The Spanish data protection supervisory authority, Agencia Española de Protección de Datos (AEPD), has issued a fined of 2 million EUR against Amazon Road Transport Spain, S. L., a logistics company that manages deliveries for US-based online-merchant Amazon (see here).

Backgound, or: How to Become a Delivery Driver

Amazon Road Transport works with formally self-employed drivers. In the selection process of applicants for a contract as a delivery driver with the company, Amazon Road Transport requested police certificates of good conduct from the candidates. The local workers union (Unión General de Trabajadores) had lodged a complaint with the AEPD regarding this practice. The union criticized that the formally self-employed workers were required to use an app which not only would enable the surveillance of the future delivery drivers, but also had to be used already in the selection process. There, candidates had to, inter alia, provide a police certificate of good conduct, showing no entries of criminal convictions. To that end, applicants were requested to consent to the transfer of their personal data to any company pertaining to the Amazon Group as well as to the US-based company Accurate Background Checks and their affiliates. The personal data of applicants regarding their criminal record was to be processed by Accurate Background in cooperation with an Amazon branch in India.

What the AEPD Thought of It – Is It “Personal Data Relating to Criminal Convictions”?

The AEPD found this arrangement not to be compliant with the EU General Data Protection Regulation (GDPR). Contrary to the view of Amazon Road Transport, the Spanish data protection authority came to the conclusion that the request of a police certificate of good conduct that certifies the absence of criminal convictions, does constitute processing of personal data relating to criminal convictions in the meaning of Art. 10 GDPR, in that is provides information relating to the existence or absence (as in the present case) of a criminal record of an individual. Such data processing would therefore only be permissible under the control of official authority and with the data subject’s consent, unless it could be based on a specific legal basis according to national law.

But Consent was Obtained…

The AEPD concluded that there was no Spanish law requiring delivery personnel to provide a certificate of good conduct, and it held that there was no valid consent either, since the requested consent, which was required in order to be able to proceed with the application process, was not voluntary.

And what about Legitimate Interest?

The data protection authority did not follow the company’s argumentation that requesting the certificate would be in the company’s legitimate interest in that it would safeguard their customers’ safety and trust. Even if one were to assume legitimate interest as a legal basis (Art. 6 (1) lit. f GDPR), the requirement to submit a certificate of good conduct would be unproportionate in the case at hand, concluded the authority.