On March 7, 2023, the Spanish data protection authority (AEPD) published its decision in Proceeding No. PS-00209-2023, in which it imposed a fine of €550,000 on Glovoapp23, S.L. (Glovo) for violation of the General Data Protection Regulation (GDPR), following an investigation.

Background to the decision

In particular, the AEPD stated that the Italian data protection authority (Garante) contacted the AEPD with an inquiry after an investigation revealed that the data of delivery drivers who used a platform operated by Glovo, could be accessed by operators outside Italy.

Findings of the AEPD

Following its investigation, the AEPD found that Glovo did not implement adequate security measures to prevent users of its delivery platform from accessing user information of other companies, in violation of Article 32 of the GDPR. The AEPD noted that although Glovo rectified the issue, until May 2020 there was no mechanism in place to limit access.

The AEPD also found that Glovo allowed users to access data sets from other countries using a delivery person's data. Accordingly, the AEPD determined that Glovo breached Article 25 of the GDPR, by not limiting access to the country of the corresponding delivery person by default.

Outcomes

Consequently, the AEPD imposed a fine of €550,000 on Glovo.

You can read the decision, only available in Spanish, here.