Skip to main content

Food delivery companies Wolt and Glovo being ordered by information commissary to stop Labelling Their Delivery Personnel

|

The IC found that the food delivery companies had no legal basis for printing the identity numbers on the outside of the delivery bags of their personnel, presumably to prevent traffic violations. Both companies were ordered to stop this practice which violates the provisions of Articles 5/1.(a) and 6/1. of the GDPR. One of the orders is not yet final.

It all began with alleged complaints from the citizens of main Slovenian city Ljubljana who felt endangered by the reckless driving of Wolt and Glovo delivery drivers. To appease the Ljubljana City Municipality which shared the citizens’ concerns, the Slovenian subsidiaries of the delivery giants agreed to print unique identity numbers on the delivery bags used by their staff so that their cyclists and motorcyclists could be more easily identified in the event of traffic or other violations.

In the inspection proceedings before the Slovenian Information Commissioner (IC), the companies defended this move by pointing out that the contract between the company and its staff requires compliance with traffic regulations. They also claimed that the correct and careful execution of the delivery services was in their legitimate interest as well as in the legitimate interest of the city’s residents. The alternative would presumably have been to ban the delivery service in the centre of Ljubljana which would been a severe blow to the companies.

The IC rejected the processing of personal data on two legal grounds simultaneously. While not prohibited per se, the data controller may not only rely on it if the data is processed for different purposes, which was not the case here.

Furthermore, the IC found that the processing of the identity number was not really necessary for the performance of the contract, but only to establish the non-performance of the contract, relying, inter alia, on the EDPB Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects.

As far as the legitimate interest is concerned, the IC did not doubt its existence, but considered the measure to be disproportionate. This is all the more true as the companies track the GPS locations of their delivery staff (this fact was not part of the inspection proceedings), meaning that the perpetrators of traffic violations can be easily identified.

To add insult to injury, the IC noted that Slovenia was the only country where the identification numbers had been used, while Ljubljana is not the most populous city with the heaviest road traffic.

The IC’s order against Glovo is not yet final as the company has decided to challenge it before the Administrative Court of the Republic of Slovenia.

 

Article provided by INPLP member: Boris Kozlevcar (JK Group, Slovenia)

 

 

Discover more about the INPLP and the INPLP-Members

Dr. Tobias Höllwarth (Managing Director INPLP)

Cloud Privacy Check (CPC). Data Privacy Compliance in the Cloud Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.

VIEW STREAM

About Us

EuroCloud is an independent non-profit organization and consists of a two-tier setup where organisations form all European countries can apply to participate in as long as they respect the EuroCloud Statutes.

To act as a true European player, all programs that are developed are intended to be European activities. These European programs are the strength of EuroCloud as a whole. Respect to local cultures along with the will to promote a real European spirit.

{$page.footerData}