AEPD (Spain) - EXP202202415
From GDPRhub
| AEPD - EXP202202415 | |
|---|---|
 | |
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 12(3) GDPR Article 15 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 09.07.2024 |
| Published: | |
| Fine: | 15,000 EUR |
| Parties: | GlovoApp23 SA |
| National Case Number/Name: | EXP202202415 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | fb |
The DPA fined Glovo (the controller) €15,000 after it failed to act on an access request. The DPA considered irrelevant the fact that the request was not sent to the DPO email address but to a different contact point of the controller.
English Summary
Facts
The data subject, a Polish delivery driver, after facing some issues with a delivery, contacted the drivers’ assistance service and had a conversation with an employee. Since the data subject wanted to use this conversation to initiated legal proceedings against the controller, they asked the assistance service to provide them with the recording of the conversation. The controller refused to provide this recording.
After that, the data subject sent the controller, through the drivers’ assistance service portal, an access request under Article 15 GDPR. The controller reiterated that it cannot provide the recording and did not act further on the access request.
Therefore, the data subject filed a complaint with the Polish DPA. Since the main establishment of the controller is in Spain, the Polish DPA forwarded the complaint to the Spanish one pursuant to Article 56 and 60 GDPR.
The controller argued that the access request was not sent through the dedicated email address, but through the messaging system dedicated to drivers’ issues.
Moreover, it argued that it had not been aware of this access request until the DPA forwarded the request to it.
Furthermore, it noted that it had internal policies instructing all employees to escalate GDPR requests to the DPO office and that, in the case at hand, the delay was caused by the fact that only one employee had not complied with these policies.
Finally, it pointed out that the data subject did not initiate the legal proceeding they threatened to begin in their first message to the controller.
Holding
First, the DPA rejected the controller’s argument regarding the fact that the data subject did not use the dedicated email address for access requests. It pointed out that the data subject had sent his access request through a portal which was acknowledged by the controller as suitable for the submission of drivers’ requests.
According to the DPA, if the person receiving the message was not able to deal with GDPR issues, the controller should have forwarded the request to the right department.
On this point, the DPA held that, while the controller is free to determine its internal business organization, this cannot imply that the controller does not comply with the data subject’s GDPR rights. In the case at hand, the controller decided to centralize the response to all the GDPR requests through one email address. However, according to the DPA, this cannot mean that requests sent through other channels should not be replied to.
Furthermore, the DPA also referred to paragraph 56 of the EPDB Guidelines 01/2022 on data subject rights - Right of access, stating that the controller should make all reasonable efforts to make its services aware of a request sent to a general e-mail, so that it can be redirected to the data protection contact point and answered within the time limits provided for by the GDPR. In the case at hand, the DPA held that the controller did not make these reasonable efforts.
Moreover, the DPA noted that having a strict internal policy on how to deal with GDPR requests and that the fact that the violation depends on the negligent behaviour of one employee is not enough to be exempted from liability. On the contrary, the controller needs to adopt the necessary measures to ensure full compliance of these policies by all employees. Therefore, the DPA held that the fact that the employee acted in violation of these policies is irrelevant.
Finally, the DPA rejected the controller’s argument and held that the fact that the data subject eventually did not sue the controller is irrelevant.
On these grounds, the DPA found a violation of Article 15 GDPR and issued a fine of €15,000.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/66
File No.: EXP202202415
IMI Reference: A56ID 336608
SANCTIONING PROCEDURE RESOLUTION
Based on the procedure initiated by the Spanish Data Protection Agency and based on
the following Background, Proven Facts and Legal Grounds, the
Director of the Spanish Data Protection Agency resolves to adopt the present
sanctioning procedure resolution.
TABLE OF CONTENTS
BACKGROUND................................................................................................................2
PROVEN FACTS.......................................................................................................10
LEGAL BASIS........................................................................................................13
I Jurisdiction................................................................................................................14
II Preliminary issues...................................................................................................14
III Allegations raised...................................................................................................14
In relation to the allegations raised in relation to the agreement to initiate this
sanctioning procedure, the following are answered in the order set forth by GLOVO:...................................................................................15
FIRST.- ON GLOVO'S INTERNAL PROCESSES..................................................15
SECOND.- ON THE FORM OF REQUESTING THE RIGHT OF ACCESS
.................................................................................................................................17
THIRD.- ON KNOWLEDGE OF THE EXERCISE OF THE RIGHT AND
THE IMMEDIATE ACTION OF GLOVO. THE SPECIFIC FAILURE TO COMPLY WITH
INTERNAL PROCEDURES BY SPECIFIC EMPLOYEES AND THE DISPROPORTIONALITY OF THE
PROPOSED SANCTION........................................................................................................19
FOURTH.- OTHER RELEVANT PROCEDURES................................................................24
FIFTH.- ON THE EVOLUTION OF GLOVO................................................................25
In relation to the allegations raised in relation to the proposed resolution of
this sanctioning procedure, the following are answered in the order set forth by GLOVO:.................................................................................25
FIRST.- ON THE EVENTS THAT OCCURRED IN THE MANAGEMENT OF THE
APPLICATION........................................................................................................................25
SECOND.- ON THE NON-ATTENTION OF THE RIGHT OF ACCESS.................................31
THIRD.- ON THE THE OPENING OF A SANCTIONING PROCEDURE INSTEAD OF PROTECTION OF RIGHTS.................................36
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/66
FOURTH.- ON THE FAILURE TO TRANSFER THE COMPLAINT TO THE
DATA PROTECTION OFFICER.......................................................................43
FIFTH.- ON GLOVO'S GUILT OR NEGLIGENCE...................................44
SIXTH.- ON AGGRAVATING CIRCUMSTANCES.................................................56
IV Right of access of the interested party........................................................................60
V Classification and qualification of the infringement of article 15 of the RGPD.................................62
VI Sanction for the infringement of article 15 of the RGPD.................................................63
the Director of the Spanish Data Protection Agency RESOLVES:.................64
BACKGROUND
FIRST: A.A.A. (hereinafter, the complainant) filed a complaint on September 30, 2021 with the Urząd Ochrony Danych Osobowych, the Polish data protection authority. The complaint is directed against GLOVOAPP23, S.A.
with NIF A66362906 (hereinafter, GLOVO). The grounds on which the complaint is based
are the following:
The complainant requested from GLOVO the recording of its conversation with a
***PUESTO.1 of GLOVO on August 19, the time at which the complainant entered
the GLOVO application on that same day, information on the cancellation of an
order placed on that same day including the decisions made by GLOVO employees
and their motivation, and the work schedule on that same day with the changes made
by the system and by the employees. The complainant requested this information based on Article 15 of the General Data Protection Regulation (GDPR), to which GLOVO replied by denying access to the conversation.
Along with the complaint, the following is provided:
- Printout of an email dated August 19, 2021 at 2:31 p.m.
sent by support@glovo.mail.kustomerapp.com to the complainant in Polish with the following content (unofficial translation): “Thank you for contacting
us. We have received your communication and are sending this message
automatically to confirm it. Our customer service will contact you shortly. Best regards!”
This email is in response to a previous email sent by the complainant on August 19, 2021
at 12:31 p.m., with the following content (original Polish,
unofficial translation): “Good morning, please send me the conversation with (...),
B.B.B., to my email address, as it will be the basis of my court case,
if that does not happen, I will send you a court order.”
- Printout of an email dated August 19, 2021 at 3:30 p.m.
sent by support@glovo.mail.kustomerapp.com to the complainant in Polish, with the following content (unofficial translation): “Good morning, thank you for
contacting Glovo. Unfortunately, we cannot share the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/66
conversation or its fragments with you. Please let us know what your problem is with
our ***POST.1. Kind regards, Glovo Customer Support.”
- Printout of an email dated August 19, 2021 at 8:54 PM
sent by the complaining party to support@glovo.mail.kustomerapp.com in the
Polish language, with the following content (unofficial translation): “So, in that case, your
consultant said that I was blocked in red for doing nothing for 2 hours, and then
blocked me for the whole day?”.
- Printout of an email dated August 20, 2021 at 8:29 AM
sent by support@glovo.mail.kustomerapp.com to the complaining party in the
Polish language, with the following content (unofficial translation): “Good morning, thank you for
contacting Glovo. Please be advised that 15 minutes before the start of the blockage
you receive a check-in reminder. Afterwards you must confirm your readiness to
work during the hours that have been booked. You did not confirm that you were ready
to work, so the system automatically marked your blocks in red. If
you need further support, please contact us. We will be happy to help you. Glovo Customer
Support.”
- Printout of an email dated August 23, 2021 at 2:16 p.m.
sent by support@glovo.mail.kustomerapp.com to the complaining party, in Polish, with the following content:
“Good morning, thank you for contacting Glovo.
One hour was blocked because your contract was reassigned, the rest because you did
not check in on the application. Please be advised that 15 minutes before the start of the
blockage you receive a check-in reminder. Afterwards you must confirm your
readiness to work during the hours that have been booked. You did not confirm
that you were ready to work, so the system automatically marked your
blocks in red. If you need further support, we invite you to contact
us. We will be happy to help you. Glovo Customer Support.”
- Printout of an email dated August 26, 2021 at 09:56
sent by support@glovo.mail.kustomerapp.com to the complaining party in Polish, with the following content (unofficial translation): “Thank you for contacting
us. We have received your communication and we are sending this message
automatically to confirm it. Our customer service will contact you as soon as possible. Best regards!”
This email is in response to a previous email sent by the complainant on August 26, 2021 at 07:56, with the following content (original Polish,
unofficial translation): “On the basis of Article 15 of the GDPR, I would like to request
the following data:
- conversation log with (...) B.B.B. from August 17 with time per minute for
each sentence of this conversation
- the exact time I checked in on August 17 in the application together
with the actions taken by your employees that changed this data
- information about the cancelled order from ***ADDRESS.1 to
Biedronka from August 17, together with the reason for this cancellation and the
actions taken by your employees that changed this data
- work plan from August 17 with minute-by-minute information of your
changes by the system and your employees.”
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/66
- Printout of an email dated August 26, 2021 at 8:09 p.m.
sent by support@glovo.mail.kustomerapp.com to the complainant in Polish, with the following content (unofficial translation): “Hello, A.A.A.! Thank you for
contacting us. Your case has been transferred to another department. Once we
have a response, we will pass it on to you. We hope that this information is
useful, because we are always trying to provide the highest quality in
our service. You can count on us. Thank you for your trust. Glovo Customer
Service.”
- Printout of an email dated September 3, 2021 at 12:36
hours sent by support@glovo.mail.kustomerapp.com to the complaining party in
Polish, with the following content (unofficial translation): “Good morning,
Unfortunately, we cannot share such information with you. Can you
specify what exactly you are requesting? We remind you that opening
multiple chats may slow down your service time. We ask you to use a
single chat for this request. Best regards, Glovo Team Glovo Customer
Support.”
- Printout of an email dated 3 September 2021 at 13:10
hours in which the complaining party sent to support@glovo.mail.kustomerapp.com a
reply to the previous email in Polish, with the following content
(unofficial translation): “I was requesting information from August 19 (however, I made a mistake when writing August 17). Based on Article 15
GDPR I would like to request the following information:
- conversation log with (...) B.B.B. from August 17 with minute-by-minute time for each sentence in this conversation
- the exact time I checked in on August 17 in the application along with the actions taken by your employees that changed this data
- information about the cancelled order from ***ADDRESS.1 to
Biedronka from August 17, along with the reason for this cancellation and the actions taken by your employees that changed this data
- work plan for August 17 with minute-by-minute information about your
changes by the system and your employees.”
And the official response from your company is that you cannot provide such information,
no?”
- Screenshot of email dated September 6, 2021 at 17:22 hours in which support@glovo.mail.kustomerapp.com replies to the complainant's previous email in Polish, with the following content
(unofficial translation): “Good morning, As we have mentioned above, we cannot
share such information. Kind regards, Glovo Team Glovo Customer Service”.
SECOND: Through the “Internal Market Information System” (hereinafter
IMI System), regulated by Regulation (EU) No 1024/2012, of the European Parliament
and of the Council, of October 25, 2012 (IMI Regulation), whose objective is to promote
cross-border administrative cooperation, mutual assistance between Member States and the exchange of information, the aforementioned claim was transmitted on February 24, 2022 and was given an entry date at the Spanish Data Protection Agency (AEPD) the following day. The transfer of this complaint to the
AEPD is carried out in accordance with the provisions of article 56 of Regulation
(EU) 2016/679 of the European Parliament and of the Council of 27/04/2016 on the
Protection of Natural Persons with regard to the Processing of Personal Data and the Free
Circulation of Such Data (hereinafter, GDPR), taking into account its cross-border nature and that this Agency is competent to act
as the main supervisory authority, given that GLOVO has its registered office and
main establishment in Spain.
The data processing carried out affects interested parties in several
Member States. According to the information incorporated into the IMI System, in
accordance with the provisions of article 60 of the GDPR, the authorities of Italy, Portugal and France act as
“interested supervisory authority” in addition to the data protection authority of Poland. All of them pursuant to article
4.22 of the GDPR, given that the interested parties residing in the territory of these
control authorities are substantially affected or are likely to be substantially
affected by the processing subject to this procedure.
THIRD: On June 6, 2022, the AEPD requests, through the IMI System, the
Polish data protection authority to send the relevant information of the
case again.
The Polish data protection authority shared the requested documentation
through the IMI System on June 10, 2022.
FOURTH: On June 24, 2022, in accordance with the then-current
article 64.3 of Organic Law 3/2018, of December 5, on the Protection of Personal
Data and Guarantee of Digital Rights (LOPDGDD), the claim filed by the
complainant was admitted for processing.
FIFTH: The General Subdirectorate of Data Inspection proceeded to carry out
preliminary investigative actions to clarify the facts in question, by virtue of the functions assigned to the control authorities in
article 57.1 and the powers granted in article 58.1 of the GDPR, and in accordance with the provisions of Title VII, Chapter I, Section Two, of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of
Digital Rights (hereinafter LOPDGDD), having knowledge of the
following facts:
1. On November 15, 2022, this Agency received a written response to
the request for information, submitted on behalf of GLOVO, with entry registration number ***REFERENCE.1, in which, among others, the following
information was provided:
a) Declaration that the party The complainant “… has exercised his right of access
through this Agency and that Glovo had never before received his request for access
through the email address enabled for this purpose, as indicated in the Privacy Policy in force at the time when he
exercised his right of access, namely, the email gdpr@glovoapp.com”.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/66
b) Indication that, when this request for access was received through the AEPD request, GLOVO forwarded the request to its data protection officer, who sent a reply to the complainant on November 14, 2022
from the address gdpr@glovoapp.com attaching the 4 documents that the complainant requested in their emails to Glovo Customer Service.
c) A copy of the email sent by gdpr@glovoapp.com to
***EMAIL.1 (which GLOVO indicates is the email address of the
complainant), dated November 14, 2022 at 7:30 PM, with the
following content is provided:
“Dear Mr. A.A.A.:
36. We confirm that we have received your request to exercise your right of
access in relation to personal data, in accordance with the applicable data protection laws (EU
Regulation 2016/679).
37. We are pleased to inform you that after analyzing the requested information
and verifying your identity in accordance with the information requested by the
Spanish Data Protection Authority (the so-called ≪Data Protection
Authority≫). Spanish Data Protection Agency), through
the Polish Data Protection Authority, we provide the following
information along with the attached documents:
1. Interview report with (...) B.B.B. dated 19.8.2021
38. A talk is attached (document 1).
2. Exact time of logging into the application on 19.8.2021 with a list of
actions taken by Glovo employees
39. Attached to the request for information (document 2).
3. Information about the cancellation of the order from Spring Square to Biedronka
on 19.8.2021 year in
40. Please note that for operational reasons we had to
proactively assign an order to another courier so that the user
received the order in due time. Please note that after a
long period of no activity on your part, we had to assign the
order to another courier in order to receive the product in a timely manner (see
Document 3).
4. Service schedule of 19.8.2021
41. Attached are the actions performed in the system indicating your
schedule and the actions undertaken by Glovo on that date (document
4).
42. We hope that this information is useful.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/66
43. Please note that you can read our privacy policy at
https://glovoapp.com/es/legal/privacy-couriers/
44. Considering that Glovo participates in the protection of personal
data, we remind you that you can exercise your rights of access,
rectification, deletion, limitation of processing, data portability and
opposition at any time, using the form available on the
Platform or by sending an email to gdpr@glovoapp.com.
Alternatively, in any case, you can contact the
competent data protection authority.
45. Glovo Team”
d) Copy of a certificate from the company ***COMPANY.1 indicating that the
email mentioned in the previous point was sent on November 14, 2022 at 7:31 p.m.
and was accessed by the recipient on November 14, 2022 at 7:44 p.m.
This certificate also includes the content of the documents attached to the email.
e) Copy of the “POLITYKA PRYWATNOŚCI DLA KURIERÓW” [Unofficial translation:
“Privacy Policy for Messengers”] in Polish of GLOVO. Within this
privacy policy, in its section 11, dedicated to the rights of interested parties,
it is indicated that “Powyższe prawa mogą być wykonywane poprzez wysłanie wiadomości
e-mail na adres gdpr@glovoapp.com.” [Unofficial translation: “These rights can be
exercised by sending an email to gdpr@glovoapp.com.”].
2. On March 30, 2023, the General Subdirectorate of Data Inspection browsed the website https://web.archive.org, obtaining the historical content of August 13, 2021 of the website
https://glovoapp.com/pl/legal/privacy-couriers/, which contains the privacy policy for GLOVO couriers, obtaining the following results:
Within the section “11. Rights of interested parties”, it is indicated that “The aforementioned rights may be exercised by sending an email to the
address gdpr@glovoapp.com”.
3. According to a query made on March 30, 2023 in the Monitoriza service of Axesor
(https://monitoriza.axesor.es/), GLOVO is a type of company “(...)” that, in
2021, had a total global annual turnover of ***AMOUNT.1 €, and
had ***AMOUNT.2 employees.
EIGHTH: On June 16, 2023, the Director of the AEPD adopted a draft
decision to initiate sanctioning proceedings. Following the process established
in article 60 of the GDPR, on that same day this draft decision was transmitted through the IMI system and the interested
authorities were informed that they had four weeks from that moment to formulate relevant and
reasoned objections. The processing period for this sanctioning procedure was automatically suspended for these four weeks, in accordance with the provisions of Article 64.5 of the LOPDGDD.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/66
Within the period for this purpose, the interested supervisory authorities did not present any pertinent and reasoned objections in this regard, so it was considered that all the authorities agreed with this draft decision and were bound by it, in accordance with the provisions of section 6 of Article 60 of the GDPR.
NINTH: On July 17, 2023, the Director of the Spanish Data Protection Agency agreed to initiate disciplinary proceedings against GLOVO, in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), in order to impose a fine of 15,000 euros, for the alleged violation of article 15 of the GDPR, classified in article 83.5 of the GDPR, in which it was indicated that it had a period of ten days to present allegations.
This start-up agreement, which was notified to GLOVO in accordance with the rules established
in Law 39/2015, of October 1, on the Common Administrative Procedure of
Public Administrations (LPACAP), was collected on 07/17/2023 and 07/18/2023,
as stated in the acknowledgment of receipt in the file.
TENTH: On July 17, 2023, GLOVO submitted a letter to this Agency
reporting that it had received a notice of a postal notification sent to this
Agency with “Identifier: ***REFERENCE.2”, but that they could not find it.
They also reported that their current address was at Calle Llull, 108 08005
Barcelona and that the corporate form of the entity had changed to S.A., its
correct corporate name being Glovoapp23, S.A.
ELEVENTH: On July 17, 2023, GLOVO submitted a letter requesting an extension of the deadline for submitting objections.
TWELFTH: On July 19, 2023, the extension of the requested deadline for up to a maximum of five days was agreed, in accordance with the provisions of article 32.1
of the LPACAP.
The aforementioned agreement was notified to GLOVO on July 20, 2023, as stated in
the acknowledgment of receipt in the file.
THIRTEENTH: On August 3, 2023, this Agency received, in a timely manner, a letter from GLOVO in which it submitted objections to the initiation agreement.
In summary, these allegations stated that:
- First.- GLOVO has abundant internal procedures and a culture of
privacy in its company and acted diligently and proactively to ensure compliance with data
protection throughout the company.
- Second.- GLOVO had expressly established that in all cases similar to
that of the complainant, all requests must be communicated to its Data
Protection Department, but the complainant did not use the channels intended for this.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/66
- Third.- 3.1. The complainant was given a response with all the
required information as soon as the complaint was forwarded by this Agency.
3.2. GLOVO has not acted with malice or negligence.
- Fourth.- Other relevant procedures of this Agency are cited in which the archiving of proceedings was resolved.
- Fifth.- GLOVO has evolved greatly in terms of personal data protection.
FOURTEENTH: On April 16, 2024, the body in charge of the procedure issued a resolution proposal in which it proposed imposing a fine of 15,000 euros on GLOVO, in accordance with the provisions of articles 63 and 64 of the
LPACAP, for the violation of Article 15 of the GDPR, classified in Article 83.5 of the GDPR, in which it was indicated that it had a period of ten days to submit
allegations.
This resolution proposal, which was notified to GLOVO in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (LPACAP), was collected on April 26, 2024, as stated in the acknowledgment of receipt in the file.
FIFTEENTH: On April 26, 2024, GLOVO submitted a document requesting an extension of the deadline for submitting allegations.
SIXTEENTH: On April 30, 2024, the body in charge of the procedure agreed to the requested extension of the deadline up to a maximum of five days, in accordance with the provisions of article 32.1 of the LPACAP.
The aforementioned agreement was notified to GLOVO on the same day, as stated in the acknowledgment of receipt in the file.
SEVENTEENTH: On May 17, 2024, this Agency received, in a timely manner, a letter from GLOVO in which it presented objections to the proposed resolution. In summary, in these objections, it stated that:
- First.- GLOVO has numerous technical and organizational measures
in place to ensure compliance with the applicable regulations regarding
data protection and, especially in relation to the case at hand, the
attention to the rights of the interested parties.
- Second.- The interested party's request was responded to. GLOVO made
reasonable efforts to ensure that the agents of the delivery support team could
identify requests to exercise rights and either
communicate them directly to the data protection department, or respond to the
interested party with the address where to go, efforts that, due to human error, were not
translated into reality.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/66
- Third.- GLOVO is surprised that, having responded to the interested party first
by chat, and subsequently officially by the Data Protection Department, the Agency decides to proceed with the initiation of a sanctioning procedure without
proposing the opening of a procedure for the protection of rights.
- Fourth.- GLOVO is surprised that the AEPD does not apply in this case the possibility offered
by the LOPDGDD to refer any claim to the data protection delegate before deciding on its admission for processing, in accordance with
article 65.
- Fifth.- GLOVO should not be held responsible, due to negligence or fault, for the incorrect or insufficient response to the interested party who makes the claim.
- Sixth.- Requests that the aggravating circumstances alleged by the AEPD not be applied and that
the fact that the AEPD has been aware of several claims for attention to rights, without ever having found any
reprehensible fact in the actions of GLOVO, be considered as an attenuating circumstance.
From the actions carried out in the present procedure and from the documentation
in the file, the following have been proven:
PROVEN FACTS
FIRST: On August 19, 2021 at 12:31 p.m. the complaining party sent an
email to the address support@glovo.mail.kustomerapp.com, with the
following content (in Polish the original, unofficial translation): “Good morning, please
send me the conversation with (...), B.B.B., to my email address, as
it will be the basis of my legal case, if that does not happen, I will send you a court order.”
On August 19, 2021 at 2:31 p.m. the complaining party received an email from the address support@glovo.mail.kustomerapp.com in Polish language
with the following content (unofficial translation): “Thank you for contacting us.
We have received your communication and we are automatically sending this message to
confirm it. Our customer service will contact you shortly. Best regards!”
SECOND: On August 19, 2021 at 3:30 p.m. the complaining party received an
email from the address support@glovo.mail.kustomerapp.com in Polish,
with the following content (unofficial translation): “Good morning, thank you for
contacting Glovo. Unfortunately, we cannot share the conversation or its fragments with you. Please let us know what your problem is with
our ***POST.1. Best regards, Glovo Customer Support.”
THIRD: On August 19, 2021 at 8:54 p.m. the complainant sent an
email to the address support@glovo.mail.kustomerapp.com in Polish, with the following content (unofficial translation): “So, in that case, your
consultant said that I was blocked in red for doing nothing for 2 hours, and then
blocked me for the whole day?”.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/66
FOURTH: On August 20, 2021 at 8:29 a.m. the complainant received an
email from the address support@glovo.mail.kustomerapp.com in Polish, with the following content (unofficial translation): “Good morning, thank you for
contacting Glovo. Please be advised that 15 minutes before the start of the block you
receive a check-in reminder. Afterwards you must confirm your readiness to work
during the hours that have been booked. You did not confirm that you were ready to
work, so the system automatically marked your blocks in red. If you need
further support, please contact us. We will gladly assist you. Glovo Customer Support.”
FIFTH: On August 23, 2021 at 2:16 p.m. the complaining party received an
email from the address support@glovo.mail.kustomerapp.com in Polish, with the following
content: “Good morning, thank you for contacting Glovo. One hour was
blocked because your contract was reassigned, the rest because you did not check in
in the application. Please be advised that 15 minutes before the start of the block you
receive a check-in reminder. Afterwards you must confirm your readiness to work
during the hours that have been booked. You did not confirm that you were ready to
work, so the system automatically marked your blocks in red. If you need
further support, we invite you to contact us. We will be happy to
help you. Glovo Customer Support.”
SIXTH: On August 26, 2021 at 09:56 the complaining party received an
email from the address support@glovo.mail.kustomerapp.com in Polish, with the following content (unofficial translation): “Thank you for contacting
us. We have received your communication and we sent this message
automatically to confirm it. Our customer service will contact you as soon
as possible. Best regards!”
This email is in response to a previous email sent by the complainant on August 26, 2021 at 07:56, with the following content (original Polish, unofficial translation): “On the basis of Article 15 of the GDPR, I would like to request the following
data:
- conversation log with (...) B.B.B. from August 17 with time per minute for
each sentence of this conversation
- the exact time I checked in on August 17 in the application together with
the actions taken by your employees that changed this data
- information about the cancelled order from ***ADDRESS.1 to
Biedronka from August 17, together with the reason for this cancellation and the
actions taken by your employees that changed this data
- work plan from August 17 with minute-by-minute information of your
changes by the system and your employees.”
SEVENTH: On August 26, 2021 at 8:09 p.m. the complaining party received an
email from the address support@glovo.mail.kustomerapp.com in Polish,
with the following content (unofficial translation): “Hello, A.A.A.! Thank you for
contacting us. Your case has been transferred to another department. Once we
have a response, we will pass it on to you. We hope that this information is
useful, because we are always trying to provide the highest quality in
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/66
our service. You can count on us. Thank you for your trust. Glovo Customer
Service.”
EIGHTH: On September 3, 2021 at 12:36 p.m. the complaining party received an
email from support@glovo.mail.kustomerapp.com in Polish, with
the following content (unofficial translation): “Good morning, Unfortunately, we
cannot share such information with you. Can you please specify what
exactly you are requesting? We remind you that opening multiple chats
may slow down your service time. We ask you to use only one chat for this
request. Best regards, Glovo Team Glovo Customer Support.”
NINTH: On September 3, 2021 at 1:10 p.m. the complaining party sent an
email to support@glovo.mail.kustomerapp.com with a reply to the
previous email in Polish, with the following content (unofficial translation):
“I was requesting information from August 19 (however, I made a mistake
by writing August 17). Based on Article 15 GDPR I would like to request the
following information:
- conversation log with (...) B.B.B. from August 17 with minute-by-minute time for each sentence in this conversation
- the exact time I checked in on August 17 in the application along
with the actions taken by your employees that changed this data
- information about the cancelled order from ***ADDRESS.1 to
Biedronka from August 17, along with the reason for this cancellation and the
actions taken by your employees that changed this data
- work plan for August 17 with minute-by-minute information of your
changes by the system and your employees.”
And the official response from your company is that you cannot provide that information,
no?”
TENTH: On September 6, 2021 at 5:22 p.m. the complaining party received an
email from the address support@glovo.mail.kustomerapp.com, in
reply to the previous email from the complaining party, in Polish, with the following
content (unofficial translation): “Good morning, As we have mentioned
previously, we cannot share such information. Kind regards, Glovo Customer
Service Team.”
ELEVENTH: On November 14, 2022 at 7:31 p.m. an email was sent from the address gdpr@glovoapp.com to ***EMAIL.1, with the following
content:
“Dear A.A.A.:
We confirm that we have received your request to exercise your right of access in relation to personal data, in accordance with the applicable data protection laws (EU Regulation 2016/679).
We are pleased to inform you that after analyzing the requested information and verifying your identity in accordance with the information requested by the Spanish Data Protection Authority (the so-called ≪Data Protection Authority≫). Spanish:Spanish Data Protection Agency), through the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/66
Polish Data Protection Authority, we provide the following information
together with the attached documents:
1. Report of the interview with (...) B.B.B. dated 19.8.2021
A talk is attached (document 1).
2. Exact time of logging into the application on 19.8.2021 with a list of
actions taken by Glovo employees
Attached to the request for information (document 2).
3. Information about the cancellation of the order from Spring Square to Biedronka
on 19.8.2021 year in
Please note that for operational reasons we had to proactively
assign an order to another courier so that the user would receive the
order in due time. We inform you that after a long
time without any activity on your part, we had to assign the order to
another courier in order to receive the product in due time (see Document
3).
4. Service schedule of 19.8.2021
Attached are the actions performed in the system indicating their
schedule and the actions undertaken by Glovo on that date (document 4).
We hope that this information is useful.
Please note that you can read our privacy policy at
https://glovoapp.com/en/legal/privacy-couriers/
Considering that Glovo is involved in the protection of personal data,
we remind you that you can exercise your rights of access, rectification,
deletion, limitation of processing, data portability and opposition at
any time, using the form available on the Platform or
by sending an email to gdpr@glovoapp.com. Alternatively, in
any case, you can contact the competent data protection authority.
Glovo Team”
This email was accessed by the recipient on November 14, 2022 at
19:44 hours.
TWELFTH: In the “Privacy Policy for Messengers” in force in
September 2021, it was indicated that the address to contact
GLOVO regarding questions was by sending an email to gdpr@glovoapp.com.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/66
THIRTEENTH: According to the diligence dated March 30, 2023, in
the year 2021, GLOVO was a “(...)” type company with a total annual global
business volume of ***AMOUNT.1 €, and had ***AMOUNT.2 employees.
LEGAL BASIS
I
Jurisdiction
In accordance with the provisions of articles 58.2 and 60 of Regulation (EU) 2016/679
of the European Parliament and of the Council of 27 April 2016 on the protection
of natural persons with regard to the processing of personal data and the free movement of such data (RGPD), and as established in articles 47,
48.1, 64.2 and 68.1 and 68.2 of Organic Law 3/2018, of 5 December, on the Protection of Personal
Data and Guarantee of Digital Rights (hereinafter, LOPDGDD) the Director of the Spanish Data Protection Agency is
competent to initiate and resolve this procedure.
Likewise, article 63.2 of the LOPDGDD determines that: “The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
of Regulation (EU) 2016/679, in this organic law, by the regulatory
provisions issued in its development and, insofar as they do not contradict them,
in a subsidiary manner, by the general rules on administrative procedures.”
II
Preliminary questions
In the present case, in accordance with the provisions of article 4.1 and 4.2 of the RGPD,
the processing of personal data is recorded, since GLOVO
collects and stores, among others, the following personal data of
natural persons: name and surname and email, among other treatments.
GLOVO carries out this activity in its capacity as data controller, given
that it is the one who determines the purposes and means of such activity, pursuant to article 4.7 of the
RGPD. Furthermore, this is a cross-border treatment, given that GLOVO is
established in Spain, although it provides services to other countries in the European Union.
The GDPR provides, in its article 56.1, for cases of cross-border processing,
provided for in its article 4.23), in relation to the competence of the main supervisory authority, that, without prejudice to the provisions of article 55, the supervisory authority of the main establishment or of the sole establishment of the controller or the processor
will be competent to act as the main supervisory authority for the cross-border processing carried out by said controller or processor in accordance with the procedure established in article 60. In the case
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 15/66
examined, as has been explained, GLOVO has its main establishment in
Spain, so the Spanish Data Protection Agency is competent to act as the main supervisory authority.
For its part, article 15 of the GDPR regulates the right of access by the interested party to their
personal data.
III
Allegations raised
In relation to the allegations raised in relation to the agreement to initiate this
sanctioning procedure, the following are answered in the order set forth by GLOVO:
FIRST.- REGARDING GLOVO'S INTERNAL PROCESSES
GLOVO claims that it has its own internal procedures to ensure compliance with
personal data protection regulations in general and, in particular, in relation to the attention to data protection rights exercised
by interested parties, whether they are users, partners or distributors.
They indicate that they are aware that interested parties who interact with GLOVO can interact directly with their support or customer service channels (customer
support) for aspects related to their privacy and, in particular, to exercise their data protection rights, even though it is not the official channel for this as reported in their privacy policy.
However, due to the special sensitivity of these cases and, especially, those cases that may have an impact on other people - such as the present case
where the complainant requested a transcript of a conversation with B.B.B. from the Customer Support team - it was expressly established that in these
cases all requests must be communicated to the GLOVO Data Protection Department.
Attached as proof of this, as DOCUMENT 1, is a copy of the protocol of action that the agents in charge of providing Customer Support services, and
managed by the Live Ops Department, must follow in the event of receiving
GDPR rights requests such as the present case.
The aforementioned document provided indicates that it is “Version 1 - Valid from
February 2021” and in its section 5.1, the following is expressly indicated:
“5.1. Right of access by the data subject
User or Courier contact LiveOps and request his/her data.
If he/she is not in Glovo systems you should inform him/her that we are unable to
attend his/her request.
If he/she is in Glovo systems, LiveOps should redirect User or Courier to gdpr@glovoapp.com in order to assist this request, since the Legal Privacy Team C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 16/66 needs to reach out to Tech to obtain an Excel with personal details and order details as well as reach out the specific Team in charge of chat conversations or call recordings where applicable.”
(unofficial translation: “5.1. Right of access by the interested party
The user or Delivery person contacts LiveOps and requests his or her data.
If he or she is not in Glovo's systems, LiveOps must inform him or her that we cannot attend to his or her request.
If he or she is in Glovo's systems, LiveOps must redirect the User or
Delivery person to gdpr@glovoapp.com in order to attend to his or her request, since the Legal Privacy Team
needs to contact Tech to obtain an Excel with the personal details and order details as well as to contact the specific Team
in charge of chat conversations or call recordings, if applicable.”)
Additionally, in section 6, the following is also indicated:
“6. Relevant issues to take into account
In case of any doubt please, reach out to the Legal Privacy Team through
gdpr@glovoapp.com. In case if support of other Glovo teams is needed (such as Tech, Risk Ops, etc) please, reach out to the Legal Privacy Team through gdpr@glovoapp.com.
In accordance with Article 12 of the GDPR Glovo as data controller will provide User or Courier with the requested information within one month of receipt of the request.
The unique official channels to exercise data subjects rights are gdpr@glovoapp.com and the form available here.”
(unofficial translation: “6. Relevant aspects to take into account
In case of doubt, please contact the Privacy Legal Team through
gdpr@glovoapp.com.
In case assistance is required from other Glovo teams (such as Tech, Risk Ops,
etc.) please contact the Privacy Legal Team through
gdpr@glovoapp.com.
In accordance with article 12 of the GDPR, Glovo as data controller
will provide the User or Delivery Person with the requested information within one month
from receipt of the request.
The only official channels to exercise the rights of interested parties are
gdpr@glovoapp.com and the form available here.”)
GLOVO explains that this protocol, on the one hand, indicates what the rights of access, rectification, opposition, deletion, limitation and portability consist of. On the other hand,
it explains step by step how agents must attend to these rights. And it clarifies that,
in case of doubt, all agents in charge of providing Customer Support services are duly informed of the need to refer any exercise of
data protection rights to the direct communication channel
gdpr@glovoapp.com, as stated in its privacy policy.
GLOVO adds that all its employees, when they join the organization,
sign a document called “PERSONAL DATA PROCESSING,
COMMUNICATIONS AND USE OF EQUIPMENT POLICY” (a copy of said document is attached as
DOCUMENT 2), which in its section 8 includes a
specific chapter entitled “Guidelines for responding to a petition of access,
cancellation, limitation, suppression, opposition or portability rights” that describes how
to react to an exercise of data protection rights.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 17/66
GLOVO claims that the Data Protection Department, in addition to managing the
gdpr@glovoapp.com account, also has access to the legal@glovoapp.com account
so that it can address the data protection rights that the agents in charge of providing Customer Support services may redirect to this email.
GLOVO indicates that this document was accepted and signed by the three agents who
had discussions with the complainant. As an example, the conditions signed by one of them are provided
as DOCUMENT 3.
However, GLOVO adds that these agents no longer provide their services to the
organization. In this regard, the declaration signed by
the legal representative of Restaurant Partner Polska sp. z o.o. (hereinafter, "Glovo
Poland"), a subsidiary of Glovo that operates in the Polish market and with which the
agents involved in the complainant's case stopped providing their services
for Glovo Poland, is attached as DOCUMENT 4.
GLOVO highlights that all agents who provide Customer Support services to their users have been trained in the management of data protection rights and must act in accordance with the protocol of action provided as DOCUMENT 1.
It also explains that in April 2021, GLOVO's Data Protection Department provided specific training to the Live Ops Department, the team in charge of managing Customer Support agents, where it explained what the General Data Protection Regulation consists of, its principles, why compliance with privacy regulations is so important and, in particular, the management of the data protection rights of our users (including delivery drivers) by agents. The training carried out is attached as DOCUMENT 5.
Thus, GLOVO concludes that there is no other conclusion than that it has
abundant internal procedures and a privacy culture in its company
made up of different protocols, training and guidelines aimed at the protection of
personal data. Therefore, in its opinion, it is more than evident that it acted diligently and acts proactively to ensure compliance with data protection throughout the company through continuous mandatory training for all its employees.
In this regard, this Agency wishes to point out that, regardless of the measures
adopted by GLOVO, in the present case the complainant made numerous
communications requesting their right to access data about themselves,
even making reference to article 15 of the GDPR, a request that was not duly
responded to.
GLOVO itself recognizes that interested parties can interact with other channels
other than the official channel reported in its privacy policy and even had
indicated that cases such as the one that gives rise to this procedure should
be communicated to its Data Protection Department, which has not occurred.
Therefore, this allegation is rejected.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 18/66
SECOND.- REGARDING THE FORM OF APPLYING FOR THE RIGHT OF ACCESS
GLOVO claims that the request for the right of access was not made through the
official channels for this purpose, since it did not use the email address that GLOVO had
available to interested parties on the date on which the exercise of the right was requested
(gdpr@glovoapp.com).
It also indicates that all GLOVO delivery drivers - and, consequently, the
complainant - must expressly accept the terms and conditions applicable to delivery drivers and the
privacy policy at the time of creating an account on its platform. 6 screenshots of this
extent are attached as DOCUMENT (the document is written in Polish).
GLOVO adds that all delivery drivers have at their disposal, through the website or mobile application, a section in which to access the legal and privacy conditions. In the case of delivery drivers, the channels of attention are intended,
exclusively, for: accidents or offenses, issues related to shipments, issues related to
earnings or incidents with the application.
GLOVO also explains that in the app or website itself, delivery drivers can access
their user profile, where both the terms and conditions of the APP and the applicable privacy policy are permanently accessible, which
includes all the information on how to exercise rights.
Therefore, GLOVO alleges that, without wanting to justify the behavior of the agents
who attended to the complainant that was not in accordance with GLOVO's internal policies, it is also not possible to ignore that the complainant did not use the expected channels
for the exercise of rights.
And that the above is relevant because, taking into account that this was a person with a minimum sensitivity towards data protection, sufficient to
directly expose article 15 of the GDPR to request access to his personal data, he did not seem interested at any time in seeking official channels
to request the information when he did not obtain it from customer care. At
no time did the interested party contact GLOVO's Data Protection
Department.
In this sense, GLOVO understands that companies must indeed attend to the
rights through any channel used by the interested party, but this obligation must
be modulated, on the one hand because not any company email must be able
to receive this type of requests subject to a response time, nor if the company has official channels for the exercise of rights can the interested parties
ignore them to file claims or make requests through any channel,
clearly knowing where they should go to do so.
In short, it alleges that companies cannot be required to be diligent that can
reach absurdity. If any type of exercise of rights could be accepted in any way, it could lead to the absurdity that a user could require the same delivery person who delivers their order to delete their data from the application. All organizations have different employees or collaborators for different functions and it is in no way acceptable to require any employee or collaborator to have the authority or capacity to manage the rights of interested parties; this would mean indiscriminate access to user data that would seriously violate all regulations for the protection of personal rights.
In the present case, GLOVO understands that the same diligence that is requested of it to
respond to any request through any channel, must also be requested of an interested party
who knows the GDPR sufficiently to cite specific articles (as
can be seen from the communications held), and therefore it should be considered
to what extent it was also the obligation of the interested party to inform themselves of the channels that
GLOVO expressly makes available to them for the exercise of their rights and to
make use of them.
In this regard, this Agency wishes to point out that in the present case the complainant
made their request for access to their personal data through the channel that GLOVO
makes available to respond to queries from delivery drivers, precisely. It is not
a case of the complainant having made their request to “any employee or
collaborator”, but rather that they addressed the channel specifically provided so that delivery drivers could direct their queries and requests.
In fact, GLOVO itself already anticipated that such requests could be directed
through this channel, which is why its own protocol indicated that they should be
redirected to the corresponding department in order to be properly attended to.
GLOVO even acknowledges that the agents who interacted with the
complainant did not act as indicated by GLOVO's own protocol.
In any case, GLOVO cannot claim that greater diligence and
knowledge of the protection of personal data on the part of the person requesting an exercise of rights
becomes a higher level of demand for him than for other users.
For the reasons stated above, this claim is rejected.
THIRD.- REGARDING THE KNOWLEDGE OF THE EXERCISE OF THE RIGHT AND THE
IMMEDIATE ACTION OF GLOVO. THE ONE-OFF FAILURE TO COMPLY WITH INTERNAL PROCEDURES BY INDIVIDUAL EMPLOYEES AND THE DISPROPORTIONALITY OF THE PROPOSED SANCTION
3.1. Knowledge of the exercise of the right by the complainant and the immediate
reaction of Glovo
GLOVO claims that the Data Protection Department responsible for all
aspects related to the privacy of the interested parties was not at any
time aware of the right of access exercised by the complainant until
the AEPD itself brought it to the company's attention on October 11, 2022.
And that at that same moment, and after carefully reviewing the case, the
complainant's request was immediately answered by providing
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 20/66
access to all relevant information, including the transcript of the
mentioned conversation.
After the information was sent to the interested party, there has been no other complaint or
claim by the complainant, nor has there been any knowledge of any
judicial or extrajudicial procedure initiated by the latter, despite the latter expressly indicating
that this was the reason for requesting the information.
Thus, it is understood that it must be taken into account that, despite having internal protocols and
procedures duly implemented in the organization, in this specific case of the complainant, the agents in charge of providing
Customer Support services did not comply with the established process.
In this regard, this Agency has nothing to add to what has already been stated: that the complaining party was not
properly provided with access until this Agency intervened and that the request for access was not
duly redirected to the appropriate department. The fact that the complaining party submitted (or not) another complaint or claim or
had initiated judicial or extrajudicial proceedings is, for the purposes of the
present sanctioning procedure, irrelevant.
Recital (59) of the GDPR provides that: “Methods should be put in place to
facilitate the exercise of the rights of the data subject under this Regulation, including
mechanisms for requesting and, where appropriate, obtaining free of charge, in particular,
access to personal data and their rectification or erasure, as well as the exercise of the
right to object. The controller should also provide
means for requests to be submitted by electronic means, in particular
where personal data are processed by electronic means. The data controller must be obliged to respond to the data subject's requests without undue delay and no later than within one month, and to explain its reasons if it is not going to respond to them."
In this sense, it cannot be understood that only those requests for the exercise of rights that are made solely through the channels established by the data controllers in their privacy policies will be attended to. On the contrary, each data controller has the power to organize itself as it sees fit, provided that a satisfactory response is provided to the exercise of the rights requested by the interested parties, within the legally established period. But the organization that this data controller had foreseen cannot be an obstacle to the satisfaction of a right that the GDPR recognizes for the interested parties.
In the present case, GLOVO had decided to centralize all requests for the exercise of rights related to the address gdpr@glovoapp.com. However, the fact that a particular request is addressed through a different channel does not
imply that it should not be given a proper response, as the party responsible for the
processing in question.
In the present case, it cannot be denied that by communicating through the channel provided
for handling delivery incidents, the complainant could reasonably expect
that his request would be attended to. Furthermore, it seems reasonable in the eyes
of this Agency that the complainant communicated with GLOVO through this
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 21/66
channel, which is the one specifically provided for requests from delivery drivers. On the
contrary, this Agency considers that, in any case, it was GLOVO's obligation
to duly attend to the request of the complainant, whether the customer service
(to the delivery person) forwarded said request through the relevant channels to the
department dedicated to this type of requests, or as it
considered best.
In this regard, in section 53 of the aforementioned Guidelines 01/2022 on the
rights of interested parties - Right of access, the EDPB "...encourages
data controllers to provide the most appropriate and user-friendly
communication channels, in accordance with Article 12, paragraph 2, and
Article 25, to allow the interested party to make an effective request. However,
if the data subject makes a request through a communication channel
provided by the controller that is different from the one indicated as
preferable, the request will generally be considered effective and the controller
should process the request accordingly (see examples below).
Data controllers must make all reasonable efforts to ensure that the exercise of the data subject's rights is
facilitated (for example, in the event that the data subject sends the data subject's request to an
employee who is on leave, an automatic message informing the data subject
about an alternative communication channel for his or her request could be a
reasonable effort).”
Therefore, this Agency insists that the channel used in the present case by the
complainant, a channel that GLOVO itself provides to the delivery drivers as
an appropriate means of contacting it, is a perfectly valid means
to request the exercise of the rights recognized in the GDPR by the delivery drivers. And that it was GLOVO's obligation to properly address such a request,
forwarding the request to the Department that the company determined as the most
suitable to give a proper response, if applicable, or as the company considered best.
In fact, GLOVO itself recognizes in its allegations that it already anticipated that such
requests could be directed through this channel, which is why its own
protocol indicated that they should be redirected to the corresponding department in order to
be properly attended to. And GLOVO itself recognizes that the agents who interacted with the complaining party did not act as indicated by
GLOVO's own protocol.
Section 56 of the Guidelines cites as an example a case in which “a data controller X provides, on its website and in its privacy policy, two email addresses – the general email address of the data controller: contact@X.com and the email address of the data controller’s data protection contact point: requests@X.com. In addition, data controller X indicates on its website that in order to send any queries or requests regarding the processing of personal data, the data protection contact point must be contacted at the indicated email address. However, the data subject sends a request to the general email address of the data controller: contact@X.com. In this case, the data controller must make all reasonable efforts to ensure that its services are aware of the request, which was made via the general email address, so that it can be redirected to the data protection contact point and answered within the period established by the GDPR. Furthermore, the data controller cannot extend the period for responding to the request, only because the interested party has sent a request to the general email address of the data controller and not to the data protection contact point.”
In this regard, this Agency understands that precisely the first example in section 56 of the aforementioned Guidelines is the case that occurred in the present case. The interested party (the complaining party) has sent his request for access via a generic channel provided by the company to which it is addressed. Therefore, the data controller (GLOVO) should have made all “reasonable efforts to ensure that its services are aware of the request, which was made via the general email, so that it can be redirected to the data protection contact point and answered within the period established by the GDPR”, as indicated in the aforementioned Guidelines, so that such request could be redirected to the corresponding data protection contact point, in order to be able to respond to it within the period established by the GDPR. Therefore, this Agency considers that the complaining party could “reasonably expect” that its request would be attended to.
For all the reasons set out above, this claim is rejected.
3.2. Glovo's lack of negligence, non-compliance by agents and
disproportionate sanction
GLOVO claims that it is a company concerned about the privacy of the interested parties
who interact with it, and for this purpose has implemented legal texts and
privacy policies that provide detailed information on the data processing
carried out, as well as the channels for addressing issues related to
privacy and the exercise of rights.
It also indicates that it has internal procedures aimed at ensuring that
a specialized team, responsible for ensuring compliance with the regulations,
correctly manages all the doubts, complaints, claims and exercise of rights of the interested parties.
In this sense, it explains that this centralization has been prioritized with respect to
potential mismanagement by a non-specialized department such as
Customer Support, whose function is to resolve incidents
in the provision of the service.
The claimant alleges that in the specific case of the claimant's right of access, it cannot be said that there was intention or negligence in the actions of
GLOVO. The company has designed a specific and specialized mechanism for dealing with these cases, and provides training to all its employees on data protection in general and rights management in particular. Therefore, the claimant understands that it cannot be denied that GLOVO employees are aware of the existence of a specific procedure. And that the failure to comply with the company's internal procedures by specific employees, who make a misinterpretation of how to deal with the claim, cannot be attributed in this case,
under any circumstances, to negligence or intentionality on the part of GLOVO in this regard.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 23/66
GLOVO claims that, not counting the requests to exercise rights managed
directly by the Customer Support Department, the Data Protection Department has
managed 2,182 requests to exercise rights from interested parties in 2021, 6,396 in 2022 and 1,970 so far in 2023.
Therefore, it insists that the procedures implemented by GLOVO are
known, work and are effective. It explains that the present case depends
exclusively on the non-compliance with these procedures by specific employees,
a non-compliance that we understand cannot be attributed in any way to
GLOVO, which has made, in its opinion, all necessary and reasonable efforts
to ensure the correct attention to rights, even when the interested party does not use
the specific channels available to it for this purpose.
GLOVO also highlights that the management of the case with the complainant was not
in any case friendly, having disrespected the first interlocutor with whom it
dealt, which could affect the way in which the following agents in charge of
providing Customer Support services communicated and how they managed their
requests (which is in no case approved by GLOVO).
In view of the above, GLOVO considers it unfair and disproportionate that, being diligent, responsible and sensitive in terms of data protection, it is intended to be fined with such a high amount (€15,000) for merely failing to comply, in the eyes of
this Agency, incorrectly with a right of access, in which the ones who failed were agents of the Customer Support Department, and who are no longer even in the organization because the pertinent measures were taken after becoming aware of
these facts.
In this regard, this Agency wishes to point out that it is not enough for the data controller (in this case, GLOVO) to have action protocols to
eliminate intentionality or negligence in its actions. Rather, it is the obligation of the data controller to ensure that such protocols are known and followed by all its employees.
Furthermore, the negligent action of the employee does not exempt GLOVO from liability.
The liability of the company in the field of sanctions for the negligent action of an employee that implies non-compliance with the data protection regulations has been confirmed by the jurisprudence of the Supreme Court. In
this regard, it should be noted that the Supreme Court Judgment No. 188/2022
(Contentious Chamber, Section 3), of February 15, 2022 (rec. 7359/2020)
indicates in its Fourth Legal Basis: “The fact that the action was negligent
on the part of an employee does not exempt him from his responsibility as the person in charge
of the correct use of the security measures that should have guaranteed
the proper use of the data recording system designed. As we
already held in STS No. 196/2020, of February 15, 2021 (rec.
1***QUANTITY.2/2020) the data controller is also responsible for the
performance of its employees and cannot excuse itself for its diligent performance,
separately from the performance of its employees, but rather it is the "guilty" performance
of these employees, as a consequence of the violation of existing security measures, which
founds the company's liability in the area of sanctions for "own" acts of its employees or positions, not of third parties."
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 24/66
The judgment goes on to argue about the liability of legal persons in our legal system: “…It simply happens that, since our Administrative Law admits the direct liability of legal persons, who are therefore recognized as having the capacity to infringe, the subjective element of the infringement is expressed in these cases in a different way than in the case of natural persons, so that, as the constitutional doctrine that we have previously outlined points out -SsTC STC 246/1991, of December 19 (F.J. 2) and 129/2003, of June 30 (F.J. 8)- the direct blame derives from the legal asset protected by
the rule that is infringed and the need for said protection to be truly effective
and by the risk that, consequently, must be assumed by the legal entity that is subject to compliance with this rule." (emphasis added by this Agency).
Therefore, in the present case, the fact that the employees had (or had not) acted
outside of what was established by the GLOVO protocol does not exempt the latter from its
responsibility for its actions.
In any case, at no time has this Agency attributed responsibility to
GLOVO for the infringement of article 15 of the GDPR on the basis of intent, but rather its
action with respect to this claim has been considered to have been seriously
negligent.
This claim is therefore rejected.
FOURTH.- OTHER RELEVANT PROCEDURES
GLOVO considers it appropriate to mention various AEPD resolutions linked to
its activity in the care of rights:
1) EXP202305625: Filing of actions in relation to an exercise of data
deletion.
2) EXP202301329: Filing of proceedings in relation to a data deletion exercise.
3) E/00917/2021: Filing of proceedings in relation to a deletion/modification
of data.
GLOVO claims that, in all three cases, the effective exercise of the right was
untimely, due to different reasons that initially prevented its management.
Although these are cases whose origin and purpose are different, they are attributable to
errors that did not depend on the policies and procedures implemented by GLOVO, such as the present case, and yet in all cases the AEPD opted to
filing the proceedings and not to initiate a sanctioning procedure.
And GLOVO adds that the effective resolution of this case is the same as in the
previous ones, since, at the moment that GLOVO became aware of the case,
it immediately proceeded to address the right exercised by the claimant,
so it understands that the resolution of the case by the AEPD should have
been the same as in the previous situations.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 25/66
In this regard, this Agency wishes to emphasize that GLOVO itself recognizes that these are
cases with a different origin and purpose from the case that gives rise to the present
sanctioning procedure.
Furthermore, the cases cited by GLOVO had been admitted for processing after more than three months had passed since their receipt (with a difference of days), pursuant to article 65 of the current LOPDGDD, but they were filed because in response to the aforementioned transfer, by virtue of the discretionary powers held by this Agency, it was considered appropriate not to initiate any sanctioning procedure. However, this does not prevent this Agency from initiating the appropriate preliminary investigation actions or a sanctioning procedure, in order to determine the possible existence of an infringement of the GDPR within the scope of its powers.
In any case, regardless of any possible decisions that may have been previously adopted in response to a complaint filed with this Agency, in the present case we are dealing with a complaint filed by a citizen of a Member State of the European Union, for the performance of cross-border processing carried out by a controller located in another Member State, which affects citizens of more than one Member State of the European Union. Therefore, Article 60 of the GDPR requires the aforementioned Member States to reach a consensus regarding the possible decision to be adopted in respect of such a complaint. In the present case, the procedure established in the GDPR has been followed and an agreement has been reached with all the authorities involved to initiate sanctioning proceedings against GLOVO, with the scope set out in this document.
Therefore, this claim is rejected.
FIFTH.- ON THE EVOLUTION OF GLOVO
GLOVO claims that the facts on which the AEPD is based to impose the proposed sanction
are dated August and September 2021.
And that since the first interactions with this Agency began, GLOVO has
evolved a lot, increasing the members of its Data Protection Department,
improving and adapting the protocols, measures (both legal,
technical and organizational), guidelines and procedures that were already implemented in its
organization, as well as creating new ones.
All this with the aim of continuing to ensure the protection of the personal data
of delivery drivers, as well as other categories of interested parties whose data it processes.
It adds as proof of this that GLOVO's Data Protection Officer has
been pre-selected in the “Best Privacy Culture Improvement Award” category of
the prestigious PICCASO Privacy Awards Europe. And that GLOVO has recently
become a collaborating company of the prestigious Spanish Professional Association of
Privacy, which shows a firm and clear commitment of GLOVO to the privacy
of its users and, ultimately, of its delivery people.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 26/66
In this regard, this Agency wishes to point out that the subject of this procedure is not
the possible awards and recognitions that GLOVO or its
Data Protection Officer may or may not have, but rather it is a matter of determining in the specific case
whether GLOVO's actions may have infringed the provisions of article 15 of the GDPR.
Therefore, this claim is rejected.
In relation to the claims raised in relation to the proposed resolution of this sanctioning procedure, the following are answered in the order stated by GLOVO:
FIRST.- REGARDING THE EVENTS THAT OCCURRED IN THE MANAGEMENT OF THE
APPLICATION
GLOVO claims that it has numerous technical and organizational measures
in place to ensure compliance with the applicable regulations regarding data
protection and, especially, attention to the rights of the interested parties.
It is surprised that the AEPD limits itself, in its opinion, to concluding that the request was not
duly attended to “regardless of the measures adopted” by GLOVO,
rendering all these measures ineffective as if they did not exist.
GLOVO indicates that these measures not only exist, but are effective in
the vast majority of cases, recalling that it has managed 2,182 requests for the
exercise of rights of interested parties in 2021, 6,396 in 2022, 3,059 in 2023, and 329
so far in 2024. To this end, it highlights that it has managed more
than 17 requests per day, on average, only in the rights attention channel
through the GDPR mailbox.
GLOVO explains that at no time has it intended to reject that the present case
was not attended to in time by the Data Protection Department, but it does
consider that the sanctioning action of the AEPD is excessive, given what
is argued in the request for information.
In this regard, this Agency wishes to point out that it has in no way denied or
"nullified" the measures that GLOVO may have adopted in terms of
data protection, in relation to the issue that is the subject of the complaint. In fact,
if these measures were not in place, there would not only be a violation of article 15 of the
RGPD, but also very possibly the existence of other violations.
Nor is it the purpose of this procedure to carry out an audit of the
rights procedures that GLOVO has attended to.
It is simply a matter of verifying that in the present case, the exercise of the complainant's right of access to his or her personal data has not been
duly attended to, as requested, which has not been rejected by
GLOVO itself.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 27/66
Finally, this Agency wishes to emphasize that in the present case it is not a question of
the fact that such request was not attended to “in time”, but rather that such request would
not have been attended to had this Agency not intervened, since the complainant was only
provided with access to his/her data after having been requested
information about the claim.
GLOVO alleges that this claim is caused by a right of access exercised in
the customer support chat provided to users of the platform intended to
resolve incidents relating to its use, not in the channel intended to address
data protection rights.
It points out that the GLOVO Customer Service Department has managed almost 3 million cases between
2023 and 2024, which is more than 8,000 requests a day, and among them are requests to exercise rights under the
RGPD that had to be communicated to the data protection team.
And that this obligation to refer any request to exercise data protection rights to the Data Protection Department is communicated to all
GLOVO employees and, especially, to the Live Ops Department responsible for the user service and support channels, among others, as has been
accredited. However, given the multitude of cases that are managed, in this particular one, certain circumstances occurred that prevented correct management,
such as, for example:
- A previous conversation with an agent in which the interested party showed conduct, at the
very least, reprehensible in which no right was exercised in this conversation. - A rights request that required the provision of the conversation held with the agent, a conversation that the Customer Service Department is not authorized to provide, the Data Protection Department being authorized to do so.
- Other information related to GLOVO's operations and especially a discussion on the execution of the services provided by the complaining party,
which led to the attention of the requests made and which was correctly attended to by the responsible agents.
Therefore, GLOVO indicates that it was not only a request for access, but
the coexistence of several requests at the same time, which caused the
customer support service (i) to inform that it could not give access to the information (therefore, it did respond to the interested party's request) and, (ii) to focus on the attention of the
rest of requests, which it could attend to, since the objective of this department
is to manage the incidents and complaints of the users of the platform, which
also includes incidents and complaints that the delivery people may have in
relation to the execution of their services, and to help them in any way possible.
In this regard, this Agency wishes to insist that the fact that the
request was made through the GLOVO Customer Service Department is not an obstacle to
the obligation to give a proper response to such a request remaining.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 28/66
This Agency also wishes to point out that the subject of this procedure is not the possible prior conversation that the complainant had with a GLOVO agent, nor the conduct (reprehensible or not) of the complainant, since in this conversation no request for access to personal data was made.
Nor is the subject of this procedure the possible request by the complainant for “other information regarding GLOVO’s operations and especially a discussion about the execution of the services provided”. Simply,
in this procedure, it is a matter of establishing that in this case the exercise of the complainant’s right of access to his or her personal data has not been duly attended to, as requested, which has not been rejected by
GLOVO itself.
The fact that the Customer Service Department was not authorized to
provide the conversation between the complaining party and the GLOVO agent, but rather the
Data Protection Department, is due solely and exclusively to GLOVO's
ability to organize itself as it wishes and cannot be an obstacle
to the proper attention to requests for access to the personal data of the
interested parties.
As GLOVO has managed numerous requests, many of which
are requests to exercise rights under the GDPR, this Agency wishes to
point out that the object of the present sanctioning procedure is the specific case
outlined in the complaint that gave rise to it and that this
has been taken into account when graduating the sanction.
As regards the coexistence of several requests at the same time, this Agency wishes to clarify that (i) this Agency does not consider that a response was not given to
the complainant, but rather that the exercise of the right was not properly attended to (i.e., information on his personal data was not provided),
when this was GLOVO's responsibility. As regards GLOVO (ii) focusing on the
other requests, this Agency reiterates that this is not the subject of this
procedure. Regarding the fact that GLOVO's customer support service informed the complainant that it
could not provide the requested conversation but that it correctly attended to the rest of the requests made, this Agency wishes to remind that, as stated in the proven facts of this resolution, on August 26, 2021 at 8:09 p.m. the complainant received an email from the
address support@glovo.mail.kustomerapp.com in Polish, with the following
content (unofficial translation): “Hello, A.A.A.! Thank you for contacting us. Your
case has been transferred to another department. Once we have a response, we will
pass it on to you. We hope that this information is useful, because we are always
trying to take care of providing the highest quality in our service. You can count on us. Thank you for your trust. Glovo Customer Service.”
And that on September 3, 2021 at 12:36 p.m. the complainant received an
email from support@glovo.mail.kustomerapp.com in Polish, with
the following content (unofficial translation): “Good morning, Unfortunately, we
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 29/66
cannot share such information with you. Can you specify what
exactly you are requesting? We remind you that opening several chats
may slow down your service time. We ask that you use a single chat for this
request. Best regards, Glovo Team Glovo Customer Service”.
That is, the GLOVO Customer Service Department would have
transferred the complainant's request to another department, although this
Agency does not know to whom it was transferred. However, when responding to the complaining party, the reasons for such denial are not indicated, but rather it is simply limited to
indicating that "we cannot share this information with you", without further
information on the matter.
In any case, even in the event that several requests of a different nature had been made at the same time, this Agency considers that this is not an obstacle
to the obligation to give a proper response to the request for access by the complaining party.
Finally, GLOVO points out that, as will be explained later when discussing the
aggravating circumstances referred to by the AEPD, the interested party did not insist at least three
times that he wanted the requested information to be provided, meaning that
he had to make three different requests, but rather it was always done within the same
ticket, and always receiving the same response: the Customer Service Department
cannot provide that information.
In any case, GLOVO understands that there are two requests, a first one on August 26 at
7:56, indicating that it was requesting the conversation on August 17, along with other
information related to the execution of its services, and a second request, on September 3 at 12:36, copying exactly the same previous request, but
correcting the date of the requested conversation (initially it indicated that it was August 17, and later it rectified to indicate that it was August 19). It is
therefore, in its opinion, always the same request, within the one-month period
to respond, and that it was only repeated to correct the date of the
requested conversation. It emphasizes that the rest of the issues related to the execution of the services by the complaining party were resolved.
For all the above, GLOVO considers that this is a case that should be treated
as a human error in management by a department that is not the one that
should respond, GLOVO having taken all appropriate measures in its
power to ensure that, in accordance with article 12.1 and 12.2 of the GDPR, the interested party is provided with any communication in accordance with articles 15 to 22, and
to facilitate the exercise of their rights. It alleges that GLOVO cannot be required to do more than
provide, to all departments that do not have functions linked to the
management of data protection requests, clear instructions on how to
proceed, and much less, liability for non-compliance by these persons in relation to said instructions.
In this regard, this Agency wishes to point out that the fact that the communications of the complainant with the company were made through the same ticket is not indicative of anything, it is simply a way of organizing the company, like any other.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 30/66
In the present case, it is known that on August 19, 2021 at 12:31 p.m., the complainant sent a communication to the Customer Service Department with the following content (original Polish, unofficial translation): “Good morning, please
send me the conversation with (...), B.B.B., to my email address, as
it will be the basis of my legal case, if that does not happen, I will send you a court order.”
That is, he made a first request for access to his personal data (in this case,
the recordings of his conversation with a ***POST.1). GLOVO appears
to be unaware of this first request from the complainant in its allegations, but the
failure to cite Article 15 of the GDPR does not prevent its content from being a
request for access to the complainant's personal data.
Faced with the company's refusal to provide him with such information, and after a series of
conversations on other issues, on August 26, 2021 at 07:56, the
complainant again requested the GLOVO Customer Service Department to provide him with certain information from August 17, 2021
about him, this time based on Article 15 of the GDPR.
On August 26, 2021, the complainant was informed that his case was
transferred to another department and on September 3, 2021 at 12:36 p.m. he was
informed that the requested information could not be provided.
On September 3, 2021, the complainant indicated that he had made a mistake
requesting information about himself from August 17, 2021, that what he
wanted was information from August 19, 2021.
And, again, the company informed him on September 6, 2021 that it could
not provide him with such information.
That is, in three different communications (from August 19, August 26, and September 3) the complainant had requested access to his personal data. Although it is true that all these communications were made within the month within which GLOVO had to respond, it is no less true that such communications existed, that the complainant requested access to his personal data on three occasions and that GLOVO responded three times that it could not provide such access, without giving further information on the matter. GLOVO itself has acknowledged this in its allegations by stating “having always received the same response: the Customer Service Department cannot provide this information.”
As for the allegation that the rest of the issues related to the execution of the services by the complainant were resolved, this Agency has already insisted that this is not the subject of the present sanctioning procedure.
Finally, this Agency wishes to point out that it strongly disagrees with GLOVO's
statement that the Customer Service Department "is not the one that
should respond" to a request for access to the personal data of a data subject and
that it is a department that does not have "functions related to the management of
data protection requests". On the contrary, this Agency considers that the Customer Service Department channel is a perfectly valid means for
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 31/66
exercising rights, so the complainant's request should have been attended to.
It is not just a matter of giving him a (negative) response, but rather that he
should have been given proper access to his personal data by directing his
request through such a channel. This Agency does not have the power to establish how
each company should be organized and which department should respond to the
request for the exercise of rights, but it cannot be understood that a request
directed to a generic address such as that of the Customer Service Department is not
duly attended to (that is, that the exercise of the requested right is provided, not just a response that the
requested right cannot be provided).
As stated in the response to the allegations to the agreement to initiate
the present sanctioning procedure, it cannot be understood that only those requests for the exercise of rights that are made
only through the channels established by the data controllers in their privacy
policies will be attended to. Rather, each data controller has the power to
organize itself as it sees fit, provided that a satisfactory response is provided
to the exercise of the rights requested by the interested parties, within the legally
provided period. However, the organisation that this data controller had provided cannot
be an obstacle to the satisfaction of a right that is recognised to interested parties
by the GDPR.
In the present case, GLOVO had decided to centralise all requests for
exercising rights relating to the data subject at the address gdpr@glovoapp.com. However, the fact that a given request is addressed through a different channel
does not mean that it should not be given a proper response, as the data controller in question.
In the present case, it cannot be denied that by communicating through the channel provided
for handling incidents involving delivery drivers, the complainant could reasonably
expect that his request would be attended to. Moreover, it seems reasonable in the eyes
of this Agency that the complainant communicated with GLOVO through this
channel, which is the one specifically provided for requests from delivery drivers. On the
contrary, this Agency considers that, in any case, it was GLOVO's obligation
to properly attend to the request of the complainant, whether the customer service (to the delivery person)
forwarded said request through the channels
pertinent to the department dedicated to this type of requests, or as it
considered best.
Therefore, this Agency insists that the channel used in the present case by the
complainant, a channel that GLOVO itself provides to the delivery people as
an appropriate means to contact it, is a perfectly valid means
to request the exercise of the rights recognized in the GDPR by the
deliverers, forwarding the request to the Department that the company determined as
the most appropriate to give a proper response, if applicable, or as the company
considered best.
Finally, as regards the fact that GLOVO cannot be held liable for the
alleged failure by “these persons” in relation to “said
instructions”, this Agency wishes to insist on what was said in the response to the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 32/66
allegations to the start-up agreement, in the sense that the fact that the employees
had (or had not) acted outside of what was established by the GLOVO protocol does not exempt
the latter from its liability for its actions.
For all the reasons stated above, this claim is rejected.
SECOND.- REGARDING THE NON-ATTENTION OF THE RIGHT OF ACCESS
GLOVO alleges that the AEPD is initiating a sanctioning procedure against it for not attending to a
right of access.
And that technically, its request was answered, by indicating that
“Unfortunately, we cannot share this information with you.” It indicates that,
indeed, the delivery support team cannot directly provide this
information to delivery people because GLOVO's own regulations establish this
in order to ensure that any request for rights is correctly attended to in
compliance with the GDPR.
Therefore, the Agency requests that the AEPD re-evaluate the case taking this information into account, since it is not the same thing for an interested party to contact the Data Protection Department and not receive any response at all, as for a delivery person to make a request to a department that is not responsible for dealing with this type of request, and for said department to give him a response with which he was not satisfied.
In this regard, this Agency insists that this Agency does not consider that a response was not given to the complainant, but rather that the exercise of the right was not properly attended to (i.e., the information about his personal data was not provided), when this was GLOVO's responsibility. In the present case, it is not that the complainant was not satisfied with the response provided, but that it was GLOVO's obligation to provide him with the requested information.
This Agency would also like to stress that the fact that the Customer Service Department was not authorised to provide the complainant's conversation with the GLOVO agent, but rather the Data Protection Department, is solely and exclusively due to GLOVO's ability to organise itself as it wishes and cannot constitute an obstacle to the proper handling of requests for access to the personal data of interested parties.
Finally, this Agency stresses that it strongly disagrees with GLOVO's assertion that the Customer Service Department should not respond to a request for access to the personal data of an interested party. On the contrary, this Agency considers that the Customer Service Department channel is a perfectly valid means of exercising rights, and therefore the complainant's request should have been handled. It is not just that a (negative) response was given to him, but that he should have been given proper access to his personal data by directing his request through such a channel. This Agency
does not have the power to establish how each company should be organized and which
department should respond to the request for the exercise of rights,
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 33/66
but it cannot be understood that a request addressed to a generic address
such as that of the Customer Service Department is not properly
attended to (that is, that the exercise of the requested right is provided, not just a response that the requested right cannot be provided).
As has already been stated, it cannot be understood that only those requests for the exercise of rights that are made solely through
the channels established by the data controllers in their privacy policies will be attended to. Rather, each data controller has the right to organize itself
as it sees fit, provided that a satisfactory response is provided to the exercise of the rights requested by the interested parties, within the legally established period. However, the
organization that this data controller had provided cannot be an obstacle
to the satisfaction of a right recognized to the interested parties by the GDPR.
In the present case, GLOVO had decided to centralize all requests for the
exercises of rights related to the address gdpr@glovoapp.com. However, the
fact that a given request is directed through a different channel does not
imply that it should not be given a proper response, as the controller of the
processing in question.
In the present case, it cannot be denied that by communicating through the channel provided
for the attention of incidents of the delivery drivers, the complaining party could
reasonably expect that its request would be attended to. Furthermore, it seems reasonable in the eyes of
this Agency that the complainant communicated with GLOVO through this
channel, which is the one specifically provided for requests from delivery drivers.
On the contrary, this Agency considers that, in any case, it was GLOVO's obligation
to duly attend to the complainant's request, whether the customer service
(to the delivery driver) forwarded said request through the channels
pertinent to the department dedicated to this type of requests, or as it
considered best.
Therefore, this Agency insists that the channel used in the present case by the
complainant, a channel that GLOVO itself provides to delivery drivers as
an appropriate means of contacting it, is a perfectly valid means
to request the exercise of the rights recognized in the GDPR by delivery drivers. And it was GLOVO's obligation to arbitrate the internal mechanisms
necessary so that this request for rights was, if applicable, forwarded to the
channels that the company determined to be the most suitable to provide a proper response.
GLOVO claims that the delivery person never contacted the Data Protection Department, despite:
- (i) having signed a contract with GLOVO in which the address where the data protection rights can be exercised appears,
- (ii) having accepted a privacy policy for the use of the app where the address for the exercise of data protection rights appears,
- (iii) there being a specific portal for delivery people where they can find relevant information, including the privacy policy, which identifies the address for the exercise of data protection rights, and
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 34/66
- (iv) using an application to carry out their delivery services, with a specific section in which they can access the privacy policy, where the address for the exercise of data protection rights is identified.
Therefore, GLOVO understands that it not only provided its delivery support service agents with the means, but also ensured that the delivery drivers had the appropriate information at all times to know where to go.
GLOVO explains that it is aware that the regulator and the data protection authorities are advocating that interested parties may request their rights through any channel, as mentioned by the AEPD in the Proposed Resolution, but it is also true that it is not an absolute right, not all channels are per se valid, nor can an interested party be exempt from liability if, while being able to expressly mention article 15 of the GDPR (and not make a generic request such as "I want you to send me my data"), they do not even bother to look for the address for exercising their rights.
GLOVO indicates that it is not that it does not look for it at first, but that it does not even try to do so when the Customer Service Department informs the delivery person, in a timely manner, that they cannot provide this information. It should be remembered
that the Guidelines 01/2022 on the rights of interested parties
mentioned by the AEPD indicate that “Data controllers must make
all reasonable efforts to ensure that the exercise of the rights of the interested party is facilitated [...]”.
GLOVO understands that it made reasonable efforts to ensure that the agents
of the delivery support team could identify requests to exercise rights and either communicate them directly to the data protection department,
or respond to the interested party with the address where to go, efforts that due to a human error
were not reflected in reality.
In short, just as it is accepted that an interested party may not choose to
direct their request to the corresponding department, having more than accessible ways of obtaining the
contact information, GLOVO understands that a human error must be understood as possible in the way of managing the response to a
request to exercise rights by an agent who was dedicated to trying to
resolve a series of incidents of said delivery person.
And that, in addition, the interested party did not insist (as the AEPD has interpreted in its
Proposed Resolution) on said right of access once he was informed that he
could not be provided with said information, which only prevented the
correction of the error committed by the agent of the department of support for the
deliverers, who could understand that the delivery person considered his
incident resolved, in general.
In this regard, this Agency wishes to point out that the subject of this procedure is not
what the agent of the department of support for delivery drivers could have
understood about the incident raised by the complainant. It is simply a matter of
stating that in the present case the exercise of the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 35/66
right of access by the complainant to his personal data, as he had
requested, which has not been rejected by GLOVO itself, has not been duly attended to.
This Agency insists that the channel used in the present case by the complainant, a channel that GLOVO itself provides to the delivery drivers as an appropriate means of contacting it, is a perfectly valid means of requesting the exercise of the rights recognized in the GDPR by the delivery drivers. And that it was GLOVO's obligation to duly respond to such a request, forwarding the request to the Department that the company determined to be the most appropriate to give a proper response, if applicable, or as the company considered best.
Nor is it a question of the right of access being an “absolute right” or of “all channels being per se valid”, but in the present case it cannot be understood that a
delivery person would contact the Customer Service Department, a channel intended to receive
delivery persons’ requests, in order to request a right of access to their personal
data, as it is not an ideal channel for this, as has already been
explained in detail.
At no time do the aforementioned Guidelines 01/2022 oblige interested parties to
direct their requests to exercise rights solely and exclusively through the
preferred channel for this, or even to look for it either at first or at a
later time or when the company indicates that it cannot provide such
information. Even though GLOVO tries to disassociate itself from the response provided by its
Customer Service Department to the complainant, as if it were not a response provided by the company itself, this is still the case: it was GLOVO,
through its Customer Service Department, that denied the information
requested by the complainant. Furthermore, the complainant's request had supposedly been
transferred to another department, as indicated in its
response to the complainant on August 26, 2021. In any case, if the
reason for such denial was that this Department was not authorized to
provide it, but there was another authorized to do so, that information was not provided to the complainant either.
What the aforementioned Guidelines 01/2022 do require, as GLOVO acknowledges, is that
“Data controllers must make all reasonable efforts
to ensure that the exercise of the rights of the interested party is facilitated [...]”.
This Agency insists that recital (59) of the GDPR provides that: “Formulas must be established to facilitate the exercise of the rights of the interested party under
this Regulation, including mechanisms to request and, where appropriate, obtain
free of charge, in particular, access to personal data and its rectification or
deletion, as well as the exercise of the right to object. The controller
must also provide means for requests to be submitted
by electronic means, in particular when personal data are processed by
electronic means. The controller must be obliged to respond to
the requests of the interested party without undue delay and no later than within one
month, and to explain its reasons if it is not going to respond to them”.
In this sense, it cannot be understood that only those requests for the exercise of rights that are made solely through the channels established by the data controllers in their privacy policies will be attended to. On the
contrary, each data controller has the power to organize itself as it sees fit, provided that a satisfactory response is provided to the exercise of the rights requested by the interested parties, within the legally established period. However, the organization that this data controller had foreseen cannot be an obstacle to the satisfaction of a right that the GDPR recognizes for the interested parties.
In the present case, GLOVO had decided to centralize all requests for the exercise of rights related to the address gdpr@glovoapp.com. However, the fact that a particular request is addressed through a different channel does not
imply that it should not be given a proper response, as the party responsible for the
processing in question.
In the present case, it cannot be denied that by communicating through the channel
provided for handling delivery incidents, the complainant could
reasonably expect that his request would be attended to. Moreover, it seems reasonable in
the eyes of this Agency that the complainant communicated with GLOVO through
this channel, which is the one specifically provided for requests from
delivery drivers. On the contrary, this Agency considers that, in any case, it was GLOVO's obligation to
properly attend to the complainant's request, whether the customer
service (for the delivery driver) forwarded said request through the channels
pertinent to the department dedicated to this type of request, or as it
considered best.
In this regard, in section 53 of the aforementioned Guidelines 01/2022 on
data subject rights – Right of access, the EDPB “…encourages
data controllers to provide the most appropriate and user-friendly
communication channels, in accordance with Article 12(2) and
Article 25, to enable the data subject to make an effective request. However,
if the data subject makes a request through a communication channel
provided by the controller that is different from the one indicated as
preferable, the request will generally be considered effective and the
data controller should process the request accordingly (see examples
below). Data controllers must make all reasonable efforts to ensure that the exercise of the rights of the interested party is facilitated (for example, in the event that the interested party sends the data request to an employee who is on leave, an automatic message informing the interested party about an alternative communication channel for his request could be a reasonable effort).”
Therefore, this Agency insists that the channel used in the present case by the
complainant, a channel that GLOVO itself provides to the delivery drivers as an
appropriate means of contacting it, is a perfectly valid means
to request the exercise of the rights recognized in the GDPR by the delivery drivers. And that it was GLOVO's obligation to duly respond to such a request,
forwarding the request to the Department that the company determined as the most
appropriate to give a proper response, if applicable, or as the company considered best.
Section 56 of the Guidelines cites as an example a case in which “a data controller X provides, on its website and in its privacy policy, two email addresses – the data controller’s general email address: contacto@X.com and the email address of the data controller’s data protection contact point: solicitud@X.com. In addition, data controller X indicates on its website that in order to send any query or request regarding the processing of personal data, the data protection contact point must be contacted at the indicated email address. However, the data subject sends a request to the data controller’s general email address: contacto@X.com. In this case, the data controller must make all reasonable efforts to ensure that its services
are aware of the request, which was made via the general email,
so that it can be redirected to the data protection contact point and
responded to within the period established by the GDPR. Furthermore, the data controller cannot extend the period for responding to the request,
only because the interested party has sent a request to the general email of the
data controller and not to the data protection contact point.”
In this regard, this Agency understands that precisely the first example of section
56 of the aforementioned Guidelines is the case that occurred in the present case. The
interested party (the complaining party) has sent his request for access through a generic
channel provided by the company to which it is addressed. Therefore, the data controller (GLOVO) should have made all “reasonable efforts to ensure that its services are aware of the request, which was made via the general email, so that it can be redirected to the data protection contact point and answered within the period established by the GDPR”, as indicated in the aforementioned Guidelines, so that such request could be redirected to the corresponding data protection contact point, in order to be able to respond to it within the period established by the GDPR. Therefore, this Agency considers that the complaining party could “reasonably expect” that its request would be attended to.
For all the reasons set out above, this claim is rejected.
THIRD.- REGARDING THE OPENING OF A SANCTIONING PROCEDURE INSTEAD OF A PROTECTION OF RIGHTS
GLOVO is surprised that the AEPD has chosen to directly initiate a sanctioning procedure in this case, taking into account that in the response to the request for information it was clearly proven that it had responded to the complaining party immediately once it became aware of the existence of its request, which happened once the AEPD sent it the request for information.
In this regard, this Agency wishes to point out that the complainant requested access to his/her personal data on three occasions from the GLOVO Customer Service Department
(on August 19, August 26 and September 3, 2021), a request that was
denied all three times by GLOVO, and that was only duly attended to
after the request for information was sent with the complaint to
this AEPD. It is not true that GLOVO was not aware of the existence of his/her
request, but rather, as the company itself has stated on multiple occasions
in its allegations, such requests from the complainant were rejected by the
company.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 38/66
GLOVO points out that it has not received any reaction from the complainant
to the information it provided in response to the right of access, and therefore
the complainant's right of access must be understood to have been fully respected.
In this regard, this Agency wishes to highlight that the fact that the complainant
has not reacted in any way since the information was provided
on his personal data is absolutely no evidence of anything as to whether or not the
right of access has been “fully respected”. In any case, this
Agency has considered that GLOVO has responded to the complainant's right of access
by email of November 14, 2022.
GLOVO claims that if it did not respond earlier it was (i) because the interested party did not
contact the appropriate department, (ii) because the Customer Service Department having responded, the delivery man did not insist on his claim or
look for another alternative way to request the information - which could not be any other way than
consulting the privacy policy or any of the other sources of information
indicated in the SECOND allegation above -, where the specific and clear address to go to appears-, and (iii) because when filing his complaint with the Polish Data
Protection Authority on September 30, 2021, the slowness of the "Internal Market
Information System" (hereinafter, IMI System), did not allow
GLOVO was not aware of the claim until October 11 of the following year,
that is, 2022, even though it had admitted the claim for processing on June 24 of that same year.
In this regard, (i) this Agency wishes to insist that it is not the obligation of the interested party
to direct their requests to exercise rights through the channel preferred by the
company responsible for processing. Furthermore, this Agency considers that the channel
used in the present case by the complainant, a channel that GLOVO itself
provides to the delivery people as an appropriate means of contacting it,
is a perfectly valid means of requesting the exercise of the rights
recognized in the GDPR by the delivery people. And that it was GLOVO's obligation to
duly attend to such a request, forwarding the request to the Department that
the company determined as the most appropriate to give a proper response, if applicable, or
as the company considered best.
(ii) Nor is it the obligation of the interested party to insist on his request or to seek an
alternative way of requesting the information. It cannot be understood that the interested party is not provided with access to his personal data for not requesting it through the
preferred channel of the company, but much less can it be understood that such information is not provided to him for not insisting on his request. In addition, as already
mentioned, in the present case the complainant did insist on his request for access in
three different communications with the company.
(iii) As regards the fact that GLOVO was not able to respond to the request earlier due to the slowness of the
Internal Market Information System, this Agency insists that the complainant insisted on three occasions on his request for access to his
personal data, so that GLOVO had several opportunities to do so, long before the complainant submitted his claim or such claim was
received by this Agency.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 39/66
GLOVO also indicates that there were means to ensure that a specific department, whose functions do not include responding to the rights of interested parties, forwards the information to the Data Protection Department, which is the sole and exclusive party responsible for responding to these requests, but that a human error prevented this communication from being effective.
In this regard, this Agency reiterates that it considers that the channel used in the present case by the complainant, a channel that GLOVO itself provides to the delivery drivers as an ideal means of contacting it, is a perfectly valid means of requesting the exercise of the rights recognized in the GDPR by the delivery drivers. And that it was GLOVO's obligation to properly respond to such a request, forwarding the request to the Department that the company
determined as the most suitable to give a proper response, if applicable, or as the company
considered best.
As for the Data Protection Department being the "sole and exclusive" party responsible for responding to these requests, this is due to the organizational power that GLOVO has and in no way can be an obstacle to properly responding to the rights of interested parties in terms of data protection. The
interested party (in this case, the complaining party) contacted the company
responsible for processing (GLOVO) and requested access to his or her personal data. And it was
the data controller (GLOVO) who denied such access on three occasions,
regardless of which Department did so.
GLOVO continues to claim that it is surprised that, having responded to the
interested party first by chat (although the response was not to the interest of the interested party or
did not satisfy his claims, which was not communicated to the agent in question), and
later officially by the Data Protection Department,
the Agency decides to proceed with the initiation of a sanctioning procedure without
even proposing the opening of a procedure for protection of rights.
GLOVO is also surprised that, there being precedents among the resolutions of
the AEPD in which, by responding late, a protection procedure has been closed
without any sanction (when, by responding out of time,
the GDPR has technically already been breached and therefore there is sanctioning capacity
on the part of the AEPD), it has not accepted this solution in the present case, it being
more than sufficiently proven that the AEPD has implemented, in its opinion, the
necessary means to comply with the regulations.
In this regard, GLOVO brings up the existence of procedures such as
PS/00197/2019, where an interested party requested a right of cancellation directly
from the controller, without receiving a response, and the AEPD:
1) Opened the protection procedure TD/01105/2018;
2) The respondent responded indicating that it answered the interested party by telephone;
3) The AEPD upheld the claim of the complaining party, urging the
respondent to respond within 10 days;
4) The AEPD had to make a second request, almost two months
later, since the respondent did not prove to the AEPD that it had given
a response to the interested party;
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 40/66
5) Almost a year later, the AEPD agreed to initiate a sanctioning procedure
because it had not been proven that the respondent had responded to the interested party;
6) In response to said sanctioning procedure, the respondent alleges that
it did respond to the interested party after the protection procedure;
7) In conclusion, the AEPD not only does not sanction or warn the respondent,
but it agrees to terminate the procedure “due to the nonexistence of
facts that could constitute the infringement described in 83.5 e)
of the GDPR”.
Another, more recent case, which surprises GLOVO even more, is
PD/00018/2024, in which:
1) An interested party requests a right of access.
2) The controller does not provide any response.
3) The interested party lodges a complaint with the AEPD who, via article 65.4 of Organic Law 3/2018, of December 5, on Data Protection and Guarantee of Digital Rights (hereinafter, "LOPDGDD", gave the respondent 10 days to submit allegations.
4) The respondent party did not respond to the complainant or even to the AEPD itself, but instead the AEPD continues to insist on giving the respondent even more time to respond to the interested party's right of access.
In short, GLOVO does not know why, in the case of an alleged
breach of article 15 to 22 of the GDPR, linked to the rights of the
interested parties, the AEPD has not opened, as in previous cases, a
rights protection procedure, or a rights procedure, granting GLOVO a certain period of time to comply with the obligation to comply with the right.
GLOVO expresses its disagreement with the Agency's approach to this
for having directly indicated a sanctioning procedure instead of a
rights protection procedure.
In this regard, this Agency wishes to emphasize that it does not consider that a response was not
given to the complainant, but that the exercise of the right was not properly
taken into account (i.e., the information on his personal data was not provided),
when this was GLOVO's responsibility. And that there was also
no obligation on the part of the interested party (the complainant) to
inform the agent in question that his claim had not been satisfied (which, on the other hand,
was obvious, since he had requested access to his personal data and the
request had been denied). Furthermore, the issue in this case is not
whether GLOVO's response to the request was satisfactory or not for
the interested party (the complainant), but rather, in this sanctioning procedure, it is simply a matter of establishing that GLOVO did not comply with the
obligation established in article 15 of the GDPR to properly attend to the exercise of
the complainant's right of access to his personal data, as he had requested, which has not been rejected by GLOVO itself.
As regards the reference to PS/00197/2019, this is a completely
different case to the present case.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 41/66
To begin with, this is a sanctioning procedure for not having complied with the
orders in the favorable resolution dated July 12, 2018 of the procedure
for the protection of rights TD/01105/2018 against the respondent, which originated in a
complaint submitted to this Agency on May 3, 2018 for a request for
cancellation of personal data (deletion of the complainant's image from a
YouTube video) dated March 5, 2018, which received no response. In other words, this is
not a sanctioning procedure for not having properly attended to a
request for the exercise of rights, but rather a sanctioning procedure was opened for
not having proven that the orders in a previous procedure had been complied with. Furthermore, as is evident, at the time of the events the GDPR was not even applicable, but the infringed regulation was the repealed LOPD.
For its part, the rights procedure PD/00018/2024 has its origin in a
claim for a right of access to the clinical history of the complainant, which
received no response, and in which, in addition to the GDPR, Law
41/2002, of November 14, basic regulation of the Autonomy of the Patient and of
Rights and Obligations in Matters of Information and Clinical Documentation, is applicable.
This Agency does not know what is causing GLOVO such surprise in this
procedure, which is nothing more than a typical situation of a right of access not attended to in the due time, after which the interested party files a
complaint with the AEPD, the latter forwards the complaint to the respondent, the respondent does not respond to this transfer (which is not obligatory, it should be remembered),
the complaint is admitted for processing and in the same act the respondent is given 10
days to present allegations (following the provisions of the LOPDGDD), to
finally issue a favorable resolution that orders the respondent to properly attend to the request of the complaining party. In this case, it is not a question of this
Agency giving the respondent more and more time to attend to the request of the person who complains without reason, but rather that this Agency must
follow a series of steps that the LOPDGDD establishes as a guarantee against whom the complaint is made, in order to issue a resolution that accepts the complaint filed.
As for the possibility of this Agency having initiated a sanctioning procedure
instead of a rights procedure, in no case does the regulation
oblige, in the event of an exercise of rights not properly attended to, to initiate a
so-called “rights procedure” instead of a sanctioning procedure. Or
to follow a certain order, first initiating a rights procedure and
then, upon its completion, initiating a sanctioning procedure. On the contrary, these are
two paths independent of each other, which can take place
simultaneously or alternatively. In the present case, GLOVO's failure to comply with Article 15 of the
GDPR has been established, and a sanctioning procedure has therefore been initiated.
In this regard, it is worth mentioning the National Court's ruling 3432/2009 of 18 June 2009, which is fully applicable to the present case, which states:
“(…) E-Business argues in the claim that, given the denial of the complainant's right of access to his personal data, the AEPD cannot directly order the initiation of a sanctioning procedure, but must initiate the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 42/66
rights protection procedure provided for in RD 1332/1994 (in force until 18-
4-2008), in order to guarantee said access and resolve it within six months and, if the resolution is favorable, make the repeated access effective within ten days.
This is how the Agency has been ruling in the procedures for the protection of rights, whose resolutions are attached as documents 1 to 14 with the claim,
so that in view of the evidence that the AEPD has not followed the legally established procedure, we are faced with the nullity of full right established
by article 62.1.e) of Law 30/1992.
Indeed, it is article 18.2 of the LOPD which, under the name "protection of rights", indicates that the interested party who is denied, totally or partially, the
exercise of the rights of (among others) access, may bring it to the attention of the
AEPD, which must ensure the admissibility or inadmissibility of the denial.
Adding ordinal 3 of the same article 48 that the maximum period in which the express resolution of protection of rights must be issued will be six months and the following
48.4 that, against the resolutions of the AEPD, a contentious-administrative appeal will proceed.
Based on this, it is true that in the majority of occasions in which a private individual reports to the AEPD the non-compliance of the right of access exercised by him,
said Administration initiates the procedure of protection of rights, regulated at present in articles 115 to 119 of RD 1720/20007, of December 21, as it
appears to have been carried out in the fourteen procedures whose resolutions are attached as documentary evidence by the plaintiff entity.
It is also true that the sanctioning procedure provided for in article 48 of
the same LOPD, which can be initiated ex officio based on the infringements provided for in
article 44 of said LO 15/1999, among others, for preventing or obstructing the exercise of
the rights of access and opposition (Art 44.3 .e) is a procedure completely
different from that of protection of rights, and with a different purpose, since while the latter is
aimed at guaranteeing or protecting the indicated personal rights (access, opposition,
rectification and cancellation) for the benefit of the holders of personal data, the
sanctioning procedure seeks to determine and sanction the infringements
committed and derived from non-compliance with the Data Protection Act.
The clear distinction between such procedures for the protection of rights and sanctioning was already
made clear in SAN 11-5-2001 (Rec. 12/2000), which reasons that one thing is the
procedure regulated in Art. 17 of RD 1332/1994, which is established to
guarantee the rights of access, rectification and cancellation, through the creation
of a claim system resolved by the AEPD, its resolution being appealable
through administrative litigation; and quite another is the opening of a
sanctioning procedure, which can even be done ex officio, and for which Art. 47 of
LO 5/1992 (Art. 48 LOPD ), developed by Art. 18 of RD 1332/1994, enables. These are
two different procedures, which serve different purposes, so there cannot be
a violation of the principle non bis in idem or the principle of legal certainty.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 43/66
In similar terms, our SAN 26-1-2006 (Rec. 441/2004) also indicates that
although the protection procedure is not a sanctioning procedure, it may have, and
in fact sometimes has, sanctioning implications for the person concerned.
When the Administration upholds a claim, as is the case here, it is declaring
that the effectiveness of one of the rights that affect the essential core of the fundamental right recognized in article 18.4 of the Constitution - the
habeas data or habeas scriptum - has been denied and among the serious infractions included in Art. 44
of Law 15/1999, is that of preventing or obstructing the exercise of the rights of access and opposition and the refusal to provide the information that is requested, so that
the declaration of the Administration may have the consequence of opening a subsequent
sanctioning procedure.
FOURTH.- What is raised in this litigation by E-Business, however, is not the
distinction and compatibility of both procedures provided for in the LOPD but whether, in the
lack of response to one of these rights (access, cancellation and rectification) by
the person responsible for the file, the AEPD must necessarily resort to the
rights protection procedure or may also alternatively, or even
simultaneously, request the initiation of a sanctioning procedure.
It was the SAN, Sec. 1ª, 14-12-2006 (Rec. 165/2005) that resolved the dilemma,
declaring that the initiation of a procedure for the protection of the rights of the
injured party is not an obstacle to the imposition of the sanction, since both paths
can be developed in parallel.
The appellant there had filed a complaint with the AEPD against a Savings Bank
for lack of any response to the exercise of the right of access to his data.
The AEPD issued a resolution declaring the filing of proceedings in relation to the
infringement of article 15 of the LOPD, on the grounds that the protection of the right of
access is achieved through the procedure for the protection of rights contained in
LO 15/1999, and not through the imposition of sanctions. The administrative appeal against this resolution is upheld by the aforementioned judgment, which
orders the retroactive action of the procedure so that the Agency may issue the
appropriate resolution, in relation to the violation of the indicated right of access of article
15 of Organic Law 15/1999.
The Court, after reiterating its doctrine that there does not seem to be a greater impediment to the
exercise of the right of access than the absolute disregard (lack of response) to it, rendering said right useless or completely ineffective, concludes that the
right that the appellant has under article 17.1 of RD 1332/1994,
consisting of requesting the AEPD to carry out the rights protection procedure, is
not incompatible with the imposition of sanctions for the failure to provide information.
(…) It is necessary to point out, concludes the same judgment, that in the petition of the complaint made by the appellant, there was express mention of the possibility of initiating the procedure for the protection of rights, but, however, the Agency chose to initiate only one procedure, the sanctioning one, and what does not make sense is, now, to force the appellant to initiate a new procedure for the protection of rights when there has been a serious disregard by the credit institution of its obligations regarding data protection.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 44/66
Doctrine fully applicable to the case now in dispute and which prevents this Court from
heeding the claim of E-Business taking into account that it has been
proven in the proceedings that the complainant requested access to his personal data from said entity, on
24-11-2005, 12-12-2006 and 27-12-2006, requests for access that are not recorded as having been answered by said appellant. (…)”
In any case, in the present case we are dealing with a claim presented
by a citizen of a Member State of the European Union, for the performance of a
cross-border processing carried out by a data controller located in
another Member State, which affects citizens of more than one Member State of the
European Union. Therefore, Article 60 of the GDPR requires the Member States to reach a consensus regarding the possible decision to be taken
with respect to such a claim.
In the present case, the procedure established in the GDPR has been followed and
an agreement has been reached with all the authorities involved to initiate a
sanctioning procedure against GLOVO, with the scope set out in this document.
For all the reasons stated above, this claim is rejected.
FOURTH.- REGARDING THE FAILURE TO TRANSFER THE COMPLAINT TO THE DATA PROTECTION OFFICER
GLOVO claims that it is surprised that the AEPD did not apply in this case the
possibility offered by the LOPDGDD to forward any complaint to the data protection officer
before deciding whether to admit it for processing, in accordance with
article 65.
It adds that the AEPD knows that GLOVO's Data Protection Officer, as well
as the Data Protection Department that she heads, has always had the
intention of collaborating with any procedure or inspection carried out by this
Agency. It claims that, in this case, prior communication to the Data Protection Officer
would have allowed the information to be provided to the complaining party
more quickly (since the AEPD was informed of the complaint through the IMI
system on February 24, 2022). Likewise, it could have held a dialogue
on the causes of the case and the mechanisms implemented by GLOVO to prevent
similar cases in a more constructive way than through a sanctioning
procedure (again, not even for the protection of rights), in which the AEPD does
not take into full consideration all the work carried out by GLOVO.
In any case, GLOVO indicates that it is aware that article 65.4 of the
LOPDGDD only offers the AEPD the power to carry out this action, without
it being obligatory in any case.
In this regard, this Agency wishes to point out that the possibility established in article 65.4 of the LOPDGDD for this Agency to transfer the claim to the data protection officer, refers to claims submitted to the Spanish Data Protection Agency, in accordance with article 65.1 of the LOPDGDD.
In the present case, the claim was submitted to the Polish data protection authority, that is, the AEPD acted as a consequence of the communication sent by the supervisory authority of another Member State of the European Union, in accordance with the provisions of article 65.5 of the aforementioned LOPDGDD, so that the claim could not be transferred to GLOVO before the aforementioned claim was admitted for processing.
In any case, as GLOVO itself has acknowledged in its allegations, the
possibility of forwarding the claim to the Data Protection Officer
established in article 65.4 of the LOPDGDD is a power of the AEPD
to carry out this action, without it being obligatory in any case.
Therefore, this allegation is rejected.
FIFTH.- ON THE GUILT OR NEGLIGENCE OF GLOVO
GLOVO indicates that the AEPD alleges that “the negligent action of the employee does not
exempt the defendant from liability”, relying on the Supreme Court Judgment No. 188/2022 (Contentious Chamber, Section 3a), of 15
February 2022 (rec. 7359/2020).
However, the AEPD ignores a key element, which is that, in this case, the request
made by the complainant was not made through official channels and communicated to
the interested parties, but rather it was made through a support chat for the delivery person which,
as explained, is not intended to address the rights of the interested parties.
In this regard, this Agency wishes to insist that it is not the obligation of the interested party to direct
their requests to exercise rights through the channel preferred by the company
responsible for processing. In addition, this Agency considers that the channel used in
the present case by the complainant, a channel that GLOVO itself provides to
the delivery people as an ideal means of contacting it, is a
perfectly valid means to request the exercise of the rights recognized in the
RGPD by the delivery people. And that it was GLOVO's obligation to properly respond to such a request, forwarding the request to the Department that the company
determined as the most suitable to give a proper response, if applicable, or as the company
considered best.
GLOVO claims that having made the request for access to its personal data
through a support chat to the delivery person is key when evaluating the company's guilt
in relation to the management of rights, since this is not, in its opinion, evaluating whether an agent with data protection rights functions has complied or not with his obligations, and therefore, can be directly linked to the legal asset protected by the rule. Rather, it is, in its opinion, a department with other different functions, which has internal rules to ensure that the Data Protection Department can comply with the obligations of the GDPR.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 46/66
In this regard, GLOVO cites Guidelines 01/2022 on the rights of interested parties
which indicate that “Data controllers must make all reasonable efforts
to ensure that the exercise of the rights of the interested party is facilitated [...]”.
Regarding this quote, GLOVO says that the AEPD indicates that the channel used by the
complainant is a perfectly valid means to request the exercise of the rights recognized in the RGPD by the delivery people, adding that it was
GLOVO's obligation to arbitrate the internal mechanisms necessary so that this
request for rights was forwarded to the channels that the company determined as the most suitable to give a proper response.
And the AEPD adds, furthermore, that “In this regard, this Agency wishes to point out that it is not
enough for the data controller (in this case, the respondent party)
to have action protocols to eliminate intentionality or
negligence in its actions. Rather, it is the obligation of the data controller
that such protocols are known and followed by all its employees.”
GLOVO understands that it has already been proven, with all the information and documentation
provided in the allegations to the agreement to initiate the present sanctioning
procedure, that these necessary internal mechanisms existed and had been
effectively communicated.
He adds that this is once again proven by providing the protocol of action that the agents in charge of providing customer support services, and
managed by the Live Ops Department, had to follow in the event of receiving GDPR rights requests (DOCUMENT 1 of these allegations) and the
training carried out by GLOVO's Data Protection Department to the
Live Ops Department, the team in charge of managing the customer support agents, where the management of the data protection rights of its users (including delivery drivers) by the agents was explained in particular (DOCUMENT
2 of these allegations), without prejudice to other documents provided throughout the procedure.
GLOVO indicates that it does not know how else its existence and communication, or its effectiveness, can be accredited, but what is evident, in its opinion, is that the AEPD cannot
expect GLOVO to make disproportionate and unreasonable efforts
by individually and daily going after each agent of the delivery support department to
ensure that they comply with its procedures. Nor can it expect that, by
having communicated an internal procedure and clear instructions, an employee
cannot make a human error in its application, precisely because it is a
human and not an automated technological system.
In this regard, this Agency wishes to insist that the channel used in the present case
by the complainant, a channel that GLOVO itself provides to the delivery drivers
as an ideal means of contacting it, is a perfectly
valid means of requesting the exercise of the rights recognized in the GDPR by the
deliverers. And that it was GLOVO's obligation to properly respond to such a request,
forwarding the request to the Department that the company determined as the most
suitable to give a proper response, if applicable, or as the company considered best.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 47/66
And that in the present case it cannot be understood that a delivery person would contact the Customer Service
Service, a channel intended to receive requests from delivery people, in order to
request a right of access to their personal data, it is not an ideal channel for
this, as has already been explained at length.
It is reiterated that at no time do the aforementioned Guidelines 01/2022 oblige interested parties
to direct their requests to exercise rights solely and exclusively through the
preferred channel for this, nor even to look for it either at first or at a
later time or when the company indicates that it cannot provide such
information. Even though GLOVO tries to disassociate itself from the response provided by its
Customer Service Department to the complainant, as if it were not a response
provided by the company itself, this is still the case: it has been GLOVO
through its Customer Service Department that has denied the information
requested by the complainant. Furthermore, the complainant's request had supposedly been transferred to another department, as indicated in its response to the complainant on August 26, 2021. In any case, if the reason for such denial was that this Department was not authorized to provide it, but another one was authorized to do so, this information was not provided to the complainant either.
What the aforementioned Guidelines 01/2022 do require, as GLOVO recognizes, is that
"Data controllers must make all reasonable efforts to ensure that the exercise of the rights of the interested party is facilitated [...]."
This Agency insists that recital (59) of the GDPR provides that: “Formulas should be established to facilitate the exercise by the interested party of his rights under this Regulation, including mechanisms for requesting and, where appropriate, obtaining free of charge, in particular, access to personal data and their rectification or deletion, as well as the exercise of the right to object. The controller should also provide means for requests to be submitted electronically, in particular when personal data are processed electronically. The controller should be obliged to respond to requests from the interested party without undue delay and no later than within one month, and to explain its reasons if it is not going to respond to them.”
In this sense, it cannot be understood that only those requests for the exercise of rights that are made solely through the channels established by the controllers in their privacy policies will be attended to. On the
contrary, each data controller has the right to organize itself
as it sees fit, provided that a satisfactory response is provided to the exercise
of the rights requested by the interested parties, within the legally established period. However, the
organization that this data controller had provided cannot be an obstacle
to the satisfaction of a right recognized to the interested parties by the GDPR.
In the present case, GLOVO had decided to centralize all requests for
exercises of rights related to the address gdpr@glovoapp.com. However, the
fact that a given request is directed through a different channel does
not imply that a proper response should not be given, as the controller of the
processing in question.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 48/66
In the present case, it cannot be denied that by communicating through the channel
provided for handling incidents for delivery drivers, the complainant could
reasonably expect that his request would be attended to. Moreover, it seems reasonable in
the eyes of this Agency that the complainant communicated with GLOVO through
this channel, which is the one specifically provided for requests from
delivery drivers. On the contrary, this Agency considers that, in any case, it was GLOVO's obligation to
duly attend to the request of the complainant, whether the customer service
(for the delivery driver) forwarded said request through the channels
pertinent to the department dedicated to this type of requests, or as it
considered best.
In this regard, in section 53 of the aforementioned Guidelines 01/2022 on the rights of data subjects - Right of access, the EDPB “…encourages controllers to provide the most appropriate and user-friendly communication channels, in accordance with Article 12(2) and Article 25, to enable the data subject to make an effective request. However, if the data subject makes a request through a communication channel provided by the controller that is different from the one indicated as preferred, the request will generally be considered effective and the controller must process the request accordingly (see examples below). Data controllers must make all reasonable efforts to ensure that the exercise of the rights of the interested party is facilitated (for example, in the event that the interested party sends the data request to an employee who is on leave, an automatic message informing the interested party
about an alternative communication channel for his request could be a reasonable effort).”
Therefore, this Agency insists that the channel used in the present case by the
complainant, a channel that GLOVO itself provides to the delivery drivers as
an appropriate means to contact it, is a perfectly valid means
to request the exercise of the rights recognized in the GDPR by the delivery drivers. And that it was GLOVO's obligation to properly respond to such a request,
forwarding the request to the Department that the company determined as the most
appropriate to give a proper response, if applicable, or as the company considered best.
Section 56 of the Guidelines cites as an example a case in which “a data controller X provides, on its website and in its privacy policy, two email addresses – the data controller’s general email address: contact@X.com and the data controller’s data protection contact point email address: requests@X.com. In addition, data controller X indicates on its website that in order to send any query or request regarding the processing of personal data, the data protection contact point must be contacted at the indicated email address. However, the data subject sends a request to the data controller’s general email address: contact@X.com. In this case, the data controller must make all reasonable efforts to make its services aware of the request, which was made through the general email address, so that it can be redirected to the data protection contact point and answered within the period established by the GDPR. Furthermore, the data controller cannot extend the deadline for responding to the request,
only because the data subject has sent a request to the general email address of the
data controller and not to the data protection contact point.”
In this regard, this Agency understands that the first example in section
56 of the aforementioned Guidelines is precisely the case that occurred in the present case. The
data subject (the complaining party) has sent his request for access through a generic channel
provided by the company to which it is addressed. Therefore, the data controller (GLOVO) should have made all “reasonable efforts to ensure that its
services are aware of the request, which was made via the general email, so that it can be redirected to the data protection contact point and
answered within the time limit established by the GDPR”, as indicated in the aforementioned
Guidelines, so that such request could be redirected to the corresponding data protection contact point, in order to be able to respond to it within the time limit established by the
GDPR. Therefore, this Agency considers that the complaining party could
“reasonably expect” that its request would be attended to.
As regards GLOVO's claim that the AEPD cannot expect the company to make disproportionate and unreasonable efforts by individually and
daily going after each agent in the delivery support department to
ensure that they comply with its procedures, at no time has this Agency
affirmed such a thing. It is not a question of the data controller making
disproportionate and unreasonable efforts, but rather that the company must ensure that
requests to exercise rights are duly attended to. Expecting a
Customer Service Department to properly process a request of this
type is not disproportionate or unreasonable, since it is a channel
intended to receive requests of all kinds. For this reason, agents must
be able to identify, channel and duly respond to such requests, which has
not occurred in the present case.
GLOVO claims that the AEPD's sanctioning activity is attempting to assume that, when an interested party requests a right through a channel that is not
specifically provided for by the company for this purpose, the obligation to arbitrate the necessary internal mechanisms results in an obligation of result, while both the aforementioned guidelines and the GDPR itself configure it as an obligation of means, in the same way as it happens in relation to security measures, an aspect that is precisely dealt with in the same STS 188/2022 referenced
above.
GLOVO explains that the GDPR establishes in its article 12 that "The data controller shall take appropriate measures to facilitate the interested party [...] any
communication in accordance with articles 15 to 22", and continues indicating that "The data controller shall facilitate the interested party's exercise of their rights under
articles 15 to 22".
And that the aforementioned STS 188/2022 also resolves this in its legal basis
THIRD in relation to the security measures, equally extrapolable to
the technical and organizational measures that the data controller establishes
for the attention of the data protection rights of the interested parties:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 50/66
“The obligation to adopt the necessary measures to guarantee the security of
personal data cannot be considered an obligation of result, which implies
that if a leak of personal data to a third party occurs, there is liability
regardless of the measures adopted and the activity carried out by the
data controller or the data processor.”
It alleges that GLOVO (i) has taken the appropriate measures to facilitate communication
with the interested party, and (ii) facilitates the interested party's exercise of their rights.
It understands that the interpretation of article 12, together with Guidelines 01/2022, cannot lead to any other consideration than that, especially when a request has been sent to a department that is not appropriate to address the rights of the interested parties, the only obligation of the data controller is to ensure the implementation ("arbitrate", in the words of the Guidelines) of internal mechanisms necessary for the request to be forwarded to the appropriate channels to provide a response. It is therefore an obligation of means, in these cases, and not of results, in relation to compliance with article 15 of the GDPR. GLOVO claims that it was not the function of the Customer Service Department to provide the delivery person with a response to the right of access, which in fact was indicated to the complaining party, when they were informed that they could not provide them with such information.
In this regard, this Agency wishes to point out that at no time has this Agency
stated that compliance with Article 15 of the GDPR is an obligation of
result, far from it.
However, this Agency insists that it is not the obligation of the interested party to direct their
requests to exercise rights through the channel preferred by the company
responsible for processing. And that this Agency considers that the channel used in
the present case by the complainant, a channel that GLOVO itself provides to
the delivery people as an appropriate means to contact it, is a
perfectly valid means to request the exercise of the rights recognized in the
RGPD by the delivery people. And that it was GLOVO's obligation to
properly attend to such a request, forwarding the request to the Department that the company
determined as the most suitable to give a proper response, if applicable, or as the company
considered best.
As regards GLOVO (i) having taken the appropriate measures to facilitate
communication with the interested party, and (ii) facilitating the interested party in exercising their rights,
this Agency understands that these statements refer to the channel established as
the preferred means, since it insists on numerous occasions that the Customer Service is not the
ideal means to exercise such rights, even though its own documents intended for this area provide that such requests
take place.
This Agency considers that having responded in the present case to the complaining party
that the requested data could not be provided, without giving them further
information in this regard, cannot be understood as GLOVO having “facilitated communication with the interested party” or “the exercise of their rights”.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 51/66
This Agency wishes to insist that it does not consider that a response was not given to the complainant, but rather that the exercise of the right was not properly attended to (i.e., the information on his personal data was not provided), when this was GLOVO's responsibility.
GLOVO continues to argue that it cannot be considered otherwise when this case depended on the actions of a person, where it is not possible for the rule to establish an obligation of result, there being countless reasons that can lead to an error. GLOVO explains that human error is something that is
known and studied empirically. And that in any human activity there are
environmental, personal and statistical factors that configure the level of probability that an error will occur. And that this risk is calculable using a simple
mathematical formula. In fact, human error is something so human that the Ministry of Labor and Social Affairs itself has had, for more than 25 years, a series of
technical notes on human reliability, among which the NTP 360 stands out, on
basic concepts, the NTP 377, where different analysis methods are studied, or the
NTP 401, on quantification methods. Three technical notes dedicated
exclusively to human error.
GLOVO claims that, indeed, it is a one-off error in the management of a
ticket that dealt with different incidents, in which a response was accepted that,
although a response, was not the one expected by the interested party or by the regulations of
GLOVO. It explains that it is not an error in an information system, or a
mechanical valve that must be opened or closed, nor a systemic failure or derived from
corporate negligence. Rather, it was a mistake made by a person,
mistakes that happen in any company, which are unpredictable and cannot be
controlled or prevented. Just as it happens with security measures when,
having applied those that were considered appropriate, they are ineffective against a
computer attack committed by cybercriminals who have obtained access credentials to the
systems through a previous phishing attack, so that
they can access legitimately without being detected by security systems,
firewalls, antivirus, successfully perpetrating the security incident.
GLOVO explains that in the present case there may be thousands of factors that
imperceptibly affect the human being and cause an error in the execution of his
obligations. Stress, fatigue, external aspects of his private life, repetition, are
factors that can lead a person to make a mistake. And that the error that
cannot be foreseen or prevented, simply happens, but definitely this error
that meant that the interested party received insufficient information (he was told that
the information could not be provided, but he was not redirected to the Data Protection
Department) cannot constitute a sanctionable act for the person responsible, and
even less so when GLOVO (i) developed internal, general data protection and specific data management procedures in LiveOps for the attention of the rights of the interested parties, (ii) trained the delivery person service department on
data protection and the attention of rights, and (iii) made available to all interested parties multiple ways of ensuring that they could obtain information on how to
exercise their data protection rights (delivery person contract, privacy policy, delivery person portal, legal texts in the application, website...).
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 52/66
GLOVO also reminds us that we must not forget the large volume of
requests for the exercise of rights and the resolution of queries and incidents that it
receives, the percentage of which is very significant when they are successfully addressed.
In short, GLOVO concludes that, as proven, it is an
obligation of means, because this is deduced from the regulations and Guidelines 1/2022, and
because it cannot be otherwise, the company took all reasonable and
necessary measures to ensure that the agents knew that they should redirect these
requests to the Data Protection Department. But simply in this case,
it did not happen, due to a human error, equivalent to a zero-day vulnerability in a
computer system. And that this is not foreseeable, nor can it be prevented or avoided.
GLOVO does not dispute that, in fact, the request was not sent to the
Data Protection Department.
But it alleges that this infringement is not related to compliance with the GDPR,
but to GLOVO's internal regulations, caused by a human error by an
employee that, in no case, can be attributed to the person responsible or derive
legal liability from him. And that GLOVO adopted technical and organizational means and
deployed diligent activity in the implementation and use of these to
achieve the expected result, hoping that the diligence of its employees will
facilitate this.
In this regard, this Agency wishes to insist that it does not consider that a response was not given to
the complainant, but rather that the exercise of the right was not properly attended to
(that is, the information on the complainant's personal data was not provided), when this was GLOVO's responsibility.
As regards the fact that in the present case it was a one-off error by an employee, this
Agency wishes to remind that, as stated in the proven facts of this
resolution, on August 19, 2021 at 12:31 p.m., the complainant sent a
communication to the Customer Service Department with the following content (in
Polish the original, unofficial translation): “Good morning, please send me the
conversation with (...), B.B.B., to my email address, as it will be the
basis of my legal case, if that does not happen, I will send you a court order.”
That is, he made a first request for access to his personal data (in this case,
the recordings of his conversation with a ***POST.1). GLOVO appears to
not be aware of this first request from the complainant in its pleadings, but the fact that it
fails to cite Article 15 of the GDPR does not prevent its content from being that of a
request for access to the complainant's personal data.
In response to this request, the company replied to the complainant on August 19, 2021
at 3:30 p.m. in Polish, with the following content (unofficial translation):
“Good morning, thank you for contacting Glovo. Unfortunately, we cannot
share the conversation or its fragments with you. Please let us know what your
problem is with our ***POST.1. Best regards, Glovo Customer Service.”
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 53/66
Given the company's refusal to provide such information, and after a series of
conversations on other issues, on August 26, 2021 at 07:56 hours, the
complainant again requested the GLOVO Customer Service Department to
provide him with certain information from August 17, 2021
about him, this time based on article 15 of the GDPR.
On August 26, 2021, the complainant was informed that his case was
transferred to another department and on September 3, 2021 at 12:36 hours he was
informed that the requested information could not be provided.
On September 3, 2021, the complainant indicated that he had made a mistake
by requesting information about himself from August 17, 2021, that what he wanted
was information from August 19, 2021.
And, again, the company informed him on September 6, 2021 that it could not
provide him with such information.
That is, in three different communications (on August 19, August 26, and September 3) the complainant had requested access to his personal data. And
all three times GLOVO responded that it could not provide him with such access, without
giving further information on the matter. GLOVO itself has acknowledged this in its
allegations.
Moreover, on September 3, 2021 at 12:36 p.m. the complaining party received an
email from support@glovo.mail.kustomerapp.com in Polish, with
the following content (unofficial translation): “Good morning, Unfortunately, we
cannot share such information with you. Can you specify what
exactly you are requesting? We remind you that opening multiple chats
may slow down your service time. We ask you to use only one chat for this
request. Best regards, Glovo Team Glovo Customer Support”.
This Agency understands that in the present case it is not possible to understand that a
human error occurred due to “stress, fatigue, external aspects of your private life, repetition…”.
On three different occasions, on three different days, and even after the issue had been analyzed by two different departments (the request from the complainant had been
transferred to another department, according to the company), GLOVO's response
had always been the same: that it could not provide the complainant with such
information, when it was GLOVO's obligation to provide it.
GLOVO cites here Procedure PD/00078/2023, for the resolution of rights procedures, which addresses, among others, the obligation to respond to the request through
any channel:
“The aforementioned rules (NOTE: articles 15 to 22 RGPD and 12 LOPDGDD) do not
allow the request to be ignored as if it had not been raised, leaving it
without the response that those responsible must obligatorily issue, even in the
case that there is no data in the files or even in those cases in which it does not meet the requirements provided, in which case the recipient of said
request is equally obliged to request the correction of the deficiencies observed or, where appropriate, deny the request with reasons indicating the reasons
for which that it is not appropriate to consider the right in question.”
In this regard, GLOVO indicates that a response was given, and the complainant was told
that the requested information could not be provided, which only
deepens the fact that the company has implemented the necessary internal mechanisms
so that the agents of the Customer Service Department who provide support to the
delivery person know that they cannot attend to the rights of the interested parties and
the request was forwarded to the Data Protection Department where they could request
such information, as required by the internal mechanisms implemented by
GLOVO, both at the level of internal regulations and as a training initiative for its
employees (see the documents “Protocol for Action in the event of GDPR requests
from Glovo users, couriers or any data subject” or the “Training GDPR - Live Ops 2021”,
both provided to this procedure in GLOVO's previous response to the
AEPD, and which are provided again as DOCUMENTS 1 and 2 of these
allegations). Although, again and due to human error, this was not done in the case of the
complainant.
GLOVO also claims that in the aforementioned procedure PD/00078/2023, the respondent was not
sanctioned, but was given a period of 10 days to proceed
to address the requested right of access.
In this regard, this Agency wishes to insist that it does not consider that a response was not given to the
complainant (as in the case of PD/00078/2023), but rather that
the exercise of the right was not properly attended to (i.e., the information on her personal
data was not provided), when this was GLOVO's responsibility.
And that, regardless of the measures adopted by GLOVO, in the present
case the complainant made numerous communications requesting his right of
access to data about him, even referring to article 15 of the
RGPD, a request that was not duly attended to.
As regards the fact that it was a “human error”, this Agency reiterates that it cannot
be considered as such the fact that it responded that the requested information was not provided to the complainant on three different occasions, on different days and
after the matter was analyzed by two different departments of the company.
Furthermore, this Agency cannot understand why GLOVO cites in its
allegations PD/00078/2023 in which the right of the complainant to access the recordings of his conversations with the
respondent company is precisely recognized and upholds the claim, ordering the respondent to provide the requested access.
As regards the decision not to initiate a sanctioning procedure in this case, this Agency reiterates that in no case does the regulation oblige, in the event of an exercise of rights not duly attended to, to initiate a so-called
"rights procedure" instead of a sanctioning procedure. Or to follow a
determined order, first initiating a rights procedure and then, upon its
completion, initiating a sanctioning procedure. On the contrary, these are two paths
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 55/66
independent of each other, which can take place simultaneously or
alternatively.
In short, GLOVO understands that the company cannot be held responsible for the incorrect or insufficient response to the complaining party, due to negligence or fault, since:
1) It was a request made through a generic channel provided
by GLOVO to address incidents in the provision of services by delivery drivers.
2) GLOVO had implemented appropriate internal mechanisms so that the request received through this channel was forwarded to the appropriate channel for its response, that is, the Data Protection Department.
3) The obligation to implement such mechanisms cannot be considered as anything other
than an obligation of means, and not of results.
4) The implementation of these mechanisms, duly accredited,
involve reasonable efforts to ensure that its services are aware of the request,
as argued by the AEPD in its Resolution Proposal, and proposed by the
Guidelines 1/2022.
5) The agent replied to the interested party informing them that he could not provide
the requested information.
6) GLOVO has a specific channel for requesting data protection rights, reported in a multitude of channels and documents, including
the contract signed by the delivery person or the specific application and web environment
for delivery people, so the interested party could easily use
this channel. Therefore, GLOVO claims that the incomplete response by the agent who assisted the complainant, who did not provide the address of the Data Protection Department, or did not directly send the request to this department, cannot be categorized as anything other than a human error which, as explained above, derives from (i) the belief that he had responded to his request by indicating that he could not provide this information, and (ii) from correctly responding to the rest of the incidents reported by the interested party, in accordance with the functions that he did have in accordance with his role within the Customer Service Department to support the delivery person.
In this regard, this Agency reiterates that:
1) The channel used by the complainant is a perfectly valid means
to exercise a request for access to his personal data.
2) Regardless of the measures adopted by GLOVO, in the present
case the complainant made numerous communications requesting his
right of access to data about him, even referring to
article 15 of the GDPR, a request that was not duly attended to.
3) It is not an obligation of result. But it is not the obligation of the
interested party to direct his requests to exercise rights through the channel
preferred by the company responsible for the treatment. It was GLOVO's obligation
to duly attend to such a request, forwarding the request to the Department that
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 56/66
the company determined as the most suitable to give a proper response, if
necessary, or as the company considered best.
4) It is not a question of the data controller making
disproportionate and unreasonable efforts, but rather that the company must
ensure that requests to exercise rights are duly attended to.
Expecting a Customer Service Department to process a request of this type as appropriate is not disproportionate or unreasonable, since it is a channel intended for receiving requests of all kinds. For this reason, agents must be able to identify, channel and respond appropriately to such requests, which has not occurred in the present case.
5) It is not considered that a response was not given to the complaining party, but rather that the exercise of the right was not properly attended to (i.e., information about their personal data was not provided), when this was GLOVO's responsibility.
6) The interested party is not obliged to direct their requests to exercise their rights through the channel preferred by the company responsible for the processing.
Finally, this Agency reiterates that what happened in the present case cannot be classified as a “human error” in having responded that the information requested by the complainant was not provided on three different occasions, on different days and after the issue was analyzed by two different departments of the company.
Furthermore, according to what was ruled in the STS 7887/2011 of November 24, 2011,
Rec. 258/2009, “(…) since its judgment 76/1990, of April 26, the Constitutional Court
has declared that objective liability or liability without fault is not included in the scope of administrative sanctions, a doctrine that is reaffirmed in judgment
164/2005, of June 20, 2005, by virtue of which the possibility of imposing
sanctions for the mere result is excluded, without proving a minimum of guilt even in the case of mere negligence. However, the way of attributing responsibility to legal entities does not correspond to the forms of willful or imprudent guilt that are attributable to human conduct.”
Thus, in the case of infringements committed by legal persons, although the element of guilt must be present (see the judgment of this Chamber of the Supreme Court of 20 November 2011 (appeal for cassation in the interest of law
48/2007), this is necessarily applied in a different way than it is done with respect to
natural persons. According to STC 246/1991 "(...) this different construction of the
imputability of the authorship of the infringement to the legal person arises from the very
nature of legal fiction to which these subjects respond. They lack the
volitional element in the strict sense, but not the capacity to infringe the rules to which they are subject. Capacity to infringe and, therefore, direct blameworthiness that
derives from the legal asset protected by the rule that is infringed and the need for
said protection to be truly effective and from the risk that, consequently, the person must
assume
Following the judgment of 23 January 1998,
partially transcribed in STS 6262/2009, of 9 October 2009, Rec 5285/2005,
and STS 6336/2009, of 23 October 2009, Rec 1067/2006, it should be added that "although the
guilt of the conduct must also be proven, it must be considered in
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 57/66
order to assume the corresponding burden, that ordinarily the
volitional and cognitive elements necessary to assess the former form part of the
typical conduct proven, and that their exclusion requires that the absence of such
elements be proven, or in their absence, that the latter is not a valid reason for the normative aspect, that the diligence that was
required by the person claiming its nonexistence has been used; In short, the invocation of the absence of guilt is not sufficient for exculpation in the face of typically unlawful behavior."
In any case, as has been pointed out, the Supreme Court Judgment No. 188/2022 (Contentious Chamber, Section 3), of February 15, 2022 (rec.
7359/2020) argues about the liability of legal persons in our legal system: "... It simply happens that, since our Administrative Law admits the direct liability of legal persons, who are therefore recognized as having the capacity to infringe, the subjective element of the infringement is expressed in these cases in a different way than it is with respect to natural persons, so that, as the constitutional doctrine that we have previously reviewed points out - SsTC STC 246/1991, of 19 December (F.J. 2) and 129/2003, of June 30
(F.J. 8)- the direct blame derives from the legal asset protected by the rule that
is infringed and the need for such protection to be truly effective and from the risk that, consequently, the legal person that is subject to compliance with
said rule must assume." (emphasis added by this Agency).
Therefore, in the present case, the actions of the employees do not exempt GLOVO from
its responsibility for such actions.
Finally, as regards the fact that the rest of the issues related to the
execution of the services by the complainant were resolved, this Agency has
already insisted that this is not the subject of the present sanctioning procedure.
For all the reasons stated above, the present allegation is rejected.
SIXTH.- REGARDING AGGRAVATING CIRCUMSTANCES
GLOVO makes some observations on the aggravating circumstances alleged by the AEPD:
1) The nature, seriousness and duration of the infringement, taking into account the
nature, scope or purpose of the processing operation in question as well as the number of interested parties affected and the level of damages they have suffered (section a): due to the failure to attend to the request of the complaining party to
exercise their right of access, from August 19, 2021 to November 14,
2022, once this Agency intervened.
GLOVO understands that this aggravating circumstance should not be considered, since (i) a response was given, even if it could be insufficient or incomplete, as the
department of customer service cannot provide the information requested by the
delivery person, and (ii) if no response was given until November 14, 2022, it was because the
IMI information exchange system is excessively slow, because the AEPD
did not contact the Data Protection Officer in February 2022 before
admitting the claim for processing, and because even so, having been admitted in June,
it did not forward the request for information until November of that same year.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 58/66
Therefore, the Agency requests that this aggravating circumstance not be taken into consideration or, if applicable, that
the time periods as calculated by the AEPD not be considered, since
everything could have been much quicker.
In this regard, this Agency reiterates that it does not consider that a response was not given to the
complainant, but rather that the exercise of the right was not properly attended to (i.e., the information on his personal data was not provided), when this was GLOVO's responsibility.
And that the complainant insisted on three occasions on his request for access to his personal
data, so that GLOVO had several opportunities to provide such
information, long before the complainant submitted his complaint or before such complaint was received by this Agency.
As regards the fact that the Data Protection Officer was not contacted before
admitting the claim for processing, this Agency reiterates that the LOPDGDD provides
for this possibility (which is not obligatory) only for claims submitted
directly to the AEPD, which did not occur in the present case.
In any case, this Agency wishes to emphasize that in the
present case it is not a question of the fact that such a request was not attended to
in time, but rather that such a request would not have been attended to if this Agency had not intervened, since
the complainant was only provided with access to his/her data after having
been asked for information about the claim.
2) The intentionality or negligence in the infringement (section b): the conduct of
GLOVO was seriously negligent since the exercise of the right of access to personal data was not attended to despite the fact that the complainant insisted at least
three times that he/she wanted to be provided with the requested information.
GLOVO claims that in no case can it accept that its actions were considered to be grossly negligent.
First, because as it considers proven, GLOVO implemented the appropriate mechanisms to ensure that the Customer Service Department that provides
support services to the delivery person provided the address of the Data Protection Department to the interested parties, as required by the obligation of means of article 12
RGPD or Guidelines 1/2022, it being a human error of the agent who attended the case that generated the claim that gives rise to the present procedure.
Second, because, even if it were not so (which it is), GLOVO understands that the
complaining party did not insist three times that it wanted the requested information to be provided. According to the documentation provided by the AEPD itself, there are
only two messages that refer to the right of access, the first on
August 26 at 7:56, indicating that it requested the conversation of August 17,
together with other information related to the execution of its services, and a
second request, on September 3 at 12:36, copying exactly the same
previous request, but correcting the date of the requested conversation (initially
it indicated that it was from August 17, and later it corrected to indicate that it was from August 19.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 59/66
it is true that, in the documentation provided, the message of September 3
appears twice, but it is always the same message.
GLOVO also points out that both messages were sent 6 days apart,
in the same case or ticket, so it cannot be considered as
"insisted three times". It is the same request, made (to correct it) in duplicate
within the month that GLOVO had to respond, so it cannot be considered
repetition or insistence at all.
Therefore, GLOVO requests that this aggravating circumstance not be taken into consideration as it is not
applicable to this case.
In this regard, this Agency reiterates what has already been answered in the previous allegation, in
particular, that regardless of the measures adopted by GLOVO, in the
present case the complainant made numerous communications requesting their
right of access to data about themselves, even referring to
article 15 of the GDPR, a request that was not duly attended to.
At no time is an obligation of result intended. However, it was GLOVO's obligation to properly respond to such a request, forwarding the request to the Department that
the company determined to be the most suitable to give a proper response, if applicable, or
as the company considered best.
This Agency does not intend for the data controller to make
disproportionate and unreasonable efforts, but rather for the company to ensure that
requests to exercise rights are properly attended to. Pretending that a
Customer Service Department properly processes a request of this type is
not disproportionate or unreasonable, since it is a channel
intended to receive requests of all kinds. For this reason, agents must
be able to identify, channel and properly respond to such requests, which has
not occurred in the present case.
As regards the number of times the complainant requested his/her data, this Agency
reiterates that, as stated in the proven facts of this resolution,
on August 19, 2021 at 12:31 p.m., the complainant sent a
communication to the Customer Service Department with the following content (in
Polish the original, unofficial translation): “Good morning, please send me the
conversation with (...), B.B.B., to my email address, as it will be the
basis of my legal case, if that does not happen, I will send you a court order.”
That is, he/she made a first request for access to his/her personal data (in this case,
the recordings of his/her conversation with a ***POST.1). GLOVO appears to
not be aware of this first request from the complainant in its allegations, but the fact that it
fails to cite Article 15 of the GDPR does not prevent its content from being that of a
request for access to the complainant's personal data.
In response to this request, the company replied to the complainant on August 19, 2021
at 3:30 p.m. in Polish, with the following content (unofficial translation):
“Good morning, thank you for contacting Glovo. Unfortunately, we cannot
share the conversation or its fragments with you. Please let us know what is
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 60/66
your problem with our ***POST.1. Best regards, Glovo Customer Service.”
Following the company's refusal to provide such information, and after a series of
discussions on other issues, on 26 August 2021 at 07:56, the
complainant again requested the GLOVO Customer Service Department to provide him with certain information from 17 August 2021
regarding him, this time based on Article 15 of the GDPR.
On 26 August 2021, the complainant was informed that his case was
transferred to another department and on 3 September 2021 at 12:36 he was informed that the requested information could not be provided.
On September 3, 2021, the complainant indicated that he had made a mistake
by requesting information about himself from August 17, 2021, that what he wanted
was information from August 19, 2021.
And, again, the company informed him on September 6, 2021 that it could not
provide him with such information.
That is, in three different communications (on August 19, August 26, and September 3) the complainant had requested access to his personal data. And
all three times GLOVO responded that it could not provide him with such access, without
giving further information on the matter. GLOVO itself has acknowledged this in its
allegations.
Moreover, on September 3, 2021 at 12:36 p.m. the complaining party received an
email from support@glovo.mail.kustomerapp.com in Polish, with
the following content (unofficial translation): “Good morning, Unfortunately, we
cannot share such information with you. Can you please specify what
exactly you are requesting? We remind you that opening multiple chats
may slow down your service time. We ask you to use only one chat for this
request. Best regards, Glovo Team Glovo Customer Support.”
This Agency understands that it cannot be considered that in the present case there was a
human error when on three different occasions, on three different days and even
having analyzed the issue by two different departments (the request of the
complainant had been transferred to another department, according to the company),
GLOVO's response had always been the same: that it could not provide the
complainant with such information, when it was GLOVO's obligation
to provide it.
Finally, this Agency wishes to point out that the fact that the communications of the
complainant with the company had been made through the same ticket, is not
indicative of anything, it is simply a way of organizing the company, like
any other.
Therefore, for all the reasons stated, this allegation is rejected.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 61/66
3) Any previous infringement committed by the controller or processor
(section e): On April 1, 2020, the Director of the AEPD signed resolution of
sanctioning procedure PS/00417/2019 in which GLOVO was sanctioned with a
fine of €25,000 for the infringement of article 37 of the GDPR.
On March 7, 2023, the Director of the AEPD signed the resolution of the sanctioning procedure PS/00209/2022 in which a warning was issued to GLOVO for the
infringement of article 13 of the GDPR and GLOVO was fined €550,000 for the infringement of articles 25 and 32 of the GDPR.
GLOVO claims that it does not deny the existence of the previous sanctioning procedures,
but it does consider it appropriate to remind the AEPD that they have nothing to do
with the present case, neither directly nor indirectly, and that instead it is not taking
into consideration that among the cases that the AEPD has managed linked to the
attention of the rights of interested parties, it has never proceeded to sanction GLOVO.
Therefore, it requests that this aggravating circumstance not be taken into consideration or, failing that,
that the fact that the AEPD has been aware of several claims for attention to rights, without having
ever found any reprehensible fact in the actions of GLOVO, be also considered as an attenuating circumstance.
In this regard, this Agency wishes to point out that the literal of article 83.2.e) of the GDPR
states: "any previous infringement committed by the controller or the person in charge of the
processing", without requiring that the aforementioned infringements be related to the
infringement being evaluated. But it cannot be denied that when
grading a fine, someone who has never infringed the GDPR cannot be given the same consideration as someone who has. Likewise, the same consideration will not be given when grading the fine for a given infringement if the
identical infringement has been committed on previous occasions or if it is a question of other
infringements. For the peace of mind of GLOVO, please be advised that all of this has been
duly taken into account by this Agency when graduating the sanction for the
present procedure, which is why a fine of only 0.01% of the
total annual turnover is imposed (€15,000 in relation to ***AMOUNT.1 € of
turnover, as stated in the proven facts).
Furthermore, due to an involuntary error on its part, this Agency has omitted in
its assessment of the graduation of the possible sanction in the present procedure the
procedure PS/00372/2021 in which, by resolution of June 13, 2022
the Director of this Agency imposed a warning on GLOVO for the violation of
article 12 of the GDPR, for a right of deletion not duly attended to.
Also due to an involuntary error on its part, this Agency did not take into account that in procedure TD/00268/2020 a decision was issued in favor of the claimant's claim for a request for the right of access to the claimant's personal data that had not been duly attended to.
For the reasons set forth above, this Agency cannot but reject this allegation.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 62/66
IV
Right of access of the interested party
Article 15 “Right of access of the interested party” of the GDPR establishes:
“1. The interested party shall have the right to obtain from the data controller confirmation of
whether or not personal data concerning him or her are being processed and, if
this is the case, the right of access to the personal data and to the following information:
a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipients to whom the personal data have been or will be
disclosed, in particular recipients in third countries or international
organisations;
(d) where possible, the envisaged period for which the personal data will be stored, or, if
not possible, the criteria used to determine that period;
(e) the existence of the right to request from the controller rectification or erasure of
personal data or restriction of processing of personal data concerning the data subject, or to object to such
processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the personal data have not been obtained from the data subject, any
available information as to their source;
(h) the existence of automated decision-making, including profiling, referred to in
Article 22(1) and (4), and, at least in such cases, meaningful
information about the logic involved, as well as the significance and the envisaged
consequences of such processing for the data subject.
2. Where personal data are transferred to a third country or an international organisation, the data subject shall have the right to be informed of the appropriate
guarantees pursuant to Article 46 relating to the transfer.
3. The controller shall provide a copy of the personal data being
processed. The controller may charge a reasonable fee for any further copy requested by the data subject, based on administrative costs. Where the data subject makes the request by electronic means, and unless the data subject
requests that the data be provided otherwise, the information shall be provided in a commonly used electronic format.
4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the
rights and freedoms of others.”
In the present case, the complainant requested GLOVO via an email to support@glovo.mail.kustomerapp.com on August 19, 2021, the
conversation held with B.B.B..
On the same day, GLOVO's Customer Service team informed him that they could not
share the aforementioned conversation or its fragments, without justifying such refusal.
After an exchange of emails between the complainant and GLOVO, the complainant on August 26, 2021 requested GLOVO via
email to support@glovo.mail.kustomerapp.com, based on article
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 63/66
15 of the GDPR to provide him with the record of the conversation with B.B.B. 17 August 2021, the exact time of check-in on that day and the actions of the employees who changed that data, information about an order cancelled on 17 August
together with the reasons for cancellation and the actions of the employees who changed that data, and the work plan for 17 August of changes in the system and GLOVO employees.
On 26 August 2021 at 20:09 the complainant received an email from the address support@glovo.mail.kustomerapp.com in Polish,
with the following content (unofficial translation): “Hello, A.A.A.! Thank you for contacting
us. Your case has been transferred to another department. Once we have
a response, we will pass it on to you. We hope that this information is useful, because
we are always trying to provide the highest quality in our service.
You can count on us. Thank you for your trust. Glovo Customer Service”.
On September 3, 2021, the GLOVO customer service team replies
again that it cannot share the information requested by the complainant,
without providing any justification.
On September 3, 2021, the complainant indicates that it made a mistake and was
requesting the information corresponding to August 19, 2021.
On September 6, 2021, the GLOVO customer service team insists that
it cannot provide the requested information to the complainant, without providing
any justification.
That is, on none of these occasions was GLOVO responding to the request for
access to the complainant's personal data.
Therefore, in accordance with the evidence available at this time
of the sanctioning procedure resolution, it is considered that the known facts
constitute an infringement, attributable to GLOVO, for violation of article
15 of the GDPR.
V
Classification and qualification of the infringement of article 15 of the GDPR
The aforementioned infringement of article 15 of the GDPR involves the commission of the infringements
classified in article 83.5 of the GDPR, which under the heading “General conditions
for the imposition of administrative fines” provides:
“Infringements of the following provisions shall be punishable, in accordance with
paragraph 2, by administrative fines of a maximum of EUR 20 000 000 or,
in the case of an undertaking, an amount equivalent to a maximum of 4% of the
total global annual turnover of the previous financial year, whichever is higher:
(…)
b) the rights of data subjects pursuant to articles 12 to 22; (…)”
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 64/66
For the purposes of the limitation period, article 72 “Infringements considered very serious” of the LOPDGDD indicates:
“1. In accordance with the provisions of article 83.5 of Regulation (EU) 2016/679, infringements that constitute a
substantial violation of the articles mentioned therein and, in particular, the
following are considered very serious and will be subject to a three-year statute of limitations:
(…)
k) The impediment or obstruction or repeated failure to comply with the exercise
of the rights established in articles 15 to 22 of Regulation (EU) 2016/679 (…)”.
VI
Penalty for infringement of Article 15 of the GDPR
For the purposes of deciding on the imposition of an administrative fine and its amount, in accordance with the evidence available at the time of the resolution of the sanctioning procedure, it is considered that it is appropriate to graduate the sanction to be imposed in accordance with the following criteria established in Article 83.2 of the GDPR:
- The nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question, as well as the number of data subjects affected and the level of damages and losses they have suffered (section a): due to the failure to attend to the request of the complaining party to exercise their right of access, from August 19, 2021 to November 14, 2022, once this Agency intervened.
- The intention or negligence in the infringement (section b): GLOVO's conduct was seriously negligent since the exercise of the right of access to personal data was not attended to despite the fact that the complainant insisted at least three times that he wanted to be provided with the requested information.
As aggravating factors:
- Any previous infringement committed by the controller or the person in charge of the
processing (section e): On April 1, 2020, the Director of the AEPD signed
resolution of sanctioning procedure PS/00417/2019 in which GLOVO was sanctioned
with a fine of €25,000 for the infringement of article 37 of the GDPR.
On March 7, 2023, the Director of the AEPD signed the resolution of sanctioning procedure PS/00209/2022 in which a warning was issued to GLOVO for the violation of article 13 of the GDPR and GLOVO was fined €550,000 for the violation of articles 25 and 32 of the GDPR.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 65/66
It is also considered that the sanction to be imposed should be graded in accordance with the
following criteria established in section 2 of article 76 “Sanctions and corrective
measures” of the LOPDGDD:
As aggravating factors:
- The link between the offender's activity and the processing of personal data (section b): The development of the business activity that GLOVO carries out
requires continuous processing of personal data.
The balance of the circumstances contemplated in article 83.2 of the RGPD and 76.2 of
the LOPDGDD, with respect to the infringement committed by violating the provisions of
article 15 of the RGPD, allows for the imposition of a sanction of €15,000 (fifteen thousand euros).
Therefore, in accordance with the applicable legislation and having assessed the criteria for grading the sanctions whose existence has been proven,
the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: TO IMPOSE on GLOVOAPP23, S.A., with NIF A66362906, for an infringement
of Article 15 of the GDPR, classified in Article 83.5 of the GDPR, a fine of
15,000.00 euros (FIFTEEN THOUSAND euros).
SECOND: TO NOTIFY this resolution to GLOVOAPP23, S.A.
This resolution will be enforceable once the deadline for filing the optional appeal for reconsideration
ends (one month from the day following notification of this resolution) without the interested party having made use of this faculty. The sanctioned party is warned that he/she must pay the sanction imposed once this resolution becomes enforceable, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment period established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of 17 December, by depositing it, indicating the NIF of the sanctioned party and the procedure number that appears in the heading of this document, in the restricted account nº IBAN: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code:
CAIXESBBXXX), opened in the name of the Spanish Data Protection Agency in the banking entity CAIXABANK, S.A. Otherwise, it will be collected during the enforcement period.
Once the notification has been received and has become enforceable, if the date of enforceability is between the 1st and 15th of each month, both inclusive, the deadline for making the voluntary payment will be until the 20th of the following month or the next business day thereafter, and if it is between the 16th and the last day of each month, both inclusive, the payment deadline will be until the 5th of the second following month or the next business day thereafter.
In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 66/66
Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may, at their discretion, lodge an appeal for reconsideration before the
Director of the Spanish Data Protection Agency within one month from the
day following notification of this resolution or directly
an administrative appeal before the Administrative Litigation Division of the
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Administrative Litigation Jurisdiction, within two months from the
day following notification of this act, as provided for in article 46.1 of the
referred Law.
Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, the final resolution may be provisionally suspended by administrative means if the
interested party expresses his intention to lodge an administrative appeal.
If this is the case, the interested party must formally communicate this fact by means of
a letter addressed to the Spanish Data Protection Agency, presenting it through
the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-
web/], or through one of the other registries provided for in art. 16.4 of
the aforementioned Law 39/2015, of October 1. He must also transfer to the Agency the
documentation that proves the effective filing of the administrative appeal. If the Agency is not aware of the filing of the administrative appeal
within two months from the day following the notification of this resolution, it will terminate the provisional suspension.
938-16012024
Mar España Martí
Director of the Spanish Data Protection Agency
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
