AEPD (Spain) - EXP202202415
AEPD - EXP202202415 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 12(3) GDPR Article 15 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 09.07.2024 |
Published: | |
Fine: | 15,000 EUR |
Parties: | GlovoApp23 SA |
National Case Number/Name: | EXP202202415 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | fb |
The DPA fined Glovo €15,000 after it failed to act on an access request. The DPA considered irrelevant the fact that the request was not sent to the DPO email address but to a different contact point of the controller.
English Summary
Facts
The data subject, a Polish delivery driver, after facing some issues with a delivery, contacted the deliverers’ assistance service and had a conversation with an employee. Since the data subject wanted to use this conversation to initiated legal proceedings against the controller, they asked the assistance service to provide them with the recording of the conversation. The controller refused to provide this recording.
After that, the data subject sent the controller, through the deliverers’ assistance service portal, an access request under Article 15 GDPR. The controller reiterated that it cannot provide the recording and did not act further on the access request.
Therefore, the data subject filed a complaint with the Polish DPA. Since the main establishment of the controller is in Spain, the Polish DPA forwarded the complaint to the Spanish one pursuant to Article 56 and 60 GDPR.
The controller argued that the access request was not sent through the dedicated email address, but through the messaging system dedicated to deliverers’ issues.
Moreover, it argued that it had not been aware of this access request until the DPA forwarded the request to it.
Furthermore, it noted that it had internal policies instructing all employees to escalate GDPR requests to the DPO office and that, in the case at hand, the delay was caused by the fact that only one employee had not complied with these policies.
Finally, it pointed out that the data subject did not initiate the legal proceeding they threatened to begin in their first message to the controller.
Holding
First, the DPA rejected the controller’s argument regarding the fact that the data subject did not use the dedicated email address. It pointed out that the data subject had sent his access request through a portal which was acknowledged by the controller as suitable for the submission of deliverers’ requests.
According to the DPA, if the person receiving the message was not able to deal with GDPR issues, the controller should have forwarded the request to the right department.
On this point, the DPA held that, while the controller is free to determine its internal business organization, this cannot imply that the controller does not comply with the data subject’s GDPR rights. In the case at hand, the controller decided to centralize the response to all the GDPR requests through one email address. However, according to the DPA, this cannot mean that requests sent through other channels should not be replied.
The DPA also referenced to paragraph 56 of the EPDB Guidelines 01/2022 on data subject rights - Right of access, stating that the controller should make all reasonable efforts to make its services aware of a request sent to a general e-mail, so that it can be redirected to the data protection contact point and answered within the time limits provided for by the GDPR. In the case at hand, the DPA held that the controller did not make these reasonable efforts.
Moreover, the DPA noted that having a strict internal policy on how to deal with GDPR requests and that the fact that the violation depends on the negligent behaviour of one employee is not enough to be exempted from liability. On the contrary, the controller needs to adopt the necessary measures to ensure full compliance of these policies by all employees. Therefore, the DPA held that the fact that the employee acted in violation of these policies is irrelevant.
Finally, the DPA rejected the controller’s argument and held that the fact that the data subject eventually did not sue the controller is irrelevant.
On these grounds, the DPA found a violation of Article 15 GDPR and issued a fine of €15,000.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/66 File No.: EXP202202415 IMI Reference: A56ID 336608 SANCTIONING PROCEDURE RESOLUTION Based on the procedure initiated by the Spanish Data Protection Agency and based on the following Background, Proven Facts and Legal Grounds, the Director of the Spanish Data Protection Agency resolves to adopt the present sanctioning procedure resolution. TABLE OF CONTENTS BACKGROUND................................................................................................................2 PROVEN FACTS.......................................................................................................10 LEGAL BASIS........................................................................................................13 I Jurisdiction................................................................................................................14 II Preliminary issues...................................................................................................14 III Allegations raised...................................................................................................14 In relation to the allegations raised in relation to the agreement to initiate this sanctioning procedure, the following are answered in the order set forth by GLOVO:...................................................................................15 FIRST.- ON GLOVO'S INTERNAL PROCESSES..................................................15 SECOND.- ON THE FORM OF REQUESTING THE RIGHT OF ACCESS .................................................................................................................................17 THIRD.- ON KNOWLEDGE OF THE EXERCISE OF THE RIGHT AND THE IMMEDIATE ACTION OF GLOVO. THE SPECIFIC FAILURE TO COMPLY WITH INTERNAL PROCEDURES BY SPECIFIC EMPLOYEES AND THE DISPROPORTIONALITY OF THE PROPOSED SANCTION........................................................................................................19 FOURTH.- OTHER RELEVANT PROCEDURES................................................................24 FIFTH.- ON THE EVOLUTION OF GLOVO................................................................25 In relation to the allegations raised in relation to the proposed resolution of this sanctioning procedure, the following are answered in the order set forth by GLOVO:.................................................................................25 FIRST.- ON THE EVENTS THAT OCCURRED IN THE MANAGEMENT OF THE APPLICATION........................................................................................................................25 SECOND.- ON THE NON-ATTENTION OF THE RIGHT OF ACCESS.................................31 THIRD.- ON THE THE OPENING OF A SANCTIONING PROCEDURE INSTEAD OF PROTECTION OF RIGHTS.................................36 C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/66 FOURTH.- ON THE FAILURE TO TRANSFER THE COMPLAINT TO THE DATA PROTECTION OFFICER.......................................................................43 FIFTH.- ON GLOVO'S GUILT OR NEGLIGENCE...................................44 SIXTH.- ON AGGRAVATING CIRCUMSTANCES.................................................56 IV Right of access of the interested party........................................................................60 V Classification and qualification of the infringement of article 15 of the RGPD.................................62 VI Sanction for the infringement of article 15 of the RGPD.................................................63 the Director of the Spanish Data Protection Agency RESOLVES:.................64 BACKGROUND FIRST: A.A.A. (hereinafter, the complainant) filed a complaint on September 30, 2021 with the Urząd Ochrony Danych Osobowych, the Polish data protection authority. The complaint is directed against GLOVOAPP23, S.A. with NIF A66362906 (hereinafter, GLOVO). The grounds on which the complaint is based are the following: The complainant requested from GLOVO the recording of its conversation with a ***PUESTO.1 of GLOVO on August 19, the time at which the complainant entered the GLOVO application on that same day, information on the cancellation of an order placed on that same day including the decisions made by GLOVO employees and their motivation, and the work schedule on that same day with the changes made by the system and by the employees. The complainant requested this information based on Article 15 of the General Data Protection Regulation (GDPR), to which GLOVO replied by denying access to the conversation. Along with the complaint, the following is provided: - Printout of an email dated August 19, 2021 at 2:31 p.m. sent by support@glovo.mail.kustomerapp.com to the complainant in Polish with the following content (unofficial translation): “Thank you for contacting us. We have received your communication and are sending this message automatically to confirm it. Our customer service will contact you shortly. Best regards!” This email is in response to a previous email sent by the complainant on August 19, 2021 at 12:31 p.m., with the following content (original Polish, unofficial translation): “Good morning, please send me the conversation with (...), B.B.B., to my email address, as it will be the basis of my court case, if that does not happen, I will send you a court order.” - Printout of an email dated August 19, 2021 at 3:30 p.m. sent by support@glovo.mail.kustomerapp.com to the complainant in Polish, with the following content (unofficial translation): “Good morning, thank you for contacting Glovo. Unfortunately, we cannot share the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/66 conversation or its fragments with you. Please let us know what your problem is with our ***POST.1. Kind regards, Glovo Customer Support.” - Printout of an email dated August 19, 2021 at 8:54 PM sent by the complaining party to support@glovo.mail.kustomerapp.com in the Polish language, with the following content (unofficial translation): “So, in that case, your consultant said that I was blocked in red for doing nothing for 2 hours, and then blocked me for the whole day?”. - Printout of an email dated August 20, 2021 at 8:29 AM sent by support@glovo.mail.kustomerapp.com to the complaining party in the Polish language, with the following content (unofficial translation): “Good morning, thank you for contacting Glovo. Please be advised that 15 minutes before the start of the blockage you receive a check-in reminder. Afterwards you must confirm your readiness to work during the hours that have been booked. You did not confirm that you were ready to work, so the system automatically marked your blocks in red. If you need further support, please contact us. We will be happy to help you. Glovo Customer Support.” - Printout of an email dated August 23, 2021 at 2:16 p.m. sent by support@glovo.mail.kustomerapp.com to the complaining party, in Polish, with the following content: “Good morning, thank you for contacting Glovo. One hour was blocked because your contract was reassigned, the rest because you did not check in on the application. Please be advised that 15 minutes before the start of the blockage you receive a check-in reminder. Afterwards you must confirm your readiness to work during the hours that have been booked. You did not confirm that you were ready to work, so the system automatically marked your blocks in red. If you need further support, we invite you to contact us. We will be happy to help you. Glovo Customer Support.” - Printout of an email dated August 26, 2021 at 09:56 sent by support@glovo.mail.kustomerapp.com to the complaining party in Polish, with the following content (unofficial translation): “Thank you for contacting us. We have received your communication and we are sending this message automatically to confirm it. Our customer service will contact you as soon as possible. Best regards!” This email is in response to a previous email sent by the complainant on August 26, 2021 at 07:56, with the following content (original Polish, unofficial translation): “On the basis of Article 15 of the GDPR, I would like to request the following data: - conversation log with (...) B.B.B. from August 17 with time per minute for each sentence of this conversation - the exact time I checked in on August 17 in the application together with the actions taken by your employees that changed this data - information about the cancelled order from ***ADDRESS.1 to Biedronka from August 17, together with the reason for this cancellation and the actions taken by your employees that changed this data - work plan from August 17 with minute-by-minute information of your changes by the system and your employees.” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/66 - Printout of an email dated August 26, 2021 at 8:09 p.m. sent by support@glovo.mail.kustomerapp.com to the complainant in Polish, with the following content (unofficial translation): “Hello, A.A.A.! Thank you for contacting us. Your case has been transferred to another department. Once we have a response, we will pass it on to you. We hope that this information is useful, because we are always trying to provide the highest quality in our service. You can count on us. Thank you for your trust. Glovo Customer Service.” - Printout of an email dated September 3, 2021 at 12:36 hours sent by support@glovo.mail.kustomerapp.com to the complaining party in Polish, with the following content (unofficial translation): “Good morning, Unfortunately, we cannot share such information with you. Can you specify what exactly you are requesting? We remind you that opening multiple chats may slow down your service time. We ask you to use a single chat for this request. Best regards, Glovo Team Glovo Customer Support.” - Printout of an email dated 3 September 2021 at 13:10 hours in which the complaining party sent to support@glovo.mail.kustomerapp.com a reply to the previous email in Polish, with the following content (unofficial translation): “I was requesting information from August 19 (however, I made a mistake when writing August 17). Based on Article 15 GDPR I would like to request the following information: - conversation log with (...) B.B.B. from August 17 with minute-by-minute time for each sentence in this conversation - the exact time I checked in on August 17 in the application along with the actions taken by your employees that changed this data - information about the cancelled order from ***ADDRESS.1 to Biedronka from August 17, along with the reason for this cancellation and the actions taken by your employees that changed this data - work plan for August 17 with minute-by-minute information about your changes by the system and your employees.” And the official response from your company is that you cannot provide such information, no?” - Screenshot of email dated September 6, 2021 at 17:22 hours in which support@glovo.mail.kustomerapp.com replies to the complainant's previous email in Polish, with the following content (unofficial translation): “Good morning, As we have mentioned above, we cannot share such information. Kind regards, Glovo Team Glovo Customer Service”. SECOND: Through the “Internal Market Information System” (hereinafter IMI System), regulated by Regulation (EU) No 1024/2012, of the European Parliament and of the Council, of October 25, 2012 (IMI Regulation), whose objective is to promote cross-border administrative cooperation, mutual assistance between Member States and the exchange of information, the aforementioned claim was transmitted on February 24, 2022 and was given an entry date at the Spanish Data Protection Agency (AEPD) the following day. The transfer of this complaint to the AEPD is carried out in accordance with the provisions of article 56 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27/04/2016 on the Protection of Natural Persons with regard to the Processing of Personal Data and the Free Circulation of Such Data (hereinafter, GDPR), taking into account its cross-border nature and that this Agency is competent to act as the main supervisory authority, given that GLOVO has its registered office and main establishment in Spain. The data processing carried out affects interested parties in several Member States. According to the information incorporated into the IMI System, in accordance with the provisions of article 60 of the GDPR, the authorities of Italy, Portugal and France act as “interested supervisory authority” in addition to the data protection authority of Poland. All of them pursuant to article 4.22 of the GDPR, given that the interested parties residing in the territory of these control authorities are substantially affected or are likely to be substantially affected by the processing subject to this procedure. THIRD: On June 6, 2022, the AEPD requests, through the IMI System, the Polish data protection authority to send the relevant information of the case again. The Polish data protection authority shared the requested documentation through the IMI System on June 10, 2022. FOURTH: On June 24, 2022, in accordance with the then-current article 64.3 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), the claim filed by the complainant was admitted for processing. FIFTH: The General Subdirectorate of Data Inspection proceeded to carry out preliminary investigative actions to clarify the facts in question, by virtue of the functions assigned to the control authorities in article 57.1 and the powers granted in article 58.1 of the GDPR, and in accordance with the provisions of Title VII, Chapter I, Section Two, of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), having knowledge of the following facts: 1. On November 15, 2022, this Agency received a written response to the request for information, submitted on behalf of GLOVO, with entry registration number ***REFERENCE.1, in which, among others, the following information was provided: a) Declaration that the party The complainant “… has exercised his right of access through this Agency and that Glovo had never before received his request for access through the email address enabled for this purpose, as indicated in the Privacy Policy in force at the time when he exercised his right of access, namely, the email gdpr@glovoapp.com”. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/66 b) Indication that, when this request for access was received through the AEPD request, GLOVO forwarded the request to its data protection officer, who sent a reply to the complainant on November 14, 2022 from the address gdpr@glovoapp.com attaching the 4 documents that the complainant requested in their emails to Glovo Customer Service. c) A copy of the email sent by gdpr@glovoapp.com to ***EMAIL.1 (which GLOVO indicates is the email address of the complainant), dated November 14, 2022 at 7:30 PM, with the following content is provided: “Dear Mr. A.A.A.: 36. We confirm that we have received your request to exercise your right of access in relation to personal data, in accordance with the applicable data protection laws (EU Regulation 2016/679). 37. We are pleased to inform you that after analyzing the requested information and verifying your identity in accordance with the information requested by the Spanish Data Protection Authority (the so-called ≪Data Protection Authority≫). Spanish Data Protection Agency), through the Polish Data Protection Authority, we provide the following information along with the attached documents: 1. Interview report with (...) B.B.B. dated 19.8.2021 38. A talk is attached (document 1). 2. Exact time of logging into the application on 19.8.2021 with a list of actions taken by Glovo employees 39. Attached to the request for information (document 2). 3. Information about the cancellation of the order from Spring Square to Biedronka on 19.8.2021 year in 40. Please note that for operational reasons we had to proactively assign an order to another courier so that the user received the order in due time. Please note that after a long period of no activity on your part, we had to assign the order to another courier in order to receive the product in a timely manner (see Document 3). 4. Service schedule of 19.8.2021 41. Attached are the actions performed in the system indicating your schedule and the actions undertaken by Glovo on that date (document 4). 42. We hope that this information is useful. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/66 43. Please note that you can read our privacy policy at https://glovoapp.com/es/legal/privacy-couriers/ 44. Considering that Glovo participates in the protection of personal data, we remind you that you can exercise your rights of access, rectification, deletion, limitation of processing, data portability and opposition at any time, using the form available on the Platform or by sending an email to gdpr@glovoapp.com. Alternatively, in any case, you can contact the competent data protection authority. 45. Glovo Team” d) Copy of a certificate from the company ***COMPANY.1 indicating that the email mentioned in the previous point was sent on November 14, 2022 at 7:31 p.m. and was accessed by the recipient on November 14, 2022 at 7:44 p.m. This certificate also includes the content of the documents attached to the email. e) Copy of the “POLITYKA PRYWATNOŚCI DLA KURIERÓW” [Unofficial translation: “Privacy Policy for Messengers”] in Polish of GLOVO. Within this privacy policy, in its section 11, dedicated to the rights of interested parties, it is indicated that “Powyższe prawa mogą być wykonywane poprzez wysłanie wiadomości e-mail na adres gdpr@glovoapp.com.” [Unofficial translation: “These rights can be exercised by sending an email to gdpr@glovoapp.com.”]. 2. On March 30, 2023, the General Subdirectorate of Data Inspection browsed the website https://web.archive.org, obtaining the historical content of August 13, 2021 of the website https://glovoapp.com/pl/legal/privacy-couriers/, which contains the privacy policy for GLOVO couriers, obtaining the following results: Within the section “11. Rights of interested parties”, it is indicated that “The aforementioned rights may be exercised by sending an email to the address gdpr@glovoapp.com”. 3. According to a query made on March 30, 2023 in the Monitoriza service of Axesor (https://monitoriza.axesor.es/), GLOVO is a type of company “(...)” that, in 2021, had a total global annual turnover of ***AMOUNT.1 €, and had ***AMOUNT.2 employees. EIGHTH: On June 16, 2023, the Director of the AEPD adopted a draft decision to initiate sanctioning proceedings. Following the process established in article 60 of the GDPR, on that same day this draft decision was transmitted through the IMI system and the interested authorities were informed that they had four weeks from that moment to formulate relevant and reasoned objections. The processing period for this sanctioning procedure was automatically suspended for these four weeks, in accordance with the provisions of Article 64.5 of the LOPDGDD. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/66 Within the period for this purpose, the interested supervisory authorities did not present any pertinent and reasoned objections in this regard, so it was considered that all the authorities agreed with this draft decision and were bound by it, in accordance with the provisions of section 6 of Article 60 of the GDPR. NINTH: On July 17, 2023, the Director of the Spanish Data Protection Agency agreed to initiate disciplinary proceedings against GLOVO, in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), in order to impose a fine of 15,000 euros, for the alleged violation of article 15 of the GDPR, classified in article 83.5 of the GDPR, in which it was indicated that it had a period of ten days to present allegations. This start-up agreement, which was notified to GLOVO in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (LPACAP), was collected on 07/17/2023 and 07/18/2023, as stated in the acknowledgment of receipt in the file. TENTH: On July 17, 2023, GLOVO submitted a letter to this Agency reporting that it had received a notice of a postal notification sent to this Agency with “Identifier: ***REFERENCE.2”, but that they could not find it. They also reported that their current address was at Calle Llull, 108 08005 Barcelona and that the corporate form of the entity had changed to S.A., its correct corporate name being Glovoapp23, S.A. ELEVENTH: On July 17, 2023, GLOVO submitted a letter requesting an extension of the deadline for submitting objections. TWELFTH: On July 19, 2023, the extension of the requested deadline for up to a maximum of five days was agreed, in accordance with the provisions of article 32.1 of the LPACAP. The aforementioned agreement was notified to GLOVO on July 20, 2023, as stated in the acknowledgment of receipt in the file. THIRTEENTH: On August 3, 2023, this Agency received, in a timely manner, a letter from GLOVO in which it submitted objections to the initiation agreement. In summary, these allegations stated that: - First.- GLOVO has abundant internal procedures and a culture of privacy in its company and acted diligently and proactively to ensure compliance with data protection throughout the company. - Second.- GLOVO had expressly established that in all cases similar to that of the complainant, all requests must be communicated to its Data Protection Department, but the complainant did not use the channels intended for this. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/66 - Third.- 3.1. The complainant was given a response with all the required information as soon as the complaint was forwarded by this Agency. 3.2. GLOVO has not acted with malice or negligence. - Fourth.- Other relevant procedures of this Agency are cited in which the archiving of proceedings was resolved. - Fifth.- GLOVO has evolved greatly in terms of personal data protection. FOURTEENTH: On April 16, 2024, the body in charge of the procedure issued a resolution proposal in which it proposed imposing a fine of 15,000 euros on GLOVO, in accordance with the provisions of articles 63 and 64 of the LPACAP, for the violation of Article 15 of the GDPR, classified in Article 83.5 of the GDPR, in which it was indicated that it had a period of ten days to submit allegations. This resolution proposal, which was notified to GLOVO in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (LPACAP), was collected on April 26, 2024, as stated in the acknowledgment of receipt in the file. FIFTEENTH: On April 26, 2024, GLOVO submitted a document requesting an extension of the deadline for submitting allegations. SIXTEENTH: On April 30, 2024, the body in charge of the procedure agreed to the requested extension of the deadline up to a maximum of five days, in accordance with the provisions of article 32.1 of the LPACAP. The aforementioned agreement was notified to GLOVO on the same day, as stated in the acknowledgment of receipt in the file. SEVENTEENTH: On May 17, 2024, this Agency received, in a timely manner, a letter from GLOVO in which it presented objections to the proposed resolution. In summary, in these objections, it stated that: - First.- GLOVO has numerous technical and organizational measures in place to ensure compliance with the applicable regulations regarding data protection and, especially in relation to the case at hand, the attention to the rights of the interested parties. - Second.- The interested party's request was responded to. GLOVO made reasonable efforts to ensure that the agents of the delivery support team could identify requests to exercise rights and either communicate them directly to the data protection department, or respond to the interested party with the address where to go, efforts that, due to human error, were not translated into reality. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/66 - Third.- GLOVO is surprised that, having responded to the interested party first by chat, and subsequently officially by the Data Protection Department, the Agency decides to proceed with the initiation of a sanctioning procedure without proposing the opening of a procedure for the protection of rights. - Fourth.- GLOVO is surprised that the AEPD does not apply in this case the possibility offered by the LOPDGDD to refer any claim to the data protection delegate before deciding on its admission for processing, in accordance with article 65. - Fifth.- GLOVO should not be held responsible, due to negligence or fault, for the incorrect or insufficient response to the interested party who makes the claim. - Sixth.- Requests that the aggravating circumstances alleged by the AEPD not be applied and that the fact that the AEPD has been aware of several claims for attention to rights, without ever having found any reprehensible fact in the actions of GLOVO, be considered as an attenuating circumstance. From the actions carried out in the present procedure and from the documentation in the file, the following have been proven: PROVEN FACTS FIRST: On August 19, 2021 at 12:31 p.m. the complaining party sent an email to the address support@glovo.mail.kustomerapp.com, with the following content (in Polish the original, unofficial translation): “Good morning, please send me the conversation with (...), B.B.B., to my email address, as it will be the basis of my legal case, if that does not happen, I will send you a court order.” On August 19, 2021 at 2:31 p.m. the complaining party received an email from the address support@glovo.mail.kustomerapp.com in Polish language with the following content (unofficial translation): “Thank you for contacting us. We have received your communication and we are automatically sending this message to confirm it. Our customer service will contact you shortly. Best regards!” SECOND: On August 19, 2021 at 3:30 p.m. the complaining party received an email from the address support@glovo.mail.kustomerapp.com in Polish, with the following content (unofficial translation): “Good morning, thank you for contacting Glovo. Unfortunately, we cannot share the conversation or its fragments with you. Please let us know what your problem is with our ***POST.1. Best regards, Glovo Customer Support.” THIRD: On August 19, 2021 at 8:54 p.m. the complainant sent an email to the address support@glovo.mail.kustomerapp.com in Polish, with the following content (unofficial translation): “So, in that case, your consultant said that I was blocked in red for doing nothing for 2 hours, and then blocked me for the whole day?”. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 11/66 FOURTH: On August 20, 2021 at 8:29 a.m. the complainant received an email from the address support@glovo.mail.kustomerapp.com in Polish, with the following content (unofficial translation): “Good morning, thank you for contacting Glovo. Please be advised that 15 minutes before the start of the block you receive a check-in reminder. Afterwards you must confirm your readiness to work during the hours that have been booked. You did not confirm that you were ready to work, so the system automatically marked your blocks in red. If you need further support, please contact us. We will gladly assist you. Glovo Customer Support.” FIFTH: On August 23, 2021 at 2:16 p.m. the complaining party received an email from the address support@glovo.mail.kustomerapp.com in Polish, with the following content: “Good morning, thank you for contacting Glovo. One hour was blocked because your contract was reassigned, the rest because you did not check in in the application. Please be advised that 15 minutes before the start of the block you receive a check-in reminder. Afterwards you must confirm your readiness to work during the hours that have been booked. You did not confirm that you were ready to work, so the system automatically marked your blocks in red. If you need further support, we invite you to contact us. We will be happy to help you. Glovo Customer Support.” SIXTH: On August 26, 2021 at 09:56 the complaining party received an email from the address support@glovo.mail.kustomerapp.com in Polish, with the following content (unofficial translation): “Thank you for contacting us. We have received your communication and we sent this message automatically to confirm it. Our customer service will contact you as soon as possible. Best regards!” This email is in response to a previous email sent by the complainant on August 26, 2021 at 07:56, with the following content (original Polish, unofficial translation): “On the basis of Article 15 of the GDPR, I would like to request the following data: - conversation log with (...) B.B.B. from August 17 with time per minute for each sentence of this conversation - the exact time I checked in on August 17 in the application together with the actions taken by your employees that changed this data - information about the cancelled order from ***ADDRESS.1 to Biedronka from August 17, together with the reason for this cancellation and the actions taken by your employees that changed this data - work plan from August 17 with minute-by-minute information of your changes by the system and your employees.” SEVENTH: On August 26, 2021 at 8:09 p.m. the complaining party received an email from the address support@glovo.mail.kustomerapp.com in Polish, with the following content (unofficial translation): “Hello, A.A.A.! Thank you for contacting us. Your case has been transferred to another department. Once we have a response, we will pass it on to you. We hope that this information is useful, because we are always trying to provide the highest quality in C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 12/66 our service. You can count on us. Thank you for your trust. Glovo Customer Service.” EIGHTH: On September 3, 2021 at 12:36 p.m. the complaining party received an email from support@glovo.mail.kustomerapp.com in Polish, with the following content (unofficial translation): “Good morning, Unfortunately, we cannot share such information with you. Can you please specify what exactly you are requesting? We remind you that opening multiple chats may slow down your service time. We ask you to use only one chat for this request. Best regards, Glovo Team Glovo Customer Support.” NINTH: On September 3, 2021 at 1:10 p.m. the complaining party sent an email to support@glovo.mail.kustomerapp.com with a reply to the previous email in Polish, with the following content (unofficial translation): “I was requesting information from August 19 (however, I made a mistake by writing August 17). Based on Article 15 GDPR I would like to request the following information: - conversation log with (...) B.B.B. from August 17 with minute-by-minute time for each sentence in this conversation - the exact time I checked in on August 17 in the application along with the actions taken by your employees that changed this data - information about the cancelled order from ***ADDRESS.1 to Biedronka from August 17, along with the reason for this cancellation and the actions taken by your employees that changed this data - work plan for August 17 with minute-by-minute information of your changes by the system and your employees.” And the official response from your company is that you cannot provide that information, no?” TENTH: On September 6, 2021 at 5:22 p.m. the complaining party received an email from the address support@glovo.mail.kustomerapp.com, in reply to the previous email from the complaining party, in Polish, with the following content (unofficial translation): “Good morning, As we have mentioned previously, we cannot share such information. Kind regards, Glovo Customer Service Team.” ELEVENTH: On November 14, 2022 at 7:31 p.m. an email was sent from the address gdpr@glovoapp.com to ***EMAIL.1, with the following content: “Dear A.A.A.: We confirm that we have received your request to exercise your right of access in relation to personal data, in accordance with the applicable data protection laws (EU Regulation 2016/679). We are pleased to inform you that after analyzing the requested information and verifying your identity in accordance with the information requested by the Spanish Data Protection Authority (the so-called ≪Data Protection Authority≫). Spanish:Spanish Data Protection Agency), through the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 13/66 Polish Data Protection Authority, we provide the following information together with the attached documents: 1. Report of the interview with (...) B.B.B. dated 19.8.2021 A talk is attached (document 1). 2. Exact time of logging into the application on 19.8.2021 with a list of actions taken by Glovo employees Attached to the request for information (document 2). 3. Information about the cancellation of the order from Spring Square to Biedronka on 19.8.2021 year in Please note that for operational reasons we had to proactively assign an order to another courier so that the user would receive the order in due time. We inform you that after a long time without any activity on your part, we had to assign the order to another courier in order to receive the product in due time (see Document 3). 4. Service schedule of 19.8.2021 Attached are the actions performed in the system indicating their schedule and the actions undertaken by Glovo on that date (document 4). We hope that this information is useful. Please note that you can read our privacy policy at https://glovoapp.com/en/legal/privacy-couriers/ Considering that Glovo is involved in the protection of personal data, we remind you that you can exercise your rights of access, rectification, deletion, limitation of processing, data portability and opposition at any time, using the form available on the Platform or by sending an email to gdpr@glovoapp.com. Alternatively, in any case, you can contact the competent data protection authority. Glovo Team” This email was accessed by the recipient on November 14, 2022 at 19:44 hours. TWELFTH: In the “Privacy Policy for Messengers” in force in September 2021, it was indicated that the address to contact GLOVO regarding questions was by sending an email to gdpr@glovoapp.com. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 14/66 THIRTEENTH: According to the diligence dated March 30, 2023, in the year 2021, GLOVO was a “(...)” type company with a total annual global business volume of ***AMOUNT.1 €, and had ***AMOUNT.2 employees. LEGAL BASIS I Jurisdiction In accordance with the provisions of articles 58.2 and 60 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data (RGPD), and as established in articles 47, 48.1, 64.2 and 68.1 and 68.2 of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter, LOPDGDD) the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure. Likewise, article 63.2 of the LOPDGDD determines that: “The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, in this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, in a subsidiary manner, by the general rules on administrative procedures.” II Preliminary questions In the present case, in accordance with the provisions of article 4.1 and 4.2 of the RGPD, the processing of personal data is recorded, since GLOVO collects and stores, among others, the following personal data of natural persons: name and surname and email, among other treatments. GLOVO carries out this activity in its capacity as data controller, given that it is the one who determines the purposes and means of such activity, pursuant to article 4.7 of the RGPD. Furthermore, this is a cross-border treatment, given that GLOVO is established in Spain, although it provides services to other countries in the European Union. The GDPR provides, in its article 56.1, for cases of cross-border processing, provided for in its article 4.23), in relation to the competence of the main supervisory authority, that, without prejudice to the provisions of article 55, the supervisory authority of the main establishment or of the sole establishment of the controller or the processor will be competent to act as the main supervisory authority for the cross-border processing carried out by said controller or processor in accordance with the procedure established in article 60. In the case C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 15/66 examined, as has been explained, GLOVO has its main establishment in Spain, so the Spanish Data Protection Agency is competent to act as the main supervisory authority. For its part, article 15 of the GDPR regulates the right of access by the interested party to their personal data. III Allegations raised In relation to the allegations raised in relation to the agreement to initiate this sanctioning procedure, the following are answered in the order set forth by GLOVO: FIRST.- REGARDING GLOVO'S INTERNAL PROCESSES GLOVO claims that it has its own internal procedures to ensure compliance with personal data protection regulations in general and, in particular, in relation to the attention to data protection rights exercised by interested parties, whether they are users, partners or distributors. They indicate that they are aware that interested parties who interact with GLOVO can interact directly with their support or customer service channels (customer support) for aspects related to their privacy and, in particular, to exercise their data protection rights, even though it is not the official channel for this as reported in their privacy policy. However, due to the special sensitivity of these cases and, especially, those cases that may have an impact on other people - such as the present case where the complainant requested a transcript of a conversation with B.B.B. from the Customer Support team - it was expressly established that in these cases all requests must be communicated to the GLOVO Data Protection Department. Attached as proof of this, as DOCUMENT 1, is a copy of the protocol of action that the agents in charge of providing Customer Support services, and managed by the Live Ops Department, must follow in the event of receiving GDPR rights requests such as the present case. The aforementioned document provided indicates that it is “Version 1 - Valid from February 2021” and in its section 5.1, the following is expressly indicated: “5.1. Right of access by the data subject User or Courier contact LiveOps and request his/her data. If he/she is not in Glovo systems you should inform him/her that we are unable to attend his/her request. If he/she is in Glovo systems, LiveOps should redirect User or Courier to gdpr@glovoapp.com in order to assist this request, since the Legal Privacy Team C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 16/66 needs to reach out to Tech to obtain an Excel with personal details and order details as well as reach out the specific Team in charge of chat conversations or call recordings where applicable.” (unofficial translation: “5.1. Right of access by the interested party The user or Delivery person contacts LiveOps and requests his or her data. If he or she is not in Glovo's systems, LiveOps must inform him or her that we cannot attend to his or her request. If he or she is in Glovo's systems, LiveOps must redirect the User or Delivery person to gdpr@glovoapp.com in order to attend to his or her request, since the Legal Privacy Team needs to contact Tech to obtain an Excel with the personal details and order details as well as to contact the specific Team in charge of chat conversations or call recordings, if applicable.”) Additionally, in section 6, the following is also indicated: “6. Relevant issues to take into account In case of any doubt please, reach out to the Legal Privacy Team through gdpr@glovoapp.com. In case if support of other Glovo teams is needed (such as Tech, Risk Ops, etc) please, reach out to the Legal Privacy Team through gdpr@glovoapp.com. In accordance with Article 12 of the GDPR Glovo as data controller will provide User or Courier with the requested information within one month of receipt of the request. The unique official channels to exercise data subjects rights are gdpr@glovoapp.com and the form available here.” (unofficial translation: “6. Relevant aspects to take into account In case of doubt, please contact the Privacy Legal Team through gdpr@glovoapp.com. In case assistance is required from other Glovo teams (such as Tech, Risk Ops, etc.) please contact the Privacy Legal Team through gdpr@glovoapp.com. In accordance with article 12 of the GDPR, Glovo as data controller will provide the User or Delivery Person with the requested information within one month from receipt of the request. The only official channels to exercise the rights of interested parties are gdpr@glovoapp.com and the form available here.”) GLOVO explains that this protocol, on the one hand, indicates what the rights of access, rectification, opposition, deletion, limitation and portability consist of. On the other hand, it explains step by step how agents must attend to these rights. And it clarifies that, in case of doubt, all agents in charge of providing Customer Support services are duly informed of the need to refer any exercise of data protection rights to the direct communication channel gdpr@glovoapp.com, as stated in its privacy policy. GLOVO adds that all its employees, when they join the organization, sign a document called “PERSONAL DATA PROCESSING, COMMUNICATIONS AND USE OF EQUIPMENT POLICY” (a copy of said document is attached as DOCUMENT 2), which in its section 8 includes a specific chapter entitled “Guidelines for responding to a petition of access, cancellation, limitation, suppression, opposition or portability rights” that describes how to react to an exercise of data protection rights. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 17/66 GLOVO claims that the Data Protection Department, in addition to managing the gdpr@glovoapp.com account, also has access to the legal@glovoapp.com account so that it can address the data protection rights that the agents in charge of providing Customer Support services may redirect to this email. GLOVO indicates that this document was accepted and signed by the three agents who had discussions with the complainant. As an example, the conditions signed by one of them are provided as DOCUMENT 3. However, GLOVO adds that these agents no longer provide their services to the organization. In this regard, the declaration signed by the legal representative of Restaurant Partner Polska sp. z o.o. (hereinafter, "Glovo Poland"), a subsidiary of Glovo that operates in the Polish market and with which the agents involved in the complainant's case stopped providing their services for Glovo Poland, is attached as DOCUMENT 4. GLOVO highlights that all agents who provide Customer Support services to their users have been trained in the management of data protection rights and must act in accordance with the protocol of action provided as DOCUMENT 1. It also explains that in April 2021, GLOVO's Data Protection Department provided specific training to the Live Ops Department, the team in charge of managing Customer Support agents, where it explained what the General Data Protection Regulation consists of, its principles, why compliance with privacy regulations is so important and, in particular, the management of the data protection rights of our users (including delivery drivers) by agents. The training carried out is attached as DOCUMENT 5. Thus, GLOVO concludes that there is no other conclusion than that it has abundant internal procedures and a privacy culture in its company made up of different protocols, training and guidelines aimed at the protection of personal data. Therefore, in its opinion, it is more than evident that it acted diligently and acts proactively to ensure compliance with data protection throughout the company through continuous mandatory training for all its employees. In this regard, this Agency wishes to point out that, regardless of the measures adopted by GLOVO, in the present case the complainant made numerous communications requesting their right to access data about themselves, even making reference to article 15 of the GDPR, a request that was not duly responded to. GLOVO itself recognizes that interested parties can interact with other channels other than the official channel reported in its privacy policy and even had indicated that cases such as the one that gives rise to this procedure should be communicated to its Data Protection Department, which has not occurred. Therefore, this allegation is rejected. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 18/66 SECOND.- REGARDING THE FORM OF APPLYING FOR THE RIGHT OF ACCESS GLOVO claims that the request for the right of access was not made through the official channels for this purpose, since it did not use the email address that GLOVO had available to interested parties on the date on which the exercise of the right was requested (gdpr@glovoapp.com). It also indicates that all GLOVO delivery drivers - and, consequently, the complainant - must expressly accept the terms and conditions applicable to delivery drivers and the privacy policy at the time of creating an account on its platform. 6 screenshots of this extent are attached as DOCUMENT (the document is written in Polish). GLOVO adds that all delivery drivers have at their disposal, through the website or mobile application, a section in which to access the legal and privacy conditions. In the case of delivery drivers, the channels of attention are intended, exclusively, for: accidents or offenses, issues related to shipments, issues related to earnings or incidents with the application. GLOVO also explains that in the app or website itself, delivery drivers can access their user profile, where both the terms and conditions of the APP and the applicable privacy policy are permanently accessible, which includes all the information on how to exercise rights. Therefore, GLOVO alleges that, without wanting to justify the behavior of the agents who attended to the complainant that was not in accordance with GLOVO's internal policies, it is also not possible to ignore that the complainant did not use the expected channels for the exercise of rights. And that the above is relevant because, taking into account that this was a person with a minimum sensitivity towards data protection, sufficient to directly expose article 15 of the GDPR to request access to his personal data, he did not seem interested at any time in seeking official channels to request the information when he did not obtain it from customer care. At no time did the interested party contact GLOVO's Data Protection Department. In this sense, GLOVO understands that companies must indeed attend to the rights through any channel used by the interested party, but this obligation must be modulated, on the one hand because not any company email must be able to receive this type of requests subject to a response time, nor if the company has official channels for the exercise of rights can the interested parties ignore them to file claims or make requests through any channel, clearly knowing where they should go to do so. In short, it alleges that companies cannot be required to be diligent that can reach absurdity. If any type of exercise of rights could be accepted in any way, it could lead to the absurdity that a user could require the same delivery person who delivers their order to delete their data from the application. All organizations have different employees or collaborators for different functions and it is in no way acceptable to require any employee or collaborator to have the authority or capacity to manage the rights of interested parties; this would mean indiscriminate access to user data that would seriously violate all regulations for the protection of personal rights. In the present case, GLOVO understands that the same diligence that is requested of it to respond to any request through any channel, must also be requested of an interested party who knows the GDPR sufficiently to cite specific articles (as can be seen from the communications held), and therefore it should be considered to what extent it was also the obligation of the interested party to inform themselves of the channels that GLOVO expressly makes available to them for the exercise of their rights and to make use of them. In this regard, this Agency wishes to point out that in the present case the complainant made their request for access to their personal data through the channel that GLOVO makes available to respond to queries from delivery drivers, precisely. It is not a case of the complainant having made their request to “any employee or collaborator”, but rather that they addressed the channel specifically provided so that delivery drivers could direct their queries and requests. In fact, GLOVO itself already anticipated that such requests could be directed through this channel, which is why its own protocol indicated that they should be redirected to the corresponding department in order to be properly attended to. GLOVO even acknowledges that the agents who interacted with the complainant did not act as indicated by GLOVO's own protocol. In any case, GLOVO cannot claim that greater diligence and knowledge of the protection of personal data on the part of the person requesting an exercise of rights becomes a higher level of demand for him than for other users. For the reasons stated above, this claim is rejected. THIRD.- REGARDING THE KNOWLEDGE OF THE EXERCISE OF THE RIGHT AND THE IMMEDIATE ACTION OF GLOVO. THE ONE-OFF FAILURE TO COMPLY WITH INTERNAL PROCEDURES BY INDIVIDUAL EMPLOYEES AND THE DISPROPORTIONALITY OF THE PROPOSED SANCTION 3.1. Knowledge of the exercise of the right by the complainant and the immediate reaction of Glovo GLOVO claims that the Data Protection Department responsible for all aspects related to the privacy of the interested parties was not at any time aware of the right of access exercised by the complainant until the AEPD itself brought it to the company's attention on October 11, 2022. And that at that same moment, and after carefully reviewing the case, the complainant's request was immediately answered by providing C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 20/66 access to all relevant information, including the transcript of the mentioned conversation. After the information was sent to the interested party, there has been no other complaint or claim by the complainant, nor has there been any knowledge of any judicial or extrajudicial procedure initiated by the latter, despite the latter expressly indicating that this was the reason for requesting the information. Thus, it is understood that it must be taken into account that, despite having internal protocols and procedures duly implemented in the organization, in this specific case of the complainant, the agents in charge of providing Customer Support services did not comply with the established process. In this regard, this Agency has nothing to add to what has already been stated: that the complaining party was not properly provided with access until this Agency intervened and that the request for access was not duly redirected to the appropriate department. The fact that the complaining party submitted (or not) another complaint or claim or had initiated judicial or extrajudicial proceedings is, for the purposes of the present sanctioning procedure, irrelevant. Recital (59) of the GDPR provides that: “Methods should be put in place to facilitate the exercise of the rights of the data subject under this Regulation, including mechanisms for requesting and, where appropriate, obtaining free of charge, in particular, access to personal data and their rectification or erasure, as well as the exercise of the right to object. The controller should also provide means for requests to be submitted by electronic means, in particular where personal data are processed by electronic means. The data controller must be obliged to respond to the data subject's requests without undue delay and no later than within one month, and to explain its reasons if it is not going to respond to them." In this sense, it cannot be understood that only those requests for the exercise of rights that are made solely through the channels established by the data controllers in their privacy policies will be attended to. On the contrary, each data controller has the power to organize itself as it sees fit, provided that a satisfactory response is provided to the exercise of the rights requested by the interested parties, within the legally established period. But the organization that this data controller had foreseen cannot be an obstacle to the satisfaction of a right that the GDPR recognizes for the interested parties. In the present case, GLOVO had decided to centralize all requests for the exercise of rights related to the address gdpr@glovoapp.com. However, the fact that a particular request is addressed through a different channel does not imply that it should not be given a proper response, as the party responsible for the processing in question. In the present case, it cannot be denied that by communicating through the channel provided for handling delivery incidents, the complainant could reasonably expect that his request would be attended to. Furthermore, it seems reasonable in the eyes of this Agency that the complainant communicated with GLOVO through this C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 21/66 channel, which is the one specifically provided for requests from delivery drivers. On the contrary, this Agency considers that, in any case, it was GLOVO's obligation to duly attend to the request of the complainant, whether the customer service (to the delivery person) forwarded said request through the relevant channels to the department dedicated to this type of requests, or as it considered best. In this regard, in section 53 of the aforementioned Guidelines 01/2022 on the rights of interested parties - Right of access, the EDPB "...encourages data controllers to provide the most appropriate and user-friendly communication channels, in accordance with Article 12, paragraph 2, and Article 25, to allow the interested party to make an effective request. However, if the data subject makes a request through a communication channel provided by the controller that is different from the one indicated as preferable, the request will generally be considered effective and the controller should process the request accordingly (see examples below). Data controllers must make all reasonable efforts to ensure that the exercise of the data subject's rights is facilitated (for example, in the event that the data subject sends the data subject's request to an employee who is on leave, an automatic message informing the data subject about an alternative communication channel for his or her request could be a reasonable effort).” Therefore, this Agency insists that the channel used in the present case by the complainant, a channel that GLOVO itself provides to the delivery drivers as an appropriate means of contacting it, is a perfectly valid means to request the exercise of the rights recognized in the GDPR by the delivery drivers. And that it was GLOVO's obligation to properly address such a request, forwarding the request to the Department that the company determined as the most suitable to give a proper response, if applicable, or as the company considered best. In fact, GLOVO itself recognizes in its allegations that it already anticipated that such requests could be directed through this channel, which is why its own protocol indicated that they should be redirected to the corresponding department in order to be properly attended to. And GLOVO itself recognizes that the agents who interacted with the complaining party did not act as indicated by GLOVO's own protocol. Section 56 of the Guidelines cites as an example a case in which “a data controller X provides, on its website and in its privacy policy, two email addresses – the general email address of the data controller: contact@X.com and the email address of the data controller’s data protection contact point: requests@X.com. In addition, data controller X indicates on its website that in order to send any queries or requests regarding the processing of personal data, the data protection contact point must be contacted at the indicated email address. However, the data subject sends a request to the general email address of the data controller: contact@X.com. In this case, the data controller must make all reasonable efforts to ensure that its services are aware of the request, which was made via the general email address, so that it can be redirected to the data protection contact point and answered within the period established by the GDPR. Furthermore, the data controller cannot extend the period for responding to the request, only because the interested party has sent a request to the general email address of the data controller and not to the data protection contact point.” In this regard, this Agency understands that precisely the first example in section 56 of the aforementioned Guidelines is the case that occurred in the present case. The interested party (the complaining party) has sent his request for access via a generic channel provided by the company to which it is addressed. Therefore, the data controller (GLOVO) should have made all “reasonable efforts to ensure that its services are aware of the request, which was made via the general email, so that it can be redirected to the data protection contact point and answered within the period established by the GDPR”, as indicated in the aforementioned Guidelines, so that such request could be redirected to the corresponding data protection contact point, in order to be able to respond to it within the period established by the GDPR. Therefore, this Agency considers that the complaining party could “reasonably expect” that its request would be attended to. For all the reasons set out above, this claim is rejected. 3.2. Glovo's lack of negligence, non-compliance by agents and disproportionate sanction GLOVO claims that it is a company concerned about the privacy of the interested parties who interact with it, and for this purpose has implemented legal texts and privacy policies that provide detailed information on the data processing carried out, as well as the channels for addressing issues related to privacy and the exercise of rights. It also indicates that it has internal procedures aimed at ensuring that a specialized team, responsible for ensuring compliance with the regulations, correctly manages all the doubts, complaints, claims and exercise of rights of the interested parties. In this sense, it explains that this centralization has been prioritized with respect to potential mismanagement by a non-specialized department such as Customer Support, whose function is to resolve incidents in the provision of the service. The claimant alleges that in the specific case of the claimant's right of access, it cannot be said that there was intention or negligence in the actions of GLOVO. The company has designed a specific and specialized mechanism for dealing with these cases, and provides training to all its employees on data protection in general and rights management in particular. Therefore, the claimant understands that it cannot be denied that GLOVO employees are aware of the existence of a specific procedure. And that the failure to comply with the company's internal procedures by specific employees, who make a misinterpretation of how to deal with the claim, cannot be attributed in this case, under any circumstances, to negligence or intentionality on the part of GLOVO in this regard. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 23/66 GLOVO claims that, not counting the requests to exercise rights managed directly by the Customer Support Department, the Data Protection Department has managed 2,182 requests to exercise rights from interested parties in 2021, 6,396 in 2022 and 1,970 so far in 2023. Therefore, it insists that the procedures implemented by GLOVO are known, work and are effective. It explains that the present case depends exclusively on the non-compliance with these procedures by specific employees, a non-compliance that we understand cannot be attributed in any way to GLOVO, which has made, in its opinion, all necessary and reasonable efforts to ensure the correct attention to rights, even when the interested party does not use the specific channels available to it for this purpose. GLOVO also highlights that the management of the case with the complainant was not in any case friendly, having disrespected the first interlocutor with whom it dealt, which could affect the way in which the following agents in charge of providing Customer Support services communicated and how they managed their requests (which is in no case approved by GLOVO). In view of the above, GLOVO considers it unfair and disproportionate that, being diligent, responsible and sensitive in terms of data protection, it is intended to be fined with such a high amount (€15,000) for merely failing to comply, in the eyes of this Agency, incorrectly with a right of access, in which the ones who failed were agents of the Customer Support Department, and who are no longer even in the organization because the pertinent measures were taken after becoming aware of these facts. In this regard, this Agency wishes to point out that it is not enough for the data controller (in this case, GLOVO) to have action protocols to eliminate intentionality or negligence in its actions. Rather, it is the obligation of the data controller to ensure that such protocols are known and followed by all its employees. Furthermore, the negligent action of the employee does not exempt GLOVO from liability. The liability of the company in the field of sanctions for the negligent action of an employee that implies non-compliance with the data protection regulations has been confirmed by the jurisprudence of the Supreme Court. In this regard, it should be noted that the Supreme Court Judgment No. 188/2022 (Contentious Chamber, Section 3), of February 15, 2022 (rec. 7359/2020) indicates in its Fourth Legal Basis: “The fact that the action was negligent on the part of an employee does not exempt him from his responsibility as the person in charge of the correct use of the security measures that should have guaranteed the proper use of the data recording system designed. As we already held in STS No. 196/2020, of February 15, 2021 (rec. 1***QUANTITY.2/2020) the data controller is also responsible for the performance of its employees and cannot excuse itself for its diligent performance, separately from the performance of its employees, but rather it is the "guilty" performance of these employees, as a consequence of the violation of existing security measures, which founds the company's liability in the area of sanctions for "own" acts of its employees or positions, not of third parties." C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 24/66 The judgment goes on to argue about the liability of legal persons in our legal system: “…It simply happens that, since our Administrative Law admits the direct liability of legal persons, who are therefore recognized as having the capacity to infringe, the subjective element of the infringement is expressed in these cases in a different way than in the case of natural persons, so that, as the constitutional doctrine that we have previously outlined points out -SsTC STC 246/1991, of December 19 (F.J. 2) and 129/2003, of June 30 (F.J. 8)- the direct blame derives from the legal asset protected by the rule that is infringed and the need for said protection to be truly effective and by the risk that, consequently, must be assumed by the legal entity that is subject to compliance with this rule." (emphasis added by this Agency). Therefore, in the present case, the fact that the employees had (or had not) acted outside of what was established by the GLOVO protocol does not exempt the latter from its responsibility for its actions. In any case, at no time has this Agency attributed responsibility to GLOVO for the infringement of article 15 of the GDPR on the basis of intent, but rather its action with respect to this claim has been considered to have been seriously negligent. This claim is therefore rejected. FOURTH.- OTHER RELEVANT PROCEDURES GLOVO considers it appropriate to mention various AEPD resolutions linked to its activity in the care of rights: 1) EXP202305625: Filing of actions in relation to an exercise of data deletion. 2) EXP202301329: Filing of proceedings in relation to a data deletion exercise. 3) E/00917/2021: Filing of proceedings in relation to a deletion/modification of data. GLOVO claims that, in all three cases, the effective exercise of the right was untimely, due to different reasons that initially prevented its management. Although these are cases whose origin and purpose are different, they are attributable to errors that did not depend on the policies and procedures implemented by GLOVO, such as the present case, and yet in all cases the AEPD opted to filing the proceedings and not to initiate a sanctioning procedure. And GLOVO adds that the effective resolution of this case is the same as in the previous ones, since, at the moment that GLOVO became aware of the case, it immediately proceeded to address the right exercised by the claimant, so it understands that the resolution of the case by the AEPD should have been the same as in the previous situations. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 25/66 In this regard, this Agency wishes to emphasize that GLOVO itself recognizes that these are cases with a different origin and purpose from the case that gives rise to the present sanctioning procedure. Furthermore, the cases cited by GLOVO had been admitted for processing after more than three months had passed since their receipt (with a difference of days), pursuant to article 65 of the current LOPDGDD, but they were filed because in response to the aforementioned transfer, by virtue of the discretionary powers held by this Agency, it was considered appropriate not to initiate any sanctioning procedure. However, this does not prevent this Agency from initiating the appropriate preliminary investigation actions or a sanctioning procedure, in order to determine the possible existence of an infringement of the GDPR within the scope of its powers. In any case, regardless of any possible decisions that may have been previously adopted in response to a complaint filed with this Agency, in the present case we are dealing with a complaint filed by a citizen of a Member State of the European Union, for the performance of cross-border processing carried out by a controller located in another Member State, which affects citizens of more than one Member State of the European Union. Therefore, Article 60 of the GDPR requires the aforementioned Member States to reach a consensus regarding the possible decision to be adopted in respect of such a complaint. In the present case, the procedure established in the GDPR has been followed and an agreement has been reached with all the authorities involved to initiate sanctioning proceedings against GLOVO, with the scope set out in this document. Therefore, this claim is rejected. FIFTH.- ON THE EVOLUTION OF GLOVO GLOVO claims that the facts on which the AEPD is based to impose the proposed sanction are dated August and September 2021. And that since the first interactions with this Agency began, GLOVO has evolved a lot, increasing the members of its Data Protection Department, improving and adapting the protocols, measures (both legal, technical and organizational), guidelines and procedures that were already implemented in its organization, as well as creating new ones. All this with the aim of continuing to ensure the protection of the personal data of delivery drivers, as well as other categories of interested parties whose data it processes. It adds as proof of this that GLOVO's Data Protection Officer has been pre-selected in the “Best Privacy Culture Improvement Award” category of the prestigious PICCASO Privacy Awards Europe. And that GLOVO has recently become a collaborating company of the prestigious Spanish Professional Association of Privacy, which shows a firm and clear commitment of GLOVO to the privacy of its users and, ultimately, of its delivery people. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 26/66 In this regard, this Agency wishes to point out that the subject of this procedure is not the possible awards and recognitions that GLOVO or its Data Protection Officer may or may not have, but rather it is a matter of determining in the specific case whether GLOVO's actions may have infringed the provisions of article 15 of the GDPR. Therefore, this claim is rejected. In relation to the claims raised in relation to the proposed resolution of this sanctioning procedure, the following are answered in the order stated by GLOVO: FIRST.- REGARDING THE EVENTS THAT OCCURRED IN THE MANAGEMENT OF THE APPLICATION GLOVO claims that it has numerous technical and organizational measures in place to ensure compliance with the applicable regulations regarding data protection and, especially, attention to the rights of the interested parties. It is surprised that the AEPD limits itself, in its opinion, to concluding that the request was not duly attended to “regardless of the measures adopted” by GLOVO, rendering all these measures ineffective as if they did not exist. GLOVO indicates that these measures not only exist, but are effective in the vast majority of cases, recalling that it has managed 2,182 requests for the exercise of rights of interested parties in 2021, 6,396 in 2022, 3,059 in 2023, and 329 so far in 2024. To this end, it highlights that it has managed more than 17 requests per day, on average, only in the rights attention channel through the GDPR mailbox. GLOVO explains that at no time has it intended to reject that the present case was not attended to in time by the Data Protection Department, but it does consider that the sanctioning action of the AEPD is excessive, given what is argued in the request for information. In this regard, this Agency wishes to point out that it has in no way denied or "nullified" the measures that GLOVO may have adopted in terms of data protection, in relation to the issue that is the subject of the complaint. In fact, if these measures were not in place, there would not only be a violation of article 15 of the RGPD, but also very possibly the existence of other violations. Nor is it the purpose of this procedure to carry out an audit of the rights procedures that GLOVO has attended to. It is simply a matter of verifying that in the present case, the exercise of the complainant's right of access to his or her personal data has not been duly attended to, as requested, which has not been rejected by GLOVO itself. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 27/66 Finally, this Agency wishes to emphasize that in the present case it is not a question of the fact that such request was not attended to “in time”, but rather that such request would not have been attended to had this Agency not intervened, since the complainant was only provided with access to his/her data after having been requested information about the claim. GLOVO alleges that this claim is caused by a right of access exercised in the customer support chat provided to users of the platform intended to resolve incidents relating to its use, not in the channel intended to address data protection rights. It points out that the GLOVO Customer Service Department has managed almost 3 million cases between 2023 and 2024, which is more than 8,000 requests a day, and among them are requests to exercise rights under the RGPD that had to be communicated to the data protection team. And that this obligation to refer any request to exercise data protection rights to the Data Protection Department is communicated to all GLOVO employees and, especially, to the Live Ops Department responsible for the user service and support channels, among others, as has been accredited. However, given the multitude of cases that are managed, in this particular one, certain circumstances occurred that prevented correct management, such as, for example: - A previous conversation with an agent in which the interested party showed conduct, at the very least, reprehensible in which no right was exercised in this conversation. - A rights request that required the provision of the conversation held with the agent, a conversation that the Customer Service Department is not authorized to provide, the Data Protection Department being authorized to do so. - Other information related to GLOVO's operations and especially a discussion on the execution of the services provided by the complaining party, which led to the attention of the requests made and which was correctly attended to by the responsible agents. Therefore, GLOVO indicates that it was not only a request for access, but the coexistence of several requests at the same time, which caused the customer support service (i) to inform that it could not give access to the information (therefore, it did respond to the interested party's request) and, (ii) to focus on the attention of the rest of requests, which it could attend to, since the objective of this department is to manage the incidents and complaints of the users of the platform, which also includes incidents and complaints that the delivery people may have in relation to the execution of their services, and to help them in any way possible. In this regard, this Agency wishes to insist that the fact that the request was made through the GLOVO Customer Service Department is not an obstacle to the obligation to give a proper response to such a request remaining. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 28/66 This Agency also wishes to point out that the subject of this procedure is not the possible prior conversation that the complainant had with a GLOVO agent, nor the conduct (reprehensible or not) of the complainant, since in this conversation no request for access to personal data was made. Nor is the subject of this procedure the possible request by the complainant for “other information regarding GLOVO’s operations and especially a discussion about the execution of the services provided”. Simply, in this procedure, it is a matter of establishing that in this case the exercise of the complainant’s right of access to his or her personal data has not been duly attended to, as requested, which has not been rejected by GLOVO itself. The fact that the Customer Service Department was not authorized to provide the conversation between the complaining party and the GLOVO agent, but rather the Data Protection Department, is due solely and exclusively to GLOVO's ability to organize itself as it wishes and cannot be an obstacle to the proper attention to requests for access to the personal data of the interested parties. As GLOVO has managed numerous requests, many of which are requests to exercise rights under the GDPR, this Agency wishes to point out that the object of the present sanctioning procedure is the specific case outlined in the complaint that gave rise to it and that this has been taken into account when graduating the sanction. As regards the coexistence of several requests at the same time, this Agency wishes to clarify that (i) this Agency does not consider that a response was not given to the complainant, but rather that the exercise of the right was not properly attended to (i.e., information on his personal data was not provided), when this was GLOVO's responsibility. As regards GLOVO (ii) focusing on the other requests, this Agency reiterates that this is not the subject of this procedure. Regarding the fact that GLOVO's customer support service informed the complainant that it could not provide the requested conversation but that it correctly attended to the rest of the requests made, this Agency wishes to remind that, as stated in the proven facts of this resolution, on August 26, 2021 at 8:09 p.m. the complainant received an email from the address support@glovo.mail.kustomerapp.com in Polish, with the following content (unofficial translation): “Hello, A.A.A.! Thank you for contacting us. Your case has been transferred to another department. Once we have a response, we will pass it on to you. We hope that this information is useful, because we are always trying to take care of providing the highest quality in our service. You can count on us. Thank you for your trust. Glovo Customer Service.” And that on September 3, 2021 at 12:36 p.m. the complainant received an email from support@glovo.mail.kustomerapp.com in Polish, with the following content (unofficial translation): “Good morning, Unfortunately, we C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 29/66 cannot share such information with you. Can you specify what exactly you are requesting? We remind you that opening several chats may slow down your service time. We ask that you use a single chat for this request. Best regards, Glovo Team Glovo Customer Service”. That is, the GLOVO Customer Service Department would have transferred the complainant's request to another department, although this Agency does not know to whom it was transferred. However, when responding to the complaining party, the reasons for such denial are not indicated, but rather it is simply limited to indicating that "we cannot share this information with you", without further information on the matter. In any case, even in the event that several requests of a different nature had been made at the same time, this Agency considers that this is not an obstacle to the obligation to give a proper response to the request for access by the complaining party. Finally, GLOVO points out that, as will be explained later when discussing the aggravating circumstances referred to by the AEPD, the interested party did not insist at least three times that he wanted the requested information to be provided, meaning that he had to make three different requests, but rather it was always done within the same ticket, and always receiving the same response: the Customer Service Department cannot provide that information. In any case, GLOVO understands that there are two requests, a first one on August 26 at 7:56, indicating that it was requesting the conversation on August 17, along with other information related to the execution of its services, and a second request, on September 3 at 12:36, copying exactly the same previous request, but correcting the date of the requested conversation (initially it indicated that it was August 17, and later it rectified to indicate that it was August 19). It is therefore, in its opinion, always the same request, within the one-month period to respond, and that it was only repeated to correct the date of the requested conversation. It emphasizes that the rest of the issues related to the execution of the services by the complaining party were resolved. For all the above, GLOVO considers that this is a case that should be treated as a human error in management by a department that is not the one that should respond, GLOVO having taken all appropriate measures in its power to ensure that, in accordance with article 12.1 and 12.2 of the GDPR, the interested party is provided with any communication in accordance with articles 15 to 22, and to facilitate the exercise of their rights. It alleges that GLOVO cannot be required to do more than provide, to all departments that do not have functions linked to the management of data protection requests, clear instructions on how to proceed, and much less, liability for non-compliance by these persons in relation to said instructions. In this regard, this Agency wishes to point out that the fact that the communications of the complainant with the company were made through the same ticket is not indicative of anything, it is simply a way of organizing the company, like any other. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 30/66 In the present case, it is known that on August 19, 2021 at 12:31 p.m., the complainant sent a communication to the Customer Service Department with the following content (original Polish, unofficial translation): “Good morning, please send me the conversation with (...), B.B.B., to my email address, as it will be the basis of my legal case, if that does not happen, I will send you a court order.” That is, he made a first request for access to his personal data (in this case, the recordings of his conversation with a ***POST.1). GLOVO appears to be unaware of this first request from the complainant in its allegations, but the failure to cite Article 15 of the GDPR does not prevent its content from being a request for access to the complainant's personal data. Faced with the company's refusal to provide him with such information, and after a series of conversations on other issues, on August 26, 2021 at 07:56, the complainant again requested the GLOVO Customer Service Department to provide him with certain information from August 17, 2021 about him, this time based on Article 15 of the GDPR. On August 26, 2021, the complainant was informed that his case was transferred to another department and on September 3, 2021 at 12:36 p.m. he was informed that the requested information could not be provided. On September 3, 2021, the complainant indicated that he had made a mistake requesting information about himself from August 17, 2021, that what he wanted was information from August 19, 2021. And, again, the company informed him on September 6, 2021 that it could not provide him with such information. That is, in three different communications (from August 19, August 26, and September 3) the complainant had requested access to his personal data. Although it is true that all these communications were made within the month within which GLOVO had to respond, it is no less true that such communications existed, that the complainant requested access to his personal data on three occasions and that GLOVO responded three times that it could not provide such access, without giving further information on the matter. GLOVO itself has acknowledged this in its allegations by stating “having always received the same response: the Customer Service Department cannot provide this information.” As for the allegation that the rest of the issues related to the execution of the services by the complainant were resolved, this Agency has already insisted that this is not the subject of the present sanctioning procedure. Finally, this Agency wishes to point out that it strongly disagrees with GLOVO's statement that the Customer Service Department "is not the one that should respond" to a request for access to the personal data of a data subject and that it is a department that does not have "functions related to the management of data protection requests". On the contrary, this Agency considers that the Customer Service Department channel is a perfectly valid means for C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 31/66 exercising rights, so the complainant's request should have been attended to. It is not just a matter of giving him a (negative) response, but rather that he should have been given proper access to his personal data by directing his request through such a channel. This Agency does not have the power to establish how each company should be organized and which department should respond to the request for the exercise of rights, but it cannot be understood that a request directed to a generic address such as that of the Customer Service Department is not duly attended to (that is, that the exercise of the requested right is provided, not just a response that the requested right cannot be provided). As stated in the response to the allegations to the agreement to initiate the present sanctioning procedure, it cannot be understood that only those requests for the exercise of rights that are made only through the channels established by the data controllers in their privacy policies will be attended to. Rather, each data controller has the power to organize itself as it sees fit, provided that a satisfactory response is provided to the exercise of the rights requested by the interested parties, within the legally provided period. However, the organisation that this data controller had provided cannot be an obstacle to the satisfaction of a right that is recognised to interested parties by the GDPR. In the present case, GLOVO had decided to centralise all requests for exercising rights relating to the data subject at the address gdpr@glovoapp.com. However, the fact that a given request is addressed through a different channel does not mean that it should not be given a proper response, as the data controller in question. In the present case, it cannot be denied that by communicating through the channel provided for handling incidents involving delivery drivers, the complainant could reasonably expect that his request would be attended to. Moreover, it seems reasonable in the eyes of this Agency that the complainant communicated with GLOVO through this channel, which is the one specifically provided for requests from delivery drivers. On the contrary, this Agency considers that, in any case, it was GLOVO's obligation to properly attend to the request of the complainant, whether the customer service (to the delivery person) forwarded said request through the channels pertinent to the department dedicated to this type of requests, or as it considered best. Therefore, this Agency insists that the channel used in the present case by the complainant, a channel that GLOVO itself provides to the delivery people as an appropriate means to contact it, is a perfectly valid means to request the exercise of the rights recognized in the GDPR by the deliverers, forwarding the request to the Department that the company determined as the most appropriate to give a proper response, if applicable, or as the company considered best. Finally, as regards the fact that GLOVO cannot be held liable for the alleged failure by “these persons” in relation to “said instructions”, this Agency wishes to insist on what was said in the response to the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 32/66 allegations to the start-up agreement, in the sense that the fact that the employees had (or had not) acted outside of what was established by the GLOVO protocol does not exempt the latter from its liability for its actions. For all the reasons stated above, this claim is rejected. SECOND.- REGARDING THE NON-ATTENTION OF THE RIGHT OF ACCESS GLOVO alleges that the AEPD is initiating a sanctioning procedure against it for not attending to a right of access. And that technically, its request was answered, by indicating that “Unfortunately, we cannot share this information with you.” It indicates that, indeed, the delivery support team cannot directly provide this information to delivery people because GLOVO's own regulations establish this in order to ensure that any request for rights is correctly attended to in compliance with the GDPR. Therefore, the Agency requests that the AEPD re-evaluate the case taking this information into account, since it is not the same thing for an interested party to contact the Data Protection Department and not receive any response at all, as for a delivery person to make a request to a department that is not responsible for dealing with this type of request, and for said department to give him a response with which he was not satisfied. In this regard, this Agency insists that this Agency does not consider that a response was not given to the complainant, but rather that the exercise of the right was not properly attended to (i.e., the information about his personal data was not provided), when this was GLOVO's responsibility. In the present case, it is not that the complainant was not satisfied with the response provided, but that it was GLOVO's obligation to provide him with the requested information. This Agency would also like to stress that the fact that the Customer Service Department was not authorised to provide the complainant's conversation with the GLOVO agent, but rather the Data Protection Department, is solely and exclusively due to GLOVO's ability to organise itself as it wishes and cannot constitute an obstacle to the proper handling of requests for access to the personal data of interested parties. Finally, this Agency stresses that it strongly disagrees with GLOVO's assertion that the Customer Service Department should not respond to a request for access to the personal data of an interested party. On the contrary, this Agency considers that the Customer Service Department channel is a perfectly valid means of exercising rights, and therefore the complainant's request should have been handled. It is not just that a (negative) response was given to him, but that he should have been given proper access to his personal data by directing his request through such a channel. This Agency does not have the power to establish how each company should be organized and which department should respond to the request for the exercise of rights, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 33/66 but it cannot be understood that a request addressed to a generic address such as that of the Customer Service Department is not properly attended to (that is, that the exercise of the requested right is provided, not just a response that the requested right cannot be provided). As has already been stated, it cannot be understood that only those requests for the exercise of rights that are made solely through the channels established by the data controllers in their privacy policies will be attended to. Rather, each data controller has the right to organize itself as it sees fit, provided that a satisfactory response is provided to the exercise of the rights requested by the interested parties, within the legally established period. However, the organization that this data controller had provided cannot be an obstacle to the satisfaction of a right recognized to the interested parties by the GDPR. In the present case, GLOVO had decided to centralize all requests for the exercises of rights related to the address gdpr@glovoapp.com. However, the fact that a given request is directed through a different channel does not imply that it should not be given a proper response, as the controller of the processing in question. In the present case, it cannot be denied that by communicating through the channel provided for the attention of incidents of the delivery drivers, the complaining party could reasonably expect that its request would be attended to. Furthermore, it seems reasonable in the eyes of this Agency that the complainant communicated with GLOVO through this channel, which is the one specifically provided for requests from delivery drivers. On the contrary, this Agency considers that, in any case, it was GLOVO's obligation to duly attend to the complainant's request, whether the customer service (to the delivery driver) forwarded said request through the channels pertinent to the department dedicated to this type of requests, or as it considered best. Therefore, this Agency insists that the channel used in the present case by the complainant, a channel that GLOVO itself provides to delivery drivers as an appropriate means of contacting it, is a perfectly valid means to request the exercise of the rights recognized in the GDPR by delivery drivers. And it was GLOVO's obligation to arbitrate the internal mechanisms necessary so that this request for rights was, if applicable, forwarded to the channels that the company determined to be the most suitable to provide a proper response. GLOVO claims that the delivery person never contacted the Data Protection Department, despite: - (i) having signed a contract with GLOVO in which the address where the data protection rights can be exercised appears, - (ii) having accepted a privacy policy for the use of the app where the address for the exercise of data protection rights appears, - (iii) there being a specific portal for delivery people where they can find relevant information, including the privacy policy, which identifies the address for the exercise of data protection rights, and C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 34/66 - (iv) using an application to carry out their delivery services, with a specific section in which they can access the privacy policy, where the address for the exercise of data protection rights is identified. Therefore, GLOVO understands that it not only provided its delivery support service agents with the means, but also ensured that the delivery drivers had the appropriate information at all times to know where to go. GLOVO explains that it is aware that the regulator and the data protection authorities are advocating that interested parties may request their rights through any channel, as mentioned by the AEPD in the Proposed Resolution, but it is also true that it is not an absolute right, not all channels are per se valid, nor can an interested party be exempt from liability if, while being able to expressly mention article 15 of the GDPR (and not make a generic request such as "I want you to send me my data"), they do not even bother to look for the address for exercising their rights. GLOVO indicates that it is not that it does not look for it at first, but that it does not even try to do so when the Customer Service Department informs the delivery person, in a timely manner, that they cannot provide this information. It should be remembered that the Guidelines 01/2022 on the rights of interested parties mentioned by the AEPD indicate that “Data controllers must make all reasonable efforts to ensure that the exercise of the rights of the interested party is facilitated [...]”. GLOVO understands that it made reasonable efforts to ensure that the agents of the delivery support team could identify requests to exercise rights and either communicate them directly to the data protection department, or respond to the interested party with the address where to go, efforts that due to a human error were not reflected in reality. In short, just as it is accepted that an interested party may not choose to direct their request to the corresponding department, having more than accessible ways of obtaining the contact information, GLOVO understands that a human error must be understood as possible in the way of managing the response to a request to exercise rights by an agent who was dedicated to trying to resolve a series of incidents of said delivery person. And that, in addition, the interested party did not insist (as the AEPD has interpreted in its Proposed Resolution) on said right of access once he was informed that he could not be provided with said information, which only prevented the correction of the error committed by the agent of the department of support for the deliverers, who could understand that the delivery person considered his incident resolved, in general. In this regard, this Agency wishes to point out that the subject of this procedure is not what the agent of the department of support for delivery drivers could have understood about the incident raised by the complainant. It is simply a matter of stating that in the present case the exercise of the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 35/66 right of access by the complainant to his personal data, as he had requested, which has not been rejected by GLOVO itself, has not been duly attended to. This Agency insists that the channel used in the present case by the complainant, a channel that GLOVO itself provides to the delivery drivers as an appropriate means of contacting it, is a perfectly valid means of requesting the exercise of the rights recognized in the GDPR by the delivery drivers. And that it was GLOVO's obligation to duly respond to such a request, forwarding the request to the Department that the company determined to be the most appropriate to give a proper response, if applicable, or as the company considered best. Nor is it a question of the right of access being an “absolute right” or of “all channels being per se valid”, but in the present case it cannot be understood that a delivery person would contact the Customer Service Department, a channel intended to receive delivery persons’ requests, in order to request a right of access to their personal data, as it is not an ideal channel for this, as has already been explained in detail. At no time do the aforementioned Guidelines 01/2022 oblige interested parties to direct their requests to exercise rights solely and exclusively through the preferred channel for this, or even to look for it either at first or at a later time or when the company indicates that it cannot provide such information. Even though GLOVO tries to disassociate itself from the response provided by its Customer Service Department to the complainant, as if it were not a response provided by the company itself, this is still the case: it was GLOVO, through its Customer Service Department, that denied the information requested by the complainant. Furthermore, the complainant's request had supposedly been transferred to another department, as indicated in its response to the complainant on August 26, 2021. In any case, if the reason for such denial was that this Department was not authorized to provide it, but there was another authorized to do so, that information was not provided to the complainant either. What the aforementioned Guidelines 01/2022 do require, as GLOVO acknowledges, is that “Data controllers must make all reasonable efforts to ensure that the exercise of the rights of the interested party is facilitated [...]”. This Agency insists that recital (59) of the GDPR provides that: “Formulas must be established to facilitate the exercise of the rights of the interested party under this Regulation, including mechanisms to request and, where appropriate, obtain free of charge, in particular, access to personal data and its rectification or deletion, as well as the exercise of the right to object. The controller must also provide means for requests to be submitted by electronic means, in particular when personal data are processed by electronic means. The controller must be obliged to respond to the requests of the interested party without undue delay and no later than within one month, and to explain its reasons if it is not going to respond to them”. In this sense, it cannot be understood that only those requests for the exercise of rights that are made solely through the channels established by the data controllers in their privacy policies will be attended to. On the contrary, each data controller has the power to organize itself as it sees fit, provided that a satisfactory response is provided to the exercise of the rights requested by the interested parties, within the legally established period. However, the organization that this data controller had foreseen cannot be an obstacle to the satisfaction of a right that the GDPR recognizes for the interested parties. In the present case, GLOVO had decided to centralize all requests for the exercise of rights related to the address gdpr@glovoapp.com. However, the fact that a particular request is addressed through a different channel does not imply that it should not be given a proper response, as the party responsible for the processing in question. In the present case, it cannot be denied that by communicating through the channel provided for handling delivery incidents, the complainant could reasonably expect that his request would be attended to. Moreover, it seems reasonable in the eyes of this Agency that the complainant communicated with GLOVO through this channel, which is the one specifically provided for requests from delivery drivers. On the contrary, this Agency considers that, in any case, it was GLOVO's obligation to properly attend to the complainant's request, whether the customer service (for the delivery driver) forwarded said request through the channels pertinent to the department dedicated to this type of request, or as it considered best. In this regard, in section 53 of the aforementioned Guidelines 01/2022 on data subject rights – Right of access, the EDPB “…encourages data controllers to provide the most appropriate and user-friendly communication channels, in accordance with Article 12(2) and Article 25, to enable the data subject to make an effective request. However, if the data subject makes a request through a communication channel provided by the controller that is different from the one indicated as preferable, the request will generally be considered effective and the data controller should process the request accordingly (see examples below). Data controllers must make all reasonable efforts to ensure that the exercise of the rights of the interested party is facilitated (for example, in the event that the interested party sends the data request to an employee who is on leave, an automatic message informing the interested party about an alternative communication channel for his request could be a reasonable effort).” Therefore, this Agency insists that the channel used in the present case by the complainant, a channel that GLOVO itself provides to the delivery drivers as an appropriate means of contacting it, is a perfectly valid means to request the exercise of the rights recognized in the GDPR by the delivery drivers. And that it was GLOVO's obligation to duly respond to such a request, forwarding the request to the Department that the company determined as the most appropriate to give a proper response, if applicable, or as the company considered best. Section 56 of the Guidelines cites as an example a case in which “a data controller X provides, on its website and in its privacy policy, two email addresses – the data controller’s general email address: contacto@X.com and the email address of the data controller’s data protection contact point: solicitud@X.com. In addition, data controller X indicates on its website that in order to send any query or request regarding the processing of personal data, the data protection contact point must be contacted at the indicated email address. However, the data subject sends a request to the data controller’s general email address: contacto@X.com. In this case, the data controller must make all reasonable efforts to ensure that its services are aware of the request, which was made via the general email, so that it can be redirected to the data protection contact point and responded to within the period established by the GDPR. Furthermore, the data controller cannot extend the period for responding to the request, only because the interested party has sent a request to the general email of the data controller and not to the data protection contact point.” In this regard, this Agency understands that precisely the first example of section 56 of the aforementioned Guidelines is the case that occurred in the present case. The interested party (the complaining party) has sent his request for access through a generic channel provided by the company to which it is addressed. Therefore, the data controller (GLOVO) should have made all “reasonable efforts to ensure that its services are aware of the request, which was made via the general email, so that it can be redirected to the data protection contact point and answered within the period established by the GDPR”, as indicated in the aforementioned Guidelines, so that such request could be redirected to the corresponding data protection contact point, in order to be able to respond to it within the period established by the GDPR. Therefore, this Agency considers that the complaining party could “reasonably expect” that its request would be attended to. For all the reasons set out above, this claim is rejected. THIRD.- REGARDING THE OPENING OF A SANCTIONING PROCEDURE INSTEAD OF A PROTECTION OF RIGHTS GLOVO is surprised that the AEPD has chosen to directly initiate a sanctioning procedure in this case, taking into account that in the response to the request for information it was clearly proven that it had responded to the complaining party immediately once it became aware of the existence of its request, which happened once the AEPD sent it the request for information. In this regard, this Agency wishes to point out that the complainant requested access to his/her personal data on three occasions from the GLOVO Customer Service Department (on August 19, August 26 and September 3, 2021), a request that was denied all three times by GLOVO, and that was only duly attended to after the request for information was sent with the complaint to this AEPD. It is not true that GLOVO was not aware of the existence of his/her request, but rather, as the company itself has stated on multiple occasions in its allegations, such requests from the complainant were rejected by the company. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 38/66 GLOVO points out that it has not received any reaction from the complainant to the information it provided in response to the right of access, and therefore the complainant's right of access must be understood to have been fully respected. In this regard, this Agency wishes to highlight that the fact that the complainant has not reacted in any way since the information was provided on his personal data is absolutely no evidence of anything as to whether or not the right of access has been “fully respected”. In any case, this Agency has considered that GLOVO has responded to the complainant's right of access by email of November 14, 2022. GLOVO claims that if it did not respond earlier it was (i) because the interested party did not contact the appropriate department, (ii) because the Customer Service Department having responded, the delivery man did not insist on his claim or look for another alternative way to request the information - which could not be any other way than consulting the privacy policy or any of the other sources of information indicated in the SECOND allegation above -, where the specific and clear address to go to appears-, and (iii) because when filing his complaint with the Polish Data Protection Authority on September 30, 2021, the slowness of the "Internal Market Information System" (hereinafter, IMI System), did not allow GLOVO was not aware of the claim until October 11 of the following year, that is, 2022, even though it had admitted the claim for processing on June 24 of that same year. In this regard, (i) this Agency wishes to insist that it is not the obligation of the interested party to direct their requests to exercise rights through the channel preferred by the company responsible for processing. Furthermore, this Agency considers that the channel used in the present case by the complainant, a channel that GLOVO itself provides to the delivery people as an appropriate means of contacting it, is a perfectly valid means of requesting the exercise of the rights recognized in the GDPR by the delivery people. And that it was GLOVO's obligation to duly attend to such a request, forwarding the request to the Department that the company determined as the most appropriate to give a proper response, if applicable, or as the company considered best. (ii) Nor is it the obligation of the interested party to insist on his request or to seek an alternative way of requesting the information. It cannot be understood that the interested party is not provided with access to his personal data for not requesting it through the preferred channel of the company, but much less can it be understood that such information is not provided to him for not insisting on his request. In addition, as already mentioned, in the present case the complainant did insist on his request for access in three different communications with the company. (iii) As regards the fact that GLOVO was not able to respond to the request earlier due to the slowness of the Internal Market Information System, this Agency insists that the complainant insisted on three occasions on his request for access to his personal data, so that GLOVO had several opportunities to do so, long before the complainant submitted his claim or such claim was received by this Agency. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 39/66 GLOVO also indicates that there were means to ensure that a specific department, whose functions do not include responding to the rights of interested parties, forwards the information to the Data Protection Department, which is the sole and exclusive party responsible for responding to these requests, but that a human error prevented this communication from being effective. In this regard, this Agency reiterates that it considers that the channel used in the present case by the complainant, a channel that GLOVO itself provides to the delivery drivers as an ideal means of contacting it, is a perfectly valid means of requesting the exercise of the rights recognized in the GDPR by the delivery drivers. And that it was GLOVO's obligation to properly respond to such a request, forwarding the request to the Department that the company determined as the most suitable to give a proper response, if applicable, or as the company considered best. As for the Data Protection Department being the "sole and exclusive" party responsible for responding to these requests, this is due to the organizational power that GLOVO has and in no way can be an obstacle to properly responding to the rights of interested parties in terms of data protection. The interested party (in this case, the complaining party) contacted the company responsible for processing (GLOVO) and requested access to his or her personal data. And it was the data controller (GLOVO) who denied such access on three occasions, regardless of which Department did so. GLOVO continues to claim that it is surprised that, having responded to the interested party first by chat (although the response was not to the interest of the interested party or did not satisfy his claims, which was not communicated to the agent in question), and later officially by the Data Protection Department, the Agency decides to proceed with the initiation of a sanctioning procedure without even proposing the opening of a procedure for protection of rights. GLOVO is also surprised that, there being precedents among the resolutions of the AEPD in which, by responding late, a protection procedure has been closed without any sanction (when, by responding out of time, the GDPR has technically already been breached and therefore there is sanctioning capacity on the part of the AEPD), it has not accepted this solution in the present case, it being more than sufficiently proven that the AEPD has implemented, in its opinion, the necessary means to comply with the regulations. In this regard, GLOVO brings up the existence of procedures such as PS/00197/2019, where an interested party requested a right of cancellation directly from the controller, without receiving a response, and the AEPD: 1) Opened the protection procedure TD/01105/2018; 2) The respondent responded indicating that it answered the interested party by telephone; 3) The AEPD upheld the claim of the complaining party, urging the respondent to respond within 10 days; 4) The AEPD had to make a second request, almost two months later, since the respondent did not prove to the AEPD that it had given a response to the interested party; C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 40/66 5) Almost a year later, the AEPD agreed to initiate a sanctioning procedure because it had not been proven that the respondent had responded to the interested party; 6) In response to said sanctioning procedure, the respondent alleges that it did respond to the interested party after the protection procedure; 7) In conclusion, the AEPD not only does not sanction or warn the respondent, but it agrees to terminate the procedure “due to the nonexistence of facts that could constitute the infringement described in 83.5 e) of the GDPR”. Another, more recent case, which surprises GLOVO even more, is PD/00018/2024, in which: 1) An interested party requests a right of access. 2) The controller does not provide any response. 3) The interested party lodges a complaint with the AEPD who, via article 65.4 of Organic Law 3/2018, of December 5, on Data Protection and Guarantee of Digital Rights (hereinafter, "LOPDGDD", gave the respondent 10 days to submit allegations. 4) The respondent party did not respond to the complainant or even to the AEPD itself, but instead the AEPD continues to insist on giving the respondent even more time to respond to the interested party's right of access. In short, GLOVO does not know why, in the case of an alleged breach of article 15 to 22 of the GDPR, linked to the rights of the interested parties, the AEPD has not opened, as in previous cases, a rights protection procedure, or a rights procedure, granting GLOVO a certain period of time to comply with the obligation to comply with the right. GLOVO expresses its disagreement with the Agency's approach to this for having directly indicated a sanctioning procedure instead of a rights protection procedure. In this regard, this Agency wishes to emphasize that it does not consider that a response was not given to the complainant, but that the exercise of the right was not properly taken into account (i.e., the information on his personal data was not provided), when this was GLOVO's responsibility. And that there was also no obligation on the part of the interested party (the complainant) to inform the agent in question that his claim had not been satisfied (which, on the other hand, was obvious, since he had requested access to his personal data and the request had been denied). Furthermore, the issue in this case is not whether GLOVO's response to the request was satisfactory or not for the interested party (the complainant), but rather, in this sanctioning procedure, it is simply a matter of establishing that GLOVO did not comply with the obligation established in article 15 of the GDPR to properly attend to the exercise of the complainant's right of access to his personal data, as he had requested, which has not been rejected by GLOVO itself. As regards the reference to PS/00197/2019, this is a completely different case to the present case. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 41/66 To begin with, this is a sanctioning procedure for not having complied with the orders in the favorable resolution dated July 12, 2018 of the procedure for the protection of rights TD/01105/2018 against the respondent, which originated in a complaint submitted to this Agency on May 3, 2018 for a request for cancellation of personal data (deletion of the complainant's image from a YouTube video) dated March 5, 2018, which received no response. In other words, this is not a sanctioning procedure for not having properly attended to a request for the exercise of rights, but rather a sanctioning procedure was opened for not having proven that the orders in a previous procedure had been complied with. Furthermore, as is evident, at the time of the events the GDPR was not even applicable, but the infringed regulation was the repealed LOPD. For its part, the rights procedure PD/00018/2024 has its origin in a claim for a right of access to the clinical history of the complainant, which received no response, and in which, in addition to the GDPR, Law 41/2002, of November 14, basic regulation of the Autonomy of the Patient and of Rights and Obligations in Matters of Information and Clinical Documentation, is applicable. This Agency does not know what is causing GLOVO such surprise in this procedure, which is nothing more than a typical situation of a right of access not attended to in the due time, after which the interested party files a complaint with the AEPD, the latter forwards the complaint to the respondent, the respondent does not respond to this transfer (which is not obligatory, it should be remembered), the complaint is admitted for processing and in the same act the respondent is given 10 days to present allegations (following the provisions of the LOPDGDD), to finally issue a favorable resolution that orders the respondent to properly attend to the request of the complaining party. In this case, it is not a question of this Agency giving the respondent more and more time to attend to the request of the person who complains without reason, but rather that this Agency must follow a series of steps that the LOPDGDD establishes as a guarantee against whom the complaint is made, in order to issue a resolution that accepts the complaint filed. As for the possibility of this Agency having initiated a sanctioning procedure instead of a rights procedure, in no case does the regulation oblige, in the event of an exercise of rights not properly attended to, to initiate a so-called “rights procedure” instead of a sanctioning procedure. Or to follow a certain order, first initiating a rights procedure and then, upon its completion, initiating a sanctioning procedure. On the contrary, these are two paths independent of each other, which can take place simultaneously or alternatively. In the present case, GLOVO's failure to comply with Article 15 of the GDPR has been established, and a sanctioning procedure has therefore been initiated. In this regard, it is worth mentioning the National Court's ruling 3432/2009 of 18 June 2009, which is fully applicable to the present case, which states: “(…) E-Business argues in the claim that, given the denial of the complainant's right of access to his personal data, the AEPD cannot directly order the initiation of a sanctioning procedure, but must initiate the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 42/66 rights protection procedure provided for in RD 1332/1994 (in force until 18- 4-2008), in order to guarantee said access and resolve it within six months and, if the resolution is favorable, make the repeated access effective within ten days. This is how the Agency has been ruling in the procedures for the protection of rights, whose resolutions are attached as documents 1 to 14 with the claim, so that in view of the evidence that the AEPD has not followed the legally established procedure, we are faced with the nullity of full right established by article 62.1.e) of Law 30/1992. Indeed, it is article 18.2 of the LOPD which, under the name "protection of rights", indicates that the interested party who is denied, totally or partially, the exercise of the rights of (among others) access, may bring it to the attention of the AEPD, which must ensure the admissibility or inadmissibility of the denial. Adding ordinal 3 of the same article 48 that the maximum period in which the express resolution of protection of rights must be issued will be six months and the following 48.4 that, against the resolutions of the AEPD, a contentious-administrative appeal will proceed. Based on this, it is true that in the majority of occasions in which a private individual reports to the AEPD the non-compliance of the right of access exercised by him, said Administration initiates the procedure of protection of rights, regulated at present in articles 115 to 119 of RD 1720/20007, of December 21, as it appears to have been carried out in the fourteen procedures whose resolutions are attached as documentary evidence by the plaintiff entity. It is also true that the sanctioning procedure provided for in article 48 of the same LOPD, which can be initiated ex officio based on the infringements provided for in article 44 of said LO 15/1999, among others, for preventing or obstructing the exercise of the rights of access and opposition (Art 44.3 .e) is a procedure completely different from that of protection of rights, and with a different purpose, since while the latter is aimed at guaranteeing or protecting the indicated personal rights (access, opposition, rectification and cancellation) for the benefit of the holders of personal data, the sanctioning procedure seeks to determine and sanction the infringements committed and derived from non-compliance with the Data Protection Act. The clear distinction between such procedures for the protection of rights and sanctioning was already made clear in SAN 11-5-2001 (Rec. 12/2000), which reasons that one thing is the procedure regulated in Art. 17 of RD 1332/1994, which is established to guarantee the rights of access, rectification and cancellation, through the creation of a claim system resolved by the AEPD, its resolution being appealable through administrative litigation; and quite another is the opening of a sanctioning procedure, which can even be done ex officio, and for which Art. 47 of LO 5/1992 (Art. 48 LOPD ), developed by Art. 18 of RD 1332/1994, enables. These are two different procedures, which serve different purposes, so there cannot be a violation of the principle non bis in idem or the principle of legal certainty. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 43/66 In similar terms, our SAN 26-1-2006 (Rec. 441/2004) also indicates that although the protection procedure is not a sanctioning procedure, it may have, and in fact sometimes has, sanctioning implications for the person concerned. When the Administration upholds a claim, as is the case here, it is declaring that the effectiveness of one of the rights that affect the essential core of the fundamental right recognized in article 18.4 of the Constitution - the habeas data or habeas scriptum - has been denied and among the serious infractions included in Art. 44 of Law 15/1999, is that of preventing or obstructing the exercise of the rights of access and opposition and the refusal to provide the information that is requested, so that the declaration of the Administration may have the consequence of opening a subsequent sanctioning procedure. FOURTH.- What is raised in this litigation by E-Business, however, is not the distinction and compatibility of both procedures provided for in the LOPD but whether, in the lack of response to one of these rights (access, cancellation and rectification) by the person responsible for the file, the AEPD must necessarily resort to the rights protection procedure or may also alternatively, or even simultaneously, request the initiation of a sanctioning procedure. It was the SAN, Sec. 1ª, 14-12-2006 (Rec. 165/2005) that resolved the dilemma, declaring that the initiation of a procedure for the protection of the rights of the injured party is not an obstacle to the imposition of the sanction, since both paths can be developed in parallel. The appellant there had filed a complaint with the AEPD against a Savings Bank for lack of any response to the exercise of the right of access to his data. The AEPD issued a resolution declaring the filing of proceedings in relation to the infringement of article 15 of the LOPD, on the grounds that the protection of the right of access is achieved through the procedure for the protection of rights contained in LO 15/1999, and not through the imposition of sanctions. The administrative appeal against this resolution is upheld by the aforementioned judgment, which orders the retroactive action of the procedure so that the Agency may issue the appropriate resolution, in relation to the violation of the indicated right of access of article 15 of Organic Law 15/1999. The Court, after reiterating its doctrine that there does not seem to be a greater impediment to the exercise of the right of access than the absolute disregard (lack of response) to it, rendering said right useless or completely ineffective, concludes that the right that the appellant has under article 17.1 of RD 1332/1994, consisting of requesting the AEPD to carry out the rights protection procedure, is not incompatible with the imposition of sanctions for the failure to provide information. (…) It is necessary to point out, concludes the same judgment, that in the petition of the complaint made by the appellant, there was express mention of the possibility of initiating the procedure for the protection of rights, but, however, the Agency chose to initiate only one procedure, the sanctioning one, and what does not make sense is, now, to force the appellant to initiate a new procedure for the protection of rights when there has been a serious disregard by the credit institution of its obligations regarding data protection. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 44/66 Doctrine fully applicable to the case now in dispute and which prevents this Court from heeding the claim of E-Business taking into account that it has been proven in the proceedings that the complainant requested access to his personal data from said entity, on 24-11-2005, 12-12-2006 and 27-12-2006, requests for access that are not recorded as having been answered by said appellant. (…)” In any case, in the present case we are dealing with a claim presented by a citizen of a Member State of the European Union, for the performance of a cross-border processing carried out by a data controller located in another Member State, which affects citizens of more than one Member State of the European Union. Therefore, Article 60 of the GDPR requires the Member States to reach a consensus regarding the possible decision to be taken with respect to such a claim. In the present case, the procedure established in the GDPR has been followed and an agreement has been reached with all the authorities involved to initiate a sanctioning procedure against GLOVO, with the scope set out in this document. For all the reasons stated above, this claim is rejected. FOURTH.- REGARDING THE FAILURE TO TRANSFER THE COMPLAINT TO THE DATA PROTECTION OFFICER GLOVO claims that it is surprised that the AEPD did not apply in this case the possibility offered by the LOPDGDD to forward any complaint to the data protection officer before deciding whether to admit it for processing, in accordance with article 65. It adds that the AEPD knows that GLOVO's Data Protection Officer, as well as the Data Protection Department that she heads, has always had the intention of collaborating with any procedure or inspection carried out by this Agency. It claims that, in this case, prior communication to the Data Protection Officer would have allowed the information to be provided to the complaining party more quickly (since the AEPD was informed of the complaint through the IMI system on February 24, 2022). Likewise, it could have held a dialogue on the causes of the case and the mechanisms implemented by GLOVO to prevent similar cases in a more constructive way than through a sanctioning procedure (again, not even for the protection of rights), in which the AEPD does not take into full consideration all the work carried out by GLOVO. In any case, GLOVO indicates that it is aware that article 65.4 of the LOPDGDD only offers the AEPD the power to carry out this action, without it being obligatory in any case. In this regard, this Agency wishes to point out that the possibility established in article 65.4 of the LOPDGDD for this Agency to transfer the claim to the data protection officer, refers to claims submitted to the Spanish Data Protection Agency, in accordance with article 65.1 of the LOPDGDD. In the present case, the claim was submitted to the Polish data protection authority, that is, the AEPD acted as a consequence of the communication sent by the supervisory authority of another Member State of the European Union, in accordance with the provisions of article 65.5 of the aforementioned LOPDGDD, so that the claim could not be transferred to GLOVO before the aforementioned claim was admitted for processing. In any case, as GLOVO itself has acknowledged in its allegations, the possibility of forwarding the claim to the Data Protection Officer established in article 65.4 of the LOPDGDD is a power of the AEPD to carry out this action, without it being obligatory in any case. Therefore, this allegation is rejected. FIFTH.- ON THE GUILT OR NEGLIGENCE OF GLOVO GLOVO indicates that the AEPD alleges that “the negligent action of the employee does not exempt the defendant from liability”, relying on the Supreme Court Judgment No. 188/2022 (Contentious Chamber, Section 3a), of 15 February 2022 (rec. 7359/2020). However, the AEPD ignores a key element, which is that, in this case, the request made by the complainant was not made through official channels and communicated to the interested parties, but rather it was made through a support chat for the delivery person which, as explained, is not intended to address the rights of the interested parties. In this regard, this Agency wishes to insist that it is not the obligation of the interested party to direct their requests to exercise rights through the channel preferred by the company responsible for processing. In addition, this Agency considers that the channel used in the present case by the complainant, a channel that GLOVO itself provides to the delivery people as an ideal means of contacting it, is a perfectly valid means to request the exercise of the rights recognized in the RGPD by the delivery people. And that it was GLOVO's obligation to properly respond to such a request, forwarding the request to the Department that the company determined as the most suitable to give a proper response, if applicable, or as the company considered best. GLOVO claims that having made the request for access to its personal data through a support chat to the delivery person is key when evaluating the company's guilt in relation to the management of rights, since this is not, in its opinion, evaluating whether an agent with data protection rights functions has complied or not with his obligations, and therefore, can be directly linked to the legal asset protected by the rule. Rather, it is, in its opinion, a department with other different functions, which has internal rules to ensure that the Data Protection Department can comply with the obligations of the GDPR. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 46/66 In this regard, GLOVO cites Guidelines 01/2022 on the rights of interested parties which indicate that “Data controllers must make all reasonable efforts to ensure that the exercise of the rights of the interested party is facilitated [...]”. Regarding this quote, GLOVO says that the AEPD indicates that the channel used by the complainant is a perfectly valid means to request the exercise of the rights recognized in the RGPD by the delivery people, adding that it was GLOVO's obligation to arbitrate the internal mechanisms necessary so that this request for rights was forwarded to the channels that the company determined as the most suitable to give a proper response. And the AEPD adds, furthermore, that “In this regard, this Agency wishes to point out that it is not enough for the data controller (in this case, the respondent party) to have action protocols to eliminate intentionality or negligence in its actions. Rather, it is the obligation of the data controller that such protocols are known and followed by all its employees.” GLOVO understands that it has already been proven, with all the information and documentation provided in the allegations to the agreement to initiate the present sanctioning procedure, that these necessary internal mechanisms existed and had been effectively communicated. He adds that this is once again proven by providing the protocol of action that the agents in charge of providing customer support services, and managed by the Live Ops Department, had to follow in the event of receiving GDPR rights requests (DOCUMENT 1 of these allegations) and the training carried out by GLOVO's Data Protection Department to the Live Ops Department, the team in charge of managing the customer support agents, where the management of the data protection rights of its users (including delivery drivers) by the agents was explained in particular (DOCUMENT 2 of these allegations), without prejudice to other documents provided throughout the procedure. GLOVO indicates that it does not know how else its existence and communication, or its effectiveness, can be accredited, but what is evident, in its opinion, is that the AEPD cannot expect GLOVO to make disproportionate and unreasonable efforts by individually and daily going after each agent of the delivery support department to ensure that they comply with its procedures. Nor can it expect that, by having communicated an internal procedure and clear instructions, an employee cannot make a human error in its application, precisely because it is a human and not an automated technological system. In this regard, this Agency wishes to insist that the channel used in the present case by the complainant, a channel that GLOVO itself provides to the delivery drivers as an ideal means of contacting it, is a perfectly valid means of requesting the exercise of the rights recognized in the GDPR by the deliverers. And that it was GLOVO's obligation to properly respond to such a request, forwarding the request to the Department that the company determined as the most suitable to give a proper response, if applicable, or as the company considered best. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 47/66 And that in the present case it cannot be understood that a delivery person would contact the Customer Service Service, a channel intended to receive requests from delivery people, in order to request a right of access to their personal data, it is not an ideal channel for this, as has already been explained at length. It is reiterated that at no time do the aforementioned Guidelines 01/2022 oblige interested parties to direct their requests to exercise rights solely and exclusively through the preferred channel for this, nor even to look for it either at first or at a later time or when the company indicates that it cannot provide such information. Even though GLOVO tries to disassociate itself from the response provided by its Customer Service Department to the complainant, as if it were not a response provided by the company itself, this is still the case: it has been GLOVO through its Customer Service Department that has denied the information requested by the complainant. Furthermore, the complainant's request had supposedly been transferred to another department, as indicated in its response to the complainant on August 26, 2021. In any case, if the reason for such denial was that this Department was not authorized to provide it, but another one was authorized to do so, this information was not provided to the complainant either. What the aforementioned Guidelines 01/2022 do require, as GLOVO recognizes, is that "Data controllers must make all reasonable efforts to ensure that the exercise of the rights of the interested party is facilitated [...]." This Agency insists that recital (59) of the GDPR provides that: “Formulas should be established to facilitate the exercise by the interested party of his rights under this Regulation, including mechanisms for requesting and, where appropriate, obtaining free of charge, in particular, access to personal data and their rectification or deletion, as well as the exercise of the right to object. The controller should also provide means for requests to be submitted electronically, in particular when personal data are processed electronically. The controller should be obliged to respond to requests from the interested party without undue delay and no later than within one month, and to explain its reasons if it is not going to respond to them.” In this sense, it cannot be understood that only those requests for the exercise of rights that are made solely through the channels established by the controllers in their privacy policies will be attended to. On the contrary, each data controller has the right to organize itself as it sees fit, provided that a satisfactory response is provided to the exercise of the rights requested by the interested parties, within the legally established period. However, the organization that this data controller had provided cannot be an obstacle to the satisfaction of a right recognized to the interested parties by the GDPR. In the present case, GLOVO had decided to centralize all requests for exercises of rights related to the address gdpr@glovoapp.com. However, the fact that a given request is directed through a different channel does not imply that a proper response should not be given, as the controller of the processing in question. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 48/66 In the present case, it cannot be denied that by communicating through the channel provided for handling incidents for delivery drivers, the complainant could reasonably expect that his request would be attended to. Moreover, it seems reasonable in the eyes of this Agency that the complainant communicated with GLOVO through this channel, which is the one specifically provided for requests from delivery drivers. On the contrary, this Agency considers that, in any case, it was GLOVO's obligation to duly attend to the request of the complainant, whether the customer service (for the delivery driver) forwarded said request through the channels pertinent to the department dedicated to this type of requests, or as it considered best. In this regard, in section 53 of the aforementioned Guidelines 01/2022 on the rights of data subjects - Right of access, the EDPB “…encourages controllers to provide the most appropriate and user-friendly communication channels, in accordance with Article 12(2) and Article 25, to enable the data subject to make an effective request. However, if the data subject makes a request through a communication channel provided by the controller that is different from the one indicated as preferred, the request will generally be considered effective and the controller must process the request accordingly (see examples below). Data controllers must make all reasonable efforts to ensure that the exercise of the rights of the interested party is facilitated (for example, in the event that the interested party sends the data request to an employee who is on leave, an automatic message informing the interested party about an alternative communication channel for his request could be a reasonable effort).” Therefore, this Agency insists that the channel used in the present case by the complainant, a channel that GLOVO itself provides to the delivery drivers as an appropriate means to contact it, is a perfectly valid means to request the exercise of the rights recognized in the GDPR by the delivery drivers. And that it was GLOVO's obligation to properly respond to such a request, forwarding the request to the Department that the company determined as the most appropriate to give a proper response, if applicable, or as the company considered best. Section 56 of the Guidelines cites as an example a case in which “a data controller X provides, on its website and in its privacy policy, two email addresses – the data controller’s general email address: contact@X.com and the data controller’s data protection contact point email address: requests@X.com. In addition, data controller X indicates on its website that in order to send any query or request regarding the processing of personal data, the data protection contact point must be contacted at the indicated email address. However, the data subject sends a request to the data controller’s general email address: contact@X.com. In this case, the data controller must make all reasonable efforts to make its services aware of the request, which was made through the general email address, so that it can be redirected to the data protection contact point and answered within the period established by the GDPR. Furthermore, the data controller cannot extend the deadline for responding to the request, only because the data subject has sent a request to the general email address of the data controller and not to the data protection contact point.” In this regard, this Agency understands that the first example in section 56 of the aforementioned Guidelines is precisely the case that occurred in the present case. The data subject (the complaining party) has sent his request for access through a generic channel provided by the company to which it is addressed. Therefore, the data controller (GLOVO) should have made all “reasonable efforts to ensure that its services are aware of the request, which was made via the general email, so that it can be redirected to the data protection contact point and answered within the time limit established by the GDPR”, as indicated in the aforementioned Guidelines, so that such request could be redirected to the corresponding data protection contact point, in order to be able to respond to it within the time limit established by the GDPR. Therefore, this Agency considers that the complaining party could “reasonably expect” that its request would be attended to. As regards GLOVO's claim that the AEPD cannot expect the company to make disproportionate and unreasonable efforts by individually and daily going after each agent in the delivery support department to ensure that they comply with its procedures, at no time has this Agency affirmed such a thing. It is not a question of the data controller making disproportionate and unreasonable efforts, but rather that the company must ensure that requests to exercise rights are duly attended to. Expecting a Customer Service Department to properly process a request of this type is not disproportionate or unreasonable, since it is a channel intended to receive requests of all kinds. For this reason, agents must be able to identify, channel and duly respond to such requests, which has not occurred in the present case. GLOVO claims that the AEPD's sanctioning activity is attempting to assume that, when an interested party requests a right through a channel that is not specifically provided for by the company for this purpose, the obligation to arbitrate the necessary internal mechanisms results in an obligation of result, while both the aforementioned guidelines and the GDPR itself configure it as an obligation of means, in the same way as it happens in relation to security measures, an aspect that is precisely dealt with in the same STS 188/2022 referenced above. GLOVO explains that the GDPR establishes in its article 12 that "The data controller shall take appropriate measures to facilitate the interested party [...] any communication in accordance with articles 15 to 22", and continues indicating that "The data controller shall facilitate the interested party's exercise of their rights under articles 15 to 22". And that the aforementioned STS 188/2022 also resolves this in its legal basis THIRD in relation to the security measures, equally extrapolable to the technical and organizational measures that the data controller establishes for the attention of the data protection rights of the interested parties: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 50/66 “The obligation to adopt the necessary measures to guarantee the security of personal data cannot be considered an obligation of result, which implies that if a leak of personal data to a third party occurs, there is liability regardless of the measures adopted and the activity carried out by the data controller or the data processor.” It alleges that GLOVO (i) has taken the appropriate measures to facilitate communication with the interested party, and (ii) facilitates the interested party's exercise of their rights. It understands that the interpretation of article 12, together with Guidelines 01/2022, cannot lead to any other consideration than that, especially when a request has been sent to a department that is not appropriate to address the rights of the interested parties, the only obligation of the data controller is to ensure the implementation ("arbitrate", in the words of the Guidelines) of internal mechanisms necessary for the request to be forwarded to the appropriate channels to provide a response. It is therefore an obligation of means, in these cases, and not of results, in relation to compliance with article 15 of the GDPR. GLOVO claims that it was not the function of the Customer Service Department to provide the delivery person with a response to the right of access, which in fact was indicated to the complaining party, when they were informed that they could not provide them with such information. In this regard, this Agency wishes to point out that at no time has this Agency stated that compliance with Article 15 of the GDPR is an obligation of result, far from it. However, this Agency insists that it is not the obligation of the interested party to direct their requests to exercise rights through the channel preferred by the company responsible for processing. And that this Agency considers that the channel used in the present case by the complainant, a channel that GLOVO itself provides to the delivery people as an appropriate means to contact it, is a perfectly valid means to request the exercise of the rights recognized in the RGPD by the delivery people. And that it was GLOVO's obligation to properly attend to such a request, forwarding the request to the Department that the company determined as the most suitable to give a proper response, if applicable, or as the company considered best. As regards GLOVO (i) having taken the appropriate measures to facilitate communication with the interested party, and (ii) facilitating the interested party in exercising their rights, this Agency understands that these statements refer to the channel established as the preferred means, since it insists on numerous occasions that the Customer Service is not the ideal means to exercise such rights, even though its own documents intended for this area provide that such requests take place. This Agency considers that having responded in the present case to the complaining party that the requested data could not be provided, without giving them further information in this regard, cannot be understood as GLOVO having “facilitated communication with the interested party” or “the exercise of their rights”. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 51/66 This Agency wishes to insist that it does not consider that a response was not given to the complainant, but rather that the exercise of the right was not properly attended to (i.e., the information on his personal data was not provided), when this was GLOVO's responsibility. GLOVO continues to argue that it cannot be considered otherwise when this case depended on the actions of a person, where it is not possible for the rule to establish an obligation of result, there being countless reasons that can lead to an error. GLOVO explains that human error is something that is known and studied empirically. And that in any human activity there are environmental, personal and statistical factors that configure the level of probability that an error will occur. And that this risk is calculable using a simple mathematical formula. In fact, human error is something so human that the Ministry of Labor and Social Affairs itself has had, for more than 25 years, a series of technical notes on human reliability, among which the NTP 360 stands out, on basic concepts, the NTP 377, where different analysis methods are studied, or the NTP 401, on quantification methods. Three technical notes dedicated exclusively to human error. GLOVO claims that, indeed, it is a one-off error in the management of a ticket that dealt with different incidents, in which a response was accepted that, although a response, was not the one expected by the interested party or by the regulations of GLOVO. It explains that it is not an error in an information system, or a mechanical valve that must be opened or closed, nor a systemic failure or derived from corporate negligence. Rather, it was a mistake made by a person, mistakes that happen in any company, which are unpredictable and cannot be controlled or prevented. Just as it happens with security measures when, having applied those that were considered appropriate, they are ineffective against a computer attack committed by cybercriminals who have obtained access credentials to the systems through a previous phishing attack, so that they can access legitimately without being detected by security systems, firewalls, antivirus, successfully perpetrating the security incident. GLOVO explains that in the present case there may be thousands of factors that imperceptibly affect the human being and cause an error in the execution of his obligations. Stress, fatigue, external aspects of his private life, repetition, are factors that can lead a person to make a mistake. And that the error that cannot be foreseen or prevented, simply happens, but definitely this error that meant that the interested party received insufficient information (he was told that the information could not be provided, but he was not redirected to the Data Protection Department) cannot constitute a sanctionable act for the person responsible, and even less so when GLOVO (i) developed internal, general data protection and specific data management procedures in LiveOps for the attention of the rights of the interested parties, (ii) trained the delivery person service department on data protection and the attention of rights, and (iii) made available to all interested parties multiple ways of ensuring that they could obtain information on how to exercise their data protection rights (delivery person contract, privacy policy, delivery person portal, legal texts in the application, website...). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 52/66 GLOVO also reminds us that we must not forget the large volume of requests for the exercise of rights and the resolution of queries and incidents that it receives, the percentage of which is very significant when they are successfully addressed. In short, GLOVO concludes that, as proven, it is an obligation of means, because this is deduced from the regulations and Guidelines 1/2022, and because it cannot be otherwise, the company took all reasonable and necessary measures to ensure that the agents knew that they should redirect these requests to the Data Protection Department. But simply in this case, it did not happen, due to a human error, equivalent to a zero-day vulnerability in a computer system. And that this is not foreseeable, nor can it be prevented or avoided. GLOVO does not dispute that, in fact, the request was not sent to the Data Protection Department. But it alleges that this infringement is not related to compliance with the GDPR, but to GLOVO's internal regulations, caused by a human error by an employee that, in no case, can be attributed to the person responsible or derive legal liability from him. And that GLOVO adopted technical and organizational means and deployed diligent activity in the implementation and use of these to achieve the expected result, hoping that the diligence of its employees will facilitate this. In this regard, this Agency wishes to insist that it does not consider that a response was not given to the complainant, but rather that the exercise of the right was not properly attended to (that is, the information on the complainant's personal data was not provided), when this was GLOVO's responsibility. As regards the fact that in the present case it was a one-off error by an employee, this Agency wishes to remind that, as stated in the proven facts of this resolution, on August 19, 2021 at 12:31 p.m., the complainant sent a communication to the Customer Service Department with the following content (in Polish the original, unofficial translation): “Good morning, please send me the conversation with (...), B.B.B., to my email address, as it will be the basis of my legal case, if that does not happen, I will send you a court order.” That is, he made a first request for access to his personal data (in this case, the recordings of his conversation with a ***POST.1). GLOVO appears to not be aware of this first request from the complainant in its pleadings, but the fact that it fails to cite Article 15 of the GDPR does not prevent its content from being that of a request for access to the complainant's personal data. In response to this request, the company replied to the complainant on August 19, 2021 at 3:30 p.m. in Polish, with the following content (unofficial translation): “Good morning, thank you for contacting Glovo. Unfortunately, we cannot share the conversation or its fragments with you. Please let us know what your problem is with our ***POST.1. Best regards, Glovo Customer Service.” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 53/66 Given the company's refusal to provide such information, and after a series of conversations on other issues, on August 26, 2021 at 07:56 hours, the complainant again requested the GLOVO Customer Service Department to provide him with certain information from August 17, 2021 about him, this time based on article 15 of the GDPR. On August 26, 2021, the complainant was informed that his case was transferred to another department and on September 3, 2021 at 12:36 hours he was informed that the requested information could not be provided. On September 3, 2021, the complainant indicated that he had made a mistake by requesting information about himself from August 17, 2021, that what he wanted was information from August 19, 2021. And, again, the company informed him on September 6, 2021 that it could not provide him with such information. That is, in three different communications (on August 19, August 26, and September 3) the complainant had requested access to his personal data. And all three times GLOVO responded that it could not provide him with such access, without giving further information on the matter. GLOVO itself has acknowledged this in its allegations. Moreover, on September 3, 2021 at 12:36 p.m. the complaining party received an email from support@glovo.mail.kustomerapp.com in Polish, with the following content (unofficial translation): “Good morning, Unfortunately, we cannot share such information with you. Can you specify what exactly you are requesting? We remind you that opening multiple chats may slow down your service time. We ask you to use only one chat for this request. Best regards, Glovo Team Glovo Customer Support”. This Agency understands that in the present case it is not possible to understand that a human error occurred due to “stress, fatigue, external aspects of your private life, repetition…”. On three different occasions, on three different days, and even after the issue had been analyzed by two different departments (the request from the complainant had been transferred to another department, according to the company), GLOVO's response had always been the same: that it could not provide the complainant with such information, when it was GLOVO's obligation to provide it. GLOVO cites here Procedure PD/00078/2023, for the resolution of rights procedures, which addresses, among others, the obligation to respond to the request through any channel: “The aforementioned rules (NOTE: articles 15 to 22 RGPD and 12 LOPDGDD) do not allow the request to be ignored as if it had not been raised, leaving it without the response that those responsible must obligatorily issue, even in the case that there is no data in the files or even in those cases in which it does not meet the requirements provided, in which case the recipient of said request is equally obliged to request the correction of the deficiencies observed or, where appropriate, deny the request with reasons indicating the reasons for which that it is not appropriate to consider the right in question.” In this regard, GLOVO indicates that a response was given, and the complainant was told that the requested information could not be provided, which only deepens the fact that the company has implemented the necessary internal mechanisms so that the agents of the Customer Service Department who provide support to the delivery person know that they cannot attend to the rights of the interested parties and the request was forwarded to the Data Protection Department where they could request such information, as required by the internal mechanisms implemented by GLOVO, both at the level of internal regulations and as a training initiative for its employees (see the documents “Protocol for Action in the event of GDPR requests from Glovo users, couriers or any data subject” or the “Training GDPR - Live Ops 2021”, both provided to this procedure in GLOVO's previous response to the AEPD, and which are provided again as DOCUMENTS 1 and 2 of these allegations). Although, again and due to human error, this was not done in the case of the complainant. GLOVO also claims that in the aforementioned procedure PD/00078/2023, the respondent was not sanctioned, but was given a period of 10 days to proceed to address the requested right of access. In this regard, this Agency wishes to insist that it does not consider that a response was not given to the complainant (as in the case of PD/00078/2023), but rather that the exercise of the right was not properly attended to (i.e., the information on her personal data was not provided), when this was GLOVO's responsibility. And that, regardless of the measures adopted by GLOVO, in the present case the complainant made numerous communications requesting his right of access to data about him, even referring to article 15 of the RGPD, a request that was not duly attended to. As regards the fact that it was a “human error”, this Agency reiterates that it cannot be considered as such the fact that it responded that the requested information was not provided to the complainant on three different occasions, on different days and after the matter was analyzed by two different departments of the company. Furthermore, this Agency cannot understand why GLOVO cites in its allegations PD/00078/2023 in which the right of the complainant to access the recordings of his conversations with the respondent company is precisely recognized and upholds the claim, ordering the respondent to provide the requested access. As regards the decision not to initiate a sanctioning procedure in this case, this Agency reiterates that in no case does the regulation oblige, in the event of an exercise of rights not duly attended to, to initiate a so-called "rights procedure" instead of a sanctioning procedure. Or to follow a determined order, first initiating a rights procedure and then, upon its completion, initiating a sanctioning procedure. On the contrary, these are two paths C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 55/66 independent of each other, which can take place simultaneously or alternatively. In short, GLOVO understands that the company cannot be held responsible for the incorrect or insufficient response to the complaining party, due to negligence or fault, since: 1) It was a request made through a generic channel provided by GLOVO to address incidents in the provision of services by delivery drivers. 2) GLOVO had implemented appropriate internal mechanisms so that the request received through this channel was forwarded to the appropriate channel for its response, that is, the Data Protection Department. 3) The obligation to implement such mechanisms cannot be considered as anything other than an obligation of means, and not of results. 4) The implementation of these mechanisms, duly accredited, involve reasonable efforts to ensure that its services are aware of the request, as argued by the AEPD in its Resolution Proposal, and proposed by the Guidelines 1/2022. 5) The agent replied to the interested party informing them that he could not provide the requested information. 6) GLOVO has a specific channel for requesting data protection rights, reported in a multitude of channels and documents, including the contract signed by the delivery person or the specific application and web environment for delivery people, so the interested party could easily use this channel. Therefore, GLOVO claims that the incomplete response by the agent who assisted the complainant, who did not provide the address of the Data Protection Department, or did not directly send the request to this department, cannot be categorized as anything other than a human error which, as explained above, derives from (i) the belief that he had responded to his request by indicating that he could not provide this information, and (ii) from correctly responding to the rest of the incidents reported by the interested party, in accordance with the functions that he did have in accordance with his role within the Customer Service Department to support the delivery person. In this regard, this Agency reiterates that: 1) The channel used by the complainant is a perfectly valid means to exercise a request for access to his personal data. 2) Regardless of the measures adopted by GLOVO, in the present case the complainant made numerous communications requesting his right of access to data about him, even referring to article 15 of the GDPR, a request that was not duly attended to. 3) It is not an obligation of result. But it is not the obligation of the interested party to direct his requests to exercise rights through the channel preferred by the company responsible for the treatment. It was GLOVO's obligation to duly attend to such a request, forwarding the request to the Department that C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 56/66 the company determined as the most suitable to give a proper response, if necessary, or as the company considered best. 4) It is not a question of the data controller making disproportionate and unreasonable efforts, but rather that the company must ensure that requests to exercise rights are duly attended to. Expecting a Customer Service Department to process a request of this type as appropriate is not disproportionate or unreasonable, since it is a channel intended for receiving requests of all kinds. For this reason, agents must be able to identify, channel and respond appropriately to such requests, which has not occurred in the present case. 5) It is not considered that a response was not given to the complaining party, but rather that the exercise of the right was not properly attended to (i.e., information about their personal data was not provided), when this was GLOVO's responsibility. 6) The interested party is not obliged to direct their requests to exercise their rights through the channel preferred by the company responsible for the processing. Finally, this Agency reiterates that what happened in the present case cannot be classified as a “human error” in having responded that the information requested by the complainant was not provided on three different occasions, on different days and after the issue was analyzed by two different departments of the company. Furthermore, according to what was ruled in the STS 7887/2011 of November 24, 2011, Rec. 258/2009, “(…) since its judgment 76/1990, of April 26, the Constitutional Court has declared that objective liability or liability without fault is not included in the scope of administrative sanctions, a doctrine that is reaffirmed in judgment 164/2005, of June 20, 2005, by virtue of which the possibility of imposing sanctions for the mere result is excluded, without proving a minimum of guilt even in the case of mere negligence. However, the way of attributing responsibility to legal entities does not correspond to the forms of willful or imprudent guilt that are attributable to human conduct.” Thus, in the case of infringements committed by legal persons, although the element of guilt must be present (see the judgment of this Chamber of the Supreme Court of 20 November 2011 (appeal for cassation in the interest of law 48/2007), this is necessarily applied in a different way than it is done with respect to natural persons. According to STC 246/1991 "(...) this different construction of the imputability of the authorship of the infringement to the legal person arises from the very nature of legal fiction to which these subjects respond. They lack the volitional element in the strict sense, but not the capacity to infringe the rules to which they are subject. Capacity to infringe and, therefore, direct blameworthiness that derives from the legal asset protected by the rule that is infringed and the need for said protection to be truly effective and from the risk that, consequently, the person must assume Following the judgment of 23 January 1998, partially transcribed in STS 6262/2009, of 9 October 2009, Rec 5285/2005, and STS 6336/2009, of 23 October 2009, Rec 1067/2006, it should be added that "although the guilt of the conduct must also be proven, it must be considered in C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 57/66 order to assume the corresponding burden, that ordinarily the volitional and cognitive elements necessary to assess the former form part of the typical conduct proven, and that their exclusion requires that the absence of such elements be proven, or in their absence, that the latter is not a valid reason for the normative aspect, that the diligence that was required by the person claiming its nonexistence has been used; In short, the invocation of the absence of guilt is not sufficient for exculpation in the face of typically unlawful behavior." In any case, as has been pointed out, the Supreme Court Judgment No. 188/2022 (Contentious Chamber, Section 3), of February 15, 2022 (rec. 7359/2020) argues about the liability of legal persons in our legal system: "... It simply happens that, since our Administrative Law admits the direct liability of legal persons, who are therefore recognized as having the capacity to infringe, the subjective element of the infringement is expressed in these cases in a different way than it is with respect to natural persons, so that, as the constitutional doctrine that we have previously reviewed points out - SsTC STC 246/1991, of 19 December (F.J. 2) and 129/2003, of June 30 (F.J. 8)- the direct blame derives from the legal asset protected by the rule that is infringed and the need for such protection to be truly effective and from the risk that, consequently, the legal person that is subject to compliance with said rule must assume." (emphasis added by this Agency). Therefore, in the present case, the actions of the employees do not exempt GLOVO from its responsibility for such actions. Finally, as regards the fact that the rest of the issues related to the execution of the services by the complainant were resolved, this Agency has already insisted that this is not the subject of the present sanctioning procedure. For all the reasons stated above, the present allegation is rejected. SIXTH.- REGARDING AGGRAVATING CIRCUMSTANCES GLOVO makes some observations on the aggravating circumstances alleged by the AEPD: 1) The nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question as well as the number of interested parties affected and the level of damages they have suffered (section a): due to the failure to attend to the request of the complaining party to exercise their right of access, from August 19, 2021 to November 14, 2022, once this Agency intervened. GLOVO understands that this aggravating circumstance should not be considered, since (i) a response was given, even if it could be insufficient or incomplete, as the department of customer service cannot provide the information requested by the delivery person, and (ii) if no response was given until November 14, 2022, it was because the IMI information exchange system is excessively slow, because the AEPD did not contact the Data Protection Officer in February 2022 before admitting the claim for processing, and because even so, having been admitted in June, it did not forward the request for information until November of that same year. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 58/66 Therefore, the Agency requests that this aggravating circumstance not be taken into consideration or, if applicable, that the time periods as calculated by the AEPD not be considered, since everything could have been much quicker. In this regard, this Agency reiterates that it does not consider that a response was not given to the complainant, but rather that the exercise of the right was not properly attended to (i.e., the information on his personal data was not provided), when this was GLOVO's responsibility. And that the complainant insisted on three occasions on his request for access to his personal data, so that GLOVO had several opportunities to provide such information, long before the complainant submitted his complaint or before such complaint was received by this Agency. As regards the fact that the Data Protection Officer was not contacted before admitting the claim for processing, this Agency reiterates that the LOPDGDD provides for this possibility (which is not obligatory) only for claims submitted directly to the AEPD, which did not occur in the present case. In any case, this Agency wishes to emphasize that in the present case it is not a question of the fact that such a request was not attended to in time, but rather that such a request would not have been attended to if this Agency had not intervened, since the complainant was only provided with access to his/her data after having been asked for information about the claim. 2) The intentionality or negligence in the infringement (section b): the conduct of GLOVO was seriously negligent since the exercise of the right of access to personal data was not attended to despite the fact that the complainant insisted at least three times that he/she wanted to be provided with the requested information. GLOVO claims that in no case can it accept that its actions were considered to be grossly negligent. First, because as it considers proven, GLOVO implemented the appropriate mechanisms to ensure that the Customer Service Department that provides support services to the delivery person provided the address of the Data Protection Department to the interested parties, as required by the obligation of means of article 12 RGPD or Guidelines 1/2022, it being a human error of the agent who attended the case that generated the claim that gives rise to the present procedure. Second, because, even if it were not so (which it is), GLOVO understands that the complaining party did not insist three times that it wanted the requested information to be provided. According to the documentation provided by the AEPD itself, there are only two messages that refer to the right of access, the first on August 26 at 7:56, indicating that it requested the conversation of August 17, together with other information related to the execution of its services, and a second request, on September 3 at 12:36, copying exactly the same previous request, but correcting the date of the requested conversation (initially it indicated that it was from August 17, and later it corrected to indicate that it was from August 19. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 59/66 it is true that, in the documentation provided, the message of September 3 appears twice, but it is always the same message. GLOVO also points out that both messages were sent 6 days apart, in the same case or ticket, so it cannot be considered as "insisted three times". It is the same request, made (to correct it) in duplicate within the month that GLOVO had to respond, so it cannot be considered repetition or insistence at all. Therefore, GLOVO requests that this aggravating circumstance not be taken into consideration as it is not applicable to this case. In this regard, this Agency reiterates what has already been answered in the previous allegation, in particular, that regardless of the measures adopted by GLOVO, in the present case the complainant made numerous communications requesting their right of access to data about themselves, even referring to article 15 of the GDPR, a request that was not duly attended to. At no time is an obligation of result intended. However, it was GLOVO's obligation to properly respond to such a request, forwarding the request to the Department that the company determined to be the most suitable to give a proper response, if applicable, or as the company considered best. This Agency does not intend for the data controller to make disproportionate and unreasonable efforts, but rather for the company to ensure that requests to exercise rights are properly attended to. Pretending that a Customer Service Department properly processes a request of this type is not disproportionate or unreasonable, since it is a channel intended to receive requests of all kinds. For this reason, agents must be able to identify, channel and properly respond to such requests, which has not occurred in the present case. As regards the number of times the complainant requested his/her data, this Agency reiterates that, as stated in the proven facts of this resolution, on August 19, 2021 at 12:31 p.m., the complainant sent a communication to the Customer Service Department with the following content (in Polish the original, unofficial translation): “Good morning, please send me the conversation with (...), B.B.B., to my email address, as it will be the basis of my legal case, if that does not happen, I will send you a court order.” That is, he/she made a first request for access to his/her personal data (in this case, the recordings of his/her conversation with a ***POST.1). GLOVO appears to not be aware of this first request from the complainant in its allegations, but the fact that it fails to cite Article 15 of the GDPR does not prevent its content from being that of a request for access to the complainant's personal data. In response to this request, the company replied to the complainant on August 19, 2021 at 3:30 p.m. in Polish, with the following content (unofficial translation): “Good morning, thank you for contacting Glovo. Unfortunately, we cannot share the conversation or its fragments with you. Please let us know what is C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 60/66 your problem with our ***POST.1. Best regards, Glovo Customer Service.” Following the company's refusal to provide such information, and after a series of discussions on other issues, on 26 August 2021 at 07:56, the complainant again requested the GLOVO Customer Service Department to provide him with certain information from 17 August 2021 regarding him, this time based on Article 15 of the GDPR. On 26 August 2021, the complainant was informed that his case was transferred to another department and on 3 September 2021 at 12:36 he was informed that the requested information could not be provided. On September 3, 2021, the complainant indicated that he had made a mistake by requesting information about himself from August 17, 2021, that what he wanted was information from August 19, 2021. And, again, the company informed him on September 6, 2021 that it could not provide him with such information. That is, in three different communications (on August 19, August 26, and September 3) the complainant had requested access to his personal data. And all three times GLOVO responded that it could not provide him with such access, without giving further information on the matter. GLOVO itself has acknowledged this in its allegations. Moreover, on September 3, 2021 at 12:36 p.m. the complaining party received an email from support@glovo.mail.kustomerapp.com in Polish, with the following content (unofficial translation): “Good morning, Unfortunately, we cannot share such information with you. Can you please specify what exactly you are requesting? We remind you that opening multiple chats may slow down your service time. We ask you to use only one chat for this request. Best regards, Glovo Team Glovo Customer Support.” This Agency understands that it cannot be considered that in the present case there was a human error when on three different occasions, on three different days and even having analyzed the issue by two different departments (the request of the complainant had been transferred to another department, according to the company), GLOVO's response had always been the same: that it could not provide the complainant with such information, when it was GLOVO's obligation to provide it. Finally, this Agency wishes to point out that the fact that the communications of the complainant with the company had been made through the same ticket, is not indicative of anything, it is simply a way of organizing the company, like any other. Therefore, for all the reasons stated, this allegation is rejected. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 61/66 3) Any previous infringement committed by the controller or processor (section e): On April 1, 2020, the Director of the AEPD signed resolution of sanctioning procedure PS/00417/2019 in which GLOVO was sanctioned with a fine of €25,000 for the infringement of article 37 of the GDPR. On March 7, 2023, the Director of the AEPD signed the resolution of the sanctioning procedure PS/00209/2022 in which a warning was issued to GLOVO for the infringement of article 13 of the GDPR and GLOVO was fined €550,000 for the infringement of articles 25 and 32 of the GDPR. GLOVO claims that it does not deny the existence of the previous sanctioning procedures, but it does consider it appropriate to remind the AEPD that they have nothing to do with the present case, neither directly nor indirectly, and that instead it is not taking into consideration that among the cases that the AEPD has managed linked to the attention of the rights of interested parties, it has never proceeded to sanction GLOVO. Therefore, it requests that this aggravating circumstance not be taken into consideration or, failing that, that the fact that the AEPD has been aware of several claims for attention to rights, without having ever found any reprehensible fact in the actions of GLOVO, be also considered as an attenuating circumstance. In this regard, this Agency wishes to point out that the literal of article 83.2.e) of the GDPR states: "any previous infringement committed by the controller or the person in charge of the processing", without requiring that the aforementioned infringements be related to the infringement being evaluated. But it cannot be denied that when grading a fine, someone who has never infringed the GDPR cannot be given the same consideration as someone who has. Likewise, the same consideration will not be given when grading the fine for a given infringement if the identical infringement has been committed on previous occasions or if it is a question of other infringements. For the peace of mind of GLOVO, please be advised that all of this has been duly taken into account by this Agency when graduating the sanction for the present procedure, which is why a fine of only 0.01% of the total annual turnover is imposed (€15,000 in relation to ***AMOUNT.1 € of turnover, as stated in the proven facts). Furthermore, due to an involuntary error on its part, this Agency has omitted in its assessment of the graduation of the possible sanction in the present procedure the procedure PS/00372/2021 in which, by resolution of June 13, 2022 the Director of this Agency imposed a warning on GLOVO for the violation of article 12 of the GDPR, for a right of deletion not duly attended to. Also due to an involuntary error on its part, this Agency did not take into account that in procedure TD/00268/2020 a decision was issued in favor of the claimant's claim for a request for the right of access to the claimant's personal data that had not been duly attended to. For the reasons set forth above, this Agency cannot but reject this allegation. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 62/66 IV Right of access of the interested party Article 15 “Right of access of the interested party” of the GDPR establishes: “1. The interested party shall have the right to obtain from the data controller confirmation of whether or not personal data concerning him or her are being processed and, if this is the case, the right of access to the personal data and to the following information: a) the purposes of the processing; (b) the categories of personal data concerned; (c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; (d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject, or to object to such processing; (f) the right to lodge a complaint with a supervisory authority; (g) where the personal data have not been obtained from the data subject, any available information as to their source; (h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4), and, at least in such cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. 2. Where personal data are transferred to a third country or an international organisation, the data subject shall have the right to be informed of the appropriate guarantees pursuant to Article 46 relating to the transfer. 3. The controller shall provide a copy of the personal data being processed. The controller may charge a reasonable fee for any further copy requested by the data subject, based on administrative costs. Where the data subject makes the request by electronic means, and unless the data subject requests that the data be provided otherwise, the information shall be provided in a commonly used electronic format. 4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.” In the present case, the complainant requested GLOVO via an email to support@glovo.mail.kustomerapp.com on August 19, 2021, the conversation held with B.B.B.. On the same day, GLOVO's Customer Service team informed him that they could not share the aforementioned conversation or its fragments, without justifying such refusal. After an exchange of emails between the complainant and GLOVO, the complainant on August 26, 2021 requested GLOVO via email to support@glovo.mail.kustomerapp.com, based on article C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 63/66 15 of the GDPR to provide him with the record of the conversation with B.B.B. 17 August 2021, the exact time of check-in on that day and the actions of the employees who changed that data, information about an order cancelled on 17 August together with the reasons for cancellation and the actions of the employees who changed that data, and the work plan for 17 August of changes in the system and GLOVO employees. On 26 August 2021 at 20:09 the complainant received an email from the address support@glovo.mail.kustomerapp.com in Polish, with the following content (unofficial translation): “Hello, A.A.A.! Thank you for contacting us. Your case has been transferred to another department. Once we have a response, we will pass it on to you. We hope that this information is useful, because we are always trying to provide the highest quality in our service. You can count on us. Thank you for your trust. Glovo Customer Service”. On September 3, 2021, the GLOVO customer service team replies again that it cannot share the information requested by the complainant, without providing any justification. On September 3, 2021, the complainant indicates that it made a mistake and was requesting the information corresponding to August 19, 2021. On September 6, 2021, the GLOVO customer service team insists that it cannot provide the requested information to the complainant, without providing any justification. That is, on none of these occasions was GLOVO responding to the request for access to the complainant's personal data. Therefore, in accordance with the evidence available at this time of the sanctioning procedure resolution, it is considered that the known facts constitute an infringement, attributable to GLOVO, for violation of article 15 of the GDPR. V Classification and qualification of the infringement of article 15 of the GDPR The aforementioned infringement of article 15 of the GDPR involves the commission of the infringements classified in article 83.5 of the GDPR, which under the heading “General conditions for the imposition of administrative fines” provides: “Infringements of the following provisions shall be punishable, in accordance with paragraph 2, by administrative fines of a maximum of EUR 20 000 000 or, in the case of an undertaking, an amount equivalent to a maximum of 4% of the total global annual turnover of the previous financial year, whichever is higher: (…) b) the rights of data subjects pursuant to articles 12 to 22; (…)” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 64/66 For the purposes of the limitation period, article 72 “Infringements considered very serious” of the LOPDGDD indicates: “1. In accordance with the provisions of article 83.5 of Regulation (EU) 2016/679, infringements that constitute a substantial violation of the articles mentioned therein and, in particular, the following are considered very serious and will be subject to a three-year statute of limitations: (…) k) The impediment or obstruction or repeated failure to comply with the exercise of the rights established in articles 15 to 22 of Regulation (EU) 2016/679 (…)”. VI Penalty for infringement of Article 15 of the GDPR For the purposes of deciding on the imposition of an administrative fine and its amount, in accordance with the evidence available at the time of the resolution of the sanctioning procedure, it is considered that it is appropriate to graduate the sanction to be imposed in accordance with the following criteria established in Article 83.2 of the GDPR: - The nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question, as well as the number of data subjects affected and the level of damages and losses they have suffered (section a): due to the failure to attend to the request of the complaining party to exercise their right of access, from August 19, 2021 to November 14, 2022, once this Agency intervened. - The intention or negligence in the infringement (section b): GLOVO's conduct was seriously negligent since the exercise of the right of access to personal data was not attended to despite the fact that the complainant insisted at least three times that he wanted to be provided with the requested information. As aggravating factors: - Any previous infringement committed by the controller or the person in charge of the processing (section e): On April 1, 2020, the Director of the AEPD signed resolution of sanctioning procedure PS/00417/2019 in which GLOVO was sanctioned with a fine of €25,000 for the infringement of article 37 of the GDPR. On March 7, 2023, the Director of the AEPD signed the resolution of sanctioning procedure PS/00209/2022 in which a warning was issued to GLOVO for the violation of article 13 of the GDPR and GLOVO was fined €550,000 for the violation of articles 25 and 32 of the GDPR. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 65/66 It is also considered that the sanction to be imposed should be graded in accordance with the following criteria established in section 2 of article 76 “Sanctions and corrective measures” of the LOPDGDD: As aggravating factors: - The link between the offender's activity and the processing of personal data (section b): The development of the business activity that GLOVO carries out requires continuous processing of personal data. The balance of the circumstances contemplated in article 83.2 of the RGPD and 76.2 of the LOPDGDD, with respect to the infringement committed by violating the provisions of article 15 of the RGPD, allows for the imposition of a sanction of €15,000 (fifteen thousand euros). Therefore, in accordance with the applicable legislation and having assessed the criteria for grading the sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: TO IMPOSE on GLOVOAPP23, S.A., with NIF A66362906, for an infringement of Article 15 of the GDPR, classified in Article 83.5 of the GDPR, a fine of 15,000.00 euros (FIFTEEN THOUSAND euros). SECOND: TO NOTIFY this resolution to GLOVOAPP23, S.A. This resolution will be enforceable once the deadline for filing the optional appeal for reconsideration ends (one month from the day following notification of this resolution) without the interested party having made use of this faculty. The sanctioned party is warned that he/she must pay the sanction imposed once this resolution becomes enforceable, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment period established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of 17 December, by depositing it, indicating the NIF of the sanctioned party and the procedure number that appears in the heading of this document, in the restricted account nº IBAN: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code: CAIXESBBXXX), opened in the name of the Spanish Data Protection Agency in the banking entity CAIXABANK, S.A. Otherwise, it will be collected during the enforcement period. Once the notification has been received and has become enforceable, if the date of enforceability is between the 1st and 15th of each month, both inclusive, the deadline for making the voluntary payment will be until the 20th of the following month or the next business day thereafter, and if it is between the 16th and the last day of each month, both inclusive, the payment deadline will be until the 5th of the second following month or the next business day thereafter. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 66/66 Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may, at their discretion, lodge an appeal for reconsideration before the Director of the Spanish Data Protection Agency within one month from the day following notification of this resolution or directly an administrative appeal before the Administrative Litigation Division of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Administrative Litigation Jurisdiction, within two months from the day following notification of this act, as provided for in article 46.1 of the referred Law. Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, the final resolution may be provisionally suspended by administrative means if the interested party expresses his intention to lodge an administrative appeal. If this is the case, the interested party must formally communicate this fact by means of a letter addressed to the Spanish Data Protection Agency, presenting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica- web/], or through one of the other registries provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. He must also transfer to the Agency the documentation that proves the effective filing of the administrative appeal. If the Agency is not aware of the filing of the administrative appeal within two months from the day following the notification of this resolution, it will terminate the provisional suspension. 938-16012024 Mar España Martí Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es