Food delivery companies Wolt and Glovo being ordered by information commissary to stop Labelling Their Delivery Personnel

08.10.2024

The IC found that the food delivery companies had no legal basis for printing the identity numbers on the outside of the delivery bags of their personnel, presumably to prevent traffic violations. Both companies were ordered to stop this practice which violates the provisions of Articles 5/1.(a) and 6/1. of the GDPR. One of the orders is not yet final.

It all began with alleged complaints from the citizens of main Slovenian city Ljubljana who felt endangered by the reckless driving of Wolt and Glovo delivery drivers. To appease the Ljubljana City Municipality which shared the citizens’ concerns, the Slovenian subsidiaries of the delivery giants agreed to print unique identity numbers on the delivery bags used by their staff so that their cyclists and motorcyclists could be more easily identified in the event of traffic or other violations.

In the inspection proceedings before the Slovenian Information Commissioner (IC), the companies defended this move by pointing out that the contract between the company and its staff requires compliance with traffic regulations. They also claimed that the correct and careful execution of the delivery services was in their legitimate interest as well as in the legitimate interest of the city’s residents. The alternative would presumably have been to ban the delivery service in the centre of Ljubljana which would been a severe blow to the companies.

The IC rejected the processing of personal data on two legal grounds simultaneously. While not prohibited per se, the data controller may not only rely on it if the data is processed for different purposes, which was not the case here.

Furthermore, the IC found that the processing of the identity number was not really necessary for the performance of the contract, but only to establish the non-performance of the contract, relying, inter alia, on the EDPB Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects.

As far as the legitimate interest is concerned, the IC did not doubt its existence, but considered the measure to be disproportionate. This is all the more true as the companies track the GPS locations of their delivery staff (this fact was not part of the inspection proceedings), meaning that the perpetrators of traffic violations can be easily identified.

To add insult to injury, the IC noted that Slovenia was the only country where the identification numbers had been used, while Ljubljana is not the most populous city with the heaviest road traffic.

The IC’s order against Glovo is not yet final as the company has decided to challenge it before the Administrative Court of the Republic of Slovenia.

 

Article provided by INPLP member: Boris Kozlevcar (JK Group, Slovenia)

 

 

Discover more about the INPLP and the INPLP-Members

Dr. Tobias Höllwarth (Managing Director INPLP)

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.