Spanish Authority imposes a fine on Glovo for failing to appoint a DPO

By Vincent Rezzouk-Hammachi, Lupe Sampedro, Natalia Gonzalez, Alex Willan

07-2020

The Spanish Data Protection Authority (Agencia Española de Protección de Datos ("AEPD")) imposed a fine of EUR 25,000 on Glovo, an on-demand courier service, for failing to appoint a Data Protection Officer ("DPO") in application of Articles 37 and 83 of the General Data Protection Regulation ("GDPR").

In its decision, the AEPD considered that Glovo breached Article 37(1)(b) of the GDPR, which stipulates that a controller or processor must appoint a DPO where:

"the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale".

What happened?

The AEPD's proceedings were initiated following the filing of two separate complaints against Glovo, on 21 May 2019 and 4 November 2019 respectively.

In response to the complaints, Glovo argued that:

  1. they did not fall within the scope of Article 37(1)(b) of the GDPR and therefore were not required to appoint a DPO; and

  2. they had already put in place a Data Protection Committee, which effectively carried out all the functions of a DPO in line with Article 39 of the GDPR.

The decision

The AEPD determined that:

  1. Glovo was in breach of Article 37(1)(b) as its activities consist of large-scale processing of personal data. This was due to the (i) number of customers, and (ii) the personal identifiers of customers being processed (although it is not explicitly mentioned in the decision, it is likely that the processing of customer's geolocation was a factor).

    Although the GDPR does not specifically define the notion of “large-scale processing”, it is likely that the AEPD considered the following factors when making its decision [1]:

    - the number of data subjects concerned;

    - the volume of data and/or the range of different data items being processed;

    - the duration, or permanence, of the data processing activity; and

    - the geographical extent of the processing activity.

  2. Whilst Glovo argued that the Data Protection Committee effectively carried out all the functions of a DPO; at the time the proceedings were initiated, there was no mention of an appointed DPO in their online privacy policy.

In response to the proceedings, Glovo communicated the appointment of a DPO to the AEPD on 31 January 2020. Whilst the AEPD recognised the proactive action, it was not enough to avoid the fine of EUR 25,000.

It should be noted that the decision is not final and that an appeal for reversal and a contentious-administrative appeal may be lodged with the National Court. Glovo has stated that they "will exhaust all judicial instances to prove that it acted at all times in accordance with the provisions of the data protection regulations" [2]

A decision in line with recent case law about DPO requirements

The AEPD's decision and similar sanctions made by other Data Protection Authorities highlight that European regulators are starting to turn their focus to ensure that the role & obligations of DPOs are correctly fulfilled.

In a couple of recent cases fined businesses for non-compliance with the GDPR requirements in relation to the DPO:

  • On 1 December 2019, the Hamburg Data Protection Commission imposed a fine of EUR 51,000 on Facebook's German subsidiary for failing to notify the appointment of its DPO to German Data Protection Authorities.
  • On 28 April 2020 the Belgian Data Protection Authority imposed an administrative fine of EUR 50,000 on a telecom services provider for having appointed its Director for Audit, Risk and Compliance as their DPO; considering that the combination of roles gave rise to a conflict of interest.

Key takeaways

Organisations are strongly advised to undertake the assessment on whether or not they need to appoint a DPO. This assessment should be done on a regular basis, in order to take into account any potential new product or processing activity which may trigger the requirement to appoint a DPO.