure maintenance to meet GDPR security obligations.

For businesses that rely on TomTom’s navigation services for commercial operations, this incident highlights the importance of maintaining offline backups of critical location data to avoid operational disruption during cloud outages. Compliance teams should review their own cloud service provider agreements to ensure breach notification obligations are clearly defined, and that statutory deadlines for regulatory reporting are met. TomTom’s response to this incident will serve as a test of its adherence to GDPR security and transparency requirements, with potential fines of up to 4% of global annual revenue or €20 million, whichever is higher, for failure to meet notification obligations.
