Home
Blogs

Italian data protection supervisory authority fines two food delivery companies for non-compliant algorithmic processing

Blog Post

09 August 2021

Author

Jane Finlayson-Brown

Partner

London

Livio Bossotto

Partner

Milan

Browse this blog post

Related news and insights

News: 12 January 2024

Allen & Overy advises Dr. Max on the financing for the acquisition of Neo Apotek

News: 22 December 2023

Allen & Overy advises Campari Group on its contemplated acquisition of premium Cognac Courvoisier, valuing Courvoisier at USD1.32 billion

News: 09 May 2023

Allen & Overy advises on a EUR800 million sustainability-linked financing to Campari Group

News: 03 March 2023

Allen & Overy advises on the green real estate financing for Serravalle Outlet Village (Phase 6)

On 2 August 2021, the Italian supervisory authority (Garante) announced that is has imposed a fine of EUR 2.5 million against a food delivery company Deliveroo Italy s.r.l. (Deliveroo) for violation of several requirements of the GDPR.

Garante clarified that Deliveroo collected a disproportionate amount of personal data of its riders in violation of the principles of storage limitation, data minimisation, transparency and lawfulness under Article 5 of the GDPR. According to Garante’s investigation, the company also used this data for the automated rating of rider’s performance and assignment of work. Garante noted that Deliveroo was not sufficiently transparent about the algorithms used for the management of its riders, for both the assignment of orders and for the booking of work shifts.

In light of Garante’s findings, and in addition to the EUR 2.5 million fine, Garante imposed a number of corrective measures for Deliveroo to implement in order to address its GDPR violations. These included compliance with transparency requirements and implementing appropriate measures to periodically verify the correctness and accuracy of the results from Deliveroo’s algorithmic systems.

In another recent enforcement action, published on 5 July 2021, Garante fined the delivery platform Foodinho s.r.l (Foodinho) EUR 2.6 million for privacy violations concerning the algorithms used for the management of its employees. Garante concluded that Foodinho:

had not sufficiently explained the functioning of its automatic order management system and did not ensure the correctness or accuracy of the results of the automatic algorithm system used to evaluate workers’ performance;
had failed to provide workers with ways to challenge decisions made using the algorithm in question, and to guarantee that procedures to protect the right to obtain human intervention were put in place; and
did not comply with other obligations under the GDPR, including conducting DPIAs, appointment of a data protection officer, maintaining appropriate records of processing activities, and implementing appropriate technical and organisational security measures.

In addition to the EUR 2.6 million fine, Garante required Foodinho to implement a series of corrective measures. Garante further highlighted that it had initiated the joint operation with the Spanish supervisory authority (AEPD) to investigate Foodinho’s Spanish parent company, GlovoApp23.

The press release about Deliveroo is available here and the decision is available here (both only available in Italian). The press release about Foodinho is available here, the decision here (both only available in Italian) and the summary on the EDPB website is available here.