Polish Regulator Fines Glovo Operator $1.5 Million Over Collection of Customer ID Scans

Key Takeaways
  • Unauthorized Collection of Identity Documents: Poland’s data protection regulator fined Restaurant Partner Polska $1.5 million (PLN 5,898,064) after finding the Glovo platform operator collected scans and photos of users’ identity documents without a valid legal basis.
  • GDPR Principles Violated: Regulators determined the company breached Articles 5 and 6 of the GDPR, including the principles of lawfulness, transparency, and data minimization, by collecting far more personal data than necessary for fraud prevention.
  • Legitimate Interest Argument Rejected: The regulator ruled that relying on Article 6(1)(f) was insufficient to justify requesting full identity documents, which contain extensive personal data including PESEL numbers, addresses, and photographs.
  • Large-Scale Data Processing Concerns: The unlawful processing had been taking place since July 2019 and potentially affected more than 3.4 million Glovo users in Poland, raising concerns about the scale of the privacy risk.
  • Order to Stop the Practice and Delete Data: The regulator ordered the company to stop requesting ID scans from users and delete all identity document data collected through the practice within 30 days.
Deep Dive

Mirosław Wróblewski, President of Poland’s Personal Data Protection Office (UODO), imposed an administrative fine of $1.5 million (PLN 5,898,064) on Restaurant Partner Polska, the company responsible for operating the Glovo platform in Poland. The decision follows an inspection examining how personal data from users of the “Glovo – food delivery and other” app was processed.

The investigation focused on the company’s practice of requesting scans or photographs of identity documents when suspected fraud occurred on the platform. According to the regulator, these requests were made in situations reported by couriers or platform staff, including attempted order theft, suspected use of counterfeit currency, discrepancies between payment card details and user information, or suspicions that a delivery might contain illegal substances.

Restaurant Partner Polska argued that these requests were lawful under Article 6(1)(f) of the GDPR, which allows data processing when it is necessary for the legitimate interests of the controller. The company said identity document requests were used only in exceptional cases and were preceded by both a data protection impact assessment and a balancing test.

The regulator disagreed.

In its decision, the Personal Data Protection Office concluded that collecting full identity documents from users went far beyond what was necessary to address suspected fraud. The authority emphasized that identity cards and passports contain a wide range of sensitive personal information and that processing such data requires a clear legal basis.

According to the regulator, the documents collected by the company contained extensive personal data including first and last names, maiden names, parents’ names, date and place of birth, national identification numbers (PESEL), document numbers, issue and expiration dates, addresses, and photographs.

Because the company lacked a valid legal basis for processing this information, the regulator found that Restaurant Partner Polska violated Article 6(1) of the GDPR. The authority also concluded that the practice breached the fundamental principles of personal data processing, including lawfulness, fairness, transparency, and data minimization, set out in Article 5(1)(a) and (c) of the regulation.

The decision further stated that the unlawful processing meant the company failed to meet the GDPR’s accountability requirement under Article 5(2).

In explaining its reasoning, the regulator pointed out that copying or recording identity documents is typically reserved for specific entities that are explicitly authorized to do so under law. For example, institutions subject to Poland’s Act on Counteracting Money Laundering and Terrorism Financing may collect such documents as part of customer due diligence requirements.

Restaurant Partner Polska, however, does not fall within that category of regulated institutions.

The regulator also rejected the argument that the practice could be justified under Poland’s Act on the Provision of Electronic Services, finding that collecting full scans of identity documents was not necessary for the formation or performance of a contract between the platform and its users.

In addition, the authority highlighted the special legal protection afforded to identity documents under Poland’s Public Documents Act, which treats documents such as passports and ID cards as particularly sensitive forms of public documentation.

The investigation also examined the scale and duration of the practice. According to the decision, the processing had been taking place since July 2019 and could potentially affect a large number of individuals. The company’s database included more than 3.4 million active users in Poland, raising concerns about the breadth of the potential impact.

While the regulator did not identify specific cases of identity theft resulting from the practice, it noted that collecting and storing copies of identity documents creates a real risk of harm. That risk includes the possibility that individuals could lose control of their personal data or become victims of identity fraud.

Given the nature of the violations and their duration, the regulator described the infringement as serious and concluded that a financial penalty was necessary to ensure the decision was effective, proportionate, and dissuasive.

The authority also ordered Restaurant Partner Polska to stop requesting scans or photos of identity documents from Glovo users. The company must also delete any identity document data collected in this manner within 30 days of receiving the decision.

The regulator emphasized that while companies may implement measures to combat fraud, those measures must still comply with data protection law. Anti-fraud procedures, the authority said, cannot justify collecting excessive personal data without a clear legal basis.
