On June 10, 2021, the Italian Data Protection Authority, the Garante per la Protezione dei Dati Personali, announced a fine of € 2.6 million against Foodinho s.r.l. an Italian company that offers users an online platform for ordering food delivery, while employing riders to conduct the deliveries. Foodinho is 100% owned by GlovoApp23 SL, a Spanish company.
In a June 2019 review of the company’s handling of personal data of its riders, the Garante determined that the company had infringed several provisions of employment laws and data protection laws and regulation, including the General Data Protection Regulation, as follows:
- Article 5(1)(a), due to
- Foodinho’s failure to state specifically the categories of data it collected from electronic and telephonic communications between riders and the company’s call center;
- Failure to state expressly its practices regarding the processing of the location information of the riders;
- Failure to explain its use of data for the evaluation of riders;
- Violation of the fairness principle, based on Foodinho’s failure to inform the riders or the public of its processing of personal data;
- Article 5(1)(c), the data minimization principle, for using systems that were configured both to collect and preserve all data pertaining to customer orders, and to allow multiple users within the company unfettered access to chat and email content;
- Article 5(1)(e), for storing riders’ location data for 10 months, and customer calls for 4 years;
- Article 13(1)(b) for failing to provide contact details for the DPO;
- Article 13(2)(a) for not providing accurate information regarding the data storage periods;
- Article 13(2)(f) for failing to inform riders of how their data was used to profile and rank them for priority placement in the order queue;
- Various sections of Article 30(1), for failing to provide adequate information about the collection, storage and protection of personal data;
- Article 32, for failing to satisfy the principles of confidentiality, integrity and resilience designed to protect personal data from unauthorized access;
- Article 35, for failure to conduct a data protection impact assessment, in light of the innovative nature of the algorithm employed by the company, and for failure to disclose how the company’s complex algorithm was used;
- Article 37(7), for failure to transmit the contact details of the company’s Data Protection Officer to the parent company, and;
- Section 114 of the Italian Data Protection Code, as well as Article 88 of the GDPR, for processing employee data in contravention of the applicable employment laws.
In addition to the € 2.6 million fine, the Garante’s order requires Foodinho to bring its privacy information notices into compliance with the GDPR and to specify the duration of data storage; to take appropriate measures to protect the rights of employees with regard to automated processing of their data; to implement a mechanism for preventing discriminatory or inappropriate use of data via the company’s algorithm for assessing employee performance, and to apply the data minimization principle correctly. Furthermore, for the first time the Garante promoted the international cooperation procedure laid out in the GDPR, and involved the Agencia Española de Protección de Datos (the Spanish Data Protection Authority, known as AEPD) to verify the compliance of GlovoApp23’s practices with the GDPR by means of an independent proceeding pending in Spain.