The Spanish Data Protection Authority (DPA) AEPD fined Glovo €25,000 for not appointing a Data Protection Officer pursuant to article 37 GDPR.
Have you ever wondered whether your business is subject to the DPO designation requirement set out in the GDPR? The ambiguity of the GDPR when it comes to defining the cases in which the appointment of a DPO is mandatory for controllers and processors is causing confusion in the industry. The latest fine in this regard comes from the Spanish DPA, and it is the first fine in Spain imposed for a Data Protection Officer appointment violation.
According to the AEPD decision, it seems that Glovo had not appointed a DPO. In addition, the company’s website did not contain any information about an appointed DPO.
The Spanish DPA deems the lack of a DPO appointment a breach of article 37(1) GDPR because it considers that the core activities of Glovo “consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale”.
On 28 April 2020, the Belgian Data Protection Authority issued a decision fining the telecommunications and ICT company Proximus €50,000 for failing to involve the DPO in the handling of personal data breaches. Moreover, the company did not have a system in place to prevent a conflict of interest on the part of the DPO, who also held numerous other positions within the company (head of the compliance and audit department), in violation of Article 38(6) of the GDPR. As a consequence, the controller could not ensure that those other tasks and duties did not result in a conflict of interest.
Should our business be worried?
Under the GDPR, you, as controller or processor, should appoint a DPO if:
- you are a public authority or body (except for courts acting in their judicial capacity);
- your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
- your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
It should be stressed that controllers and processors can appoint a DPO even if they are not required to.
What is the origin of the disagreement between Glovo and the Spanish DPA?
While the Spanish DPA states that Glovo should have appointed a DPO because they process personal data on a large scale, Glovo’s counterargument is based on the fact that the GDPR does not define “large scale”.
The WP29 (now the EDPB) Guidelines on Data Protection Officers partially clarify this issue.
When determining whether a processing operation is on a large scale, the guidelines say the following factors should be taken into consideration:
- the number of data subjects concerned;
- the volume of personal data being processed;
- the range of different data items being processed;
- the geographical extent of the activity; and
- the duration or permanence of the processing activity.
Running a business online increases the need for a DPO due to the ubiquity of data on the internet, so it is at least advisable to seek advice from a data protection and privacy expert before deciding whether the company is subject to the mandatory GDPR requirement.