Glovo Delivery: First sanction in Spain for not having a Data Protection Officer

On June 9, the Spanish Data Protection Agency published on its website the resolution that puts an end to the Sanctioning Procedure PS/00417/2019 in administrative proceedings, by which an administrative fine of 25,000 euros (twenty-five thousand euros) is imposed on Glovo for not having appointed a Data Protection Officer (DPO) as established in article 37 of the General Data Protection Regulations (RGPD).

The article in question provides that:

“The data controller and the processor shall appoint a data protection representative provided that:

(a) the processing is carried out by a public authority, except for courts acting in their judicial capacity
(b) the main activities of the controller or processor are processing operations which, by their nature, their scope and/or their purposes, require routine and systematic observation of data subjects on a large scale; or
(c) the main activities of the controller or processor are the large-scale processing of special categories of personal data pursuant to Article 9 and of data relating to convictions and criminal offences referred to in Article 10.

Due to the type of activity carried out by the sanctioned company (geolocation of riders and clients) and the amount of personal data it handles, it would be obliged to appoint a Data Protection Delegate from May 25, 2018 (date on which the RGPD began to be applied in Europe), as it falls under scenario b) above.

Failure to appoint a Data Protection Officer when the controller complies with at least one of the three cases referred to in Article 37 GPRS constitutes an infringement and may result in an administrative fine of up to EUR 10 million or in an amount not exceeding 2 % of the total annual turnover of the preceding financial year, whichever is higher. In turn, Article 73 of the Organic Law on Data Protection and the Guarantee of Digital Rights (LOPDGDD) provides that the infringement is considered serious.

Although it is true that the assumptions mentioned in the RGPD may be confusing, the LOPDGDD has shed some light with its list of assumptions in which it is mandatory to appoint a Data Protection Officer:

“Data controllers and processors must appoint a data protection delegate in the cases provided for in Article 37(1) of Regulation (EU) 2016/679 and, in any case, in the case of the following entities

a) The professional associations and their general councils.
(b) Educational establishments offering education at any of the levels established in the legislation regulating the right to education, as well as public and private universities.
(c) entities operating electronic communications networks and services in accordance with the provisions of their specific legislation, when they routinely and systematically process personal data on a large scale.
(d) Information Society service providers when they produce large-scale profiles of service users.
(e) The institutions included in Article 1 of Law 10/2014 of 26 June on the organisation, supervision and solvency of credit institutions
(f) Financial credit establishments.
g) Insurance and reinsurance entities
h) Investment services companies, regulated by the legislation of the Stock Market.
(i) Electricity distributors and marketers and natural gas distributors and marketers
j) Entities responsible for joint files for the evaluation of asset and credit solvency or joint files for the management and prevention of fraud, including those responsible for files regulated by legislation on the prevention of money laundering and the financing of terrorism.
k) Entities carrying out advertising and commercial prospecting activities, including commercial and market research, when they carry out processing based on the preferences of those affected or carry out activities involving the profiling of those affected.
l) Health centers that are legally obliged to keep patient records.
Health professionals who, although legally obliged to keep patients’ medical records, exercise their activity in an individual capacity are excluded.
(m) Entities whose business is to issue business reports which may relate to natural persons.
n) Operators who carry out the activity of gaming through electronic, computer, telematic and interactive channels, in accordance with the regulations governing gaming.
ñ) Private security companies.
o) Sports federations when they process data on minors.

If your company has not yet appointed a DPO or if you have doubts about whether your company is obliged to appoint a DPO, consult an expert in the field for advice and to avoid a possible fine.

If your company is part of one of these cases and has not yet appointed a Data Protection Officer or if you have doubts about whether your company is obliged to appoint a Data Protection Officer, consult an expert in the field for advice and to avoid a possible fine.