1/5

NON-OFFICIAL ENGLISH TRANSLATION

• Procedure Nº: PS/00417/2019

SANCTIONING PROCEDURE RESOLUTION

From the procedure instructed by the Spanish Data Protection Authority and on the basis
of the following

BACKGROUND

FIRST: A.A.A., and B.B.B. (hereinafter, the plaintiffs) respectively lodged a complaint with the
Spanish Data Protection Authority on 21 May and 4 November 2019.

Their claims are directed against GLOVOAPP23, S.L. with NIF B66362906 (hereinafter, the
defendant).

The reason on which they base their claim is that no Data Protection Officer (hereinafter DPO)
has been appointed to address the claims.

SECOND: Upon receipt of the complaint, the Subdirectorate General for Data Inspection carried
out the following actions:

On 2 July 2019, the first complaint was transferred to the defendant for analysis and a
communication was done to the plaintiffs of the decision taken in this regard.

The defendant responds to the transfer of the complaint by stating that neither within the text
of Article 37 of the GDPR or within the one of Article 34 LOPGDD (Spanish Law implementing the
GDPR), they have the obligation to designate a DPO.

THIRD: On January 13, 2020, the Director of the Spanish Data Protection Authority agreed to
initiate sanctioning proceedings against the defendant, for the alleged violation of Article 37 of
the GDPR, as defined under Article 83.4 of the GDPR.

FOURTH: Notified on 22 January 2020 of the aforementioned initiation agreement, the defendant
submitted on 31 January 2020 a written statement of allegations in which, in summary, it stated
that its personal data processing activity is exempt from the obligations laid down in Articles 37
GDPR and 34 LOPGDD, and therefore exempt from the obligation to designate a Data Protection
Officer.

However, it claims that at no time it has denied the existence of a body dedicated, in the context
of the organization, to the performance of the functions which are specific to a Data Protection
Officer, since on 8 June 2018, it constituted the Data Protection Committee, in order to cover the
technical areas of the company and on the same date, a Data Protection Sub-Committee was also
appointed in order to comply with the authorization of the Board of Directors to set up that
committee.

EUROPEN DATA PROTECTION OFFICE (EDPO)

AVENUE HUART HAMOIR 71 – 1030 BRUSSELS –
BELGIUM WWW.EDPO.COM
 2/5

NON-OFFICIAL ENGLISH TRANSLATION

It concludes by stating that the Data Protection Committee performs the functions of a Data
Protection Officer as described in Article 39 of the GDPR.

FIFTH: On 25 February 2020, the investigator of the proceeding agreed on the opening of a period
of practice of evidence, taking into account the previous investigation actions, E/06131/2019, as
well as the documents provided by the defendant.

SIXTH: A proposal for a resolution is made on 26 February 2020, proposing that the requested
entity be sanctioned for a violation of Article 37 of the GDPR, as referred to in Article 83.4 of the
GDPR.

SEPTIMO: On 13 March 2020, the defendant filed a brief of allegations to the aforementioned
proposal, stating that on 23 May 2019, C.C.C. was formally appointed as the defendant’s Data
Protection Officer, but it was not until February 2020 that it was decided to make the
appointment official to third parties by registering the DPO to the Spanish Data Protection
Authority’s Registry, since the Data Protection Committee, the Subcommittee and the Legal
Department had been carrying out these functions effectively and with full guarantee of the rights
and freedoms of the data subjects.

UNDISPUTED FACTS

FIRST: The defendant has not appointed a Data Protection Officer.

SECOND: The defendant claims that its personal data processing activity is exempt from the
obligations set out in Articles 37 GDPR and 34 LOPGDD, but that, nevertheless, it has a Data
Protection Committee, which performs the functions of a Data Protection Officer as described in
Article 39 of the GDPR.

THIRD: It has been found that the defendant, after the start of the present sanctioning procedure
on 13 January 2020, communicated on 31 January 2020 to the Spanish Data Protection Authority
the appointment of its Data Protection Officer.

LEGAL GROUNDS

The Director of the Spanish Data Protection Authority is competent to resolve this
procedure, in accordance with the provisions of Article 58.2 of the GDPR and Articles 47 and 48.1
of the LOPDGDD.

II

Article 37 of the GDPR provides:

“1. The controller and processor shall appoint a data protection officer provided in any
case where

EUROPEN DATA PROTECTION OFFICE (EDPO)

AVENUE HUART HAMOIR 71 – 1030 BRUSSELS –
BELGIUM WWW.EDPO.COM
 3/5

NON-OFFICIAL ENGLISH TRANSLATION

b) the core activities of the controller or the processor consist of processing operations
which, by virtue of their nature, their scope and/or purposes, require a regular and systematic
monitoring of data subjects on a large scale”

In this regard, the LOPDGDD determines in Article 34.1 and 3: "Appointment of a data
protection officer”

1. “The data controllers and processors shall appoint a data protection officer in the
cases provided for in Article 37.1 of the Regulation (UE) 2016/679

3. The data controllers and processors will communicate within ten days to the Spanish
Data Protection Authority or, where appropriate, to the regional data protection authorities, the
designations, appointments and dismissals of data protection officers both in cases where they
are obliged to be designated and in the case where they are voluntary.”

III

The failure to designate DPO, when carrying out the claimed processing of personal data
on a large scale, is considered to result in the infringement of Article 37(1 b) of the GDPR in
conjunction with Article 34 of the LOPDGDD.

In this sense, the defendant states that in its organization it has a Data Protection
Committee, which performs the functions of a Data Protection Officer as described in Article 39
of the GDPR.

However, at the beginning of the sanctioning procedure, when accessing the website of
the defendant following the link, https://glovoapp.com/en/legal/privacy, no mention was made
of the defendant’s Data Protection Office, as the figure guaranteeing compliance with the
organization’s data protection regulations.

However, it has been noted on 31 January 2020 that the defendant notified the Spanish
Data Protection Authority of the appointment of its Data Protection Officer, a communication
that was signed and notified by this Authority to the defendant on 18 February 2020.

IV

Article 83.7 GDPR provides that: “Without prejudice to the corrective powers of the
supervisory authorities pursuant to Article 58(2), each Member State may lay down rules on
whether and to what extent administrative fines may be imposed on public authorities and bodies
established in that Member State”

Article 58.2 of the GDPR provides that: “Each supervisory authority shall have all of the
following corrective powers:

b) to issue reprimands to a controller or processor where processing operations have

infringed provisions of this Regulation;

EUROPEN DATA PROTECTION OFFICE (EDPO)

AVENUE HUART HAMOIR 71 – 1030 BRUSSELS –
BELGIUM WWW.EDPO.COM
 4/5

NON-OFFICIAL ENGLISH TRANSLATION

d) order the controller or processor to comply to bring processing operations into

compliance with the provisions of this Regulation, where appropriate, in a specified manner and
within a specified period;

i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of the
measures referred to in this paragraph, depending on the circumstances of each individual case;

Article 73 of the LOPDDG states that:” Violations considered serious

“Pursuant to Article 83.4 of Regulation (EU) 2016/679, infringements which substantially

infringe the articles referred to therein and, in particular the following, shall be regarded as serious
and shall be limited after two years:”

v) Failure to comply with the obligation to appoint a data protection officer when its
appointment is required under Article 37 of Regulation (EU) 2016/679 and Article 34 of this
organic law.”

Article 83.4 of the GDPR provides that "infringements of the following provisions shall, in
accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the
case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial
year, whichever is higher:

a) the obligations of the controller and processor pursuant to Articles 8, 11, 25 to 39 and 42
and 43”

It is also considered that the penalty to be imposed should be graduated according to the
following criteria established in Article 83.2 of the GDPR:

The following are aggravating factors:

• In the present case, the number of affected data subjects is found to be an aggravating
factor, given that the defendant processes personal data on a large scale given the
number of customers that it has (Article 83.2 a)

• Basic personal identifiers are affected (Article 83.2 g)

Therefore, in accordance with the applicable legislation and having assessed the criteria
for the graduation of sanctions whose existence has been established,

the Director of the Spanish Data Protection Authority RESOLVES:

FIRST: IMPOSE GLOVOAPP23, S.L., with NIF B66362906, a fine of EUR 25,000 (twenty-five
thousand euros) for an infringement to Article 37 of the GDPR, as categorized under Article 83.4
of the GDPR.

EUROPEN DATA PROTECTION OFFICE (EDPO)

AVENUE HUART HAMOIR 71 – 1030 BRUSSELS –
BELGIUM WWW.EDPO.COM
 5/5

NON-OFFICIAL ENGLISH TRANSLATION

SECOND: NOTIFY this resolution to GLOVOAPP23, S.L.

THIRD: To warn the sanctioned party that it must make the sanction imposed effective once this
resolution is enforceable, in accordance with Article 98.1(b) of Law 39/2015 of 1 October of the
Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the
voluntary payment period established in Article 68 of the General Collection Regulation, approved
by Royal
Decree n° 285 of 29 July on Art. 62 of Law 58/2003, of 17 December, by means of its payment,
indicating the tax identification of the sanctioned party and the procedural number that appears
in the heading of this document, into the restricted account n° ES00 0000 0000 0000 0000 0000
0000, opened in the name of the Spanish Data Protection Authority at Banco CAIXABANK, S.A.
Otherwise, it will be collected during the enforcement period.

Once the notification has been received and once it has been executed, if the date of
execution is between the 1st and 15th of each month, inclusive, the term for voluntary payment
will be up to the 20th of the following month or immediately following business month, and if it
is between the 16th and last day of each month, inclusive, the payment term will be up to 5th of
the second month following or the immediately following business month.

In accordance with Article 50 of the LOPDGDD, this Resolution shall be made public once
it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure pursuant to
Article 48.6 of the LOPDGDD, and in accordance with Article 123 of the LPACAP, the interested
parties may lodge, optionally, an appeal for the reversal to the Director of the Spanish Data
Protection Authority within one month from the day following the notification of this decision or
directly an administrative appeal before the Administrative Litigation Chamber of the Audiencia
Nacional, in accordance with the provisions of Article 25 and paragraph 5 of the fourth additional
provision of Law 29/1998 of 13 July 1998, regulating the Administrative Litigation Jurisdiction,
within two months from the day following the notification of this act, as provided for in Article
46.1 of the aforementioned Law.

Finally, it is noted that, in accordance with Article 90.3 a) of the LPACAP, the final
resolution may be suspended as a precautionary measure through administrative channels if the
interested party expresses its intention to file an administrative-litigation appeal. If this is the
case, the interested party must formally communicate this fact in writing to the Spanish Data
Protection Authority, presenting it through the Authority’s Electronic Registry
[https://sedeagpd.gob.es/sede-electronica-web/], or through any of other registers provided for
in Article 16.4 of the aforementioned Law 39/2015, of 1 October. It shall also transfer to the
Authority the documentation proving to the effective filing of the administrative-litigation appeal.
If the Authority is not informed of the lodging of the administrative-litigation appeal within two
months from the day following the notification of the present decision, it shall terminate the
precautionary suspension.

Mar España Martí

Director of the Spanish Data Protection Authority

EUROPEN DATA PROTECTION OFFICE (EDPO)

AVENUE HUART HAMOIR 71 – 1030 BRUSSELS –
BELGIUM WWW.EDPO.COM