The Personal Data Protection Office imposes a record fine on the Glovo operator. It's about user data
According to the Personal Data Protection Office, the company violated the provisions of the GDPR by collecting personal data without an appropriate legal basis.
The rest of the article below the video:
As explained, Restaurant Partner Polska required sending identity documents in situations of suspected fraud, such as attempts to steal orders, use of counterfeit money or inconsistency of payment card details with user information.
The company argued that such actions were necessary, citing Art. 6 section 1 letter f GDPR, which allows the processing of data in the legitimate interest of the administrator.
Justification of the UODO's decision in the Glovo case
The President of the Personal Data Protection Office, Mirosław Wróblewski, did not accept this argument, emphasizing that the processing of personal data requires meeting one of the conditions specified in Art. 6 section 1 GDPR. In his opinion, invoking the “legitimate interest of the controller” was insufficient in the context of the wide range of data contained in identity documents. As indicated in the announcement, the company obtained full personal data, including name, surname, PESEL number, address, document series and number, as well as image.
Read also: The fast food giant has to pay a fortune! This costs McDonald's a record fine
According to the President of the Personal Data Protection Office copying identity documents should only be used in exceptional cases and by entities that have express rights to do so under the law. In this case, the company's action was assessed as disproportionate and violating the principles of personal data protection.
As a result, the office imposed a fine on the company of almost PLN 5.9 million.
“The President of the Personal Data Protection Office, Mirosław Wróblewski, imposed an administrative fine of PLN 5,898,064 on her for violating the provisions on the protection of personal data,” the office informs in a statement.
The scale of the breach and consequences for Glovo
The Office emphasized that the penalty takes into account both the nature and gravity of the violation, as well as its long duration – the practice has been taking place since July 2019. Additionally, the potentially wide scale of impact was indicated, because the Glovo application database includes over 3.4 million active users in Poland.
“The real risk of losing control over personal data and users' fears of identity theft” also influenced the amount of the fine.
Read also: A gigantic fine for DPD Polska. Over PLN 11 million in fines
The company was ordered to stop obtaining and processing scans and photos of identity documents of application users. An order was also issued to delete data already collected within 30 days of delivery of the decision.
