€ 2.6M GDPR fine for privacy breaches performed through the algorithm of a food delivery company

The Italian data protection authority issued a € 2.6 million GDPR fine against, Foodinho, the Italian company of the Glovo group, for privacy violations committed through the algorithm of the rider management App.

Food delivery companies are under the radar of the Italian data protection authority (the Garante) because of the algorithm that manages their riders. This decision is significant for the raised remarks, as outlined below.

The main privacy violations performed through the algorithm challenged by the Garante

The most interesting points of the Italian data protection authority’s decision are:

1. The AEPD, the Spanish data protection authority, is the leading authority, but the Garante has jurisdiction over the specific processing of riders in Italy 📌 This position confirms the restrictive interpretation of the one-stop-shop principle recently validated by the Court of Justice; 
2. The privacy information notice provided to riders was not fully transparent and complete about the modalities of data processing, also because it had an approach based on mere examples and did not indicate the methods of automated processing of personal data through the algorithm used by the artificial intelligence system of the App to which riders could not object 📌 Such an approach confirms the position recently expressed by the Italian Supreme Court which held that if the processing of data through an algorithm is not clearly laid down in the privacy information notice, any given consent is not valid;
3. The precautions provided by Art. 4 of the Italian Workers’ Statute for the remote control system and scoring of riders via the App had not been adopted and, in particular, no measures had been taken to avoid errors and discrimination 📌 As such, the compliance with employment law obligations becomes a condition to ensure data protection law compliance;
4. The appointment of the DPO had not been notified to the Garante, emphasizing that a notification to the lead data protection authority made by the parent company was not sufficient 📌 This is a major point frequently overlooked by multinational companies;
5. Data retention periods were not considered detailed, consistent, and justified, and, on the expiry of the retention period, personal data were not anonymized in a manner ensuring that under no circumstances data can be traced back to the relevant individual, even indirectly 📌 The position of the Garante is important as it expressly challenged any generic wording referring to the retention of data for a period in line with the data protection purposes, requesting to lay down the actual applicable terms;
6. The amount of data collected through the App and the amount of data accessible from each user profile have not been considered in line with the principle of data minimization 📌 Data shall be collected and made accessible within the organization only within limits necessary to achieve the required purposes;
7. The processing carried out through the App required the carrying out a DPIA, which was not performed 📌  A pre-DPIA identifying the data processing activities requiring a DPIA is a pivotal step to be followed by the actual performance of the risk assessments;
8. The record of data processing was not complete and sufficiently detailed 📌 This aspect is often tricky since an over-detailed record of data processing can be impossible to handle. In contrast, a high-level record of data processing does not reflect the actual operations.

What are the lessons learned from the Foodinho decision?

The decision of the Garante goes through quite frequent mistakes that we encounter in reviewing a data processing activity, especially in the case of multinational companies that need to ensure compliance but – at the same time – strive for efficiency. And finding the right balance between the opposite needs definitely is challenging.

However, this decision shows that the Italian data protection authority runs detailed scrutiny of privacy information notices, and a lack of transparency can lead to costly fines.

On a similar topic, you can find interesting “2021 DLA Piper GDPR fines and data breach notifications report“.

Photo by Kai Pilger on Unsplash