On July 5, 2021, the Italian supervisory authority (“Garante”) published an injunction against a company operating a food delivery app (“Company”) over the processing of riders’ personal data with respect to the use of algorithms for the management of the orders. The decision imposed on the Company:

(i) The obligation to take several corrective measures aimed at protecting the riders’ personal data, including preventing inappropriate and/or discriminatory applications of the automated orders;

(ii) An administrative fine of € 2.6 million.

What infringements did the Garante identify?

The Company was found guilty of infringing the following provisions of Regulation EU 2016/679 (“GDPR”):

  • Information provided to the riders pursuant to Article 13 of the GDPR

The Garante found that the Company infringed:

  1. Article 5(1)(a) for failing to comply with the fairness and transparency principles, including for not describing the specific means of showing the riders’ location (i.e. the display of the route taken by the riders and the systematic collection of the location data every 15 seconds), as well as the categories of personal data collected (i.e. the communications made by chat, email and phone with the call center and the evaluation of riders by retailers and customers);
  2. Article 13(2)(a) for failing to provide accurate information relating to the retention period of the personal data (the Garante considered that the information that “the personal data are only processed for the time strictly necessary to achieve the purposes for which they were collected and, in any case, not beyond the termination of the relationship of collaboration” too generic, also considering the type of contractual relationship with the riders);
  3. Article 13(2)(f) for failing to refer to the existence of automated individual decision making, including profiling, pursuant to Article 22 GDPR, including information on the logic involved, as well as the significance and the envisaged consequences of such processing for the riders;
  4. Article 13(1)(b) for not giving contact details of the DPO.

It is worth noting that, among other things, the Garante pointed out that the information notice was not dated and that the personal data processed were listed only on a ‘by way of example’ basis.

  • Retention period

The Garante also assessed the infringement of Article 5(1)(e) with respect to the retention of personal data. Among others, the Garante verified that the Company failed to:

  1. Establish a clear and consistent framework for the retention of riders’ personal data – causing the same processing activities to show divergent retention periods;
  2. Differentiate retention periods when needed as it grouped under the same retention period many different kinds of processing, although only a few of them were strictly necessary for the purpose of the arrangement.
  • Minimization, privacy by design and by default principles

The Company was also charged with the violation of Articles 5(1)(c) and 25 of the GDPR. In particular, the Garante identified, among others, the following problems:

  1. The Company’s systems collect and store all the data relating to the management of the order and allow the authorized operators the simultaneous use of two different applications ̶ one for the management of orders in real time and for the visualization of the order history, the other for the management of problems occurring during the course of the order;
  2. There are a significant number of people authorized by the Company to access the above-mentioned systems with access profiles that allow full access to the data (also detailed ones) relating to the riders.
  • Security measures in place

The Company was also charged with violating Article 32 of the GDPR, since the Garante found that the IT systems adopted and set up by the Company allowed authorized operators to access personal data of riders operating both in the EU and outside the EU, until the Company implemented so-called “city permission”, allowing authorized operators to access riders’ personal data on a territorial basis only.

  • The need for a DPIA

The Garante objected that the Company did not perform a Data Processing Impact Assessment (DPIA) for the processing activities under analysis and, as a consequence, breached Article 35 of the GDPR. In particular, the Garante argued that the processing of a large number of different types of data referring to a significant number of data subjects, carried out through a digital platform based on algorithmic functions, had an evident innovative character. The innovative nature of the technology used and, therefore, of the activity carried out by the Company, lies in the:

  1. Management of the work activity through a digital platform whose operation is based on complex algorithms (the operating mechanism of which has been only partially made known);
  2. Performance of automated processing, including profiling, which processes a multiplicity of data and has a significant impact on those concerned. For example, geolocation data was used to exclude some riders from work opportunities.
  • Automated processing, including profiling

Article 22(3) of the GDPR was infringed since the Garante observed that the Company did not implement:

  1. Dedicated channels for the exercise of the riders’ rights, nor measures to inform the data subjects of their ability to exercise such rights with regard to the decisions taken through the use of the platform;
  2. Technical and organizational measures to protect the data subjects. Such measures should periodically verify the fairness and accuracy of the results of the algorithmic systems, and check whether the data used is pertinent and adequate in order to achieve the purposes pursued. Furthermore, they should minimize the risk of distorted or discriminatory effects.
  • Communication of the DPO’s contact details to the Garante

The Company infringed Article 37(7) of the GDPR since it failed to properly communicate the contact details of the group-level DPO to the Garante.

  • Record of the processing activities

The Garante established infringements of Article 30(1), letters a), b), c), f), and g) of the GPDR since the record of processing activities presented to the Garante did not:

  1. Include the contact details of the data protection officer;
  2. Allow a clear distinction to be made between the categories of data subjects and the categories of personal data processed;
  3. Specifically describe the purposes of the processing activities which utilize the riders’ personal data
  4. Disclose certain categories of personal data which were processed – as later ascertained during the investigation activities;
  5. Clearly provide the retention period of the personal data processed;
  6. Contain a general description of the technical and organizational measures adopted by the Company.

Furthermore, the Garante observed that the Company’s record of processing activities did not include a verifiable indication of the date on which the document was drafted, nor of the first update.

  • Lawfulness of the processing

Article 5(1)(a) of the GDPR, and Article 88 as well as Section 114 of the Italian data protection Code, were infringed, since the riders’ personal data were processed by the Company as part of the relevant employer-employee relations, in breach of the applicable employment laws regulating remote surveillance of employees, as well as of the provisions protecting labor on digital platforms.

How did the Garante quantify the administrative sanction?

Unlike other European data protection authorities, the Garante has not adopted a methodology for quantifying the sanctions to be applied for violations of data protection legislation. Therefore, the calculation is based on the criteria identified by Article 83 of the GDPR.

In the case under analysis, the amount of € 2.6 million was calculated by the Garante on the basis of the following circumstances:

  • The violation concerned the general principles of the processing, including the lawfulness of the processing, as well as further multiple provisions, including those relating to the information notice, exercise of rights in the context of automated processing, including profiling.
  • The processing activities, carried out in breach of the applicable legislation, affected and continue to affect a considerable number of stakeholders (identified by the Garante as 18,864 individuals).
  • The Company’s negligent conduct, as well as the degree to which it failed to comply with data protection regulations in relation to a number of provisions was relatively severe.
  • During the proceedings carried out by the Garante, the Company adopted a corrective measure with reference to the alleged breach of Article 32.
  • There was an absence of specific precedents (relating to the same type of processing) against the Company;
  • The Company only partially cooperated with the Authority during the proceedings.

Although, as mentioned above, the Garante has not defined a methodology for the quantification of the administrative sanctions and albeit each criteria may be considered differently depending on the specific circumstances, they may nevertheless be useful in shedding a light on the elements taken into consideration and deemed relevant by the authority. It will now be interesting to see how the Company will implement the corrective measures ordered by the Garante, especially with respect to the very delicate processing through the use of algorithms.