g-docweb-display Portlet

Abstract of Italian SA’s order as issued against Foodinho S.r.l.

Stampa Stampa Stampa
PDF Trasforma contenuto in PDF




Abstract of Italian SA’s order as issued against Foodinho S.r.l.

The AEPD had agreed, on 21 November 2019, on the competence of the Italian SA under Article 56(2) GDPR with regard to the processing activities performed by Foodinho S.r.l., which substantially affected the riders who only worked in Italy on the basis of an employment contract with the said company.

On 10 June 2021, the Italian SA issued an order (No 234) against Foodinho S.r.l., a company with registered office in Italy that is partly owned by GlovoApp23; the order was the last step in a proceeding that had been initiated as part of supervision activities. The company in question delivers, by way of a digital platform, food or other goods supplied by retailers following orders placed by customers; to that end, the company relies on dedicated staff (so-called riders). The order by the Italian SA concerns the processing of riders’ personal data.

The order in question established several infringements of GPDR provisions; accordingly, the Italian SA issued several corrective measures and imposed an administrative fine on the Italian company.

More specifically, the following infringements could be found:

a. Regarding the information provided by Foodinho to riders:

- Article 5(1)(a) GDPR was infringed in respect of the transparency principle on account of the failure to specify the following: the actual arrangements for processing location data as detected in the course of the inspection and as opposed to the generic information provided; the categories of collected data with particular regard to the data on the conversations via chats, emails and/or phone calls with the call centre; the evaluation of riders by retailers and customers;

- Article 13(2)(a) GDPR was infringed since the information notice only provided high-level as well as inaccurate information on storage periods and it failed to specify the storage periods for certain data categories;

- Article 13(2)(f) GDPR was infringed since the information notice did not refer to any automated processing activities including profiling, whilst such activities could be found in the course of the inspections and were intended to score riders so as to rank them in terms of priority in booking the time slots as determined by the company for sending delivery orders; additionally ‘no meaningful information was provided regarding the logic of the processing and the importance and consequences of such processing for data subjects’;

- Article 13(1)(b) GDPR was infringed since no contact details for the DPO were provided, although the group DPO was apparently designated by the holding company on 23.05.2019, i.e., prior to the inspections carried out by the Italian SA;

- Article 5(1)(a) GDPR was infringed with regard to the fairness principle, since the obligation to inform employees as part of the employer-employee relations also mirrors the general principle of fairness of processing activities, which has been repeatedly pointed out by the Italian SA.
The infringement of the aforementioned provisions could also be found with regard to the information notice the company published on its website when the Italian SA’s order was adopted. Indeed, the new information notice shows some shortcomings regarding the principles set forth in Article 5 GDPR as well as the requirements made in Article 13 GDPR similarly to the information notice the company had supplied during the inspection.

b. Regarding storage periods:

- Article 5(1)(e) was infringed since the company stores several categories of riders’ data, which were collected for multifarious purposes, throughout the duration of the employment relation as well as until 4 years following termination of employment. Additionally, the routes followed by riders for all orders are stored for 10 months by the company, whilst the so-called external data relating to customer care calls (calling and called party’s numbers, start and end time of the call, waiting time, duration) are stored for 4 years; upon granting of an authorisation by the holding company, the contents of phone calls can be accessed, such calls being stored for three months on a platform that is operated by the Mas Voz Telecomunicaciones Interactivas S.L. company;

c. Regarding configuration of the systems relied upon by the company:

- Article 5(1)(c) GDPR (data minimization principle) and Article 25 GDPR (privacy by design and by default principles) were infringed since the systems relied upon by the company were configured so as to collect and store all the data relating to the handling of orders and to enable authorised operators to jointly and simultaneously use the data collected by both Admin and Customer systems. Furthermore, the chat and email management system was configured to enable each operator to directly access the contents of the chats and emails exchanged with riders without any further steps being required. Of note, there is a considerable number of entities that are authorised by the company to access the said systems on the basis of profiles allowing full access to riders’ data, including detailed information;

d. Regarding the security measures in place:

- Article 32 GDPR was infringed since the systems were configured from inception, i.e. from the start of the company’s business in Italy in 2016, until at least activation of the so-called city permission so as to enable access by default to a substantial number of personal data by a significant number of system operators in connection with a wide gamut of tasks to be discharged by riders. This did not allow ensuring ‘confidentiality, integrity, availability and resilience of systems’ on a permanent basis, taking account of the factual risks due to the ‘loss, alteration, unauthorised disclosure of, or accidental or unlawful access to the personal data’;

e. Regarding the need for a DPIA:

- Article 35 GDPR was infringed since the processing implemented by the company - which concerned a substantial amount of data of various nature relating to a considerable number of data subjects and was performed by way of a digital platform relying on algorithms to match offer and demand - was clearly innovative in nature and fell as such within the scope of the obligation to carry out a data protection impact assessment. The innovative nature of the technology deployed and therefore of the activities performed by the company lies firstly in the fact that labour is also managed through a digital platform whose operation is based on complex algorithms – indeed, the functioning of those algorithms was disclosed only in part. Secondly, the innovative features of the technology relied upon consist in the use of automated processing, including profiling, which significantly affects data subjects on account of the processing of multifarious data, including geolocation data, and the resulting exclusion of some riders from working opportunities.

f. Regarding automated processing, including profiling:

- Article 22(3) GDPR was infringed since the company carried out automated processing activities, including profiling, both within the framework of the so-called ‘excellence system’ and as part of the order allocation system (called ‘Jarvis’); whilst one of the exemptions provided for by Article 22 applied to the specific processing, which was necessary for the performance of a contract between the parties (see Article 22(2)(a) GDPR), it does not appear that the company implemented suitable measures ‘to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention (…) to express his or her point of view and to contest the decision’;

g. Regarding communication of the DPO’s contact details:

- Article 37(7) GDPR was infringed since the company communicated the contact details the group-level DPO to the Italian SA via the ad-hoc online procedure made available on the SA’s website as late as 1 July 2020;

h. Regarding the records of processing activities:

- Article 30(1), letters a), b), c), f), and g) was infringed since it could be established that the records did not include information on several categories of personal data; there was no specific information on storage periods; there was no general description of the technical and organisational security measures referred to in Article 32(1) GDPR; and finally, the records did not allow keeping track of their change history;

i. Regarding lawfulness of the processing:

- Article 5(1)(a) and Article 88 GDPR, and Section 114 of the Italian data protection Code (legislative decree No 196/2003) were infringed since the riders’ personal data were processed by the company as part of the relevant employer-employee relations in breach of the applicable employment laws regulating remote surveillance of employees (Law No 300 of 20.05.1970) as well as of the provisions protecting labour on digital platforms (legislative decree No 81 of 15 June 2015), partly in the light of the relevant Italian case law.

Having found the above infringements, and having regard to the corrective powers set forth in Article 58(2) GDPR as well as to the specific circumstances of the case at hand,  the Italian SA ordered the company to bring their processing operations into compliance with the GDPR in respect of the following:

- The documents containing the information notice, the records of processing operations and the DPIA, by also ensuring consistency among the processing operations referred to therein (Article 58(2) GDPR);

- Specification of the storage periods of processed data (Article 58(2)(d) GDPR);

- Suitable measures to safeguard the data subject’s rights, fundamental freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision, with regard to the automated processing performed via the platform including profiling (Article 58(2)(d) GDPR);

- Suitable measures to regularly check fairness and accuracy of the results of algorithmic systems, partly in order to ensure that the risk of errors is minimised and to comply with Section 47-d of legislative decree No 81/2015 as for the prohibition to discriminate, access to and exclusion from the platform (Article 58(2)(d) GDPR);

- Suitable measures to introduce arrangements that can prevent inappropriate and/or discriminatory applications of feedback-based reputational mechanisms; this assessment will have to be performed each time the algorithm is changed as for the use of feedback information to calculate the scoring (Article 58(2)(d) GDPR);

- Application of minimization and privacy by design and default principles in respect of the entities authorised to access the various data categories, by having regard to the tasks allocated in the individual cases (Article 58(2)(d) GDPR);

- Compliance with the provisions made in Section 4(1) of Law No 300 of 20.05.1970 (Article 58(2)(d) GDPR).

An administrative fine was imposed in addition to the corrective measures pursuant to Article 83 GDPR by having regard to the circumstances of the individual case (Article 58(2)(i) GDPR), amounting to EUR 2,600,000.00.