€2.6 Million GDPR Violation Penalty Imposed on Italian Food Delivery Company

The Italian Data Protection Authority Garante has announced the food delivery company Foodinho has been fined €2.6 Million (U.S. $3.1 million) to resolve violations of the E.U. General Data Protection Regulation (GDPR).

Foodinho, a subsidiary of GlovoApp23, is one of the leading food delivery companies in Italy. The company was investigated by Garante over the handling of the data of its employees and found several infringements of data protection legislation as well as Italian laws governing employer-employee relations.

Foodinho used an app with an algorithmic rating system that was based on a mathematical formula for allocating delivery jobs to riders. The algorithm either prioritized or penalized riders based on their job performance – how many jobs they accepted, fulfilled, rejected, or completed on time. The investigations by Garante revealed the algorithm was discriminating against certain employees which, in some cases, resulted in riders being excluded from work assignments.

The company was also found to have failed to inform its employees about how the system functioned and had not implemented safeguards to ensure the accuracy and fairness of the algorithmic results rating the performance of riders. There were also no procedures in place to allow riders to obtain human interventions, express their points of view, or contest the decisions made by the algorithms.

Article 22 of the GDPR gives data subjects the right to not be subjected to decisions based solely on automatic processing of their data, which includes profiling that has potential to produce legal or other significant effects against data subjects. In this case, the processing and profiling was causing financial harm, as the algorithmic processes were determining how much work an employee was offered over other employees.

Garante has also launched a joint operation with the Spanish Data Protection Authority (AEPD) into the practices of Foodinho’s parent company GlovoApp23.

When calculating the GDPR penalty, Garante considered the severity and extent of the violation. Foodinho employed 19,000 riders in Italy at the time of the investigation to the impact of the violations was considerable. Garante also took into consideration the poor level of cooperation provided by the company during the inquiries and investigation.

In addition to the financial penalty, Foodinho is required to check the accuracy and relevance of data used by the system and to assess the level of data collected by the system, which appeared excessive. The system uses chats, emails, and phone calls between riders and customer care, geolocation recordings every 15-second intervals, route mapping data, estimated and actual delivery times, details about the handling of current and past orders, feedback from customers and partners, device battery level, and more.

Foodinho must also put measures in place to prevent inappropriate or discriminatory applications of the reputational mechanisms based on the feedback from customers and business partners, and must start implementing the recommendations within 60 days. An additional 90 days was given to overhaul its algorithms.