2026-03-16 13:15
publication
2026-03-16 13:15
The President of the Personal Data Protection Office imposed a fine of almost PLN 5.9 million on Restaurant Partner Polska, the operator of the Glovo platform, for illegally obtaining photos of identity cards of application users – the Office announced on Monday.
According to the Personal Data Protection Office, Restaurant Partner Polska, which runs the Glovo platform, violated the provisions on the protection of personal data because, without a legal basis, obtained scans and photos of identity cards of users of a mobile application used, among others, to order meals. “The President of the Personal Data Protection Office, Mirosław Wróblewski, imposed an administrative fine of PLN 5,898,064 on her for violating the provisions on the protection of personal data,” the Office said in a statement.
As established, in situations of suspected fraud the company anticipated additional verification and demanded that a scan or photo of the identity document be sentamong others in the event that the courier delivering the parcel reports an attempt by the customer to steal the order, use of counterfeit money, or inconsistency of payment card details with user data. A similar situation occurred when the courier suspected that the ordered shipment might contain illegal substances.
The Personal Data Protection Office explained that the company indicated that the legal basis was Art. 6 section 1 letter f GDPR – processing necessary for the purposes of the legitimate interest of the administrator. In this case, it is about verifying the identity of a person suspected of fraud, he said. The company also argued that the document was required in exceptional situations.
“The President of the Personal Data Protection Office did not share this argument. He emphasized that the processing of personal data requires meeting one of the conditions set out in Article 6(1) of the GDPR. In the opinion of the supervisory authority, the company's reference to the 'legitimate interest of the controller' was insufficient in the light of the wide scope of personal data contained in identity documents processed by it,” the Personal Data Protection Office pointed out, adding that the controller had violated Art. 6 section 1 GDPR.
According to the President of the Office, copying or recording identity documents should only be used in exceptional cases by “specific and statutorily authorized entities and in situations expressly provided for by law.”
As indicated in the announcement, the administrator obtained full personal data contained in the identity document – i.e. name, surname, maiden name, parents' names, date and place of birth, PESEL number, series and number of the document, date of issue and validity, address of residence, image and other information visible on the document.
The Personal Data Protection Office explained that the penalty imposed on the company “takes into account the nature and gravity of the violation” and its long duration, as the practice has been ongoing since July 2019. The “potentially wide scale of impact” was also taken into account, as the application's database includes over 3.4 million active users in Poland. The office also pointed to a “real risk (…) users' fear” of the application of losing control over data and identity theft.
The company was also ordered to stop obtaining and processing scans and photos of ID cards or passports of Glovo application users and to delete data collected in this way within 30 days of delivery of the decision. (PAP)
bpk/mmu/
