Documents cannot be copied without a legal basis – fine for Glovo
The company Restaurant Partner Polska, which operates the Glovo platform, infringed the rules on the protection of personal data by obtaining scans and photographs of the identity cards of users of the mobile application, which was used, inter alia, to order meals, without a legal basis. The President of the Personal Data Protection Office, Mirosław Wróblewski, imposed an administrative fine of PLN 5 898 064 on it for infringement of the rules on the protection of personal data.
The case followed the President of the Personal Data Protection Office inspection of the way in which the data of users of the mobile application ‘Glovo – delivery of food and other’ were processed. The supervisory authority examined the legal bases, the purposes and the scope of the processing of the application users’ data.
As established by the President of the Personal Data Protection Office, in situations of suspected fraud, the company provided for additional verification and required the submission of a scan or photo of an identity document, including in cases where a courier delivering the parcel reported an attempted theft of the order by the customer, the use of counterfeit money, or discrepancies between the payment card details and the user’s data. The same applied when the courier suspected that the shipment might contain illegal substances.
The company referred to Article 6 (1)(f) GDPR as the legal basis i.e. processing is necessary for the purposes of the legitimate interest pursued by the controller, i.e. in this case the verification of the identity of the person suspected of fraud. It also argued that requests for a document were exceptional and that the processing was preceded by a data protection impact assessment and a balancing test.
The President of the Personal Data Protection Office rejected that line of argument. He stressed that the processing of personal data requires one of the conditions of Article 6 (1) GDPR to be fulfilled. In the view of the supervisory authority, the company’s reliance on the ‘legitimate interest of the controller’ was insufficient in the light of the wide range of personal data that it processed included in the identity documents.
The President of the Personal Data Protection Office indicated that the copying or recording of identity documents should only be used in exceptional cases by specific entities authorised by law and in situations expressly provided for by law – such a ground could arise from the Polish Act of 1 March 2018 on Counteracting Money Laundering and Terrorist Financing (the AML Act), which, however, grants such powers only to the institutions specified therein. Restaurant Partner Polska does not belong to this category of entities and cannot therefore rely on such competence.
Nor does the Act of 18 July 2002 on the provision of services by electronic means provide a legal basis for the processing of full scanned identity documents. The supervisory authority considered that the request for such data was not necessary for the conclusion, shaping, implementation or termination of the contract between the parties. Nor did the processing of data for identity verification pursue the purposes defined in that act. The President of the Personal Data Protection Office also pointed out that the prevention of fraud must not come at the expense of a breach of the principle of data minimisation. He also took into account the provisions of the Act of 22 November 2018 on public documents, which provides for a special protection regime for public documents of the first category, which include an identity card and a passport. Therefore, the company’s actions can also be considered questionable from the perspective of an interpretation of the provisions of the Act aimed at protecting the most relevant public documents.
As a result of the findings, the President of the Personal Data Protection Office found that the controller had infringed Article 6 (1) GDPR, as it processed excess data, in addition without a legal basis and not fit for purpose. The scope of the data obtained by the controller included the full personal data contained in the identity document, including first name, surname, family name, parents’ forenames, date and place of birth, Personal Identification Number (PESEL number), document series and number, date of issue and validity, residential address, image and other information visible on the document. Therefore, it violated the principles of lawfulness, fairness and transparency and data minimisation (Article 5 (1)(a,c) GDPR).
In the opinion of the President of the Personal Data Protection Office, the lack of lawfulness of the data processing also entails a breach of the principle of accountability (Article 5 (2) GDPR).
The amount of the fine imposed by the President of the Personal Data Protection Office (PLN 5 898 064) takes into account the nature and gravity of the infringement, its long duration (since July 2019) and its potentially wide-ranging impact, as the database included more than 3.4 million active users in Poland. The supervisory authority also pointed to a real risk of non-material damage in the form of app users’ fear of losing control of their data and identity theft.
The President of the Personal Data Protection Office considered the infringement to be serious as it concerned the fundamental principles of the processing of personal data. On the other hand, the administrative fine is, according to the supervisory authority, effective, proportionate and dissuasive. The decision of the President of the Personal Data Protection Office also makes it clear that, even in the event of suspicion of fraud, the data controller is obliged to comply with the law and the anti-fraud procedures applied must not lead to the obtaining of excessive data without a clear legal basis.
The supervisory authority also ordered the company to cease the acquisition and further processing of scans and photos of identity cards or passports of users of the Glovo application and to delete the data thus collected within 30 days of notification of the decision.
Decision in Polish: DKN.5112.33.2022