The Spanish Data Protection Authority (Agencia Española de Protección de Datos ("AEPD")) imposed a fine of EUR 25,000 on Glovo, an on-demand courier service, for failing to appoint a Data Protection Officer ("DPO") in application of Articles 37 and 83 of the General Data Protection Regulation ("GDPR").
In its decision, the AEPD considered that Glovo breached Article 37(1)(b) of the GDPR, which stipulates that a controller or processor must appoint a DPO where:
"the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale".
What happened?
The AEPD's proceedings were initiated following the filing of two separate complaints against Glovo, on 21 May 2019 and 4 November 2019 respectively.
In response to the complaints, Glovo argued that:
The decision
The AEPD determined that:
Although the GDPR does not specifically define the notion of "large-scale processing", it is likely that the AEPD considered the following factors when making its decision [1]:
- the number of data subjects concerned;
- the volume of data and/or the range of different data items being processed;
- the duration, or permanence, of the data processing activity; and
- the geographical extent of the processing activity.
In response to the proceedings, Glovo communicated the appointment of a DPO to the AEPD on 31 January 2020. Whilst the AEPD recognised the proactive action, it was not enough to avoid the fine of EUR 25,000.
It should be noted that the decision is not final and that an appeal for reversal and a contentious-administrative appeal may be lodged with the National Court. Glovo has stated that it "will exhaust all judicial instances to prove that it acted at all times in accordance with the provisions of the data protection regulations" [2].
A decision in line with recent case law about DPO requirements
The AEPD's decision and similar sanctions imposed by other Data Protection Authorities highlight that European regulators are starting to turn their focus to ensuring that the role and obligations of DPOs are correctly fulfilled.
In a couple of recent cases, Data Protection Authorities fined businesses for non-compliance with the GDPR requirements relating to the DPO:
Key takeaways
Organisations are strongly advised to undertake an assessment of whether they need to appoint a DPO. This assessment should be repeated on a regular basis, so as to take into account any new product or processing activity that may trigger the requirement to appoint a DPO.
[1] Article 29 Working Party guidance on determining whether the processing is carried out on a large scale: https://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp243_en_40855.pdf?wb48617274=CD63BD9A