Opinion

Italian data protection supervisory authority fines two food delivery companies for non-compliant algorithmic processing

Published Date
Aug 9, 2021
On 2 August 2021, the Italian supervisory authority (Garante) announced that is has imposed a fine of EUR 2.5 million against a food delivery company Deliveroo Italy s.r.l. (Deliveroo) for violation of several requirements of the GDPR. 

Garante clarified that Deliveroo collected a disproportionate amount of personal data of its riders in violation of the principles of storage limitation, data minimisation, transparency and lawfulness under Article 5 of the GDPR. According to Garante’s investigation, the company also used this data for the automated rating of rider’s performance and assignment of work. Garante noted that Deliveroo was not sufficiently transparent about the algorithms used for the management of its riders, for both the assignment of orders and for the booking of work shifts. 

In light of Garante’s findings, and in addition to the EUR 2.5 million fine, Garante imposed a number of corrective measures for Deliveroo to implement in order to address its GDPR violations. These included compliance with transparency requirements and implementing appropriate measures to periodically verify the correctness and accuracy of the results from Deliveroo’s algorithmic systems.

In another recent enforcement action, published on 5 July 2021, Garante fined the delivery platform Foodinho s.r.l (Foodinho) EUR 2.6 million for privacy violations concerning the algorithms used for the management of its employees. Garante concluded that Foodinho:

  • had not sufficiently explained the functioning of its automatic order management system and did not ensure the correctness or accuracy of the results of the automatic algorithm system used to evaluate workers’ performance;
  • had failed to provide workers with ways to challenge decisions made using the algorithm in question, and to guarantee that procedures to protect the right to obtain human intervention were put in place; and 
  • did not comply with other obligations under the GDPR, including conducting DPIAs, appointment of a data protection officer, maintaining appropriate records of processing activities, and implementing appropriate technical and organisational security measures.

In addition to the EUR 2.6 million fine, Garante required Foodinho to implement a series of corrective measures. Garante further highlighted that it had initiated the joint operation with the Spanish supervisory authority (AEPD) to investigate Foodinho’s Spanish parent company, GlovoApp23.

The press release about Deliveroo is available here and the decision is available here (both only available in Italian). The press release about Foodinho is available here, the decision here (both only available in Italian) and the summary on the EDPB website is available here.

 

Content Disclaimer
This content was originally published by Allen & Overy before the A&O Shearman merger