On 19 March 2026, Poland’s Personal Data Protection Office (UODO) announced a fine of PLN 5.898 million against Glovo over unlawful data collection practices in its mobile application. The authority found that the company unlawfully required users to submit scans or photos of identity cards or passports for fraud verification, including in cases of suspected theft, counterfeit payments, or mismatched card details, relying incorrectly on legitimate interest under Article 6(1) of the General Data Protection Regulation (GDPR). The authority held that the processing lacked a valid legal basis, was excessive, and breached the principles of lawfulness, fairness, transparency, data minimisation, and accountability under the GDPR. It emphasised that only legally authorised entities may process such identity document data, and that anti-fraud measures cannot justify disproportionate data collection. It was stated that the infringement, ongoing since July 2019 and affecting over 3.4 million users, also created a risk of non-material harm, including identity theft concerns. In addition to the fine, the authority ordered Glovo to cease collecting such data and to delete all previously obtained data within 30 days.