Poland’s Data Protection Authority Fines Glovo Operator PLN 5.9 Million for Unlawful Collection of Identity Document Scans

The President of the Polish Personal Data Protection Office (UODO) has imposed an administrative fine of PLN 5,898,064 on Restaurant Partner Polska, the company operating the Glovo platform in Poland. The penalty was issued for violating the General Data Protection Regulation (GDPR) by collecting scans and photographs of users’ identity documents without an appropriate legal basis.

The case stems from an inspection carried out by the President of UODO, which examined how personal data of users of the mobile application “Glovo – food delivery and more” was processed. The supervisory authority assessed, among other things, the purposes, scope, and legal grounds for the processing of personal data.


Additional Verification in Suspected Fraud Cases

According to UODO’s findings, the company requested that users provide a scan or photograph of their identity card or passport in certain situations involving suspected abuse.

Such situations reportedly included cases where couriers reported attempted theft of an order by a customer, the use of counterfeit money, discrepancies between payment card details and user data, or suspicions that a package might contain illegal substances.

Restaurant Partner Polska argued that its actions were based on Article 6(1)(f) of the GDPR, which allows processing when it is necessary for the legitimate interests of the data controller. According to the company, this was intended to verify the identity of individuals suspected of fraud.

The company also maintained that such measures were exceptional and had been introduced only after conducting a data protection impact assessment and a balancing test.


UODO: Legitimate Interest Is Not Sufficient

The President of UODO rejected this argument. According to the authority, relying on the controller’s legitimate interest cannot justify the extensive scope of personal data contained in identity documents.

The authority emphasized that copying or recording identity documents may only occur in specific circumstances and by entities explicitly authorized to do so by law. Such authorization may arise, for example, under regulations related to anti-money laundering and counter-terrorist financing, but only for strictly designated institutions.

Restaurant Partner Polska does not fall into this category and therefore could not rely on such powers.

UODO also pointed out that the Act on the Provision of Electronic Services does not provide a legal basis for requesting full scans of identity documents. According to the authority, such a broad scope of personal data was not necessary for concluding, performing, or terminating the contract between the user and the platform.


Violation of the Data Minimisation Principle

The data minimisation principle played a key role in the case. UODO concluded that efforts to prevent fraud cannot justify collecting excessive amounts of personal data.

However, the scope of data processed by the company included a very wide range of information contained in identity documents, such as:

  • first and last name
  • maiden name
  • parents’ names
  • date and place of birth
  • PESEL number (Polish national identification number)
  • document series and number
  • date of issue and expiration date
  • residential address
  • facial image
  • and other data visible on the document.

According to the President of UODO, this constituted a violation of Article 6(1) GDPR, as the data were processed without a valid legal basis and in a scope disproportionate to the declared purpose.

The authority also determined that the company violated the principles of lawfulness, fairness and transparency, as well as data minimisation, set out in Article 5(1)(a) and (c) GDPR.

Additionally, since the processing itself was unlawful, UODO concluded that the accountability principle under Article 5(2) GDPR had also been breached.


Public Documents Protection Concerns

The supervisory authority also referred to the Polish Act on Public Documents. Under this law, identity cards and passports are classified as Category I public documents, which are subject to a special protection regime.

In UODO’s view, the company’s practices were also questionable in light of the purpose of this legislation, which aims to protect the most important public documents from misuse.


Over 3.4 Million Users and Long-Term Violations

The amount of the fine was influenced not only by the nature and severity of the violation, but also by its duration.

According to the President of UODO, the irregularities had been occurring since July 2019.

The authority also considered the scale of the company’s operations, as the database affected by the case involved more than 3.4 million active users in Poland.

UODO concluded that there was a real risk of non-material damage for users, including anxiety about losing control over their personal data and the potential risk of identity theft.

The authority considered the infringement to be serious because it concerned fundamental principles of personal data processing. According to UODO, the imposed fine is intended to be effective, proportionate, and dissuasive.


Order to Delete Data and Stop the Practice

In addition to the financial penalty, UODO ordered the company to:

  • cease collecting and further processing scans and photographs of identity cards and passports of Glovo application users
  • delete all data previously collected in this way.

The company has 30 days from the delivery of the decision to comply with this order.


A Warning for the Digital Economy

The decision of the President of UODO demonstrates that even measures implemented as part of anti-fraud procedures must remain within the limits of the law.

The mere objective of preventing fraud does not automatically give data controllers the right to collect full scans of identity documents.

The Glovo case may therefore serve as an important signal for other companies operating in the digital economy. UODO clearly indicates that security measures and verification procedures cannot lead to the collection of excessive personal data without an explicit legal basis.


Case reference: DKN.5112.33.2022
Source: CEO.com.pl
