Riders’ personal data – Italian DPA fines Foodinho

Vincenzo Diego Cutugno

In the last few months, the Italian supervisory authority (“Garante per la protezione dei dati personali” or “Garante”) imposed significant administrative fines on two major food delivery companies operating in Italy: Foodinho and Deliveroo. In both cases, the Italian data protection authority (“DPA”) claimed violations of several provisions of the GDPR concerning the processing of riders’ personal data. The measures applied confirm the attention the Garante pays to the processing of riders’ personal data by delivery companies using technological platforms.

Foodinho is an Italy-based company and a subsidiary of GlovoApp23, a Spanish company. It operates a digital platform for on-demand food delivery in Milan. The Italian DPA fined Foodinho 2,600,000 euros for using discriminatory algorithms to manage its food delivery riders. In addition, Foodinho failed to: (a) supply transparent information about how its reputational rating system for riders works; (b) provide a clear and consistent indication of data retention periods; (c) comply with privacy-by-design and privacy-by-default principles in setting up the digital platform; (d) implement appropriate security measures; (e) carry out a data protection impact assessment, mandatory pursuant to Article 35 GDPR; (f) adhere to Article 22 concerning automated individual decision-making, including profiling; (g) comply with other specific Italian labour law provisions.

  1. On the incomplete, unclear and incorrect information:

  • the Italian DPA found that the company provided several information documents that were inconsistent, incomplete, undated and unsigned, with no details on the measures adopted to provide such documents to the riders. Foodinho did not inform the riders clearly and in a timely manner about the processing of personal data and therefore breached the transparency principle (Article 5(1)(a)): the information did not correctly mention:

  1. the actual means of processing of personal data relating to the geographical position;

  2. all the categories of data collected (data relating to communications via chat, email and telephone with the call center, feedback by suppliers and customers);

  3. the data retention periods (Article 13, par. 2, lett. a) GDPR) (“only for the time strictly necessary to achieve the purposes for which they were collected and, in any case, no later than the termination of the collaboration relationship”);

  4. the existence of an automated decision-making process, including profiling (Article 13, par. 2, lett. f) of the GDPR);

  5. the DPO (Article 13, par. 1, lett. b) GDPR), provided that the requirements in Article 37 were fulfilled.

The Italian DPA stressed that, in the framework of a working/professional relationship, the obligation to inform the data subject is an expression of the general principle of fairness (Article 5, par. 1, lett. a) GDPR). Quoting Article 12 GDPR, the Garante recalled that the information provided to the data subject must be “concise, transparent, intelligible and easily accessible”. However, the Italian DPA found that the information documents provided by the food delivery company were inconsistent, incorrect, misleading and unclear and, therefore, Foodinho failed to comply with Articles 5, par. 1, lett. a) and 13 GDPR.

  2. On the data retention period: the Italian DPA identified the following violations:

  • the company failed to define clear and consistent data retention periods;

  • the company identified a single storage term for different categories of personal data and purposes of processing;

  • the criteria used to define the retention periods were indeterminate in nature: as a matter of fact, failure by one of the parties to expressly terminate the working relationship would imply the persistence of the processing;

  • with respect to the storage period of the routes followed by the riders (10 months), the company did not provide any specific reason why this term was chosen and considered appropriate.

Foodinho, therefore, breached the storage limitation principle (Article 5, par. 1, lett. e) GDPR), which states that data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

  3. On privacy-by-design and privacy-by-default: the Italian DPA stated that Foodinho failed to configure the digital systems in compliance with the principles of “privacy by design” and “by default”. In particular, the Garante held that an excessive number (more than necessary) of subjects was authorized to have access to the personal data of the riders, consequently in breach of the principle of data minimization (Article 5, par. 1, lett. c) and of Article 25.

  4. On the data security breach: the Garante decided that the systems were not configured in a way to ensure the “ongoing confidentiality, integrity, availability and resilience of processing systems and services” and, in general, an adequate level of security in accordance with existing and foreseeable risks which may cause “loss, alteration, unauthorised disclosure of, or access to, personal data”, as they allowed any “operation” employee to have full access to the data of all the riders operating both in the EU and outside the EU (breach of Article 32).

  5. On the impact assessment: the food delivery company did not carry out an impact assessment, although the requirements of Article 35 were met (the processing was considered to be likely to result in a high risk to the rights and freedoms of natural persons, taking into account the nature, scope, context and purposes of the processing itself). The Italian DPA held that the digital platform may result in risks for the rights and freedoms of the data subjects as the processing activities relate to the “evaluation of certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, […], reliability, behaviour, location or movements, in order to create or use personal profiles; where personal data of vulnerable natural persons, […], are processed; or where processing involves a large amount of personal data and affects a large number of data subjects […]; where the processing may give rise to discrimination” (see recital 75 GDPR).

  6. On the automated processing including profiling: according to the Garante, Foodinho carries out automated processing, including profiling, through its “system of excellence”. This system assigns a score to each rider by applying specific and predetermined parameters, which allows him/her to have priority access in choosing the slots. More precisely, the system of excellence uses a formula which has a negative effect on riders who do not promptly accept the order, who refuse it, or who do not actually complete a certain number of deliveries, and a positive effect on those who accept and deliver more orders. In addition, the system for assigning orders to riders, called “Jarvis”, is an algorithm which uses the geographic position of the rider and other relevant details. In this regard, the Italian DPA concluded that Foodinho did not “implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision” (Article 22 GDPR), breaching Article 22, par. 3, GDPR.

  7. On the record of processing activities: the record did not comply with the provisions of Article 30 of the GDPR for the following reasons:

  • there was no indication of the DPO;

  • the document was imprecise and unclear;

  • some categories of personal data processed were not included (e.g. communications between riders and customer care, external data relating to phone calls, data used in the framework of the excellence system, data relating to order details, etc.);

  • the storage periods were not clearly stated;

  • technical and organizational security measures were not indicated.

  8. Statute of workers: the Italian DPA determined that some provisions of the Italian Statute of Workers (precisely, Article 4 of Law n. 300/1970) shall apply. The company carries out some invasive monitoring activities of the riders through the geolocation of the device and other technological tools (in ways that go beyond what is necessary to assign the order to the riders) and by collecting and storing a variety of additional personal data during the execution of the order, including communications with customer care. Such activities lead to a violation of the principle of lawfulness (Article 5, par. 1, lett. a) GDPR), of Article 114 of the Italian Privacy Code and Article 88 GDPR.

Vincenzo Diego Cutugno, Lawyer – Data Protection Officer, Carone & Partner Feder Privacy; Provincia di Milano, Lombardy, Italy
