The President of the Polish Office for Personal Data Protection (UODO) imposed a fine of 5,898,064 zlotys on the company operating the Glovo platform in Poland for violating the General Data Protection Regulation (GDPR). The fine relates to the illegal collection of scans of the app users’ identity documents. According to the Office, the case could have affected up to 3.4 million users of the platform.
According to the UODO website, Restaurant Partner Polska requested a scan or photo of an identity document, such as an ID card or passport, in certain situations. This concerned suspected abuse, such as attempted fraudulent orders, the use of counterfeit money, or payment details that did not match the user’s data.
The company justified these actions by citing the need to verify identity. However, according to the supervisory authority, under the principle of data minimization this legal basis was insufficient to obtain such a broad range of information contained in identity documents.
According to the head of the Personal Data Protection Authority, copying or recording identity documents is permitted only in clearly defined situations and by entities expressly authorized to do so by law. The food delivery platform does not fall into this category, so the regulator found this practice to be inconsistent with the principles of the GDPR.
The investigation revealed that the problem was systemic and could have affected a very large group of app users. According to the regulator’s findings, the risk of data leakage affected approximately 3.4 million platform users, which was considered when determining the fine. The violations had been ongoing since July 2019.
The supervisory authority also noted a real risk of non-material damage in the form of app users’ fear of losing control of their data and identity theft.
At the same time, UODO ordered the company to cease receiving and subsequently processing scans and photographs of Glovo app users’ ID cards or passports and to delete the data collected in this way within 30 days of the decision.
