GlovoApp23 SA – €15,000 Fine (Spain, 2024)

The data subject, a Polish delivery driver, after facing some issues with a delivery, contacted the deliverers’ assistance service and had a conversation with an employee. Since the data subject wanted to use this conversation to initiated legal proceedings against the controller, they asked the assistance service to provide them with the recording of the conversation. The controller refused to provide this recording. After that, the data subject sent the controller, through the deliverers’ assistance service portal, an access request under Article 15 GDPR. The controller reiterated that it cannot provide the recording and did not act further on the access request. Therefore, the data subject filed a complaint with the Polish DPA. Since the main establishment of the controller is in Spain, the Polish DPA forwarded the complaint to the Spanish one pursuant to Article 56 and 60 GDPR. The controller argued that the access request was not sent through the dedicated email address, but through the messaging system dedicated to deliverers’ issues. Moreover, it argued that it had not been aware of this access request until the DPA forwarded the request to it. Furthermore, it noted that it had internal policies instructing all employees to escalate GDPR requests to the DPO office and that, in the case at hand, the delay was caused by the fact that only one employee had not complied with these policies. Finally, it pointed out that the data subject did not initiate the legal proceeding they threatened to begin in their first message to the controller. First, the DPA rejected the controller’s argument regarding the fact that the data subject did not use the dedicated email address for access requests. It pointed out that the data subject had sent his access request through a portal which was acknowledged by the controller as suitable for the submission of deliverers’ requests. According to the DPA, if the person receiving the message was not able to deal with GDPR issues,