Poland’s data protection authority (UODO) has imposed a fine of 5,898,064 złoty (approximately €1.4 million) on Glovo for unlawfully collecting and processing user ID scans.
Glovo Fined for Data Protection Violations
The President of UODO levied a penalty of 5,898,064 złoty against GLOVO, operating through Restaurant Partner Polska, for violating personal data protection regulations. The company acquired scans and photos of user identification documents without a legal basis.
Restaurant Partner Polska, the platform operator, obtained scans and photos of user IDs without a lawful foundation.
Investigation and Legal Basis Claims
The UODO investigation stemmed from a review of how Glovo processed user data within its mobile application, “Glovo – food and other deliveries.” The authority examined the legal grounds, purposes, and scope of data processing.
Glovo cited Article 6(1)(f) of the GDPR – processing necessary for legitimate interests – as its legal basis. However, the UODO determined that the company violated Article 6(1) GDPR by processing excessive data without a legal basis and inadequately for the stated purposes.
Reasons for the Penalty
The UODO penalized Glovo because, in suspected fraud cases, the company requested ID scans or photos, such as when a courier reported a potential theft by a customer, use of counterfeit money, or discrepancies in payment card data. Similar requests were made when couriers suspected illegal substances in deliveries.
Glovo argued that requesting documents was exceptional and preceded by data protection impact assessments and balancing tests, claiming it was for verifying the identity of a suspected fraudster.
UODO Rejects Glovo’s Arguments
The President of UODO disagreed, emphasizing that processing personal data requires fulfilling one of the conditions in Article 6(1) GDPR. The authority found that invoking “legitimate interest” was insufficient given the broad scope of personal data collected from the ID documents.
The UODO stated that copying or retaining ID documents should be limited to exceptional cases by legally authorized entities and as explicitly provided by law, such as the anti-money laundering and terrorism financing act, which only applies to designated institutions. Restaurant Partner Polska does not fall into this category.
Legal Framework and Data Minimization
The UODO also found that the law on electronic services does not provide a legal basis for processing full ID scans. Requesting such data was deemed unnecessary for concluding or fulfilling contracts.
The UODO emphasized that preventing fraud should not compromise the principle of data minimization, also considering the specific protection regime for first-category public documents like ID cards and passports.
Scope of the Violation and Corrective Measures
The UODO determined that Glovo processed excessive, unlawful, and inappropriate data, including names, dates of birth, PESEL numbers, document details, addresses, and images. This violated the principles of lawfulness, fairness, transparency, and data minimization (Article 5(1)(a) and (c) GDPR).
The lack of legal processing also violated the accountability principle (Article 5(2) GDPR). The fine of 5,898,064 złoty considered the severity and duration of the violation (since July 2019) and its potential impact on over 3.4 million Polish users, including the risk of data loss and identity theft.
The UODO ordered Glovo to cease collecting and processing ID scans/photos and to delete collected data within 30 days.