Garante per la protezione dei dati personali (Italy) - 10074601
From GDPRhub
| Garante per la protezione dei dati personali - 10074601 | |
|---|---|
 | |
| Authority: | Garante per la protezione dei dati personali (Italy) |
| Jurisdiction: | Italy |
| Relevant Law: | Article 5(1)(c) GDPR Article 5(1)(d) GDPR Article 5(1)(a) GDPR Article 6 GDPR Article 9(2)(b) GDPR Article 13 GDPR Article 14 GDPR Article 22(3) GDPR Article 25 GDPR Article 28 GDPR Article 32 GDPR Article 35 GDPR Article 88 GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 13.11.2024 |
| Published: | |
| Fine: | 5,000,000 EUR |
| Parties: | Foodinho |
| National Case Number/Name: | 10074601 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Italian |
| Original Source: | Garante per la Protezione dei Dati Personali (in IT) |
| Initial Contributor: | elu |
The DPA imposed a €5,000,000 fine to the food delivery company Foodinho, part of the Glovo group, due to numerous and continuous violations of the GDPR concerning geolocation, rating and shift attribution.
English Summary
Facts
In this case the controller is Foodinho a food delivery company managing the service “Glovo” in Italy. This company is owned by Glovoapp23 SA, a Spanish holding. The DPA started its investigation following the death of one of its employees while he was delivering food.
The controller uses an online platform provided by Glovo ES (appointed as processor) to manage its employees and the deliveries. This platform allows to see a map of every place in the World where Glovo operates and the live location of each employee. The controller, by clicking on a “rider”, can view their location, the time slots in which they are available, the deliveries they performed and the track they followed.
The investigation showed that this geolocation function was active, in some cases, even outside working hours and when the app was not active. Moreover, the controller implemented a facial recognition function for identity verification purposes, provided by a processor, Jumio Corporation. According to this procedure, the data subjects (employees) needed to upload an ID card and take a selfie of themselves. After that, the data subjects were asked to take a selfie in random occasions. If they refused to do so, their possibility of getting further delivery time slots was blocked.
The controller argued that this processing was necessary to comply with Article 23 of the applicable collective agreement, stating that it’s forbidden for the employees to be replaced by a third party.
Furthermore, the investigation showed that the controller’s software allowed to rate the data subjects. The controller argued that this rating function is not active for Italy.
Holding
The DPA considered that the data processing is made by Foodinho, who fits the definition of controller as it decides the purposes and means of processing, as laid out in the privacy notice given to riders and in the contract with GlovoApp 23 SA. The case at hand does not concern a cross-border data processing activity as the data processing happened in the context of contracts stipulated by an Italian entity, having legal autonomous legal personality and registered in Italy. Thus the Italian DPA is competent to rule on this matter.
Once notified of the death of the rider, the controller set the status of the rider as “disabled” with an explicit note in description. The automatic notification was considered a mistake due to human error. The DPA found that the notification was not due to human error as, even if the deactivation of the account was done manually after the rider´s death, the message sent automatically is a product of the system settings of the company. Such automatic sending violates Article 5(1)(a), (c) and (d) GDPR and of Article 25 GDPR.
The DPA considered that the data processing, through the automatic and independent sending of a message without regards to the concrete circumstances of the deactivation of the account, shows that the controller did not put into respect the relevant data protection principles. Article 13 GDPR was violated as the controller failed to produce the relevant documents and, contrarily to what was claimed, did not use a “layered approach” to the provision of information. In fact, the absence of a coherent layered approach, as well as the lack of coordination between the different documents provided made it impossible to the requesting parties to have a clear overview of the types of data processing that the controller puts into place on personal data. Thus, as the controller did not provide information in a complete manner and did not provide them in a concise, transparent, intelligible and easily accessible form, the DPA found a violation of Article 13 GDPR.
The controller put forward four versions of their data privacy notice from 13-14 December 2022 to 29 February 2024. All of these versions present the same points of concern:
- The controller did not indicate specifically the categories of data that the controller processes, such as those related to handling orders chat and emails between riders and customer care.
- Different legal basis are mentioned even if, at point 4, the main legal basis is “processing necessary for the performance of a contract” as per Article 6(1)(b) GDPR.
- With regards to geolocation, vague legal bases like “fight against terrorism”, “money laundering” and “crimes against public health” were used, even if no reference to them is made anywhere else. In fact, the formulation of the notice does not allow to understand the scope of processing of geolocation data. While it is stated that the controller can process such data only when the rider activates the geolocation function while working, in practice the investigation found that GPS is active even when the app is in the background and, until August 2023, even when the app was closed.
A violation of Article 28 GDPR was found due to the designation of riders as “controllers”. This is unlawful as in concreto, riders do not have the characteristics to fulfil that definition.
The presence of automated decision making processes, such as the “excellence system”, the “shift assignment”, the “rating” of riders, the “deactivation and blocking of accounts” as well as absence of appropriate safeguard measures, brought forward a violation of Articles 5, 22(3) and 25 GDPR.
A violation of Articles 5(1)(a) and 9(2)(b) GDPR was found due to the linking of the processing of biometric data to the access to the rider´s account as well as the access to the available shifts.
Furthermore, the DPA considered that the controller failed to take into account the results of the already made DPIAs, i.e. the one dated October 2020 and the one of February 2024, as per Article 35 GDPR. The fact that the DPIA does not take into account the lawfulness requirement, especially with regards to the processing of biometric data in the context of employment relations. Article 32 GDPR was also violated as, during investigations it emerged that operators of controllers can access to personal data of riders working for other enterprises belonging to the Glovo group and active in different countries, both in and outside the EU.
Additionally, the DPA considered that Article 5(1)(e) GDPR was violated as the controller stores for 36 months the recordings of cellphone calls with riders. The grounds behind such processing are, according to the DPA, not aligned with such a long retention period.
The DPA also found that the controller shared personal data of the riders with third parties, among which Google Firebase, Braze and mParticle. This sharing violated Articles 5(1)(c), 6, 13, 14 and 25 GDPR.
Finally, the DPA found a violation of Articles 5(1)(a) and 88 GDPR as the modalities through which the controller organizes and handles its delivery service, i.e. the geolocation policy and assignment of shifts based on the “excellence” ranking are not “inextricably linked” to the activity but instead simply part of the organizational model chosen by the controller. To further confirm this, the DPA explicated that no element proves that the tasks of riders cannot be fulfilled without the technological instruments and modalities used by the controller.
Given the continuous duration of the violations, the extent of data subjects involved, the malicious character of the breach, the aggravating factor of having had a former decision and the level of gravity of the damage to data subjects in question, the DPA deemed it appropriate to impose a fine of €5,000,000.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
SEE ALSO: Press release of 22 November 2024
[web doc. no. 10074601]
Measure of 13 November 2024
Register of measures
no. 675 of 13 November 2024
THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA
IN today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members and Councillor Fabio Mattei, Secretary General;
SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, “Regulation”);
HAVING SEEN the Personal Data Protection Code, containing provisions for the adaptation of the national legal system to Regulation (EU) 2016/679 (Legislative Decree 30 June 2003, no. 196, as amended by Legislative Decree 10 August 2018, no. 101, hereinafter “Code”);
HAVING SEEN the inspections carried out at the registered office of Foodinho s.r.l. on 13 and 14 December 2022, 28 February, 1 March, 26 and 27 July 2023;
HAVING EXAMINED the documentation in the files;
HAVING SEEN the observations formulated by the Secretary General pursuant to art. 15 of the Guarantor's regulation no. 1/2000;
REPORTER Prof. Ginevra Cerrina Feroni;
WHEREAS
1. The inspection activity against the Company.
The Authority, following the publication of news reports regarding the disconnection of the account of a rider, Sebastian Galassi (S.G.), who died following a road accident that occurred in Florence on 1 October 2022, while making a delivery on behalf of Foodinho s.r.l. (hereinafter, the Company), within the scope of a proceeding initiated ex officio, has delegated to the Special Unit for the Protection of Privacy and Technological Fraud of the Guardia di Finanza the carrying out of inspections, carried out on 13 and 14 December 2022, 28 February and 1 March 2023, aimed at acquiring information, exhibiting documents and accessing databases pursuant to articles 157 and 158 of the Code.
On 26 and 27 July 2023, following the receipt of a report concerning the processing of riders' data by Foodinho s.r.l. through the Glovo Couriers application, a further inspection was carried out at the Company.
During the inspections of 13 and 14 December 2022, the Company declared that:
“the Glovo platform is owned by the Spanish company Glovoapp23 SL; Foodinho s.r.l. […] uses said platform […] to manage the riders' activity; the latter […] are assigned an account […], in order to provide the home delivery service” (see the minutes of operations carried out on 13/12/2022 cit., p. 3);
following access to the Glovo platform by an operator with the qualification of Head Operations of the Company, it emerged, among other things, that “the «Live Map» section allows you to view the map with the indication of the area of interest (any city in the world where Glovo operates), the orders (position of the commercial establishments), couriers (position of the riders) and the stretch, as the crow flies between the commercial establishments and the couriers”; “the map and the consequent positioning of the riders are constantly updated”; “by clicking on the courier icon, among the information that appears on the screen, there is: the numeric code of the courier, the telephone number, the vehicle used and the time slot of availability for its use”; “by clicking on the numeric code of the courier, the platform shows all the personal data of the rider and the documents relating to him that he has provided to start the collaboration relationship, together with the information relating to the orders taken in charge and the deliveries made”; “the «Jumio details» section concerns the procedure for verifying the identity of the courier via facial recognition, disabled in July 2022”; “the status of the rider [S.G.]’s account is «DISABLED (Reason-other)»”; “the courier’s status can be blocked, temporarily blocked or disabled by obligatory flagging one of the reasons (reason) provided”; “among the reasons cited, death or deceased is not indicated, which is why other was indicated to disable the account of [S.G.]”; “the platform stores the personal data and documents of riders with accounts deactivated since 2016”; “the information also includes the maps relating to the deliveries carried out which in 2017 show the start and end of the route without indicating the route taken by the rider, since October 2018 the route taken by the rider is also shown” (see the minutes of operations carried out 14/12/2023 cit., p. 7).
With a note acquired on file on 27 December 2022, and related attached documentation, the Company, in order to resolve the reservations formulated during the inspection, further stated that:
“The deactivation of the account [attributed to S.G.] had the purpose of disabling access to the Courier's profile at the time the incident occurred, in order to prevent third parties from using the account […]. The deactivation was not carried out by any automatic system, but manually by an employee of the Company, a member of the dedicated team, as soon as Foodinho S.r.l. became aware of the incident. […] after the account […] had been manually deactivated, the message concerning the deactivation of the account was automatically sent, by the system to the Courier, by mistake, since such deactivation did not originate from any violation of the Terms and Conditions, and furthermore there was no standard ad hoc response for such a dramatic situation” (see note of 27/12/2023 cit., letter B);
“[in] the “Expert Report on the “Grievance Process” […] the necessary manual intervention is highlighted for both the activation and deactivation of the Couriers’ account” (see note cit., letter B);
“the consequence of the deactivation of the account is that the Courier can no longer use it. Usually, deactivation is a permanent measure, but if reactivation is requested […], the request is taken into consideration and can be assessed” (note cit., letter E);
with regard to the “account monitoring” indicated in point 5.4.2 of the “Terms and conditions of use of the Glovo platform for couriers” the Company declared that “The monitoring, which is neither continuous nor systematic, is carried out through some dashboards used by the Ops Team, and is aimed at detecting potential improper uses of the Glovo Platform” (note cit., letter F);
with reference to the provisions of art. 47-quinquies, of Legislative Decree no. 81/2015 the Company declared that “a) accounts are never deactivated based on failure to accept the service; b) the reassignment of orders does not affect the Courier's possibilities of obtaining orders available in the APP, nor in any way on the score; c) Couriers are never excluded from the selected time slot based on refusal to carry out the activity” (note cit., letter G);
“Foodinho S.r.l. is the Data Controller of the personal data of Couriers operating in Italy while, in relation to such personal data, Glovoapp23, S.A. is appointed Data Processor” (see note cit., letter H);
“Foodinho S.r.l. uses the support of external call centers, Meritus Upravljanje, d.o.o. (MPLUS) and Comdata S.p.A. (COMDATA), limited to the Courier onboarding activity (MPLUS) and real-time Courier assistance (COMDATA). These call centers act as sub-processors pursuant to [the] data processing agreement […], as the relationship between them and Glovoapp23, S.A. and their services are provided to Foodinho S.r.l. pursuant to the License Agreement” (see note cit., letter I);
“subsequent to the delivery of orders to Customers by the Couriers, the APP allows the Customer to enter their […], both on the Courier side and on the Local Business side” (see note cit., letter J);
“through their account, the Couriers have the ability to view the metrics received in light of the delivery activity they provide to other users (Customers and Local Businesses), both thumbs up (i.e., good service) and thumbs down (i.e., bad service), although it is not possible to connect the metrics received to specific users or orders. In the event that the Couriers do not agree with the metrics they have received from the Customers, they can contact the Live Operations Support Team ("Live Ops Team") of Foodinho S.r.l., filing a general dispute” (see note cit., letter O);
“the Privacy Policy is made available to Couriers at various times: ● when they register for the first time on the APP, ● each time they access the APP, ● when they sign the contract” (see note cit., letter P);
with reference to the information provided by art. 1-bis of Legislative Decree 26/5/1997, n. 152, as amended by art. 4 of Legislative Decree 27 June 2022, n. 104, regarding the excellence score, some information is provided during the onboarding process on the Glovo platform through a video, through the website and the newsletter, during “voluntary meetings” as well as through what is indicated in the contract; furthermore “With regard to the offer of orders, more information is provided to Couriers through the Courier Assistance Center” (see note cit., letter Q);
“current number of “Active Couriers” using the APP in Italy as of January 2022: 36,545 (“Active Couriers” means any Courier, registered in the APP, who has placed at least one order using the Glovo Platform since January 2022. […]). Number of Couriers who have started using the APP in Italy since 1 August 2022: 7,405 ([…] this number refers to the definition of “Active Couriers” […])” (see note cit., letter R);
“Foodinho S.r.l. started processing biometric data of Couriers on 23 November 2020, as part of the first tests relating to the authentication procedure […] Foodinho S.r.l. has stopped using this authentication procedure and, consequently, collecting and processing biometric data of Couriers starting from July 2022” (see note cit., letter S).
During the inspections of February 28 and March 1, 2023, carried out in continuation of the activity carried out against Foodinho S.r.l. on December 13 and 14, 2022, following access to the platform and the declarations made by the Company, it emerged that:
as a result of access to the Glovo platform carried out by an operator with the qualification of Head Operations of the Company, it emerged, among other things, that "the system [...] allows [...] to search for each Italian city all the accounts of the riders disabled from the origin of the same platform to date" (see the minutes of operations carried out on 28/2/2023, p. 3);
following access to the Glovo platform carried out by an operator with the qualification of Operations Analyst of the Company, it emerged, among other things, that "the accounts of riders, operating in Italy, deactivated in the period 1 January 2022 - 31 December 2022, is 6,369, while the number of blocked accounts, in the same period, is equal to 53,861" (see the minutes cited, p. 4);
"the Grievance process in the event of the initiation of the deactivation procedure, consists of two communications. The first [...] consists of an email that is notified to the rider concerned, in which a potential fraudulent use of the platform or other event is represented [...] it is made explicit to the rider that he has a term of six days to present his counter-arguments, furthermore he is informed that pending a response his account is temporarily suspended. [if the rider does not respond] once the six-day period has elapsed, a second email is sent, internally identified as a termination letter (deactivation), informing the rider of the account deactivation. [if the rider responds, however] the counter-arguments are analyzed [by] the operations team. If they are considered suitable, they proceed to send a communication to reactivate the account. Otherwise, they proceed to send the termination letter (account deactivation) by email. Otherwise, the blocking process requires sending a communication by email to suspend the account directly to the rider, who is informed of the need to carry out a specific action, for example the request to open a VAT number, or the need to provide for the deposit of cash at the authorized points in the city. […]. If the documents are considered suitable, the rider obtains the reactivation of the account. This phase of the blocking process is manual, unlike the first in which the blocking communication is automated” (see minutes 1/3/2023, p. 6, 7);
“with reference to the communication received from Mr. [S.G.], however, it does not fall into any of the previous cases. This communication is sent, in addition to one of those previously mentioned, with each change in the rider’s status. […] [In this case], given the circumstances, the sending of this communication is due to human error” (see minutes cit., p. 7);
“the retention periods of riders’ data have been updated, as indicated in the new privacy legislation made available online and on the basis of the timeframes set out in the Italian Civil Code. […] the data is not retained for more than 10 years from the moment in which the purpose of the processing has been achieved. [the ten-year term] also extends and applies to data relating to geolocation […]” (see minutes cit., p. 8);
“the excellence score is made up of four parameters that are taken into consideration in relation to the last 28 days of use of the platform, even if not consecutive (hereinafter, the “Reference Period”). Each parameter ranges from 0 to 5, as does the overall excellence score. Likewise, each parameter, as well as the overall excellence score, is normalized in relation to the entire fleet of the city (e.g. if a parameter or the lower overall score in the reference rider population is 4 and the higher is 5, all values from 4 to 5 will be normalized from 0 to 5). These parameters have a different weight depending on the city. Specifically: “contribution” parameter ([...] “Sum Seniority Normalised” […]): takes into account the number of orders delivered in the Reference Period; “no show” parameter ([…] “Sum No Show Normalised” […]): takes into account the number of times the rider booked a slot but then did not check in in the Reference Period. […] the slot reservation takes place twice a week, on Mondays and Thursdays at 4 pm, […]; the rider has the possibility to check-in starting from 25 minutes before the slot start time up to 10 minutes after that time; furthermore, the rider can cancel the slot reservation up to one minute before the start time (regardless of having checked-in previously) without any penalty; “customer rating” parameter ([…] “Sum Customer Rating Normalised” […]): takes into account the feedback received exclusively from the customer […] due to the rider in the Reference Period […]; “high demand slot” parameter ([…] “Sum High Demand Normalised” […]): takes into account the time in which the rider is working in comparison to the total time on the HD slots (i.e. high demand slots) that occur weekly. “High demand slots” are those where there is a greater influx of orders and amount to six hours per week, which generally correspond to three hours for dinner on Saturday and three hours for dinner on Sunday” (see minutes cited, p. 8, 9);
“the parameters […] have a different weight in each city. For example, the weights for Florence (applied to the account of [S.G.]) are: a. Contribution: 45% b. No show: 5% c. Customer rating: 33% d. HD slot: 17%. Finally, the overall excellence score has a progressive and increasing weight in the Reference Period (e.g. the most recent performance has a more significant score than that of 28 days ago)” (see minutes cited, p. 9).
With a note acquired on file on 16 March 2023 and related attached documentation, the Company, in order to resolve the reservations formulated during the inspection, also specified that:
“each type of blocking communication is based on specific categories of data collected […]: [in relation to] Cash Balance […] the system only tracks the amount of money in the possession of the Courier”; [in relation to] Medical checks […] the “data collected relate to the number of deliveries made in the previous 50 days”; [in relation to] Limit 5K […] the “data collected are those relating to the compensation received by the Courier”; [in relation to] Expired documentation […] the “data collected are the expiry dates of the documents provided by the Courier for the activation of the account”; [in relation to] INAIL accident […] the “data collected are related to the circumstances of the accident and the prognosis”; [in relation to] Mandatory trainings” […] the “data collected is the activation date of the Courier’s account”. (see note 16/3/2023, letter e);
“in cases where the identification of a […] situation […] by the Company (i.e. in the absence of complaints or disputes by users) could trigger the sending of a […] deactivation communication to the Courier, the data on which such […] communication is based are extracted from the Company’s systems thanks to some queries carried out periodically.” (see note cit., letter f);
“the Glovo Platform is […] managed by GlovoApp23 S.A. and provided as a standard tool to all companies in the group […]. Therefore, some of the features and, therefore, some items that are used for the deactivation and blocking of the Couriers’ account in some countries are not […] used in others. With regard to Italy […] the two items in the question (i.e. "Many reassignments" and "Bad rating") are not actually used in Italy, neither for blocking nor for deactivation, although they appear as potential reasons for blocking in our IT systems” (see note cit., letter g);
“in any case, in order to avoid potential improper use of the Glovo Platform, the Company has asked GlovoApp 23 S.A. to deactivate such reasons in Italy” (see note cit., letter g);
with regard to the "Live Map" section, in relation to the profile used to access, in particular how many similar profiles, with the possibility of cross-country access, are active overall on the Glovo platform, the Company has declared that “the employees of Foodinho, S.r.l. as well as the agents employed by COMDATA and MPLUS (hereinafter, "Live Ops Provider/s"), can have access to the "Live Map" section (permission "livemap.view"). […] As regards the employees of Foodinho S.r.l. who are granted access to the "Live Map" section, the main teams granted the "livemap.view" permission are […] Team Ops […] Legal Team […] BIN Data […] IT Team […] Teach Team […] Live Ops Team […] Finance Team […] Expansion Team” (see note cit., letter j);
“as regards the external agents hired by COMDATA and MPLUS, the number of agents who have access to the "Live Map" section (permission "livemap.view") is […]: COMDATA or Agents: 82 or Team Leads: 7 • MPLUS or Agents: 149 or Team Leads” (see note cit., letter j);
“chat and e-mail are the preferred channels used by agents to get in touch with the Couriers. Voice recording can only take place if the agent concerned needs to contact the Courier directly” (see note cit., letter m);
“each team of agents has access only to conversations that took place in their own country of competence […] the retention period for conversations is 36 months” (see note cit., letterm);
“the purposes pursued through the processing of voice recordings are: • Quality • Evaluate the service provided by the local provider (COMDATA and MPLUS); and • measure compliance with the agents' process when supporting the Couriers. • Legal • have documentary support of all interactions carried out with a third party in the event of a complaint or process. • Manage and respond duly to requests made by the competent authorities […] and law enforcement […]. • Correctly manage and document the correct fulfillment of requests from data subjects, including requests for access and deletion of data pursuant to the GDPR” (see note cit., letter m);
“on 23 December 2022, the Company published a new privacy policy also updating the retention periods […]. The privacy policy shared […] during the inspection of 28 February-1 March is the one now published on the website. Subsequently, the Company realized that the privacy policy included in the contract with the Couriers had not yet been updated and therefore updated the retention period of that policy as well. Now the standard retention periods provided for in both privacy policies are aligned and do not provide for retention periods exceeding 10 years” (see note cit., letter n);
“with specific reference to geolocation data, they are stored on an AWS server located in Ireland. The stored data are associated only with the Courier ID (pseudonymization). The data are necessary to correctly quantify the Couriers' earnings and are also stored to justify the amount of the invoices issued by the Couriers in the event that this is required by the Tax Authorities or, in general, is necessary in proceedings or inspections in the field of labor law” (see note cit., letter n);
with regard to the processing of biometric data of riders, it is specified that “Information relating to facial recognition is provided to Couriers in the privacy policy and is also available at [l] link […]" Facial recognition - Italy (glovoapp.com). The software provided by the company Jumio Corporation (“Jumio”) as data controller […] is structured in two phases” (see note cit., letter p);
“the first phase involves the Courier receiving a message on his mobile phone in which he is asked to scan an identity document (with a photograph of himself) and, subsequently, to take a "selfie". […]. The data in the document will be checked taking into account the information already provided by the Courier during account activation. The photograph will be verified with the images contained in the document. The first "selfie" will be stored in the database and will be used as a reference for the next time facial recognition is necessary” (see note cit., letter p);
“the second phase involves, after the first recognition and randomly, the Courier being asked to perform the recognition through a "selfie". The Courier is also informed that the recognition is mandatory and that failure to perform it may lead to the deactivation of the account […]. In any case, if the Courier does not perform the recognition or in the event of failure to perform the recognition before the account is deactivated, the calendar through which the Courier books the slots will be blocked and the Courier will be asked to proceed with the recognition to reactivate the calendar” (see note cit., letter p);
“the processing of biometric data is necessary to fulfill the obligations in terms of labor law, safety and social protection undertaken by the data controller pursuant to Article 23 […] of the CCNL Rider” (see note cit., letter p);
“the Company has suffered from internal bugs that automatically closed the flow in the App […]. These "closures" of the App resulted in a "FAILED" attempt from the backend point of view and, consequently, led to potential unjustified blocks of the Couriers' profiles. For this reason, it was necessary to interrupt the Jumio verification process for some time" (see note cit., letter q);
"the Jumio test currently underway consists of the following phases: 1. at the beginning of February, an initial activation of facial recognition was carried out on 3.28% of the Couriers active in Italy. 2. On February 20, it was extended to 18.33% of the active Couriers. 3. On February 27, it was activated on a smaller percentage equal to 15.55%. 4. On March 13, the test was extended to 32.61%. 5. Starting from March 27, Foodinho S.r.l. plans to activate facial recognition again on all active Couriers. The test consists of requesting facial recognition once a day to all the Couriers involved and checking if there are errors in the process” (see note cit., letter q).
On March 17, 2023, the Company specified that, “in resolution of the reservation included in the response referred to in letter J of the response to the request for information […], the current number of employees who have the active “livemap.view” permission is 65”.
Following the receipt of a report on July 7, 2023, concerning the processing of riders’ data by Foodinho s.r.l. through the Glovo Couriers application, after merging the proceedings, a further inspection was carried out at the Company on 26 and 27 July 2023.
During the inspection it emerged that:
by accessing the web portal https://couriers.glovoapp.com/it/ to verify the content of the information provided to riders, it was verified that "the link immediately below the access form, under the label: "By selecting the button, you accept" is not accessible, while the information present at the link at the bottom of the page, in the "Legal Notes - Privacy Policy" area, is updated to 2019 and is not available in Italian" [...] The information present at the appropriate link at the bottom of the "Terms and Conditions" document was therefore displayed, which instead appears to be updated to December 2022" (see minutes 26/7/2023 cit. p. 3);
by accessing the Glovo courier app, it was verified that “even in this case the information is not accessible from the “Privacy Policy” link, while it is accessible from the “Terms and Conditions” link (version of 29 April 2022)” (see the minutes cited, p. 3);
with regard to what is reported in the “Terms and Conditions”, the Company specified that “this document also contains some elements regarding the privacy information for couriers, in particular in paragraph 9 […] with regard to the communication of data to third parties and the categories of recipients in the context of the use of the Glovo platform. The text of the “Terms and Conditions” also includes a link to the full text of the general privacy information on the website https://glovoapp.com/it/legal/privacy. In this document, the company indicated the characteristics of the communication of riders’ data to third parties […]. The documents indicated must therefore be read together for a comprehensive picture of the treatments carried out by Foodinho towards the couriers” (see minutes cited p. 3);
furthermore “the riders are provided with the complete privacy information also within the work collaboration contract” (see minutes cited p. 3);
with reference to the absence of the information for the riders placed at the bottom of the access form on the relevant portal and in the app, the Company represented that “what was detected is probably caused by a broken link” (see minutes cited p. 3);
with reference to the failure to load the page of the information for the riders “the event is attributable to a human error that occurred during the migration of the CMS from ButterCMS to Prismic. […] after the report by the Glovo legal team following what emerged during the investigation, the content of the page was corrected […]. In the period between July 20 and yesterday, the content of the page was not correctly made available” (see minutes of operations carried out on 7/27/2023, p. 2);
“Glovo has a contract with Braze, aimed at sending commercial communications via email, from which the rider can unsubscribe via opt-out” (see minutes cited p. 4);
the backend of the Glovo courier app was accessed to verify the third-party SDKs used and the data communicated; it was verified that the courier data sent to Braze are the email address, the courierID identifier and the telephone number (see minutes cited p. 4);
“the courier’s telephone number is sent to Braze only if present in the Glovo backend” (see minutes cited p. 4);
“in addition to the data explicitly sent by the Glovo Courier app to the third parties Braze, Firebase, mParticle […] other data may be communicated, through the SDKs made available by these third-party companies that the app uses” (see the minutes cited, p. 3);
it was also verified that the data sent to mParticle consists of the courierID and that the data sent to Firebase consists of the characteristics of the device, the operating system and the courierID (see the minutes cited, p. 4);
regarding the data relating to the telephone number, “this data is communicated to Braze for riders operating on Italian territory” (see the minutes cited, p. 2);
regarding the communications sent by Braze to the couriers, “in addition to commercial issues, this entity may also send riders communications relating to the functioning of the service (so-called transactional). In any case, the rider may opt-out of receiving messages” (see the minutes cited, p. 2);
as regards the rating, the party stated that it was not aware of the meaning of this parameter used by the app (see the minutes cited, p. 3);
by accessing the backend of the Glovo courier app, to verify the data exchanged between the app and the backend, it was verified that "both the excellence score and the "rating" are present among the exchanged data" (seeminutes cit., p. 3);
by accessing, via the backend of the Glovo systems, the databases used by the Company, for the purpose of storing information on riders, the fields of the table relating to riders were displayed and the table relating to the excellence score was displayed (see minutes cit., p. 3);
“the rating is a variable used by the excellence score” (see minutes cit., p. 3);
by accessing the database that stores the values relating to the rating scores, to view the information present, it was verified that “the database, in the courier_rating table, reports the values of the rating score, calculated on the basis of user feedback. The filtered table on riders operating in Italy was displayed” (see minutes cit., p. 4);
the query performed on riders operating in Italy was exported (see minutes cit., p. 4);
the Company stated that “the rating value in the courier_rating table is a value, from 0 to 1, used by the company in relation to the so-called flex business model which does not apply in Italy. The value is generated by the system even for riders operating on Italian territory […] the value used by the app backend is data left over from a previous version of the app, deprecated since 2021, and no longer used. From that moment on, the backend assigns a fixed value to the rating equal to 4.5 to each courier, by default” (see minutes cited, p. 4);
furthermore “the geolocalization of the courier is performed only when the courier is registered to a slot (countries with a free lance model) or is online on the app (countries with a flex model). If during this time the courier puts the app in the background, the localization continues” (see minutes cited, p. 4);
in order to verify the evidence presented during the inspection activity, the reporters accessed the backend of the Glovo Courier app. In particular, the response to the call to the backend systems endpoint was displayed, with the credentials of an operator with operations qualification and it was verified that the value of the rating variable is equal to 4.5 (see the report cited, p. 4);
“the app integrates Google Maps, which collects the rider's position according to its own timing, even when the rider is not active in the slot. This information is not used by the company, although it is received on its systems […]. Furthermore, in 2021, the command used to start tracking the couriers had a bug, which may have generated continuous geolocalization” (see the report cited, p. 5);
“the cases listed [by the Company] before the Court of Palermo [labor section, dated June 20, 2023] entail the disconnection from the slot, possibly operated by the company, which does not entail a definitive blocking of the rider's account” (see the minutes cited, p. 5);
“the assignment of an order takes into account various elements including: the collection and delivery point, the means of transport used, the maximum distance that can be traveled with a specific means of transport, any orders already assigned coming from the same store, the battery status of the rider's phone, the type of order based on the amount of cash in the rider's possession” (see the minutes cited, p. 5).
Finally, with a note dated September 15, 2023, to resolve the reservations formulated during the inspection, the Company represented that:
“all suppliers act as data controllers on behalf of Foodinho S.r.l. ("Glovo"). Therefore, the couriers' data are disclosed and/or made available to these companies on the basis of the respective art. 28 GDPR data processing agreements entered into by the parent company Glovoapp23, S.A. ("Glovo ES")” (note 15/9/2023 cit., p. 1);
“as regards the purpose of the processing and the legal basis identified by Glovo as the data controller for the processing activities in progress (in the context of which the suppliers can offer their services), these are indicated below. Braze: Glovo communicates the data to BRAZE in order to send transactional communications to the riders, as well as commercial ones. The legal basis for the processing of the riders' personal data is the performance of the contract with the couriers with regard to transactional communications (which may include, for example, problems with the platform, warnings about new features of the App, how it works for new users); and, as regards commercial communications, the courier's consent, or soft spam […] these are mainly incentives and/or potential bonuses (e.g. notification that, by booking a delivery slot on a certain day, the courier could earn more, or get a bonus)” (see note cit., p. 1, 2);
“Glovo communicates the data to mParticle which provides customer data platform (CDP) services that aggregate information (events) through various digital channels in order to send the right communication to the right recipient. For example, in the case of an order to be delivered only by bicycle (i.e. because the delivery point is located in an area where motorcycles are prohibited), mParticle collects this information and sends it to Braze to notify the order only to couriers with bicycles. The purpose of the underlying processing is to manage Glovo's business […]. The legal basis for such processing is the performance of the contract with the couriers. In addition, Foodinho may also share information with mParticle for analysis purposes. In this regard, the legal basis of the processing is Glovo's legitimate interest in understanding how couriers interact with the App, in developing new services and in analyzing the information derived from the services” (see note cit., p. 2);
“we use the Crashlytics function to detect and manage anomalous crashes in mobile and web applications used by couriers. Also in this case, the legal basis of such processing is the execution of the contract with the couriers” (see note cit., p. 2, 3);
with reference to the technical and organizational measures that the Company has adopted, also through the data exporter, to guarantee the interested parties a level of data protection adequate to European legislation, the “Transfer Impact Assessment conducted by Glovo ES as a contractor for the services provided by Google, mParticle and Braze for Glovo” was provided (see note cit., p. 3);
“the use of JUMIO was suspended and slowly implemented again after correcting bugs and errors in the application itself. The software is now back in use throughout the country” (see note cit., p. 3).
2. The initiation of the procedure for the adoption of corrective measures and the Company's deductions.
On 11 October 2023, the Office notified the Company, pursuant to art. 166, paragraph 5, of the Code, of the alleged violations of the Regulation found with regard to the data processing carried out through the digital platform used to carry out goods delivery activities, with reference to art. 5, par. 1, letter a), c), d), e), 6, 9, par. 2, letter b), 12, 13, 22, 25, 28, 32, 35, 88 of the Regulation; art. 2-septies and 114 of the Code; art. 1-bis, Legislative Decree 26/5/1997, n. 152, introduced with Legislative Decree 27/6/2022, n. 104; art. 47-quinquies, Legislative Decree 15/6/2015, n. 81.
With defensive briefs, sent on 11 December 2023, the Company, preliminarily and prejudicially contested the competence of the Guarantor "to decide issues related to the processing of personal data that occurs [...] through the Glovo platform and the Glovo and Glovo Courier apps [...] owned by GlovoApp23 SA [...] which also determines its operation and main functions".
Furthermore, the Company complained that the activity of the Guarantor "is a photocopy of that undertaken ex officio on 16 July 2019 through the inspection at the offices of Foodinho [which concluded with] provision n. 234 of 10 June 2021”. This would entail the violation of the principle of “ne bis in idem with respect to the previous proceedings opened against Foodinho and still sub iudice” and for this reason the Company has requested the suspension of the proceedings “at least until the judgment relating to the appeal of Provision no. 234/21 is concluded”.
On the merits, in relation to the individual disputes, the Company has declared that:
with reference to the sending of communications to riders at each change in status, “even if the sending of such communication occurs automatically (being generated by the system at the time of the change in the courier’s status), in the case of [deceased rider] the sending of the message depended on human error as the change in status (deactivation) prepared by an operator did not correspond to some of the cases foreseen by the system. On this point, while taking into account the Authority's observations (and the echo of the national press) regarding the inappropriate tone of the message, given the tragic circumstances of the specific case, it is believed that what happened is not sufficient to constitute a violation of the aforementioned GDPR provisions" (see note 11/12/2023 cit., p. 10);
"Since the Company opened in Italy in 2016, 120,857 couriers have been contracted. […] it is clear that it is inevitable to resort to a certain degree of standardization of automatic communication [which follows each change of status]" (see note cit., p. 11);
“it should be noted that the automatic communication in question was sent following the death of the courier (after the decision to deactivate the [rider] account) and, therefore, the data processing connected to the sending of this message must be considered excluded from the scope of the GDPR” (see note cit., p. 11-12);
“With respect to the alleged incompleteness of the information acquired during the Inspection […], the Company has voluntarily chosen to follow a “layered” approach”; […] “the completeness and clarity of the information provided must be assessed as a whole” (seenote cit., p. 13);
with regard to the absence of “an express reference to the “chats” and “emails” exchanged between couriers and customer care operators […] it is clear that if the contract reviewed and signed by the courier […] contains […] two express references to communications with a support channel, and in one of these a “written communication” is mentioned, the courier is necessarily aware of the processing of such communications” (see note cit., p. 13-14);
“based on an overall reading […] within the provisions of the Terms and Conditions and the information pursuant to art. 13 GDPR […], it is understood that the indication that geolocalization is “exclusively associated with the service” simply means that the activity in question is carried out to allow the courier to correctly provide its delivery services” (see note cit., p. 16);
“with regard to the processing of biometric data, the Company acknowledges that the language contained in the information notice in the files was not promptly updated following the temporary suspension of the biometric authentication mechanism due to the technical flaws found in July 2022. […] the processing of couriers’ biometric data was restored starting from March, so the current version of the information notice is correct and updated” (see note cit., p. 17);
“With respect to the appendix of the information notice […] attached to the Terms and Conditions […], containing an appointment as the courier’s data controller, it is specified that this is a material error. Indeed, such language - which refers specifically to the courier’s invoicing obligations […] is not applicable in the context of the contractual relationship between Foodinho and the couriers in Italy […]” (see note cit., p. 17);
“following receipt [of the notification of violations], Foodinho became aware of the error and promptly updated the information available online […], inserting the correct version of Annex I into the Terms and Conditions applicable in Italy, which refers to the processing carried out by the courier on behalf of Foodinho (i.e. as data controller) in the delivery of orders requested by users through the Platform” (see note cit., p. 17);
“Foodinho does not carry out fully automated processing pursuant to art. 22 GDPR” (see note cit., p. 18);
“with regard to the alleged violation of art. 1-bis of Legislative Decree 152/1997 on information obligations in the case of use of automated decision-making or monitoring systems, without prejudice to the absence of automated decision-making processes pursuant to art. 22 GDPR […] in order to further strengthen the transparency of its processes towards couriers, Foodinho has recently prepared a specific information notice regarding some of the processing that involves partially automated processes, including the logics relating to the Excellence Score and the slot assignment criteria […]. This information notice was adopted on 18 May 2023” (see note cit., p. 18);
“The number of human interventions that have taken place in the Excellence Score system and, in particular, those relating to the manual increase in capacity for a given time slot […] clearly constitutes “significant” supervision […]. And this is stated in the expert report” (see note cit., p. 20);
“even if one wanted to consider that the Excellence Score determines an automated processing […], there would be no violation of art. 22 GDPR since the applicability of this rule is expressly excluded in the case in which “the decision is necessary for the conclusion or performance of a contract between the data subject and a data controller” (art. 22, par. 2 GDPR)” (see note cit., p. 20);
“Even if the average data of deactivations emerging from the inspection acts is higher than that taken into consideration [in the expert report] this does not mean that the final output of the observation is not equal or even higher; which confirms the value of human intervention with respect to deactivations” (see note cit., p. 21);
“With reference to the other causes of disconnection that operate automatically (no show, out-of-area position, deactivation of geolocation, disconnection during the slot) ascertained during the inspection of 26-27.7.2023) it should be considered that they are not causes of disconnection of the account but only of loss of the slot” (see note cit., p. 21);
the expert report “provides an account of the human intervention in the grievance process; furthermore, the couriers are informed of the possibility of presenting their counter-arguments” (see note cit., p. 21);
“the possibility, on the part of Foodinho, to remove the so-called Guaranteed in the slots in correspondence with reassignments […] represents a form of protection towards the users of the Platform and the correct functioning of the service, without in fact representing a reduction in job opportunities” (see note cit., p. 22);
“the measure of facial recognition was adopted as a result of the negotiations of the experimental protocols of legality against gangmastering in the food delivery sector in the presence of the prefectural authority” (see note cit., p. 23);
“the measure of facial recognition was deemed by society to be adequate and effective against the commission of the crime in question or, at least, to counteract the negative effects and economic exploitation. […] It is clear that, as the Guarantor maintains, this measure in itself is not sufficient to avoid the phenomenon; however, it constitutes an effective deterrent” (see note cit., p. 23);
“it is believed that the measure of facial recognition can find a valid legal basis in art. 9, par. 2, lett. b) GDPR, since the right/duty of Foodinho as a company at risk of committing certain crimes such as gangmastering is to prepare an organizational model with exculpatory effect pursuant to Legislative Decree 231/01” (see note cit., p. 23);
“with respect to [the processing of biometric data], Foodinho has correctly carried out an impact assessment pursuant to art. 35 GDPR” (see note cit., p. 23);
with reference to the other processing operations involving data relating to riders carried out by the Company, “the DPIA was not mandatory pursuant to art. 35 GDPR, since it was demonstrated, both for the Excellence Score and for the grievance process, that there is no automated processing activity of courier data and profiling of the same” (see note cit., p. 24);
“the Platform does not allow viewing of data from couriers operating in other EU or non-EU countries. […] Access to limited categories of data with limited identifying power could be granted to a limited number of operators […]” (see note cit., p. 25);
“with regard to the finding that the Company did not provide feedback “despite the specific request in this regard” regarding the number of operators active on the Platform with the possibility of cross-country access, the reason for the lack of response lies in the fact that the request in question falls outside the jurisdiction of the Guarantor, as it concerns the levels of access and the technical specifications of the Platform (which […] is managed autonomously and entirely by GlovoApp23), as well as processing that pertains to other companies of the Glovo group as independent data controllers, subject to the control powers of the supervisory authority of the country of establishment” (see note cit., p. 25);
“the retention period relating to the processing carried out for the purposes of managing the relationship is dictated by specific provisions of law ([…] or, in any case, by general rules of the system that provide an indication of the reasonable period of time within which the data can still be considered “useful” for the owner” (see note cit., p. 26);
“data retention periods of ten years […] would be fully lawful also in relation to telephone call recordings […] in compliance with the principle of minimization of processing, pursuant to art. 5, par. 1, letter c) of the GDPR, as well as the principle of privacy by design pursuant to art. 25, par. 1 of the GDPR, the Company has decided to adopt a retention period of 36 months for telephone call recordings” (see note cit., p. 26);
also with reference to the retention period of the maps relating to the route taken by the couriers for each order, “the considerations set out [in relation to the recordings of telephone calls] apply” (see note cit., p. 26);
“the retention period [of the data contained in the maps], originally established at only ten months, has proven insufficient to guarantee the achievement of the purposes mentioned above, in particular with respect to requests for access by public authorities and Foodinho’s tax obligations” (see note cit., p. 26, 27);
with reference to the sending of data to third parties, “while recognizing that such errors are relevant for the purpose of assessing compliance with the data protection legislation by this Authority, reference is made […] not only to the good faith and spirit of cooperation of the Company […], but also to the diligent repentance of the same which, as soon as it became aware of such technical errors, immediately took steps to cease the irregularities” (see note cit., p. 27);
“these errors did not cause an improper communication of data to third parties, but rather a mere provision of information to contracted service providers” (see note cit., p. 27);
“with regard to the dispute relating to the lack of a legal basis for the processing of couriers for soft-spam or marketing purposes, the Authority’s interpretation according to which consent (or opt-out, limited to soft-spam) is not applicable in the context of the employment relationship existing with the couriers is rejected, given the fact that […] there is no subordinate employment relationship between the Company and the couriers” (seenote cit., p. 27);
“with regard to the “rating” item stored in the back-end of the Platform as an “empty” value and not actually used in the context of the processing of data of Italian couriers […] This is an item without any weight, which does not involve any further processing of the couriers’ data, but assigns a number, a mere mathematical value without any meaning and the same for everyone” (see note cit., p. 28);
“with regard to the violation of art. 88 GDPR, the rule does not apply as it does not impose obligations on private companies such as Foodinho, but only obligations to act on the part of the Member States” (see note cit., p. 28);
“with regard to the violation of art. 114 of the Privacy Code, however, this, containing a receptive reference to art. 4 of the Workers' Statute, is not applicable to Foodinho as couriers are not subordinate workers” (see note cit., p. 28);
“[t]he couriers are always free to give or not their availability for the various slots offered by Foodinho. The couriers decide in full autonomy whether and when to work” (see note cit., p. 28);
“the use of the Platform to organize delivery services, including geolocalization as well as the mechanism for assigning the Excellence Score for the opening of the slot calendar does not concern the exercise of a power of control and/or management, as erroneously pointed out by the Guarantor, but rather belongs to the intrinsic characteristics of the couriers' activity and to the performance of the service through the Platform itself” (see note cit., p. 29);
“even where art. 4 of the Workers' Statute, in any case, the tools that the Guarantor considers to be forms of remote control of couriers would be completely lawful as they would fall within the so-called "ordinary tools" necessary for the purpose of providing professional services" (see note cit., p. 31).
During the hearing requested by the Company, held on 21 December 2023, the Company stated that "the Company, with a view to collaborating with the Guarantor Authority, expressed its willingness to bring to the Authority's attention the initiatives it intends to propose regarding the processing of data relating to riders who were the subject of the dispute of 11 October 2023 with a communication that it undertakes to send by 15 January 2024".
On 15 January 2024, the Company presented further defensive briefs regarding "the proposed commitments" and on that occasion declared that "starting from 10 January 2023 [to be understood as 2024], the so-called fixed rating value of 4.5 assigned to each courier has been eliminated” (see note 15/01/2024, cit., p. 12).
The Company has also indicated some measures that it "proposes to adopt [...] with specific reference to the concerns raised" with the notification of violations of 11 October 2023, undertaking to send the Guarantor, by 29 February 2024, an update relating to: "ado[t] of a standard message specifically linked to the suspension of the courier account in the event of accidents", "revision of the] text of the standard message sent automatically at each change in the courier's status", "revision of all current versions of the information" provided to riders as well as the preparation of a "revised version of the specific information relating to the excellence score", the commitment to "improve transparency with respect to processing involving geolocation and partially automated processes as well as in the latter case the procedures available to the courier for disputes and complaints", "confirmation of the elimination, from the items potentially at the basis of a block or deactivation, those not applicable in Italy, namely "Bad rating" and "Many reassignments", "further elements supporting the legitimacy of the appeal to the processing of biometric data pursuant to art. 9.2., letter b) GDPR”, “a review and adaptation of the DPIA on facial recognition [and the preparation of] a DPIA relating to specific processing of couriers’ personal data, such as geo-localization and excellence score”, changes “in order to establish country-based segregation levels to prevent the viewing of courier personal data in other countries, except in a few limited cases supported by a documented need”, adoption of measures “in agreement with […] GlovoApp23 […] in the following six months”.
On 29 February 2024, the Company submitted a further memorandum in which it declared that: the items ““Bad rating” and “Many reassignments” […] starting from today […] will no longer appear in the Company’s systems as potential reasons for blocking or deactivation”, and that “it has eliminated those that, for operational reasons, are not used in Italy, specifically: Long delivery time; Courier not moving; High waiting time; B2B fraud; Data protection infringement”, has carried out “the DPIA relating to specific processing of personal data of couriers, such as geo-localization and excellence score”, has made some changes “regarding the levels of country-based segregation”, the access permission to the Livemap platform “as of today […] is not […] active for employees of Glovo group companies located in other countries”. The Company has represented that it has provided “the additional instructions provided to Comdata call center operators relating to the processing, […] having regard to any disconnections of the accounts [of] couriers carried out on the instructions of the Company” and that it has discontinued the service provided in Italy by Trizma.
The Company has also provided a copy of the standard messages, not yet implemented, to be sent to riders in the event of account suspension in the event of incidents, as well as at each change in the courier’s status. It has also provided a copy of the revised version of the information for riders and the revised version of the specific information relating to the excellence score.
With reference to the processing of biometric data, the Company provided a revised version of the DPIA on facial recognition and stated that biometric data are currently retained for the entire duration of the employment relationship although it is “currently discussing with Jumio the possibility of reducing these timeframes in light of the principle of proportionality”.
Finally, in the context of the impact assessment relating to the excellence score and geolocalisation, the Company stated that it intends to “adopt a series of corrective measures, including a remodulation of the methods of calculating the Score that allows it to be determined by further reducing the processing of data already used in the calculation process, eliminating the normalisation process […]. Furthermore, with reference to geolocalisation, the Company stated that it intends to adopt “further measures” namely “limiting the number of Foodinho teams and authorised personnel who need to access the Corriere information data available on “livemap.view”; [and] retaining the geolocalisation data for a limited period”.
Lastly, with a note dated 5 June 2024, the Company communicated that it had changed the retention periods for biometric data to “three (3) months from the last order in the case of inactive couriers” and “three (3) months from the deactivation of the account in the case of couriers whose accounts have been deactivated for reasons not attributable to facial recognition”. With reference to active couriers, “the Company will retain their Biometric Data for the entire duration of the collaboration with Foodinho. In this way, active couriers will be able to easily access and use their account for the entire duration of their collaboration with the Company”.
3. Preliminary questions: jurisdiction of the Guarantor and the principle of ne bis in idem.
Preliminarily, Foodinho s.r.l., with the defensive briefs of 11 December 2023, contested the jurisdiction of the Guarantor for the protection of personal data in relation to the processing of riders' personal data carried out through the operation of the digital platform owned by GlovoApp 23 SA, with registered office in Spain.
This dispute, for the following reasons, is unfounded. The Company, in fact, carries out data processing relating to the personnel responsible for the delivery of goods, on the basis of a standard contract which, for the performance of the work service, provides for the activation of an account on the Glovo Courier application to be accessed using credentials and password provided by the Company itself (see Annex 1, briefs 29/2/2024).
The data processing of couriers operating in Italy is therefore carried out through the platform by the Company (Foodinho s.r.l.), as data controller, i.e. the entity that decides the purposes and means of the processing itself (art. 4, n. 7 of the Regulation), as highlighted in the same information provided to riders (see Annex 2, p. 4, memos 29/2/2024, “Data controller ● Foodinho, S.R.L., Via Giovanni Battista Pirelli 31, 20124, Milan, Italy”) and in the agreement stipulated with GlovoApp 23 SA, relating to the use of the platform, where Foodinho s.r.l. expressly assumes the role of data controller for the processing carried out through it and the parent company GlovoApp (given that at present the parent company is no longer GlovoApp23 SA itself, but Delivery Hero SE) is designated as data controller (see Annex 3, inspection report 13/12/2022, Franchise agreement between Glovoapp23 S.L. and Foodinho s.r.l., 1/10/2019, point 18 “Personal Data Processing and Protection”).
Therefore, with respect to the processing carried out in Italy by Foodinho s.r.l., as an independent data controller, the only competent authority is the Guarantor for the protection of personal data.
In this case, in fact, contrary to what was believed, still preliminarily, in the defense briefs, the cooperation procedures provided for by the Regulation (Chapter VII, Section I) do not apply (otherwise, during the investigations that gave rise to provision no. 234 of 2021, the Authority had found evidence of some cross-border processing and had informed the Agencia Española de Protección de Datos - AEPD without delay).
The definition of “cross-border processing” contained in the Regulation − the implementation of which constitutes the prerequisite for the application of the aforementioned procedures (see art. 56. par. 1 of the Regulation) − refers to two distinct hypotheses.
The first concerns the “processing of personal data that takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State” (Article 4, No. 23, letter a) of the Regulation).
The second hypothesis refers instead to the “processing of personal data that takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State” (Article 4, No. 23, letter b) of the Regulation).
The investigation activity carried out by the Guarantor does not fall into either of the two aforementioned categories: in fact, it did not concern data processing carried out by GlovoApp23 SA, with registered office in Spain, towards interested parties operating on the national territory and in any case “in more than one Member State”, nor does the Italian company appear to be an “establishment” of the parent company given that Foodinho s.r.l. is an autonomous legal entity with registered office in Italy (see also, in this regard, paragraph 36 of the Regulation).
The processing operations subject to the control activity initiated by the Authority were in fact carried out in execution of contracts stipulated by the Italian company (contracts which therefore defined the reference framework for the purposes and methods of the processing itself), which excludes their possible cross-border nature, as instead erroneously envisaged by the Company.
Therefore, art. 13 of the Regulation applies to the case in question. 55, paragraph 1, of the Regulation, which establishes the competence of the national supervisory authorities to exercise the powers and perform the tasks assigned to them by the Regulation in relation to the processing carried out on the national territory by the entity established therein, for which the same acts as an independent controller (see also recital 122 of the Regulation).
Furthermore, the participation of Foodinho s.r.l. in a corporate group of which the Spanish parent company GlovoApp23 SL is also a part does not imply the loss of the competence of the Guarantor, pursuant to EU Regulation 2016/679, with regard to the processing carried out by the Italian company on data subjects working in Italy, nor does it imply the loss of the legal subjectivity of Foodinho, as an independent center of imputation.
As already clarified by the Authority, the existence of a group of companies does not result in the configuration of a new center of imputation of legal relationships that overlaps with the individual companies belonging to the group.
Participation in a corporate group, therefore, does not determine a formal legal unification of the corporate entities involved, which maintain their distinct legal subjectivity (see Provv. 5/12/2022, n. 427, 3.1., web doc. n. 9856694; in a similar sense see the Guidelines 07/2020 on the concepts of data controller and data processor under the GDPR, version 2.0, adopted by the European Data Protection Board (EDPB) on 7 July 2021, p. 32, point 89: “within a group of companies, a company other than that of the data controller or the data processor is a third party, even if it belongs to the same group to which the company acting as data controller or data processor belongs”).
In conclusion, for the reasons set out above, no provision of the Regulation attributes competence to the Agencia Española de Protección de Datos (AEPD), in relation to the processing described in the introduction, subject to investigation by the Italian Authority, as instead believed by the Company (in accordance with this, see Corte Cass., ord. 29/9/2023, n. 27189, concerning the previous provision adopted by the Guarantor specifically against the Company - on which more extensively below: "Even in the case of data processing via a platform, the processing carried out by an Italian company operating in the national territory, with its own autonomy of structure and negotiation, can (and indeed must) be kept separate from that carried out by a supranational parent company (in this case GlovoApp23). The processing carried out by Foodinho, according to the factual finding that can be deduced from the contested ruling, was (and is) a data processing independently managed by the Italian company as owner, by virtue - it is understood between the lines - of the contracts stipulated from time to time with the riders”).
From a different perspective, regarding the qualification of the proceeding in question as a “photocopy [of the initiative] undertaken ex officio on 16 July 2019 [by the Guarantor]”, it is observed that this assumption has no legal or factual value.
First of all, it should be emphasized that, in order to be able to envisage the violation of the prohibition of bis in idem, it is necessary, in general terms, that some specific conditions occur simultaneously: 1) that the subject subjected to the sanction is the same; 2) that the fact judged coincides in the two different proceedings; 3) that one of the two proceedings ended with a definitive sanction (on the necessary presence of such conditions see ECHR, judgment A and B v. Norway, 15 November 2016, which went beyond what was previously established with the judgment Grande Stevens and others v. Italy, 4 March 2014; Court of Justice, 20 March 2018, Case C524/15 Menci; see also Case C536/16 Garlsonn Real estate-Ricucci, Joined Cases 596/16 and 597/16 Di Puma and Zecca).
In the case in question, the proceedings were initiated by the Guarantor at different times and on different grounds against Foodinho s.r.l.
With regard to the provision of 10 June 2021 n. 234 (web doc. 9675440), it is specified that the same was challenged by the Company and initially annulled by the judge of merit (Milan Court, sentence no. 35612 of 12/4/2022). However, the Court of Cassation subsequently ordered the annulment of the sentence of the Milan Court (Cass., I civil section, order no. 27189 of 22/9/2023). At present, the Authority's provision has become unappealable, following the failure of the Company to resume the case before the competent court.
In this case, it is in any case clear that there is no sameness of fact in the two proceedings and therefore the risk of bis in idem cannot be envisaged, not even in theory.
The two proceedings have different treatments as their object, therefore there is no identity of the fact, that is, there is no historical-naturalistic correspondence between the object of the two proceedings, considering all the constituent elements (conduct, event, causal link) and taking into account the circumstances of time, place and person (see Constitutional Court, judgment of 8/3/2018, no. 53 on the notion of idem factum for the purposes of the operation of the principle of ne bis in idem, in the criminal field; this decision recalls Constitutional Court, 21/07/2016, no. 200 to which it refers, again in the criminal field and always with reference to the notion of idem factum, Criminal Court of Cassation, III section, judgment of 7 February – 22 March 2023, no. 12005).
Provision no. 234 of 2021 in fact concerned the processing of personal data of riders operating in Italy carried out by the Company as ascertained with an inspection on 16 and 17 July 2019. The object of the provision, therefore, concerns the data processing carried out by the Company up to that time; the present proceeding, instead, focuses on the data processing carried out by the Company, as ascertained during the inspections carried out on 13 and 14 December 2022, 28 February and 1 March 2023 and 26 and 27 July 2023, and analyses types of processing, albeit connected to the employment relationship with the riders, which were not assessed in the first proceeding (in particular: the processing of biometric data, which is the subject, as the Company itself highlights, only of the present proceeding, as well as the processing consisting in the communication of data to third parties, the deactivation and blocking of the riders' accounts, the processing in violation of art. 47-quinquies of Legislative Decree 81/2015 and art. 1-bis of Legislative Decree no. 152/1997).
These are therefore proceedings with which investigations were carried out relating to different treatments, having a non-overlapping object in concrete terms: the treatments taken into consideration, therefore, relate to different time periods, carried out with respect to different interested parties (given the partial and physiological turnover of the group of riders), whose treatment methods have been modified over time by the Company (for example, with regard to the documents containing the information, the retention periods of the collected data, the impact assessment, the methods of carrying out automated treatments) and with respect to which the Authority has examined aspects that do not coincide with those covered by the previous proceeding.
The Company itself, in the defensive documents of 11 December 2023, acknowledged that the new proceeding presents elements that distinguish it from the one that led to the adoption of provision no. 234 of 2021 (see note 11/12/2023, p. 8, 9). In particular, in fact, in a schematic table in which it listed the objections motivated funditus by the Authority, the Company specified, among other things, that:
- the objection relating to art. 5, par. 1, letters c) and d) of the Regulation in provision no. 234 of 2021 “was not raised because the case of [S.G.] that determined it had not yet occurred. Moreover, the new inspection investigation arose precisely from the news spread by the main newspapers of the affair related to the deceased courier”;
- with reference to art. 5, par. 1, letter a) and 13 of the Regulation, the processing of biometric data “was not carried out in 2019”;
- with reference to art. 5, par. 1, letter e) of the Regulation, the violations contested in the notification relating to the proceeding in question are “declined with respect to the current situation and the results resulting from the new accesses”;
- with reference to art. 22, par. 3, of the Regulation, with the notification relating to the proceeding in question “in addition to the processing connected to the courier excellence score system, the procedure of deactivation (grievance) and blocking of the account when certain predetermined conditions occur is also considered an automated processing of personal data.
This last consideration is the result of the case of Mr. [S.G.] on the basis of which the Guarantor initiated the second inspection”;
- with regard to art. 47-quinquies of Legislative Decree 81/2015, the dispute in question is “declined on the Galassi case and on the hypotheses of grievance for reassignment of the order”;
- “in addition to the previous Provision no. 234/21, in the new proceeding the violation of art. 5, par. 1, letter a), 9, par. 2, letter b) of the GDPR 11 December 2023 and art. 2-septies of the Privacy Code is contested in relation to the processing of biometric data of couriers. This is because before 2020 this processing was not carried out”;
- “with respect to the previous proceeding, the sending of courier data to third parties is relevant as part of the processing activity carried out through the Platform using systems such as Google Firebase, Braze and mParticle”.
It therefore emerges that the Company itself has perfectly perceived the many aspects of novelty and diversity of the present proceeding, compared to the one initiated in 2019 and concluded with provision no. 234 of 2021.
By reasoning differently - and therefore trying to follow the interpretation of the principle of ne bis in idem that was provided by the Company in the absence of any legal basis -, one would come to believe that the subjects against whom the Authority has already adopted a previous provision that has found the unlawfulness of specific processing could no longer be subjected, by the same Authority, to investigations aimed at examining other data processing similar to those for which a provision has already been adopted.
The vulnerability to the protection of rights that would thus be created is evident (see the aforementioned Constitutional Court, judgment of 8/3/2018, no. 53, which clarifies that "the case law of legitimacy appears to be firm in holding [...] that, with regard to the continuing crime, the prohibition of a second trial concerns only the conduct carried out in the period indicated in the indictment and ascertained with the irrevocable judgment, and not also the continuation or resumption of the same conduct at a later date, which constitutes a different "historical fact", not covered by the res judicata, for which there is no impediment to proceeding (among many, Court of Cassation, sixth criminal section, judgment of 5 March - 15 May 2015, no. 20315; third criminal section, judgment of 21 April - 11 May 2015, no. 19354; second criminal section, judgment of 12 July - 13 September 2011, no. 33838)”).
It is also considered appropriate to note that the references to art. 83 par. 3 of the Regulation and to the Guidelines 04/2022 on the calculation of administrative pecuniary sanctions pursuant to the GDPR adopted by the EDPB on 24 May 2023 (which the Company uses to support its reconstruction regarding the principle of ne bis in idem) are not at all relevant.
In particular, the Company argued, with reference to art. 83 par. 3 of the Regulation, that “the identification of the constituent elements of the right to ne bis in idem is also significant in the context of the GDPR, where, first of all, art. 83 (3) establishes the prohibition of cumulation between individual sanctions” (see note 11/12/2023, p. 9), therefore arguing that the principle would find application in par. 3 of art. 83 of the Regulation.
From reading the aforementioned provision (“If, in relation to the same or related processing, a controller or processor intentionally or negligently infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the most serious infringement”), it is clear that the same regulates a special form of legal accumulation of administrative fines, in the event that the processing (or related processing) infringes several provisions of the Regulation. It is therefore incomprehensible how such a reference can support the Company's reconstruction.
It should be added that even the reference to the aforementioned EDPB Guidelines is neither useful nor correct to support the Company's thesis; this is because the EDPB, analyzing art. 83 par. 2 lett. e) of the Regulation, has specified that, in calculating the sanction, the supervisory authority may consider as an aggravating factor the existence of previous relevant infringements committed by the controller.
In this regard, the cited Guidelines also underline that “the absence of previous violations […] cannot be considered a mitigating factor, as compliance with the GDPR is the norm. If there are no previous violations, this factor can be considered neutral” (see point 94 of the cited Guidelines).
Therefore, the commission of previous violations is among the circumstances that the Guarantor must evaluate, when adopting a measure relating to an unlawful processing (even more so if they are relevant violations, see point 88 of the cited Guidelines “violations having the same subject matter must be considered more important, as they are closer to the violation currently under investigation, especially when the data controller or processor has previously committed the same violation (repeated violations). Therefore, violations having the same subject matter must be considered more relevant than previous violations concerning a different matter”).
The aforementioned Guidelines therefore highlight the importance, for the purposes of increasing the administrative pecuniary sanction, of the assessment of previous types of unlawful acts against the controlled entity, which are even more relevant if pertinent (see point 87 of the aforementioned Guidelines “For the purposes of Article 83, paragraph 2, letter e), GDPR, previous violations having the same or different object from the one under investigation could be considered “pertinent”). The possibility for a supervisory authority to assess the conduct of a subject, even if it has already adopted a previous measure against the same, is therefore fully in line with the system.
Finally, it is recalled that the Authority, given Article 83 par. 1 of the Regulation, when adopting administrative pecuniary sanctions, ensures that they are “effective, proportionate and dissuasive” with regard to the specific case.
On the merits, following the examination of the declarations made to the Authority during the proceedings and the documentation acquired, it appears that the Company, as the data controller, has carried out some processing operations that are not compliant with the regulations on the protection of personal data.
In this regard, it should be noted that, unless the fact constitutes a more serious crime, anyone who, in proceedings before the Guarantor, falsely declares or certifies information or circumstances or produces false acts or documents is liable pursuant to art. 168 of the Code "False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor".
Considering that during the proceedings documents written in English were produced, among other things, not all accompanied by a translation into Italian, it is recalled that the documentation produced in the context of proceedings initiated by the Guarantor for the protection of personal data must be written in Italian as required for procedural documents by art. 122 of the Civil Procedure Code, also considering the more general regulatory provision (art. 1, L. 15 December 1999, n. 482, Provisions on the protection of linguistic minorities) which provides that the Italian language is the official language of the Italian Republic.
4.1. Violation of the principles of correctness, adequacy, relevance and accuracy of the processing (art. 5, par. 1, letters a), c) and d), of the Regulation). Violation of the principle of privacy by design and by default (art. 25 of the Regulation).
On the merits, following the investigation, it was ascertained that the Company, on 3/10/2022, sent, to the account of [S.G.], a message with the following content: “Important: account deactivated. Dear [S.G.], Glovo intends to offer an optimal experience to its couriers, partners and customers. To maintain a healthy and fair platform, it is sometimes necessary to take action when one of these users does not behave properly. We regret to inform you that your account has been deactivated for failure to comply with the Terms and Conditions. If you still have outstanding payments at the end of the next billing period, you will receive the details of the last order for invoicing. If you need to contact us for any reason, please use the form available on the courier website” (see screenshot on Repubblica, Florence news, 4/10/2022).
According to the Company’s statements, the head of external and institutional relations, […], at 5:57 PM on 2/10/2022 received an ANSA news item dated 2/10/2022 (“Car-scooter collision in Florence, victim is a rider”, where the text continues to specify that the boy, unidentified, was making deliveries on behalf of Glovo) together with other Glovo representatives.
The next day, 3/10/2022, at 9:01, the Team Operation manager contacted an operator with the following instruction: “I would say to do as for the others. We put it DISABLED and leave the note in the description” (minutes 28/2/2023, p. 3 and Attachment 6).
The operator stated that he “received the instruction to proceed with the deactivation verbally from the Team Operation Manager, […], and that he is not aware of the automatic email generation procedure as it is the responsibility of the parent company Glovoapp23 SL” (inspection minutes 14/12/2022, p. 8).
In this regard, the Company also stated that, “after [S.G.'s] account had been manually deactivated, the message concerning the deactivation of the account was sent automatically, by the system to the Courier, by mistake, since such deactivation did not originate from any violation of the Terms and Conditions, and furthermore there was no standard ad hoc response for such a dramatic situation” (Note on the dissolution of reserves 23/12/2022, letter B.).
Furthermore, “the communication received from Mr. [S.G.] is automatically transmitted when the system registers a change in status. In fact, Mr. [S.G.] should not have received any communication regarding the deactivation or blocking of the account as it was not requested based on the specific circumstances of the case” (Note on the dissolution of reserves cit., letter C.).
In confirmation of this, the Company specified that the “communication received from Mr. [S.G.] […] is sent, in addition to one of those [envisaged for the grievance and blocking procedures], at each change in the rider’s status. […] In the case of Mr. [S.G.], given the circumstances, the sending of this communication is due to human error” (inspection report 28/2/2023, p. 7).
Based on the statements in the documents, it therefore emerges that the sending of the message relating to the deactivation, received on S.G.’s account. two days after the fatal accident, was not due to “human error”. In fact, although the deactivation was carried out manually after the news of the rider’s death, the message received on the account was sent due to the configuration of the system used by the Company, which is set to automatically send a standard message at every change of status, regardless of the reasons for the deactivation itself.
Therefore, following the investigation into the specific case involving the rider who died in 2022, it emerged that the automatic sending of a standard message concerns the entire group of riders.
The automatic sending of the message at every change of status violates the principles of accuracy, adequacy, relevance and correctness in the cases in which, according to what was declared, the account is deactivated, i.e. in the cases of grievance/deactivation and blocking.
In fact, although it is possible, according to what the Company has declared, to reactivate the account both in the event of deactivation and blocking - if the rider presents counter-arguments deemed suitable or carries out the required actions - the standard message indicates that the disconnection has a definitive character ("your account has been deactivated for failure to comply with the Terms and Conditions"), without any reference to the possibility of taking action to modify the change in status (indeed, it is specified that "at the end of the next billing period you will receive the details of the last order for billing").
Finally, considering that the processing carried out, by sending the standard message reported above, based on the system configuration, occurs automatically and independently of the possible specific cases, it appears that the Company has not implemented the principles of data protection, from the design and by default. Correct observance of these principles in fact requires the data controller to implement measures aimed, among other things, at “providing transparency regarding the functions and processing of personal data” and “allowing the data subject to control the processing of data” (see recital 78 of the Regulation).
The employer must therefore adopt measures to ensure compliance with the principles of data protection by design and by default (Article 25 of the Regulation) throughout the entire life cycle of the data, “incorporating into the processing appropriate measures and safeguards to ensure the effectiveness of the principles of data protection and the rights and freedoms of data subjects” and ensuring that “by default only processing that is strictly necessary to achieve the specific and lawful purpose is carried out”, also with regard to the data retention period, “at all stages of the design of processing activities, including procurement, tendering, outsourcing, development, support, maintenance, testing, storage, deletion, etc.” (“Guidelines 4/2019 on Article 25 - Data protection by design and by default”, adopted by the EDPB on 20/10/2020).
In the case of the deceased rider, then, sending the message reported above resulted in a treatment in violation of the principles of accuracy, adequacy, relevance and correctness, considering that the disconnection did not occur due to a violation of the Terms and Conditions of use of the platform, as stated by the Company itself, but rather for the purpose of "preventing third parties from using the account" (see note 27/12/2022, letter B). On the other hand, it is the Company itself that declared that the deceased rider "should not have received any communication of deactivation or blocking of the account as it was not requested based on the specific circumstances of the case".
Furthermore, based on the excerpt of the messages exchanged on the SLACK messaging system, limited to what was made available to the Authority, it emerges that the Company had already adopted the same procedure in similar (if not identical) situations (the Team operation manager specified to the operator: "I would say to do as for the others").
During the proceedings, the Company objected that the objection made by the Guarantor would be unfounded since the processing relating to the sending of the message via email, after the death of the rider "must be considered excluded from the scope of the GDPR" considering that the Regulation "does not apply to deceased persons" (see defense briefs 11/12/023, p. 11-12).
This argument cannot be accepted.
In general terms, the Regulation, in recital 27, has delegated to the Member States the possibility of providing rules regarding the processing of data relating to deceased persons (so much so that the definitions of "personal data" and "processing" contained in art. 4 of the Regulation do not specify anything in this regard).
The Code, in art. 2-terdecies (Rights concerning deceased persons), establishes that the rights attributed to the interested party (by articles 15 to 22) can be exercised by those who have a personal interest or act to protect the interested party, as his agent, or for family reasons worthy of protection. Therefore, our legal system recognizes, under certain conditions, the protection of the personal data of deceased persons. The Guarantor has ruled on the point, underlining how “the rights referred to in Articles 15 to 22 of the GDPR […] are embodied in the right to request that the data controller comply with the sector provisions on the protection of personal data and with the “principles applicable to the processing of personal data” in compliance with the conditions of “lawfulness of processing”, as compatible (see provision no. 2 of 10/1/2019, in www.gpdp.it, web doc. no. 9084520. On the data of the deceased, see also provision no. 118 of 7/4/2022, ibid., web doc. no. 9772545; no. 90 of 23/3/2023, ibid., web doc. no. 9888188)” (Provv. no. 82, 22/02/2024, doc. web no. 9996647).
In this case, then, the Guarantor, starting from the text of the email sent by the Company to the rider's user, after the fatal accident that involved him, made known to the press by the boy's family, started a control activity starting from the methods with which the Company disconnected from the platform and made it known to the interested party, through the email communication of 3/10/2022. The processing activities subject to the inspection activity therefore concern the entire group of riders who carry out delivery activities on behalf of the Company.
It is noted that during the proceedings, after the notification of the violations made by the Authority, the Company has developed a standard message to be sent automatically in the event of deactivation carried out when "incidents" occur and a message to be sent automatically at each change of status, thus distinguishing the different deactivation hypotheses and announcing a further communication that will contain the details of what is contested to the rider and indications on how to provide clarifications (see note 29/2/2024, Annex 1). Even if, at present, these planned changes have not been concretely implemented by the Company.
Furthermore, the objections formulated by the Company, in the defense briefs, with regard to the occurrence of a "human error", cannot be accepted, given that - as already argued above - the sending of the message to the deceased rider occurred automatically, as indeed on the occasion of each change of status. Nor can the circumstance that the contracted riders are numerous, with the consequent “inevitable recourse to a certain standardization of automatic communication”, be considered suitable to affect the need to adopt messages, even standardized, however differentiated and complete with information relating to the methods for revoking the disconnection or blocking (an activity that the Company has undertaken to carry out).
Finally, it is noted that, at present, no changes have yet been made in order to send standard messages, therefore, without prejudice to any assessment regarding the compliance with the data protection principles of the new messages prepared by the Company (currently provided exclusively in English), it follows that the Company has violated, in the terms indicated above, Articles 5, paragraph 1, letters a), c) and d) (principles of correctness, adequacy, relevance and accuracy of processing) and 25 (data protection by design and data protection by default) of the Regulation.
4.2. Violation of the obligation to provide information (art. 13 of the Regulation).
With reference to the documents containing the information on the processing of data prepared by the Company acquired during the investigation, it is noted, preliminarily, that, despite the plurality of the same, the purpose of art. 13 of the Regulation cannot be considered to have been effectively achieved.
The mere preparation of a plurality of information documents, in fact, cannot be considered, as the Company erroneously claimed, the expression of a "layered approach" and, therefore, an element, in itself sufficient to prove compliance with art. 13 of the Regulation.
The Authority's assessments regarding the multiplicity of information documents prepared by the Company derive, among other things, from the consideration of the negative effects resulting from the confusion generated by non-homogeneous information content and not corresponding to the notion of "layered information" provided for by the Guidelines on transparency pursuant to Regulation 2016/679 adopted by the Article 29 Group on 29 November 2017 and amended on 11 April 2018, adopted by the EDPB, but which are discordant and absolutely not coordinated, as will be illustrated below.
In this regard, the reference to art. 12 par. 7 of the Regulation, which specifies that in order to provide an “overview of the intended processing” “the information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardized icons”, carried out by the Company, appears irrelevant, given that the object of examination and dispute by the Authority was not the reference to any standardized icons, but the numerous and uncoordinated documents that the Company has prepared, from the examination of which it emerged that the Company has confused the need for quality of information to be given to data subjects regarding the processing, with the quantity of documents that should contain the same.
Furthermore, the aforementioned Guidelines on transparency specify that “In light of the quantity of information to be provided to the data subject, in the digital environment the data controller may follow a layered approach, opting for a combination of methods in order to ensure transparency. In order to avoid information overload, the Working Party recommends in particular the use of layered privacy statements/information notices to link the various categories of information to be provided to the data subject, rather than inserting all the information in a single information notice on the screen” (see Guidelines cit., point 35). Among the aspects that must be taken into consideration to assess whether the controller has fulfilled the obligation to inform data subjects, “the consistency of the information both between the different layers of a […] information notice and within each individual layer” is indicated (see Guidelines cit., point 35).
The layered approach, therefore, means that, after a first level of information notice (i.e. “the main method with which the controller addresses the data subject”, see Guidelines cit., point 36), further layers of specification regarding the data processing carried out follow. The aforementioned approach, therefore, should allow the interested party to understand more clearly how their data is processed, avoiding an excess of details that could be useful to know, in certain cases, by accessing the further level of information.
From the examination of the documents prepared by the Company, however, the absence of a coherent "layered approach" emerges, as well as the total lack of real coordination of content between the various information documents with the consequent impossibility, for the interested parties, to have a clear (and realistic) picture of the variety of treatments that the Company carries out on their data collected in the context of the employment relationship.
Not only, therefore, from the examination of the individual documents as well as from the joint examination of the same, it emerges that the Company has not realized the need to provide the interested parties with the necessary complete information, but it is also evident that it has not even managed to realize the need to provide the aforementioned information in a concise, transparent, intelligible and easily accessible form (see Guidelines cit., point 34).
4.2.1. The information taken from the Company's website and the document containing "Terms and conditions of use of the Glovo platform for couriers", delivered by the Company during the inspection of 13 and 14 December 2022.
The document containing the information, undated, delivered by the Company during the inspection of 13 and 14 December 2022, taken from the Company's website (https://glovoapp.com/it/legal/privacy-couriers/) (Annex 7 of the minutes of 14/12/2022), which has the same content as the information attached to the copies of standard contracts provided during the first inspection (Annex 2 of the minutes of 13/12/2022) must be considered to have been drawn up in violation of Articles 5, paragraph 1, letter c). a) (principle of transparency and principle of fairness), 12 and 13 of the Regulation: the information contained in the aforementioned document is not in fact provided “in a concise, transparent, intelligible and easily accessible form” nor is it provided “all the information referred to in Articles 13 and 14”.
In the information in question, in particular, the categories of rider data that the Company processes are not identified in full, so much so that point 2 therein, dedicated to the “data collected”, introduces them with an exemplary statement (“below, we list an example of data that we collect and the related purposes of processing”); among other things, the data on order management are not indicated, nor the data relating to chats and emails exchanged between riders and customer care operators, data which, instead, from what emerged during the inspection, the Company processes.
With regard to the categories of data, the Company's observation that "the various information documents provided to couriers in the context of the relationship with Foodinho should not be understood as separate information, but should instead be considered as a whole" and "to start collaborating with the Platform, couriers are required to download the relevant app and accept the Terms and Conditions where [...] such categories of data are expressly mentioned" is devoid of merit for the reasons stated above (see paragraph 4.2), and it should be noted that the information in question here does not refer to any further document, not even to the "Terms and Conditions", for the complete indication of the data processed.
Furthermore, to argue, as the Company does, that “the courier is necessarily aware of the processing of such communications for support purposes” with regard to the data relating to the “chats” and “emails” exchanged between the couriers and the customer care operators, since in the contract signed by the riders to which the information is attached there is a reference to the “existence of exchanges with a “support” function” (see note of 11/12/2023, p. 13, 14), is not acceptable: as already underlined, in fact, with the information the data controller must provide the interested party with all the information in a concise, intelligible and easily accessible form, not generic information that must be interpreted, inferred and searched for within the various relevant documents that define the relationship with the rider.
Furthermore, in this regard, although the Company declares that the information regarding the processing of data relating to the "chats" and "emails" exchanged between couriers and customer care operators are "also provided during the interview that precedes registration on the Platform" (see note of 11/12/2023, p. 14), it is noted that no evidence of this has been produced before the Authority.
Furthermore, the information in question is not clear and intelligible, with reference to the identification of the conditions of lawfulness and the purposes of the processing (which, among other things, have been included in the same section), between which there is often no coordination: again within point 2, "Data collected", where the respective legal bases and the purposes of the processing are indicated for the selected data, in fact, it is not possible to distinguish one from the other.
Furthermore, although multiple legal bases are indicated within the aforementioned point 2, in point 4 - "purpose and legal basis of data processing" -, it is specified that "the data will be processed exclusively for the purpose of correctly executing the contractual relationship between the parties", thus making the lack of alignment between the two sections within the same document evident.
The Company's reference to the principle of accountability is also completely irrelevant with respect to the objections raised by the Authority, with reference to art. 13 of the Regulation.
The relevance attributed by the Regulation to the principle of accountability does not, in fact, entail the loss of the Authority's powers with regard to the assessment of the conformity of a data controller's conduct with respect to the personal data protection regulations, not even with regard to the obligation on the data controller to provide information on the processing pursuant to art. 13 of the Regulation.
The object of the dispute regarding the information on the conditions of lawfulness and the purposes of the processing, among other things, did not concern, as the Company would seem to believe, "the format and methods" with which such information was provided, but the fact that the information provided does not comply with the requirements of completeness and clarity required by the rules (articles 12 and 13 of the Regulation) and instead generates confusion and uncertainty in the interested party, with respect to the processing of his personal data.
Also with reference to the conditions of lawfulness of the processing, in relation to the indication, within point 4, of the "explicit consent of the courier" as the legal basis of the processing, it is first of all observed that the reference to the consent of the rider for the processing of unspecified data is so generic as not to allow the identification of the data in relation to which the Company deems the same suitable condition of lawfulness of the processing.
It is also noted that, as a rule, consent in the context of the employment relationship, given the asymmetry between the parties thereof, does not constitute a condition for the lawfulness of processing with regard to data relating to the employment relationship (see Opinion No. 2/2017 of the Article 29 Working Party, par. 2 “It is important to recognize that employees are rarely in a position to freely give, refuse or withdraw consent to data processing, given the dependence arising from the employer/employee relationship. Except in exceptional situations, employers should rely on a legal basis other than consent”).
In this regard, the Company's objection regarding the "loss of all reason to exist" of this dispute since "the qualification of the relationship between the Company and the couriers proposed by the Guarantor [...] in terms of an employment relationship is clearly not correct" (see defence briefs 11/12/2023, p. 15), appears not to be shared given that, as the Article 29 Working Party itself has underlined, the problems arising from the qualification of consent as a suitable legal basis do not only concern the employment relationship, but any work situation in which there is an imbalance between the position of the person performing the work and that of the person for whom the work is performed (see in particular Opinion no. 2/2017 of the Article 29 Working Party, par. 2). In recent decades, new business models served by different types of employment relationships have become more common, in particular the use of freelance workers. This opinion intends to address all employment relationship situations, regardless of whether such relationship is based on an employment contract”).
Furthermore, recital 42 of the Regulation specifies that “consent should not be considered to be freely given if the data subject is not in a position to make a genuinely free choice or is unable to refuse or withdraw consent without detriment”. Circumstances that cannot be considered to be present in the case at hand, given the specific characteristics of the relationship between the Company and the riders.
In this regard, it is also emphasized that the Authority has ascertained that the processing of personal data of the riders is carried out by the Company in the context of an employment relationship, now governed by art. 2, Legislative Decree no. 81/2015 (as amended by art. 1, paragraph 1, letter a), nos. 1 and 2, Legislative Decree no. 3.9.2019, n. 101, converted with amendments into l. 2.11.2019, n. 128) and therefore the “regulations of the subordinate employment relationship” apply to them (see funditus par. 4.12).
With reference to the “geolocalization” section (point 3), some legal bases are indicated in a generic way and seem to refer to the purposes of the processing (in particular: “fight against terrorism”, “money laundering”, “crimes against public health”), moreover, contrary to what the Company claims, they are not specified in any way in point 2 of the information.
With regard to the Company's statement that "the information included in the Terms and Conditions includes further information regarding geolocation processing, with a clear indication of the applicable legal bases" (see note 11/12/2023, p. 15), we simply specify that, in the aforementioned point 3 of the information in question, there is no reference to the document containing the "Terms and Conditions" through which the interested party could abstractly, according to the Company, understand that further information regarding geolocation would be contained therein (on the issues relating to the "Terms and Conditions" document, see below).
The processing methods (point 6, "processing methods") are then indicated in such vague terms as not to provide useful information for the interested parties.
In this regard, it is recalled that the need to provide information regarding the processing methods derives from the combined provisions of articles. 5 and 13 of the Regulation, given that knowing how your data is processed is the maximum expression of the principle of transparency: without indications regarding the methods of processing, the so-called information notice is missing a central and essential part to understand how the data controller actually carries out the processing itself.
In confirmation of this, the Transparency Guidelines cited, in illustrating the concept of transparency, recall recital 39 of the Regulation according to which “it should be transparent to natural persons how personal data concerning them are collected, used, consulted or otherwise processed, as well as the extent to which the personal data are or will be processed” (see Transparency Guidelines cited, point 6).
Furthermore, part of the content of the information notice is not consistent with what was found during the inspection.
In particular, within point 7, “metrics”, it is specified that “no profiles are created”, and that “the controller does not adopt decisions based on automated decision-making processes”. However, this contrasts with what emerged during the inspections, regarding the automated processing of data relating to riders and the creation of profiles: within the system of excellence and assignment of shifts (slots) to riders; within the system of assignment of orders; in the event of disconnection and blocking of the account (see document "Terms and conditions of use of the Glovo platform for couriers" delivered by the Company during the inspection of 13 and 14 December 2022).
The lack of transparency and clarity is also found with reference to what is indicated in the matter of geolocalization, again within point 7, "metrics", of the information in question; geolocation is, in fact, defined as “direct and exclusively associated with the service”, “temporary and not exhaustive, but rather limited to a short route between two mandatory points that the Courier cannot choose” despite the fact that the processing carried out through the rider’s geolocation systems has as its object the rider’s data and therefore constitutes in all respects personal data relating to the rider and not “to the service”.
This is also confirmed by what emerged from the inspection activity (see minutes of operations carried out, 14/12/2022, p. 7). The wording used by the Company does not allow interested parties to understand what the processing of geolocation data actually consists of.
The section relating to geolocation also indicates that “the owner may, only in the event that the Courier directly activates the geolocation function on his device and only during the hours in which the Courier carries out delivery tasks, receive information relating to the geographical position of the mobile device used”.
This information is not consistent with what emerged during the inspection regarding the fact that the GPS also works when the app is in the background and, until 8/22/2023, even when the app had not been opened.
From the analysis of the aforementioned information, it also emerged that the indications provided, regarding the processing of biometric data, are not clear nor do they correspond to what emerged from the investigation activity: in point 8 ("authentication process") it is specified that the processing of biometric data has been carried out "since November 2020" despite the Company having declared, during the investigation, that the processing of biometric data was interrupted in July 2022.
In this regard, the Company also declared that "the Jumio test currently underway consists of the following phases: 1. at the beginning of February, an initial activation of facial recognition was carried out on 3.28% of the Couriers active in Italy. 2. On February 20, it was extended to 18.33% of active Couriers. 3. On February 27, it was activated on a smaller percentage of 15.55%. 4. On March 13, the test was extended to 32.61%”.
The information examined was acquired on December 14, 2022, a period in which, according to the Company, it did not process biometric data.
In this regard, the Company acknowledged that “the language contained in the information on file was not promptly updated following the temporary suspension of the biometric authentication mechanism due to the technical flaws found in July 2022” (see note 11/12/2023, p. 17).
The indication that “This processing of biometric data is necessary to fulfill the obligations in terms of labor law, safety and social protection undertaken by the Data Controller pursuant to art. 23, (entitled “Contrast to gangmastering and irregular work”) of the CCNL Rider” is not correct; in fact, within the aforementioned collective agreement, there is no express provision that provides for the obligation of facial recognition.
Finally, it is believed that not even the section of the information entitled “Annex I - Retention Periods” has been drafted in a clear and intelligible form: in fact, the data processed is not clearly indicated; not all the categories of data that the Company processes have been indicated; furthermore, the indication of the categories of data processed with the purposes of the processing is superimposed.
The document containing the “Terms and conditions of use of the Glovo platform for couriers”, taken from the company’s website (https://glovoapp.com/it/legal/terms-couriers/), which indicates the last update date as 29 April 2022, delivered by the Company during the inspection of 13 and 14 December 2022, also appears to have been made in violation of Articles 5, paragraph 1, letter a) of the Regulation (principle of transparency and principle of fairness), 12 and 13 of the Regulation: the wording of the content therein is not clear (see paragraph 9.4, “Purpose and legal basis for processing”), furthermore, some indications relating to disconnection and blocking of the account are not correct or corresponding to what was declared during the inspection.
In this regard, in fact, the document states that “Glovo reserves the right in any case to remove or disable access to any Account for any reason or no reason, even if it believes, in its sole discretion, that your Account violates the rights of third parties or the rights protected by the Terms and Conditions” (see point 5.4.2.).
Differently, during the inspection, the Company declared that it had adopted a procedure that provides for deactivation/blocking only when specific cases occur (which therefore would not operate for “any reason or no reason”), with the possibility, moreover, for the rider to obtain the revocation of the measures (Annex 7 minutes 14/12/2022).
4.2.2. The version of the information, updated to December 2022, extracted from the Company's website during the inspection of 1 March 2023.
During the inspection, a version of the information updated to December 2022 was extracted from the Company's website (Annex 10 minutes of operations carried out 1/3/2023).
However, this document also does not comply with data protection regulations, in particular with Articles 5, par. 1, letter a) (principle of transparency and principle of correctness), 12 and 13 of the Regulation.
Furthermore, the Company declared that only "subsequently", with respect to the update on the website, the new information was attached to the contracts with the riders (see note of dissolution of the reservations of 16/3/2023). The latter, therefore, continued to have, until the insertion of the new version, an outdated information.
In this regard, the Company's statement that "the paper information attached to the contracts clearly indicates that any updates can be found online at the indicated hyperlink" is devoid of any merit (see defense briefs 11/12/2023, p. 18) since such indication, inserted within the information attached to the contracts signed by the riders, can be considered a useful tool for knowing updates to the information if, after the signing of the contract, it has undergone a change; certainly, however, the presence of the aforementioned indication does not justify (or compensate for) the communication of an information that is not updated, already at the time of the stipulation of the contract to which it is attached and that contained on its website, as the Company seems to claim.
The data protection regulations are considered to be violated because, overall, the document updated in December 2022 does not appear to comply with the transparency and intelligibility standards required by the Regulation (for some points the distribution of information is based on the interested party, e.g. point 6 is dedicated to the rider - courier -, but some information relating to the processing of riders' data is contained in other points, in particular only in points 13 and 14 are the chapters on automated decisions and profiles, without any internal reference), as well as completeness of information, given that not all the riders' data that the Company processes are indicated in an exhaustive manner: in point 6.2 the data relating to order management are not indicated; within the same point there is no mention of the processing of biometric data (it is in fact not clear whether the indication of "photo: road safety, prevention of accounting fraud and public safety" also includes the processing of biometric data); in point 15 on security measures no specific data is indicated, not even through a reference to a different document).
Furthermore, there is no reference to the deactivation/blocking of the rider's account by the Company.
The document is not clear and transparent, not even with reference to the conditions of lawfulness of the processing (in the initial section "1.scope", reference is made to the consent of the interested party without specifying in relation to which processing such consent would operate; furthermore, reference is made to the previous considerations relating to the unsuitability of consent as a legal basis in the workplace, see paragraph 4.2.1.; within point 6, the legal bases and purposes of the processing are also indicated in a confusing and contradictory manner).
Nor is the table contained in Annex I to the information updated in December 2022, "general retention periods", in the section dedicated to riders (point 6), clear as it is generic and not exhaustive; the same, among other things, is divided into two parts ("general" and "couriers") without the reason for the division being clear, given that the table in question is found in the section dedicated to riders.
The content of the information updated in December 2022 does not even appear to be entirely compliant with the effectiveness of the processing carried out, as detected during the inspection, given that it is stated that no automated decisions are taken or profiles are created pursuant to art. 22 of the Regulation (see points 13 and 14).
4.2.3. Further versions of the information relating to the processing of riders' data.
During the inspection of 26 and 27 July 2023, further versions of information documents relating to the processing of riders' data were also delivered by the Company.
In particular, some are almost identical to the information already made available to the Office during the investigation and for which reference is made to the observations already indicated in the previous paragraphs (Privacy information updated to December 2022, Terms and conditions of use of the Glovo platform for couriers updated to 29/4/2022), while the information attached to the "occasional contract" model and the information attached to the "VAT contract" model, in the versions updated to March 2023 (Annex 3, minutes 26/7/2023), albeit in a structure that follows that of the previously provided versions, present some changes.
In relation to the latter, the following is noted.
Despite the inclusion of some limited changes made to the versions of the information attached to the contract models stipulated with the riders (inclusion of some types of data collected that did not appear before, such as "data relating to delivery tasks" and "information on conversations", although the wording is not sufficiently clear; use of geolocation for the assignment of orders; indication of the retention periods of geolocation data and biometric data), it emerges that the aforementioned information still does not comply with the personal data protection regulations (articles 5, paragraph 1, letter a), 12 and 13 of the Regulation), in terms similar to what has already been ascertained in relation to the previous versions, as the information contained in the aforementioned documents is not provided "in a concise, transparent, intelligible and easily accessible form" nor is "all the information referred to in Articles 13 and 14" provided.
In particular, the categories of rider data that the Company processes are not fully identified, so much so that point 2, dedicated to the "data collected", continues to introduce them with an exemplary statement.
Furthermore, the information in question is not clear and intelligible with reference to the identification of the conditions of lawfulness and the purposes of the processing (among other things included in the same section), between which there is often no coordination.
With reference to the "geolocalization" section (point 3), some legal bases are indicated in a generic way (in particular: "fight against terrorism", "money laundering", "crimes against public health").
Again with reference to the conditions of lawfulness of the processing, it is emphasized that, within point 4, the "explicit consent of the courier" is also indicated, for which the considerations set out above apply.
The methods of processing (point 6, "methods of processing") are also indicated in such generic terms as not to provide useful information for the interested parties.
Furthermore, part of the content of the information is not consistent with what was found during the inspection. In particular, within point 7, “metrics”, it is specified that “no profiles are created”, and that “the owner does not adopt decisions based on automated decision-making processes”.
The lack of transparency and clarity is also found with reference to what is indicated in the matter of geolocalization (see point 7 “Metrics”, where geolocalization refers “to the service” and not to the rider).
Furthermore, with regard to the methods of geolocalization, the interested party was not made aware of the particular characteristics of the geographical detection which also concerned the hypothesis in which the rider was not engaged in work activity on behalf of the Company and without his knowledge, even when the rider is not operational in the slot and the app is in the background.
Furthermore, from the examination of the different versions of the information for riders delivered also recently, a discrepancy between them is noted based on the type of contract - not supported by any explicit motivation - from which derives an evident difficulty, for the interested parties, in reading and effectively understanding them in order to how the data referred to them are processed (see par. 3 relating to "geolocalization" within which there is a section only in the "occasional contract" model).
This therefore does not comply with the provisions of articles 5 par. 1 letter a), 12 and 13 of the Regulation.
4.2.4. Information delivered on 29 February 2024.
In the additional briefs of 15 January 2024, the Company, with reference to the documentation containing the information, indicated, among the measures that it “proposes to adopt in order to further improve compliance with the legislation for the protection of personal data, with specific reference to the findings raised by this Authority [with the notification of the violations]”, those of: “reviewing all current versions of the courier information […] in order to ensure that they have substantially uniform content”; “reviewing the Information […], also following a layered approach that refers to detailed information and/or dedicated help pages”.
In this way, the Company itself confirmed the need to review the information documents prepared by it, in order to comply with the data protection regulations.
With the additional memoranda of 29 February 2024, the Company sent a “revised” copy of the “Glovo privacy policy”, a copy of the “Terms and conditions of use of the Glovo platform for couriers” updated to February 2024, a copy of a “service contract pursuant to art. 2222 of the Italian Civil Code” and a copy of the “transparency information pursuant to Legislative Decree 104/2022”.
In this regard, it is noted that the aforementioned information documentation also does not comply with the personal data protection regulations for the reasons indicated below.
With regard to the “Glovo privacy policy” (Annex 2 note of 29/2/2024), it is preliminarily noted that the same is not dated nor, at present, available on the Company’s website.
Point 6, dedicated to couriers, contains indications that do not comply with the personal data protection regulations, in particular: in the list of types of data processed by the Company, with reference to "biometric characteristics", the document specifies that it operates "without processing biometric data", even though later, within the same section, "biometric data" is indicated for which it is specified "limited to the use of the facial recognition function via Jumio"; among the data processed by the Company, "traffic data" and "metadata" are also indicated, relating to the device and use of the app, in the absence of any indication regarding the purpose and legal basis of the related processing; processing operations also include communications of rider data to other companies in the group, despite the fact that, with the same note, the Company declared that "as of today, the Permission [to access the "livemap" platform] is also not active for employees of Glovo group companies located in other countries" (see note 29/2/2024, point 3.7, letter C); in point 6.5., the performance of "partially automated processing" is reported, specifying that these "could have an impact in relation to the assumption or assignment of deliveries, as well as could involve verification activities of the identity of the couriers and/or the evaluation by the same of compliance with the terms and conditions of use of the Platform", despite the fact that the outcome of the Authority's investigations revealed that such processing (excellence score, geolocalization, facial recognition system and authentication process, blocking/suspension and deactivation of the account) unfailingly involve verification and evaluation activities by the Company); with regard to the geolocalization of riders (point 6.5.2.2.), the indication remains that this operates exclusively during the hours in which the courier "actually carries out delivery tasks", despite the fact that, during the control activity, it emerged that the GPS also operates when the app is in the background and, until 22/8/2023, even when the app had not been opened.
The section relating to the processing of biometric data (facial recognition) also remains despite such processing, as will be better indicated later, not being compliant with the personal data protection regulations (point 6.5.3. of the information).
Annex I of the Terms and Conditions continues to contain the designation of the rider as data controller, in the terms already indicated above, i.e. in violation of art. 28 of the Regulation. The reference to this designation as data controller is also present in the standard contract model contained in Annex 4. Moreover, this standard contract model, which is not dated, contains the link to the privacy policy on the Company's website dated December 2022.
Overall, it does not appear that an adequate review of the information presented has been carried out, considering, among other things, that not all the documentation delivered to the Authority is actually accessible to the interested parties (as specified above, in fact, the "Glovo Privacy Policy", Annex 2 note of 29/2/2024, is not dated or available on the Company's website). Furthermore, the information documents most recently submitted to the Authority contain, in the terms indicated above, elements of unlawfulness already present in previous versions.
4.3. The obligation to provide information in the case of use of automated decision-making or monitoring systems.
Art. 1-bis of Legislative Decree no. 152 of 1997, introduced by art. 4 paragraph 1 letter. b) of Legislative Decree no. 104 of 2022 implementing Directive (EU) 2019/1152, amended by Legislative Decree no. 48 of 4/5/2023, converted into Law no. 85 of 23/7/2023 (“Further information obligations in the case of use of automated decision-making or monitoring systems”), has established that “The employer or the public and private client is required to inform the worker of the use of fully automated decision-making or monitoring systems designed to provide information relevant to the purposes of hiring or assigning the assignment, managing or terminating the employment relationship, assigning tasks or duties, as well as information affecting the supervision, evaluation, performance and fulfillment of workers’ contractual obligations. The provisions of Article 4 of Law no. 300 of 20 May 1970 remain unchanged”.
The provision also specifies what information must be provided to the worker “before the start of work”, in particular: a) the aspects of the employment relationship affected by the use of the systems; b) the aims and purposes of the systems; c) the logic and functioning of the systems; d) the categories of data and the main parameters used to program or train the systems […], including performance evaluation mechanisms; e) the control measures adopted for automated decisions, any correction processes and the person responsible for the quality management system; f) the level of accuracy, robustness and cybersecurity of the systems referred to in paragraph 1 and the metrics used to measure these parameters, as well as the potentially discriminatory impacts of the metrics themselves.
The Authority, with the document “First indications on Legislative Decree 27 June 2022, no. 104, so-called “transparency decree”” (web doc. no. 9844960) clarified that the new information obligations introduced by art. 4, Legislative Decree lgs.27/6/2022, n. 104 constitute a more specific and more protective discipline, for the interested parties, in the workplace, pursuant to the provisions of art. 88 of the Regulation.
As a result of the investigations, it emerged that, from the date of entry into force of the aforementioned specific obligations regarding transparency (1 August 2022) and until 18 May 2023 (the date on which the Company prepared an initial information document on the subject, Information on transparency pursuant to Legislative Decree 104/2022, see note 11/12/2023, p. 18), the Company has not adopted any information regarding the processing of data relating to riders carried out through fully automated decision-making or monitoring systems, as instead required by the aforementioned discipline.
This is also in light of the more stringent definition, in force from 4 May 2023, which added the adverb “fully” to the original definition of automated systems.
The Company, as argued in more detail in the following paragraph dedicated to automated processing, carries out a plurality of processing through fully automated systems, designed to provide relevant information for the purposes of assigning the task, management, termination of the employment relationship, assignment of tasks, as well as information affecting the supervision, evaluation, performance and fulfillment of the contractual obligations of riders.
Despite this, it failed to provide information relating to the existence and specific mode of operation of the aforementioned systems, not following up on what is required by art. 1-bis cited, before the start of work activity, in relation to a significant number of interested parties, equal to 7,405 riders (at the date on which the data relating to riders who began to provide their activity after 1 August 2022 was provided to the Authority, see note on the dissolution of reservations of 27/12/2022, letter R).
In this regard, it is in fact emphasized that, with regard to employment relationships established after 1 August 2022, the additional information obligations must be fulfilled, by express regulatory provision, before the start of work activity (art. 1, paragraph 2, of Legislative Decree 26 May 1997, no. 152).
Among other things, in the sense of the performance, by the Company, of automated processing in relation to which the provisions of art. 1-bis cited, the case law of merit has also ruled on several occasions (see Turin Court ruling no. 231 of 2024, published on 12/03/2024 “Foodinho uses systems that can be defined as fully automated to adopt decisions that affect the management of the employment relationship”.[…] the opposing company adopted a fully automated decision-making system to evaluate the reputation (i.e. the work) of the delivery drivers, which significantly affected the employment relationship since it involved the assignment of a score to access the calendar of bookable slots on the platform as a priority. The system also provided for the profiling of the delivery drivers […]. The company was therefore the recipient of the information obligations set out in the so-called transparency decree, also as amended by Legislative Decree no. 48/2023”.
Furthermore, according to the Court of Turin, the information pursuant to art. 1-bis cited, subsequently prepared by the Company, was deemed not compliant with the provisions of the same law.
See also the Court of Palermo 20/07/2023, according to which the “automated systems used by the defendant [Foodinho s.r.l.] are fully automated systems, given that the human intervention inferred (and not demonstrated) in any case would not occur in the final phase, but rather only in the data entry phase or activation of the system itself, in which the subsequent processing and treatment of the data and any final decision are entirely entrusted to algorithmic or computerized automatisms”; on that occasion it was also established that “the obligation of the defendant to provide the information required by art. 1bis, introduced by Legislative Decree no. 104 of 2022, to the appellant trade unions remains in place even after the entry into force of Legislative Decree no. 48 of 2023, with the obvious exclusion of those that affect systems or parts of them covered by industrial or commercial secrecy”.).
With regard to the excellence system, the Company stated that it provides “explanations on how the [score assignment] works at different times and through different means” (see note 27/12/2022, letter Q), including through an explanatory video made available to riders “during the onboarding process”, through information on the Company’s website, newsletters and meetings, of which no evidence was provided.
In this regard, first of all, it is recalled that pursuant to art. 12 of the Regulation, information on the processing must be provided to the interested parties in a concise, transparent, intelligible and easily accessible form, using clear and simple language; only where the interested party requests it, the information on the processing may be provided orally, but even in this case the data controller is required to demonstrate that it has implemented conduct in accordance with the data protection regulations (see also the accountability principle, art. 5 par. 2 of the Regulation).
The same art. 1-bis cited, in paragraph 6, provides that "The information and data referred to in paragraphs 1 to 5 of this article must be communicated by the employer or the client to the workers in a transparent manner, in a structured, commonly used and machine-readable format".
Secondly, it should be noted that the processing of data relating to the assignment of the score does not constitute the only automated processing carried out by the Company, as will also be stated later.
Furthermore, the information that was provided by the Company regarding the scoring system did not satisfy the requirements of the cited art. 1-bis.
With the defense briefs of December 11, 2023 (Annex 5), the Company then produced a “Transparency Notice pursuant to Legislative Decree 104/2022”, in relation to which it declared that it is “specific information regarding some of the treatments that involve partially automated processes, including the logics relating to the Excellence Score and the slot assignment criteria” (p. 18).
With regard to this version of the transparency notice - which the Company declared to have adopted on May 18, 2023 and made available both on its website and by sending it to all riders -, it is noted that it is not adequate, with respect to what is required by the legislation, as it lacks some of the information that must necessarily be contained therein.
In particular, the notice in question does not contain some of the information required by paragraph 2 of art. 1-bis: information on the logic and operation of fully automated decision-making or monitoring systems (letter c), on the categories of data and the main parameters used to program or train fully automated decision-making or monitoring systems, including performance evaluation mechanisms (letter d), on the control measures adopted for automated decisions, any correction processes and the person responsible for the quality management system (letter e), on the level of accuracy, robustness and cybersecurity (transparency regarding the number and type of Company operators who can access the data processed, protection from abusive or illicit access to the data, communication of data to third parties) of fully automated decision-making or monitoring systems and the metrics used to measure such parameters, as well as the potentially discriminatory impacts of the metrics themselves (letter f).
With the briefs of 29 February 2024 (annex 5), the Company also produced a revised version of the information, pursuant to art. 1-bis of Legislative Decree no. 152 of 1997; this latest version is currently published on the Company's website, although neither the date of the same nor of its publication are indicated. The text of the information can be accessed through the section relating to the excellence score, by activating the "find out more" button, always relating only to the functioning of the excellence score.
However, this version of the information does not comply with the reference regulation, as it does not contain some of the information required by art. 1-bis paragraph 2, even though some additional information has been included in it on the type of data processing carried out through fully automated decision-making or monitoring systems.
In particular, no indications are given regarding: the control measures for automated decisions and any correction processes (art. 1-bis, paragraph 2, letter e) - except limited to the so-called procedure grievance - nor the level of accuracy, robustness and cybersecurity of the fully automated decision-making and monitoring systems in use and the metrics used to measure such parameters, as well as the potentially discriminatory impacts of the metrics themselves (art. 1-bis, paragraph 2, letter f).
With regard to this last aspect, although the Company specifies that "no risks of discrimination have emerged due to the fact that the parameters do not even indirectly take into account factors of possible discrimination for union reasons, sex, religion, personal beliefs, handicap, age, sexual orientation, race and ethnic origin" (see p. 3 point 2.1), it is instead quite clear that an algorithm based on customer feedback is by its nature subject to potential discriminatory effects linked to the customer's perception of the rider, and, furthermore, the use of metrics based strictly on order delivery performance may discriminate riders on the basis of age, sex and health conditions.
The Company has therefore violated, starting from 1 August 2022, articles 5, par. 1, letter a) (also with reference to the provisions of art. 1-bis of Legislative Decree no. 152 of 1997), 12 and 13 of the Regulation.
4.4. Violation of art. 28 of the Regulation in relation to the designation of the rider as data controller and the designation of third-party companies operating as sub-processors.
The document “Terms and conditions of use of the Glovo platform for couriers”, taken from the company’s website (https://glovoapp.com/it/legal/terms-couriers/), which indicates the last update date as 29 April 2022, delivered by the Company during the inspection of 13 and 14 December 2022, also contains the designation of the rider as data controller, in relation to data relating to customers and orders.
In light of the specific characteristics of the treatments referred to the assignment and execution of orders, this qualification does not, however, comply with the provisions of art. 28 of the Regulation (doc. cit., “Annex 1 - Treatment order contract”, p. 21).
In particular, the Company provides (also in the updated version of the document) that the rider, as data controller, should, among other things, keep a record of processing activities, assist the controller in preparing the impact assessment and, where appropriate, in submitting the request for preliminary consultation to the Authority (through the following instructions given to the managers/riders: “have, in writing, a record of the processing activities carried out on behalf of the responsible entity” (in the updated version, the expression “responsible entity” has been replaced by “controller”), “support the responsible entity in carrying out data protection impact assessments and, where appropriate, assist it in carrying out preliminary consultations with the supervisory authority, where appropriate” (in the updated version, the expression “responsible entity” has been replaced by “controller”), “ensure that the employees of his organization who process personal data undertake to respect the confidentiality of personal information processed on behalf of the responsible entity” (in the updated version it has been specified “expressly and in writing”), “provide data subjects with the information they need to know about the processing of personal data ... information regarding the processing of their data carried out in the context of the processing, at the time of data collection”, see Annex 4, defense briefs 11/12/2023).
In this regard, while acknowledging that, following the notification of the violations by the Authority, the Company corrected the incorrect qualification in terms of “data controller” attributed to both the Company itself and the rider, it should be noted that the instructions given to the riders in their capacity as data controllers by the Company remained identical (see defense briefs 11/12/2023, p. 17).
Considering this, it is necessary to underline that the aforementioned designation, given the directives given to the rider contained therein, given the activity carried out, in concrete, by the riders and examined the type of working relationship that exists between the Company and the couriers, does not appear to correspond to the nature of the tasks specifically entrusted to the rider.
The designation of the rider as data controller, as provided for by the Company, therefore violates art. 28 of the Regulation given that the absence, in concrete, of the characteristics necessary for the performance of the tasks assigned by the controller is evident (see art. 28, par. 1 of the Regulation where it requires the controller to use only data controllers who in concrete present sufficient guarantees to guarantee that the processing carried out on their behalf meets the requirements of the Regulation and guarantees the protection of the rights of the interested parties).
Again with reference to what is established by art. 28 of the Regulation, during the investigations it emerged that the deactivation operations from the platform were carried out not only by operators of the Company, but also by sub-managers of Glovoapp23 SL, in particular by operators of Comdata and Trizma.
In this regard, it should be noted that the Company has represented in documents that “Foodinho S.r.l. uses the support of external call centers, Meritus Upravljanje, d.o.o. (MPLUS) and Comdata, S.p.A. (COMDATA), limited to the onboarding activity of the Courier (MPLUS) and assistance to the Courier in real time (COMDATA)”, note 27/12/2022, letter I).
From the examination of the documents acquired during the inspection activities (see file result.csv, present in Annex 5, inspection report 28/2/2023), it emerged that there are numerous cases in which even the deactivation of a rider (therefore not only the onboarding and real-time assistance activity) was carried out by operators belonging to the latter companies.
In light of the findings in the documents, it therefore emerges that the deactivation activity is also entrusted to personnel belonging to companies that operate as sub-managers, without, based on the examination of the documentation produced by the Company, such personnel (moreover numerically considerable, see note on the dissolution of the reserves 16/3/2023, p. 9, where a total of 256 operators is indicated) having been previously provided with the necessary instructions, as instead clearly required by art. 28 of the Regulation.
In this regard, it is noted that, during the proceedings, the Company declared that it had discontinued the service provided in Italy by Trizma and that it had provided “further instructions to the Comdata call center operators [in relation] to any disconnections of the accounts [of] the couriers” (see note 29/2/2024).
Taking into account that no evidence was provided of any previous regulation of the relationship with the sub-processors, in relation to the disconnection activity from the platform, the Company violated art. 28 of the Regulation up to the date of 29 February 2024.
4.5. Violation of art. 5 (principle of minimization), 22 (obligation to implement appropriate measures to protect data subjects in the event of automated decision-making processes) and 25 (principles of privacy by design and privacy by default).
Following the investigation, it also emerged that the Company carries out, as the owner, using the Glovo digital platform (see Franchising Agreement, 1/10/2019, Annex A, note on the dissolution of reserves 16/3/2023), automated decision-making processes, pursuant to art. 22 of the Regulation (defined as a “decision based solely on automated processing, including profiling, which produces legal effects […] or similarly significantly affects” the data subject).
4.5.1. The excellence system and the order assignment system within the shift.
The automated processing is carried out by the Company, first and foremost, through the operation of the so-called excellence system and the order assignment system, as currently configured.
The excellence score works by taking into account four parameters, which have a different weight, based on the different cities in which the riders carry out their activity, in the last 28 days of use of the platform, even if not consecutive (so-called reference period). The overall score “has a progressive and increasing weight in the Reference Period (e.g. the most recent performance has a more significant score than that of 28 days ago)”.
The parameters taken into consideration by the system are the following: “contribution” parameter (indicated as “Sum Seniority Normalised”) which refers to the number of orders delivered in the reference period; “no show” parameter (“Sum No Show Normalised”) relating to the number of times the rider booked a slot, but then did not check in (this taking into account that the rider can check in starting from 25 minutes before the start time of the slot up to 10 minutes after; furthermore, the booking can be cancelled up to one minute before the start time); “customer rating” parameter (“Sum Customer Rating Normalised”), relating to the feedback received from the customer; finally, the “high demand slot” parameter (“Sum High Demand Normalised”) takes into account the time in which the rider carries out the service within high demand slots that occur weekly (these are shifts during which there is normally a greater influx of orders and amount to six hours a week, which generally correspond to three hours for dinner on Saturday and three hours for dinner on Sunday).
The score automatically assigned to each rider, based on the operation of the parameters processed by the platform, allows for priority booking of the delivery shifts (slots) established by the Company and made available, through the platform, twice a week (Monday and Thursday at 4:00 p.m.).
The rider who obtains a higher score has priority access to the assignment of the work shift and the related orders, taking into account that some shifts allow for receiving a higher number of orders (so-called high demand slots).
Contrary to what the Company claims, riders cannot freely book the chosen work shift among the proposed slots. After examining the documentation in the files, it emerges that there are saturated slots, i.e. delivery shifts booked at 100%, in which the availability of the riders exceeds the request of the Company, which makes it impossible for those who obtain a lower score, within the excellence system, to access certain shifts, with a consequent reduction in job opportunities, which are more available in "high demand" shifts.
In particular, examining the table provided by the Company and relating to the percentage of filling of the individual slots (Annex F, note on the dissolution of reserves 27/12/2022), it emerges that there are numerous saturated slots (at 100.00%) and, in light of the parameters relating to the individual Italian cities subsequently provided at the request of the Authority, it emerges that, at least in relation to two large cities, Rome and Milan, saturated slots are recorded every day (Annex 4, inspection report 28/2/2023).
The same Company also stated that the purpose of the “No Shows” parameter is to “prevent the failure to connect without withdrawing the availability from harming other couriers who could have booked the slot in question”, on the assumption that the slot availability is lower than the request and the rider who is unable to book the shift is “harmed” (see defense briefs 11/12/2023, All 5, “Information on transparency pursuant to Legislative Decree 104/2022”).
Therefore, the automated attribution of the excellence score has a significant impact on the rider’s activity, influencing, as we have seen, the possibility of booking certain work shifts.
Even through the algorithm that allows the assignment of orders within the slot, the Company therefore makes decisions based solely on automated processing based on the operation of 5 parameters, as declared by the Company itself (note of the dissolution of reserves 27/12/2022, letter H.: "Courier vehicle; Courier position; distance between the Courier position and the collection point; distance between the collection point and the delivery point; Courier device battery").
Through the two algorithmic systems, the Company therefore carries out processing consisting in the making of decisions, based solely on automated processing, including profiling, relating to the assignment of work shifts and delivery orders, which significantly affect the interested party, through the increase or reduction of work opportunities, precisely as a result of the decisions made by the system.
The Regulation has regulated the matter with the aforementioned art. 22 as well as, with reference to the notion of profiling, with art. 4, n. 4 and cons. 71, where in particular profiling is defined as “a form of automated processing of personal data that evaluates personal aspects of a natural person, in particular to analyse or predict aspects concerning professional performance, […] reliability or behaviour, location or movements […] where this produces legal effects […] or similarly significantly affects him”.
This definition is specifically suited to the processing carried out using the parameters that make up the excellence score, aimed at analysing professional performance [“Sum Seniority Normalised” and “Sum High Demand Normalised”], reliability [“Sum No Show Normalised”] and behaviour [“Sum Customer Rating Normalised”], also taking into account location, with regard to the assignment of orders in the work shift.
Profiling is therefore used to make entirely automated decisions, through the excellence system, with effects that, as seen, significantly affect the interested party by significantly increasing or reducing the job opportunities offered through the platform (in accordance with this, with specific regard to the decisions taken by Foodinho s.r.l. through the excellence score, the Court of Turin, labor section, sentence 12/3/2024, no. 231, ruled).
On the other hand, what the Company claims in its defense briefs in support of the non-existence of automated processing pursuant to art. 22 of the Regulation cannot be accepted. With regard to the “number of human interventions that took place in the Excellence Score system and, in particular, those relating to the manual increase in capacity for a given time slot” that would emerge from the “Expert Report on the «Grievance Process»”, presented by the Company (Annex B, note of dissolution of reservations 27/12/2022, document also referred to in the Company's defense briefs, Annex 7, hereinafter “expertise”), it is noted that the expert report analysed the activities of manual modification (not attribution) of the excellence score (in the event, for example, of disputes by riders, which however occur in completely abstract cases, such as following the attribution of negative feedback by a customer, see below) and modification of the riders' operating slots and not the assignment of the excellence score. Therefore, the Company's thesis does not find any proof in this document. This is also confirmed by the small number of elements found in the expert's query: 198 changes, throughout the Italian territory during 7 days of activity, a value completely incompatible with the real operation of the thousands of riders used by Foodinho on the Italian territory.
With regard to the obligation to adopt measures to protect the rights and freedoms of the interested parties, placed on the data controller by art. 22 of the Regulation, the Company, in relation to customer feedback, has declared that "In the event that the Couriers do not agree with the metrics they have received from Customers, they can contact the Live Operations Support Team ("Team Live Ops") of Foodinho S.r.l., filing a general dispute" (note 27/12/2022, letter O).
In this regard, however, it is noted that, since the rider cannot "connect the metrics received to specific users and orders", as stated by the Company itself, it is - at the very least - extremely difficult for the interested party to have the necessary elements to dispute the feedback received, taking into account the circumstances of the specific case. In any case, the Company has not provided any element relating to the methods of managing the aforementioned disputes (which in any case refer to only one of the four parameters taken into consideration by the excellence score) and the possible outcomes of the same.
As for the further statement of the Company according to which "even if one wanted to consider that the Excellence Score determines an automated processing [...], there would be no violation of art. 22 GDPR since the applicability of this rule is expressly excluded in the event that "the decision is necessary for the conclusion or performance of a contract between the data subject and a data controller", it is noted that the Authority did not contest the absence of a legal basis for carrying out automated processing, but rather the failure to adopt the necessary measures, established to protect the data subjects (art. 22, par. 3 of the Regulation, on which infra). Therefore, the Company's objection is not valid.
4.5.2. The rider's "rating".
During the inspection of 26-27 July 2023, a further processing carried out by the Company also emerged, relating to the assignment of a rider "rating" score, data distinct from the "excellence score".
The “rating” score, stored by the Company in the table called courier_rating, can take a value from 0 to 1, related to customer feedback, and is associated with the so-called flex business model, not applied in Italy. Despite this, the “rating” score is generated and processed by the system, even for Italian riders, although it is not used.
For this reason, starting from 2021, instead of eliminating the score in countries where the flex business model is not adopted, a fixed “rating” value equal to 4.5 is assigned by the backend to each rider (Annex 7, 8, minutes 27/7/2023).
The assignment to the rider of this (additional) score with a fictitious value determines an incorrect, irrelevant and excessive processing of personal data, as it is the expression of a calculation system that is not applied in Italy.
The attribution of a fictitious value, albeit unique, for all Italian riders, leads the Company to associate a set of data with inaccurate values to the rider.
In this regard, it also emerged during the inspection (see minutes of 07/27/2023) that the Company was aware of the "rating" score only following the checks carried out during these checks.
From what emerged during the inspection, it therefore follows that the Company, in configuring the system, did not adopt adequate measures aimed at effectively implementing the principles of data protection.
While acknowledging that the Company has declared that it has eliminated this fixed value of the “rating”, starting from 10 January 2024 (see note of 15/1/2024), the use of the “rating” score, up to that date, has led to the violation of the obligation, placed on the data controller, to process only adequate, accurate, relevant and limited data to what is necessary in relation to the purposes for which they are processed (art. 5, par. 1, letter c) of the Regulation and to adopt measures to ensure that by default only the personal data necessary for each specific purpose of the processing are processed (art. 25 of the Regulation).
4.5.3. Deactivation and blocking of the account.
It is also established that, even with regard to the hypotheses of deactivation (grievance) and blocking of the account, the Company carries out automated processing.
In the event of “blocking” of the account, the disconnection, as represented by the Company itself, is carried out automatically by the system, upon occurrence of predetermined conditions that occur as a result of the processing of data collected and processed by the platform (Cash Balance, Medical checks, Limit 5K, Expired document, INAIL accident, Mandatory trainings): see note 16/3/2023, letter e).
With regard to deactivation/grievance, the Company, at least in relation to some of the hypotheses indicated, has not demonstrated the significance of the margin of autonomy reserved for the human operator, with respect to the operation of the algorithm, therefore of the automatic component, considering that these are hypotheses that, in concrete terms, do not allow margins of verification.
In particular, the Company has indicated some predetermined deactivation hypotheses in relation to which no effective and significant margins of possible human intervention emerge, nor have they been indicated by the Company itself: in the context of "Deactivations carried out in the absence of notification by the user", see in particular: no. 3 "Double accounts - Case of a courier with more than 1 account in different cities, with at least 1 account already disabled due to fraud"; or no. 4 "Same Nif, same slot", concerning the "case in which a courier uses two accounts registered to him, belonging to two different cities/areas at the same time, making it clear that one of the accounts has been transferred"; or no. 6 "Bots to book slots", where the data used by the system consists of the "slot booking time (we identify the slots booked at an anomalous time, impossible for a human) e.g. two or more slots on different days booked in less than a second” or “identification of bots used to book slots in progress at the exact moment another courier picked up the booking […] (sometimes even less than a second)”; or no. 9 “Other”, relating to “unidentified cases” highlighted on the basis of a “non-standard type of data collected” (see Annex E, note of dissolution of reservations 16/3/2023).
On the other hand, more generally, the Company, in relation to the deactivation from the platform, limited itself to affirming the existence of a “manual verification” of the data collected through the platform itself, by the Team Operation operators, without providing any evidence that such verification is significant in relation to the decision to disconnect (see note 16/3/2023, letter f).
In this regard, the Guidelines on automated individual decision-making and profiling for the purposes of Regulation 2016/679, adopted by the Article 29 Working Party (amended version adopted on 6 February 2018, WP 251 rev.01, p. 23), clarify the scope of human involvement considered significant in light of a plurality of concrete elements: “the controller must ensure that any review of the decision is meaningful and not just a token gesture. The review should be carried out by a person who has the authority and competence to change the decision. In the context of the analysis, that person should take into account all relevant data. As part of the data protection impact assessment, the controller should identify and record the degree of human involvement in the decision-making process and the stage at which it takes place”.
In this regard, furthermore, it is believed that the findings of the expert report are not conclusive, regarding the human review activity on the decisions relating to the inclusion on the platform (onboarding) and the deactivation of the riders' accounts in the systems used by the Company.
In fact, with regard to onboarding activities, the appraisal takes into consideration the average values relating to the number of documents validated in a unit of time, to affirm that this value is compatible with an activity carried out by an operator, without taking into account the peaks of activity, present in the detailed data, in which the number of documents analyzed, per unit of time, is significantly greater than that considered, by the same experts, compatible with a human activity (Annex 5, inspection report of 02/28/2023, Docs_check folder, file named _SELECT_date_ccp_docs_check_date_as_Docs_check_date_count_distin_202212201131.csv.).
Furthermore, with reference to deactivation activities, it is noted that the average number of deactivations, in the period examined by the expert report (3,768, in the period 1 March - 20 December 2022; see the expert report cit., p. 3), is significantly lower than the average number of deactivations that emerges from the inspection documents (6,369, in the period 1 January - 31 December 2022, with almost 40% daily increase compared to the expert data; see inspection report 28/2/2023, p. 4), to which must be added, in order to fully evaluate the operators' workload, the 53,861 operations to block riders' accounts.
Therefore, what was observed in this regard by the Company in its defense briefs does not appear to be relevant (“Even if the average data of deactivations emerging from the inspection documents is higher than that taken into consideration in the [expert report], this does not mean that the final output of the observation is not equal or even higher; which confirms the value of human intervention with respect to deactivations”), given that the significant increase in the average number of deactivations by operators, as emerges from the set of documentation present in the documents, means that the expert assumption according to which the low volume of the operators' workload constitutes confirmation of human intervention in the deactivations from the platform is not verified.
It also emerges that the selection of the records to be analyzed, with regard to the deactivations, to draw up the report, was carried out by inserting, among the parameters on which to perform the filter, a condition relating to the format of the email of the operator who would have carried out the activity in question (see WHERE clause of the SQL query “o.email ilike '%.%operator%'” in Annex 5, file garante_privacy_manual_deactivations.sql).
Therefore, the investigation did not take into consideration the cases in which the deactivation could have been carried out directly by the system and not by an operator, given that, as a result of the query indicated above, only the records in which the association with a defined operator was present were selected for the purposes of the analysis, setting, as a search parameter, the particular format of the operator's email address.
With regard to the disconnection and deactivation actions of riders' accounts, the information provided by the Company as a whole does not allow for a comprehensive definition of the causes and the concrete methods of carrying them out.
In fact, the causes for which deactivation is carried out, identified through access to the systems during the inspection carried out by the Authority, are additional to those resulting from the lists provided by the Company ("List of reasons for grievance and blocking", Annex C, note 27/12/2022, p. 5 and "Deactivations carried out in the absence of notification by the user", Annex E, note 16/3/2023) as they also included the items Reassignments and Bad rating, despite the Company having declared on this point that the two items "are not actually used in Italy, neither for blocking nor for deactivation, even though they appear as a potential reason for blocking in our IT systems" (note lifting of reservations 16/3/2023, letter g.).
In this last regard, it is noted that during the proceedings the Company declared that, starting from 29 February 2024, the items “Bad rating” and “Many Reassignments” no longer appear in the systems “as potential reasons for a block or deactivation” (see note 29/2/2024).
Up until that date, however, the aforementioned items were still present in the systems and used by the operators (see below reference to the result.csv file, present in Annex 5, inspection report 28/2/2023), together with others which, although present, “for operational reasons are not used in Italy” (Long delivery time; Courier not moving; High waiting time; B2B fraud; Data protection infringement).
On this point, furthermore, it is noted that, from the examination of the aforementioned documents relating to the causes of deactivation/blocking from the platform and their operation (if dependent on complaints or anomalies identified by the system), it emerges that they compose an imprecise picture since the "List of reasons for grievance and blocking" (document defined as "the complete overview of the reasons that may lead to the deactivation or blocking of a Courier's account") contains a series of hypotheses, including cases in which a complaint should be disregarded (e.g. no. 3, Reassign after PU [case in which the courier, after having collected the order, reassigns it to another courier to keep its contents]), which are not contemplated in the different list containing the list of "Deactivations carried out in the absence of notification by the user".
Still with regard to the causes of disconnection, it finally emerged that the Company has identified further cases of disconnection from the system that operate automatically, disclosed to the Authority during the inspection carried out on 26-27 July 2023. In particular, these are hypotheses (no show, position out of area, deactivation of geolocation, disconnection during the slot) in the event of which, according to what was declared, the system proceeds to disconnect from the slot (inspection report 26-27/7/2023, p. 5).
Although the indication of the specific causes of blocking and disconnection from the platform is imprecise, the outcome of the inspection activity shows that, also in relation to - at least - some of these treatments, the Company adopts decisions based solely on automated treatments that significantly affect the interested parties by preventing, for the period considered, from carrying out the work services covered by the contract with the rider.
As emerges from the decision of the Court of Justice of 7 December 2023 in case C-634/21, the notion of “decision”, the existence of which constitutes one of the conditions to which the applicability of Article 22 of the Regulation is subject, must be given a broad scope (it “may therefore include […] various acts which may affect the data subject in various ways”; see the judgment cited above, point 46).
Furthermore, the Court held that Article 22 of the Regulation also applies to the case in which the automated calculation of a probability rate based on personal data of a data subject is transmitted to a third party whose action is guided “in a decisive manner” by that rate (see the judgment cited above, point 48).
A less rigorous interpretation would entail “a risk of circumvention of Article 22”. It is therefore necessary, as indicated by the Court, to proceed to identify, in the specific case, the processing that involves specific risks for the rights, freedoms and legitimate interests of the data subject, also in order to assess the adoption by the controller of appropriate measures to protect rights and freedoms.
4.5.4. Absence of appropriate measures to protect data subjects.
In conclusion, it emerges that the Company, despite carrying out a plurality of types of automated processing, concerning a significant number of data subjects (the number of riders who work for the Company active in Italy is equal to 36,545; note 27/12/2022), by virtue of a contract that has as its object a work service carried out through the digital platform (with consequent application of art. 22, par. 2, letter a) of the Regulation), has not taken steps to prepare the appropriate measures, set up to protect their rights, freedoms and legitimate interests, provided for by art. 22 of the Regulation (“at least the right to obtain human intervention on the part of the controller, to express one's point of view and to contest the decision”; see also what is indicated on this point in cons. 71 of the Regulation “in order to ensure fair and transparent processing in compliance with the data subject, taking into account the specific circumstances and context in which the personal data are processed, it is appropriate that the controller uses appropriate mathematical or statistical procedures for profiling, implements appropriate technical and organizational measures to ensure, in particular, that factors leading to inaccuracies in the data are rectified and the risk of errors is minimized and in order to ensure the security of personal data in a manner that takes into account the potential risks existing for the interests and rights of the data subject and that prevents, inter alia, discriminatory effects against natural persons on the basis of racial or ethnic origin, political opinions, religion or personal beliefs, trade union membership, genetic status, health status or sexual orientation, or which involve measures having such effects”).
The need to adopt measures to protect the interested parties is also confirmed, in this specific case, by the decision of the Palermo court, labor and social security section, sentence 17/11/2023 which declared “the discriminatory nature pursuant to Legislative Decree 216/2003 of the criteria of “contribution”, “high demand hours” [and] “failure to show up (so-called no show)” used by Foodinho s.r.l. for the calculation of the so-called excellence score” and ordered the Company “to refrain from the ascertained discriminations by adopting […] a plan to remove the effects of the same discriminations”.
Therefore, for the reasons set out above, the Company has carried out (and still carries out) a plurality of automated processing operations, pursuant to art. 22 of the Regulation (excellence score, order assignment system, account blocking and certain cases of disconnection from the platform for which - as highlighted above - no significant contribution from operators emerged), without having adopted, in relation to each of them, the measures to protect the rights of the interested parties, in violation of art. 22, par. 3 of the Regulation.
This therefore entailed the violation of art. 22, par. 3, of the Regulation (“Automated decision-making relating to natural persons, including profiling”).
4.6. Violation of art. 5, par. 1, letter a), of the Regulation in relation to art. 47-quinquies, Legislative Decree no. 81/2015.
Based on the data provided by the Company during the inspection activities, used by the expert in charge of drafting the “Expert Report on the «Grievance Process»” (Annex B, note of dissolution of reserves 27/12/2022 and Annex 5, inspection report 28/2/2023, file result.csv), it emerges that one of the causes of disconnection from the platform, as reported by the same operators who carried out the disconnection, is the reassignment of the order (indicated with: "reason":"REASSIGNMENTS"; based on what is reported on the Company's website, the reassignment consists in the refusal of an order or in its cancellation once accepted: in https://delivery.glovoapp.com/it/faq/hc_excellence/reassignments/).
Therefore, differently from what was declared by the Company, from the same data processed by the system it emerges that the rider's request to reassign the booked order entails, in the event of conditions that have not been disclosed by the Company, exclusion from the platform.
Furthermore, it emerges that the reassignment of the order can also entail, at the very least, a reduction in job opportunities. In fact, in the slides used for staff training (Annex F, note of dissolution of reserves 16/3/2023) it is stated that "Guaranteed: By CCNL we are entitled to remove the Guaranteed from all slots adjacent to the slot in which the courier reassigns a single order.
To date we remove the guaranteed only in the slots in which the courier reassigns 100% of the orders assigned to him. This can be customized from city to city".
Therefore, when conditions that may vary from city to city occur, the reassignment of orders causes the slot reservation to be cancelled (the “Guaranteed” status is removed), with the consequent loss of work opportunities arising from orders that arrive in the relevant shift.
The Company itself, on the page dedicated to the explanation of the excellence score available on its website, under the heading “Reassignment”, clarifies to riders that “Reassigning orders often could have a negative impact on your earnings: when you reassign an order, the algorithm could take some time before finding a new order for you, thus wasting your time and slowing down the growth of your excellence score!” (in Glovo Italia Reassignments - Italy (glovoapp.com)).
In this regard, what was deduced by the Company in the defense briefs (“the possibility, by Foodinho, to remove the so-called Guaranteed in the slots in correspondence with reassignments […] represents a form of protection towards the users of the Platform and the correct functioning of the service, without in fact representing a reduction in job opportunities”) confirms that, in the presence of reassignments, the system eliminates the so-called Guaranteed, and the consequence is precisely the reduction in job opportunities conveyed by orders in the shift booked by the rider who carried out a reassignment.
More generally, the same parameters that make up the excellence system, aimed at assigning a higher score to the rider who makes a greater number of deliveries (“Sum Seniority Normalised”), who books a greater number of high-demand slots (“Sum High Demand Normalised”), who checks in in the booked slot within the expected terms (“Sum No Show Normalised”) and who does not receive bad feedback from customers (“Sum Customer Rating Normalised”), are intended to reduce job opportunities for riders who do not accept the service offered.
This therefore entails the violation of the provisions of art. 47-quinquies, Legislative Decree no. 81/2015, which established specific protections, in the context of work via digital platforms, in particular the prohibition of ordering "exclusion from the platform and [the] reduction of job opportunities attributable to failure to accept the service" which determines the loss of the condition of lawfulness of the processing required by art. 5, par. 1, letter a) of the Regulation.
4.7. Processing of biometric data, in the absence of the conditions of lawfulness provided for by the law (art. 5, par. 1, letter a), 9, par. 2, letter b, of the Regulation; art. 2-septies of the Code).
With reference to the processing of biometric data (in particular through facial recognition) of riders, the Company specified that it had started the processing on 23 November 2020, “as part of the first tests relating to the authentication procedure” and that it had “stopped using this authentication procedure and, consequently, collecting and processing biometric data of Couriers starting from July 2022” (see note 27/12/2022, letter s).
The Company subsequently specified that the processing, interrupted due to “internal bugs” as a result of which “potential unjustified blocks of Courier profiles” could be created, was resumed in some cities, such as Milan, “in order to identify any malfunctions” (see note 16/3/2023, letter q); in particular, at the beginning of February 2023 the test was activated on 3.28% of the Couriers active in Italy, on February 20 it was extended to 18.33% of the active Couriers, on February 27 it was activated on a smaller percentage equal to 15.55%, on March 13 the test was extended to 32.61%.
The Company also stated that, starting from March 27, 2023, it planned to activate facial recognition again on all active Couriers.
With a note of dissolution of the reservations of September 15, 2023, the Company finally represented that the system "is again in use throughout the country". The operation of the biometric recognition system is also confirmed by the use of the “high_sampling_sensor_rate” authorization, the purpose of which is “to allow the certainty that the person trying to be recognized is a real person and not just a photo of the account owner” (see note dissolution of reserves 09/15/2023, p. 3).
The fact that the Company has suspended the processing of biometric data for a period of over seven months highlights that such processing is not essential for the provision of the food delivery service.
In particular, with regard to the specific methods of processing, it emerged that the processing, carried out as a “test” by the Company, consists “in requesting facial recognition once a day from all the Couriers involved and checking whether there are errors in the process” (see note 03/16/2023, letter q).
It has also been ascertained that the Company, in carrying out the processing of biometric data, uses software provided by the US company Jumio Corporation which has assumed the role of data controller.
Based on what has been represented, the processing is divided into two phases: the first, aimed at scanning the photograph contained in an identity document of the rider and the second, in which the rider is asked to take a "selfie" in order to verify the latter with the scanned photo of his/her document.
In this regard, the Company has underlined that, not carrying out the recognition, can lead to the deactivation of the account for security reasons and that "if the Courier does not carry out the recognition or in the event of failure to recognise before the account is deactivated, the calendar through which the Courier books the slots will be blocked and the Courier will be asked to proceed with the recognition to reactivate the calendar. Please note that the account will still be active, but the Courier will not be able to book new slots in addition to those previously booked” (see note 16/3/2023, letter p).
According to the Company, the processing, consisting of biometric recognition, is aimed at countering events of “gangmastering in the food delivery sector” although it does not constitute a “measure in itself […] sufficient to avoid the phenomenon” but rather “an effective deterrent” with respect to the commission of criminally sanctioned conduct (see defense briefs, note 11/12/2023).
As for the legal basis, the processing of biometric data of riders would be attributable to art. 9, par. 2, letter b) of the Regulation in relation to the obligation to “prepare an organizational model with exculpatory effect pursuant to Legislative Decree 231/01” (see defense briefs cited). The Company also emphasized that it has carried out a data protection impact assessment, pursuant to art. 35 of the Regulation (an updated version of this document was delivered to the Authority with a note dated 29/2/2024, with which it was also specified that biometric data are retained for the entire duration of the employment relationship).
In this regard, it is noted that, based on the legislation on the protection of personal data, the processing of biometric data (generally prohibited pursuant to art. 9, par. 1 of the Regulation), is permitted only if one of the conditions indicated in art. 9, par. 2 of the Regulation and, with regard to processing carried out in the employment context, only when the processing is “necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law, insofar as it is authorised by Union or Member State law or by a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject” (Article 9, paragraph 2, letter b), of the Regulation; see also: Article 88, paragraph 1 and recitals 51-53 of the Regulation).
The current regulatory framework also provides that the processing of biometric data, in order to be lawfully carried out, must be carried out in compliance with "further conditions, including limitations" (see art. 9, par. 4, of the Regulation).
This last provision was implemented in national law with art. 2-septies (Guarantee measures for the processing of genetic, biometric and health-related data) of the Code. The rule provides that the processing of such categories of data is lawful when one of the conditions referred to in art. 9, par. 2, of the Regulation occurs "and in compliance with the guarantee measures established by the Guarantor", in relation to each category of data.
This was reiterated by the Guarantor with regard to the processing of biometric data (based on facial recognition) for the purposes of detecting presence with the provisions of 22/2/2024, nos. 105, 106, 107, 108 and 109, web doc. nos. 9995680, 9995701, 9995741, 9995762, 9995785 (see also, with regard to the processing of data taken from the fingerprint, the provisions of 10/11/2022, no. 369, web doc. no. 9832838 and 14/1/2021 no. 16, web doc. no. 9542071).
With regard to the specific case, it should be noted that, at present, the current legal system does not allow the processing of biometric data of workers for the purpose of identifying them (carried out after the first recognition and subsequently randomly) in order to prevent substitutions of person in the performance of the service, given that such processing does not find its basis in a regulatory provision that has the characteristics required by the data protection discipline, also in terms of proportionality of the regulatory intervention with respect to the purposes that are intended to be pursued.
Finally, it is stated that, in any case, the adoption of the biometric system by the Company is not suitable to prevent the phenomenon of mistaken identity, as recognized by the Company itself (the measure "in itself is not sufficient to avoid the phenomenon" of account transfer) given that, even where the degree of reliability and accuracy of the chosen biometric system was sufficiently high (a circumstance that in any case cannot be said to have been achieved considering that the Company itself decided, albeit for a limited period, to interrupt the processing of biometric data due to bugs within the system, following which it was necessary to start a "test" phase), it would always be possible to deliver the device to a different person, after having carried out the recognition (on the subject of facial recognition see also: Provv. n. 50 of 10/2/2022, web doc. n. 9751362).
Therefore, taking into account the aforementioned legislation, the Company's decision (communicated to the Authority with a note dated 5 June 2024) to reduce the retention periods for the biometric data collected - although the new terms are still considerable - ("three (3) months from the last order in the case of inactive couriers" and "three (3) months from the deactivation of the account in the case of couriers whose accounts have been deactivated for reasons not attributable to facial recognition", while for active couriers the data are retained for the entire duration of the employment relationship), does not change the assessment of the unlawfulness of the processing of biometric data.
Considering this, it appears that the Company carried out, from 23/11/2020 to the month of July 2022 (after the suspension, the processing resumed starting from the beginning of February 2023) and is still carrying out, the processing of biometric data in the absence of an appropriate legal basis in violation of Articles 5, paragraph 1, letter a), and 9, paragraph 2, letter b) of the Regulation.
4.8. Violation of the obligation to carry out a data protection impact assessment (Article 35 of the Regulation).
Pursuant to Article 35 of the Regulation, “Where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing on the protection of personal data”.
At the time of the inspections, the Company had carried out a data protection impact assessment, as required by Article 35 of the Regulation, with exclusive reference to the processing of biometric data (in particular: facial recognition).
The impact assessment relating to the processing of biometric data relating to riders is dated October 2020 (see note 16/3/2023, Annex B) and updated during the proceedings on 29 February 2024 (see note 29/2/2024, Annex 8).
Therefore, although the Company deemed it necessary to interrupt the processing in July 2022 due to internal bugs that led to “potential unjustified blocks of the Couriers’ profiles”, it did not proceed to promptly update it, at least in terms of residual risks for the interested parties, as was also abstractly foreseen three months after the publication of the first document (Annex B, note 16/3/2023 cit., p. 73).
Furthermore, and more radically, the impact assessment - even in the version updated at the end of February 2024 - does not adequately take into account the profile relating to the lawfulness of the processing of biometric data in the context of the management of the employment relationship.
In the section of the document dedicated to the assessment of the legal basis, in fact, the condition represented by the need to fulfill contractual obligations is considered applicable to the case in question, despite the fact that pursuant to art. 9, par. 2 of the Regulation in the case of processing of special data the need to perform a contract does not constitute a suitable legal basis for the processing.
Art. 9, par. 2, lett. b) of the Regulation, considering, however, that this rule can be integrated by the “collective agreement recently signed by Glovo” and by the “memorandum of understanding […] with the Prefecture” regarding the prevention of phenomena of illicit interposition and exploitation of labor (Annex B, note 16/3/2023 cit., p. 42 and Annex 8, note 29/2/2024, p. 40).
Given that the need to fulfill obligations and exercise rights in the field of employment law “insofar as authorised by Union or Member State law or by a collective agreement pursuant to Member State law” (Article 9, paragraph 2, letter b) of the Regulation) cannot be satisfied by a collective agreement, except to the extent provided for by national law, nor by a memorandum of understanding, the provision on the processing of special categories of personal data, referred to above, requires that the primary provision specifically provides for the processing of biometric data, in any case in the presence of appropriate guarantees for the fundamental rights and interests of the data subject.
This also applies in relation to the “fulfilment of a legal obligation”, put forward by the Company, with regard to Law 29/10/2016 n. 199 (“Provisions on combating the phenomena of undeclared work, exploitation of labor in agriculture and realignment of wages in the agricultural sector”), in relation to the liability provided for by Legislative Decree 8/6/2001, n. 231 (“Regulation of the administrative liability of legal persons, companies and associations including those without legal personality”) (Annex 8, note 29/2/2024, p. 37). The express reference to the processing of biometric data is not provided for, neither by the aforementioned collective agreement, nor by the memorandum of understanding, nor by the rules referred to by the Company.
Considering that the processing of the biometric data of the riders was found to be unlawful, for the reasons indicated in the previous paragraph, the aforementioned impact assessment, following which the Company deemed it could implement the processing of biometric data, must therefore be considered non-compliant with art. 35 of the Regulation, as the absence of lawfulness conditions for the processing in question was not correctly and preliminarily assessed.
Furthermore, as ascertained during the proceedings, the Company, in addition to biometric data, processes a multiplicity of data of a significant number of interested parties (riders) for the purposes of managing the employment relationship, through a digital platform that bases its operation on complex algorithms, also through automated decision-making processes governed by art. 22 of the Regulation.
In this regard, the Company's argument in its defense briefs cannot be accepted, namely that the preparation of an impact assessment would not have been "mandatory [...] since it has been demonstrated, both for the excellence score and for the grievance process, that there is no automated processing activity of the couriers' data and profiling of the same".
Based on the results of the procedure, it is established that the Company adopts decisions based solely on automated processing, including profiling, as argued in the paragraph relating to processing attributable to art. 22 of the Regulation (which is referred to here).
In light of the provisions of art. 35 of the Regulation, as well as the indications provided in this regard by the Guidelines adopted by the Article 29 Working Party (most recently on 4 October 2017, WP 248rev.01) and by the provision of the Guarantor of 11 October 2018, n. 467 (“List of the types of processing subject to the requirement of a data protection impact assessment pursuant to art. 35, paragraph 4, of Regulation (EU) no. 2016/679”, in the Official Journal, S. G. no. 269 of 19/11/2018), the processing activity carried out by Foodinho s.r.l., as it is characterised by the innovative use of a digital platform, by the collection and storage of a variety of personal data relating to the management of orders, including geographical location, and communications via chat and e-mail as well as the possibility of accessing the content of telephone calls between riders and customer care, by the performance of profiling activities and automated processing of a significant number of “vulnerable” data subjects (as they are parties to an employment relationship; see WP Guidelines 248rev.01 of 4.4.2017, chap. III, B, no. 7), presents “a high risk to the rights and freedoms of natural persons”, with the consequent need to carry out, before the start of the processing, an impact assessment pursuant to art. 35 of the Regulation.
Furthermore, the obligation to carry out an impact assessment has been reiterated by the legislator, with regard to the processing deriving from the use of automated decision-making or monitoring systems, by art. 1-bis, paragraph 4, Legislative Decree no. 152/1997, added by art. 4, paragraph 1, letter b), Legislative Decree no. 104/2022.
As for the number of data subjects involved in the processing, it should be noted that the "Active Couriers" (at the time of the dissolution of the reservations on 27/12/2023) who use the APP in Italy starting from January 2022 was indicated by the Company as 36,545 (with the clarification that ""Active Couriers"" means any Courier, registered in the APP, who has placed at least one order using the Glovo Platform since January 2022").
Among the riders who work for the Company, there are 7,405, according to what was declared by the Company itself, the "active couriers" who "started using the APP in Italy from 1 August 2022" (see note dissolution of the reserves 27/12/2022, letter R).
In any case, it is noted that, during the proceedings, the Company produced a copy of an impact assessment, dated 29/2/2024, concerning the processing carried out through the excellence system and the geolocalization of the riders, "with particular reference to the process of assigning orders, delivery and calculating the compensation of the Couriers" (see note 29/2/2024, Annex 9). The document emphasizes the commitment to keep the assessment updated "especially in the event of the introduction of new data processing activities in the Platform that could be particularly invasive for the Couriers in the Italian territory".
Although this impact assessment contains an in-depth description of some of the processing operations carried out by the Company (although processing operations that entail risks for the data subjects such as disconnection/blocking from the platform and the order assignment system have not been taken into account), of some measures adopted to protect the data subjects and of other measures that the Company is planning to adopt (in particular, reformulation of some information notices, minimization of the data processed in the excellence system, modification of some retention terms), it should be noted that the document does not take into consideration, either in the section relating to the identification of risks, or in the section dedicated to the measures envisaged to mitigate the risks, the specific risks arising from the automated processing operations carried out through the digital platform, nor does it provide for appropriate measures, aimed at protecting the rights, freedoms and legitimate interests of the data subject indicated in art. 22 of the Regulation, also suitable for ensuring that the factors that lead to inaccuracies in the data are rectified, that the risk of errors and discriminatory effects is minimized.
For the above reasons, the Company has violated art. 35 of the Regulation in the terms set out above.
4.9. Violation of the obligation to adopt adequate technical and organizational measures to guarantee a level of security appropriate to the risk (art. 32 of the Regulation).
Following direct access to the systems carried out during the inspection (using the credentials of Head of operations, see screenshot All. 2, minutes of operations carried out 28/2/2023), it emerged that the Company's operators can access some data of riders who operate for Glovo group companies both in countries other than Italy, in Europe and outside Europe.
In particular, by accessing the "Live Map" section, the operators of the Italian company can view, on the map of the city (EU and non-EU) taken as a reference, some personal data of the riders in service, in particular ID, telephone number and geographical position.
Given that the platform used by the Company operates in a uniform manner, regardless of the country in which it is used, operators of other companies in the Glovo group can, or have been able to, access some data of riders operating in Italy.
This is confirmed by what was declared by the Company itself, with the note of 15 January 2024, where it declared that it had taken action with GlovoApp23 "in order to establish country-based segregation levels to prevent the viewing of personal data of couriers in other countries, except in a few limited cases" (see note cited point 3.7).
Contrary to what was claimed in the defense briefs, the data processing carried out by operators operating outside Italy on riders operating in Italy does not “exclude [the] competences of the Guarantor, as [they] relate to the access levels and technical specifications of the Platform […], as well as to processing that pertains to other companies of the Glovo group as independent data controllers” (see note 11/12/2023, p. 25), considering that it is one of the duties of the Company, as data controller, to ensure that processing carried out by third parties, without a legal basis and for purposes not attributable to the management of the system, is not permitted.
In a subsequent note dated 29/2/2024, in any case, the Company declared that the changes relating to the introduction of country-based segregation levels have been applied to the platform, given that “as of today, the Permission [to access the “livemap” platform] is also not active for employees of Glovo group companies located in other countries” (see note 29/2/2024, point 3.7, letter C).
Therefore, at least until 29/2/2024, therefore for a significant period of time, the Company did not take action with GlovoApp23 S.L. to ensure that access to the personal data of riders operating in Italy was limited and relevant to the purposes of the processing and that the confidentiality of such data was guaranteed, through segregation measures, aimed at not allowing operators of other associated companies operating in other countries to access, through the Live Map platform, the personal data of riders operating in Italy (in particular ID, telephone number and geographical location).
The number of Foodinho employees who access the “Live Map” section is 65 (see note on the lifting of reservations 17/3/2023); the number of Comdata agents is 82; the number of Team Leads users who access it is 7 (see note on the lifting of reservations 16/3/2023, letter j); the number of Mplus agents is 149 and those of Team Leads is 18 (see note on the lifting of reservations 16/3/2023, letter j). According to the Company's declaration, therefore, the total number of operators who can access the "Live Map" section for the Company is 321. This is therefore a high number of operators with access privileges to the "Live Map" section (which contains a plurality of data relating to riders) taking into account that the Company does not appear to have carried out a detailed assessment of the specific needs that would legitimise access to such a number of operators.
The Company has not provided feedback, despite the specific request in this regard, regarding the total number of operators active on the Glovo platform who have accessed (in light of the changes made on 29/2/2024) the "Live map" section, with the possibility of access with cross-country operations.
However, it is noted that, with the note of 29/2/2024, the Company represented that it had introduced some changes consisting in the introduction of country-based segregation levels, also for the activity of operators operating in Italy (see note 29/2/2024 cit., point 3.7).
In conclusion, from the documents it emerged that until the changes introduced during the proceedings (with effect from 29/2/2024) the Company had not implemented adequate technical and organizational measures to guarantee a level of security appropriate to the risk, aimed at avoiding, in particular, that data relating to riders operating in Italy were also viewable by operators of other companies of the Glovo group, without this being in any way relevant for the purposes of the operation of the service.
Therefore, given the large number of operators who, on behalf of the Company and also from countries other than Italy - given the use of the same platform by all companies in the Glovo group - can access the personal data of riders stored in the systems of the Company itself, it is believed that the system has not been configured in such a way as to guarantee the confidentiality of personal data and adequate protection against accidental access, in violation of art. 5, par. 1, letter f) and art. 32 of the Regulation.
4.10. Violation of the obligation to determine retention periods for a period not exceeding the achievement of the purposes for which they are processed (art. 5, par. 1, letter e), of the Regulation).
It also emerged that the Company retains the recording of telephone calls made with riders for 36 months, in relation to the following purposes: to evaluate the quality of the service provided by COMDATA and MPLUS; “to have documentary support of all interactions carried out with a third party in the event of a complaint or trial”; “Manage and respond duly to requests made by competent authorities […] and law enforcement […]”; “Properly manage and document the correct fulfillment of requests from data subjects […] pursuant to the GDPR” (note of the dissolution of reserves 16/3/2023, letter m.).
This extended retention period, which is also related to a type of personal data supported by specific guarantees by the legal system, as it refers to communications (see articles 2 and 15 of the Constitution), does not appear to be appropriate for the pursuit of the purposes indicated (in particular, taking into account the terms within which it is possible to submit a complaint relating to a given order, or to evaluate the quality of the call center service provided by the companies sub-processors, which are certainly much less than three years; furthermore, the Company has not clarified what the legal obligations are that would impose such retention).
In this regard, it also emerged that the maps of the deliveries carried out by the riders have been stored since October 2018 (therefore, at the time of the investigation, for more than 4 years). While before that date, the data relating to the start and end of the route was stored, without details of the route (minutes 14/12/2022, p. 7).
In this respect, the Company did not indicate the specific reasons why, in relation to specific purposes, it was necessary to provide for such extensive data storage.
In this regard, the Company, in its defense briefs, argued that the terms of storage of telephone calls and maps could have been set in the broader time frame of 10 years, considering that "they actually relate to the management of the contractual relationship between the Company and the couriers, to the fulfillment of legal obligations (e.g. in the case of requests from authorities) and to security purposes" (see note 11/12/2023, p. 26). Therefore, the terms currently set, less than 10 years, would be in accordance with the principles of minimization and privacy by design.
This argument cannot be accepted, given that the retention period of the individual data collected must be commensurate with the specific purposes of the processing. It is not clear, nor has it been illustrated by the Company, how, in practice, the retention of telephone calls or even route maps could be necessary, for the owner, by virtue of tax, social security or limitation period rules.
Also in relation to the management of customer complaints or disputes over compensation received by riders or the reconstruction of accidents that have occurred or requests for access by public authorities, it is noted that the ten-year term and the terms, respectively, of 36 months (three years) and 4 years, do not appear at all appropriate, in relation to these purposes.
It is also noted that, according to what is indicated in the information updated in December 2022 (see inspection report 1/3/2023, Annex 10), in general terms the data relating to riders are retained, after the termination of the employment relationship, for a period "maximum of ten (10) years to comply with legal obligations [...] and defend against or take any action in relation to civil, criminal, tax and social security matters" (information cit., point 6.4).
The attached table relating to the "General retention periods" does not distinguish the retention times, in relation to the different types of data and processing carried out (therefore also including data relating to geolocation and all data relating to order management with the exception of the aforementioned maps), and in any case indicates the single term of 10 years, in relation to macro-categories of documents (accounting and tax documentation; commercial agreements or contracts; personal civil actions).
Similarly, in the information attached to the note of 29/2/2024 (Annex 2), which however is not currently available on the Company's website, it is specified that the retention period, with reference to "contracts and information relating to the Couriers' accounts (e.g. courier ID, other information processed within the contractual relationship)", "data relating to orders", "slot booked/in which the courier checked in", "excellence score" is equal to "10 years from the termination of the contractual relationship". With particular regard to "chat conversations", the term is indicated as "36 months from the day on which the conversation took place in the APP", while with regard to "geolocation data" the term is indicated as "1 year from the end of geolocation".
Furthermore, following the accesses made to the systems during the inspections, it emerged that "the platform retains the personal data and documents of riders with accounts deactivated since 2016" (inspection report 12/14/2023, p. 7).
Finally, it should be noted that the argument put forward in this regard by the Company in the defense briefs is not convincing ("the retention period relating to the processing carried out for the purposes of managing the relationship is dictated by specific laws (for example, those relating to tax, social security, etc.) or, in any case, by general rules of the system that provide an indication of the reasonable period of time within which the data can still be considered "useful" for the owner", see defense briefs 12/11/2023, p. 26).
The reference to the laws is in fact indicated in general terms, without specifying, in relation to each processing, why a specific law would require ten-year retention. From this point of view, storage must not be merely “useful” for the owner, but rather specifically aimed at achieving the purposes lawfully pursued with the processing.
Therefore, also following some partial changes introduced during the procedure, it emerges that the Company has identified a single retention period of 10 years, in relation to a plurality of different data collected during the assignment and management of orders, including the values assigned within the excellence score system, without parameterizing this period to the specific purposes pursued with each processing.
Furthermore, it emerged that, in addition to telephone communications, also communications via chat made with riders are stored, for an extended period of 36 months, in the absence of any indication relating to the purposes that would make this period appropriate. Even the identification of the term equal to 1 year for the retention time of data relating to the detection of the geographical position collected through the application, although reduced (but still significant in absolute terms) compared to what was previously provided, was not related to the need to pursue explicit and specific legitimate purposes.
For the reasons set out above, the Company has violated the principle of limitation of conservation, according to which the data controller has the obligation to retain the data in a form that allows the identification of the data subjects for a period of time not exceeding the achievement of the purposes for which they are processed (art. 5, par. 1, letter e) of the Regulation).
4.11. Sending rider data to third parties. Violation of arts. 5, par. 1, letter c), 6, 13, 14 and 25 of the Regulation.
Following the inspections of 26 and 27 July 2023, it emerged that the Company sends to third parties - in particular Google Firebase, Braze and mParticle - a plurality of personal data relating to riders.
In this regard, the Company has declared that these service providers "act as data controllers on behalf of Foodinho S.r.l. [...]. Therefore, the couriers' data are disclosed and/or made available to these companies on the basis of the respective art. 28 GDPR [and] data processing agreements stipulated by the parent company Glovoapp23, S.A. [...] also on behalf and for the benefit" of the Company (note lifting of reservations 15/9/2023).
It is therefore the Company that has identified, as the owner, "the purpose [...] and the legal basis [...] for the processing activities in progress (within which the suppliers can offer their services)" (note lifting of reservations cit.).
With regard to Google Firebase, which provides the Crashlytics function “to detect and manage abnormal crashes of mobile and web applications used by couriers”, the Company sends the following information: rider ID and “log information” (“metadata relating to what the user was doing when the event is recorded: The current screen they were on when the event occurs, The feature triggers enabled for that specific user, The action performed by the user to trigger the event, whether it be a click or a notification arrived”). The legal basis is the execution of the contract with the riders, also in relation to the possibility of resolving any malfunctions of the application.
Further information relating to the rider is then acquired through the Google Firebase SDK (Software Development Kit): information on the operating system, information on the device and “geographic information” (IP address, “where the device is connected”, i.e. the city and country from which the device connects).
The Company also specified that it also used the Firebase Analytics product, which is no longer used. However, “during the course of the investigation carried out to prepare this report, our technical teams discovered that, for technical reasons, a residual portion of the code was never removed and some information (such as, for example, the carrier ID, the city code or the transport) may still have been sent to Google, even though such data had no current use by us. To date, we confirm that the SDK and the respective data have been permanently cleaned from the App, as well as from our systems” (All. 7, note 15/9/2023, cit.).
The Company also sends to Braze, “in order to send transactional communications to riders, as well as commercial communications” (note 15/9/2023, cit.), the following data relating to riders: rider ID, email and telephone number (if present in the database).
Additional information collected through the SDK is: device information (language, model), operating system information, localization (country, Geolp position), start and end of the App usage session.
The Company, with regard to the sending of the “precise user location” data to Braze via the SDK, also clarified that “During the technical investigation in drafting this report, we realized that the courier app had this configuration permanently enabled. […] we confirm that it has been permanently resolved and starting from August 22, 2023 […] we have enabled this configuration” (All.5, note 15/9/2023, cit.).
Finally, the Company sends to mParticle, “which provides customer data platform (CDP) services that aggregate information (events) through various digital channels in order to send the right communication to the right recipient”, the following data relating to the rider: rider ID, last known location as well as “behavioral data (data relating to how the courier uses the app), the courier’s interactions with the […] app”.
The Company also “may […] share information with mParticle for analysis purposes [based on] Glovo’s legitimate interest in understanding how couriers interact with the App, in developing new services and in analyzing information derived from the services” (see note 15/9/2024).
Further information collected through the SDK is: device information, operating system information, location (country, Geolp position), use of the app (“every time the user accesses the app or the app is put in the background or finalized”).
Finally, with regard to “location tracking” (“This setting allows the SDK to collect the user’s location, it does not reveal when it acquires this data, so as long as the app has the location permission granted by the user, it can acquire this data at will”), the Company has “planned to disable location tracking and rely only on the last known location forwarding when using the screens” (All.6, note 15/9/2023, cit.).
The Company has therefore processed, through the use of services provided by companies designated as sub-processors, for a long period of time, a significant amount of personal data relating to riders, not necessary with respect to the purposes pursued and, sometimes, with processing methods not even known to the same, so much so that the Company itself has decided to interrupt some of these treatments, following the checks carried out by the Authority.
With regard to some of these data, therefore, it is noted that the Company has stopped sending them, during the proceedings: in particular, the processing of the data collected by the Braze SDK took place until August 22, 2023; instead, the processing of the data sent to Google through Firebase Analytics took place until an unspecified date, close to the sending of the notice of dissolution of the reserves of 15/9/2023.
With specific regard to the processing of data relating to the geographic position of the riders, it emerged that the collection and sending, to third parties, of such data also operates when the rider is not operating in the slot, the app is in the background and, at least until August 22, 2023, even when the app is not active.
Therefore, the information relating to the position and movements of the riders was systematically sent (to Google Maps and Braze), even when the rider was not engaged in work activities on behalf of the Company and without his knowledge.
In its defense briefs, the Company recalled “good faith and the spirit of cooperation” with the Authority, as well as “the diligent repentance [considering that] as soon as it became aware of such technical errors, it immediately took steps to stop the irregularities” (note 11/12/2023).
In reality, the only measures actually adopted were, as noted above, the interruption of the sending of some data to Braze and Firebase Analytics via the respective SDKs.
In fact, the Company, in the note dated 15/1/2024, announced that in the following six months it would adopt, in agreement with the parent company, some “measures” relating to the activities of sending data to third parties, in particular: deepening the functioning of the SDKs installed by Google Firebase, Braze and mParticle; increasing transparency towards riders on these treatments; plan, in agreement with the parent company, to carry out “periodic technical audits […] to verify the data flows towards the suppliers of the contracted services”.
However, no update on this point was provided by the Company, with the subsequent note of 29/2/2024. Beyond the announcements, therefore, no measures have been adopted (or even concretely planned) by the Company despite the existence of a flow of communications to third parties of data relating to riders having been verified during the inspection activities of 26 and 27 July 2023.
The Company, as data controller, should have assessed that the use of SDK necessarily involves the use of a code prepared by third parties for interaction with the reference platform, of which the Company did not fully know, nor the underlying operating logic, nor the interactions with third-party systems carried out through the SDK itself (with regard to the relationships between the data controller and the service provider, in relation to the need to proceed with the exact identification of the types of data collected and the purposes of the processing, see the decision of the E.D.P.S. - European Data Protection Supervisor of 8 March 2024, "EDPS investigation into use of Microsoft 365 by the European Commission (Case 2021-0518)").
Given that the owner does not have the possibility of exercising any preventive control over the data sent and the methods of sending, it is his precise duty and responsibility to adopt effective measures aimed at verifying the flows and above all to ensure that, by default, only the personal data necessary for each individual purpose of the processing are processed.
The described activity of sending a plurality of data relating to riders to third parties by the Company, in the absence of appropriate measures, has therefore led to (and still leads to) the violation of the principle of minimization (art. 5, par. 1, letter c) of the Regulation) given that the data collected, including those relating to geographic location through the Google Maps functionality integrated into the application, are not adequate, relevant and limited to what is necessary with respect to the purposes for which they are processed.
The principle of privacy by design and by default (art. 25 of the Regulation) is also violated, which requires the owner to adopt adequate technical and organizational measures aimed at effectively implementing the principles of data protection and ensuring the processing of only the data necessary for the processing.
Furthermore, it does not appear that the Company has provided, in this regard, suitable information to riders regarding these data flows, given that, not even in the latest version of the information provided to the Authority with the note of 29/2/2024, the information required by art. 13 of the Regulation appears to be provided to interested parties, in particular the categories of data processed and the methods of processing (“Your data may be communicated to third parties […] such as providers of electronic communication services, communications support services, cloud providers, analytics services […] in compliance with the purposes of the processing and in light of the legal bases indicated in point 6 above”).
Finally, with reference to the legal basis for the processing of riders’ data, for the purpose of sending commercial communications, the Company has indicated the rider’s consent “or the soft-spam derogation pursuant to Article 130.4 of Legislative Decree no. 196/2003” (note 15/9/2023 cit., p.1-2).
Given that in the context of the employment relationship, consent is not generally a suitable legal basis for the employer to carry out processing and that the aforementioned regulation on unwanted communications is not applicable to the employment relationship, the processing, consisting in the sending of commercial communications, therefore occurred in the absence of a suitable legal basis.
English: The arguments put forward by the Company in its defence briefs regarding the alleged non-existence of “any employment relationship” with the riders from which the admissibility of using consent as a legal basis “for soft-spam or marketing purposes” would derive cannot be accepted, given that consent cannot generally constitute a suitable condition for the lawfulness of processing in the context of all those employment relationships characterised by an imbalance of power between the parties thereof (therefore between the person providing the work and the person for whom it is performed; in this regard, in particular, the aforementioned Opinion no. 2/2017 of the Article 29 Working Party, paragraph 2 “With the term ‘employee’, in this opinion the Working Party does not refer exclusively to persons subject to an employment contract recognised as such under the laws in force on the matter. In recent decades, new business models served by different types of employment relationship have become more common, in particular the use of freelance workers. This opinion intends to address all situations of employment relationship, regardless of whether such relationship is based on an employment contract”).
This therefore led to the violation of art. 6 of the Regulation.
4.12. Control over the activity of riders. Violation of art. 5, par. 1, letter a) and 88 of the Regulation and art. 114 of the Code.
Following the inspections, it emerged that the Company uses the work of riders who carry out the home delivery service of food and other goods on the basis of a standard contract prepared by the Company itself. The draft contract, with regard to its duration, provides that upon expiry “the contract will be automatically renewed from year to year for a period of 12 months” (see Annex 2, minutes 16/12/2022).
Riders are assigned an account to access the digital platform through which the delivery activity is organized and managed.
It is established that, for the performance of the riders' activity, the Company, through the platform, systematically collects and stores the geographic position of the courier according to the timeframes of Google Maps (very close), even when the rider is not active in the slot.
Furthermore, the Company collects geolocation data, even when the app is in the background and, until August 2023, even when the app was not active, when sending to third parties who act as data controllers on behalf of the Company itself (see par. 4.11. of this provision).
In the systems of the data controllers, the data relating to the geographical position of the rider are therefore available to the owner who has the concrete possibility of using them. This allows the Company to process the data relating to geolocation, even when the rider is not carrying out his/her work activity.
Also when sending to third parties, the Company processes, among other data, that relating to the behavior of the riders in using the app.
Furthermore, through the platform, the Company systematically collects and stores a wide range of data relating to the execution of the order, including maps of the routes taken, the estimated time and actual time of delivery, the history of orders placed, rejected and reassigned. Furthermore, the Company itself has declared that it carries out “monitoring” of the accounts assigned to the riders “aimed at detecting potential improper use of the platform”.
Also through the platform, the rider is profiled through the operation of the “excellence score”, designed to assign priority in the choice of work shifts (slots).
As already illustrated in the paragraph dedicated to the analysis of the automated treatments carried out by the Company, the parameters that make up the excellence system are aimed at assigning a higher score to the rider who makes a greater number of deliveries (“Sum Seniority Normalised”), who books a greater number of high-demand slots (“Sum High Demand Normalised”), who checks in to the booked slot within the expected timeframe (“Sum No Show Normalised”) and who does not receive bad feedback from customers (“Sum Customer Rating Normalised”).
The “excellence score” system is therefore configured in such a way as to assign greater job opportunities to those who make a greater number of deliveries and therefore to encourage continuity in the offer of work performance so much so that, in confirmation of this, the system reduces job opportunities for riders who do not accept the service offered (see paragraph 4.5. of this provision).
Therefore, not only does the Company assign work shifts to riders, but the assignment favors those who offer greater availability to make deliveries and actually make a greater number of them.
The Company also evaluates the performance, through the operation of customer feedback, and blocks and disconnects from the platform, when predetermined events occur, interrupting the rider's ability to perform the work, also through the performance of "monitoring" activities by the Team Ops operators, "aimed at detecting potential improper uses of the Glovo Platform" (among these events it emerged that the operators disconnected from the platform also following a "bad rating" on the rider's performance: Annex 5, inspection report 28/2/2023, result.csv file). Some of these events automatically lead to disconnection or blocking from the platform or from the booked slot (see paragraph 4.5. of this provision).
The Company also systematically collects and stores all the discussions that take place with the riders through telephone calls, chats and e-mails.
Finally, the company determines the compensation to be paid to the rider and prepares the relevant invoice.
Following the examination of the elements set out above, which characterize the processing of personal data, relating to riders, carried out by the Company in the context of the employment relationship governed by the standard contract acquired in the files, and documented during the inspection activities carried out at the registered office of the Company and the subsequent procedure for the adoption of corrective and sanctioning measures, it emerged that the Company organizes, mainly through the digital platform, the delivery activity consisting of a predominantly personal service, identifying the time and place of the service, offering job opportunities primarily to those who, with assiduity and continuity, carry out delivery activities (and on the other hand, the same standard contract provides for automatic renewal from year to year, demonstrating the Company's clear interest in the continuity of the service), checking the correct use of the platform and the correct performance of the service through the settings and functions of technological tools that operate remotely (digital platform, app, communication recording systems).
That said, the Guarantor, in order to verify compliance with the general principle of lawfulness of processing contained in art. 5, par. 1, letter a) of the Regulation, is required to also assess the processing carried out by the owner in accordance with the sector regulations applicable in the specific case.
The national legislator, with reference to the so-called hetero-organized collaborations (pursuant to art. 2, Legislative Decree 15/6/2015, no. 81), has established that "As of 1 January 2016, the rules on the subordinate employment relationship also apply to collaboration relationships that materialize in predominantly personal, continuous work performances and whose methods of execution are organized by the client. The provisions referred to in this paragraph also apply when the methods of execution of the service are organized through digital platforms".
In this regard, the Court of Cassation, with ruling dated 24 January 2020, no. 1663, in relation to the conditions of applicability of the discipline most recently recalled in a case concerning the employment relationship between a “food delivery” company and some riders, clarified that art. 2, Legislative Decree no. 81/2015 must be classified as a disciplinary rule that does not create a new case, given that “upon the occurrence of the characteristics of the collaborations identified by art. 2, paragraph 1, of Legislative Decree 81 of 2015, the law imperatively reconnects the application of the discipline of subordination”.
Having therefore deemed it necessary to apply to the case in question the aforementioned discipline relating to the so-called hetero-organized collaborations, it is noted that, within the scope of the discipline of the subordinate employment relationship, the protections established by Law 20/5/1970, no. 300, of which they constitute a significant manifestation, in particular those established by art. 4 regarding remote controls (the Court of Florence also ruled in accordance with this, in its judgment of 24/11/2021, no. 781 against a different company operating in the food delivery sector, establishing that the recognition of collaborations organised by the client pursuant to art. 2, paragraph 1, Legislative Decree 81/2015, of “equivalent protection” to that of subordinate workers with “full application of the rules on subordinate work” - as established by the Court of Cassation, Labour Section, judgment no. 1663 of 24/01/2020 - includes within the latter “the rights established in the Workers' Statute”; see also recently the Court of Civitavecchia, judgment of 15/5/2024, which confirmed that art. 2, paragraph 1, Legislative Decree 81/2015 “carries out a generic and full reference to the rules applicable to subordinate workers pursuant to art. 2094 of the Civil Code” and that “in the event that the legislator intended to exclude one or more legal institutions specific to the regulation of the subordinate employment relationship […] it did so expressly”).
On the other hand, also with regard to the guarantees provided for those who are part, in concrete terms, of a self-employed employment relationship, the legislator has provided for the application of the discipline established "to protect the freedom and dignity of the worker" provided for subordinate workers (see art. 47-bis, Legislative Decree no. 81/2015, which established "minimum levels of protection for self-employed workers who carry out delivery activities of goods on behalf of others [...] through platforms, including digital ones" and art. 47-quinquies, according to which "The anti-discrimination discipline and that to protect the freedom and dignity of the worker provided for subordinate workers, including access to the platform, apply to the workers referred to in article 47-bis") (in conformity with this, see INL circular 14 April 2023, "Operational instructions for the issuing of authorization measures pursuant to art. 4 of Law no. 300/1970").
Therefore, even if it were deemed necessary to apply, in this respect, the rules relating to self-employment relationships, the rules on remote controls would also apply.
In fact, as is known, Title I of Law no. 300/1970, which also includes art. 4, contains in the title “On the freedom and dignity of the worker” (in the same sense see Circular of the Ministry of Labour 19.11.2020).
Precisely in relation to the processing carried out within the employment relationship, in consideration of the peculiarities that characterise them and the specific needs for the protection of the interested parties deriving from the asymmetry of the parties which, as a rule, characterises the employer/employee relationship, art. 88 of the Regulation has safeguarded the national rules of greater protection (“more specific rules”) aimed at ensuring the protection of the rights and freedoms with regard to the processing of workers’ personal data, regardless of the specific type of employment relationship.
Among the rules of greater protection, as notified by Italy to the Commission, pursuant to the same art. 88, par. 3, also art. 114 of the Code (“Guarantees regarding remote monitoring”) which identifies, among the conditions of lawfulness of the processing, compliance with art. 4, law 20 May 1970, n. 300.
The aforementioned art. 4, law no. 300/1970 establishes that “Audiovisual systems and other instruments from which the possibility of remote control of workers’ activity derives can be used exclusively for organizational and production needs, for workplace safety and for the protection of company assets and can be installed following a collective agreement stipulated by the unitary trade union representation or by the company trade union representatives. Alternatively, in the case of companies with production units located in different provinces of the same region or in more than one region, such agreement can be stipulated by the comparatively most representative trade union associations at national level. In the absence of an agreement, the systems and instruments referred to in the first period can be installed following authorization from the territorial headquarters of the National Labour Inspectorate”.
In this case, the Company, despite carrying out a systematic monitoring of the work performance carried out by the riders, through the settings and functions of technological tools that operate remotely (digital platform, app, communication recording systems), in the terms set out above, did not comply with the provisions of art. 4, paragraph 1, Law 300/1970, given that it did not verify that the tools used are attributable to the purposes strictly permitted by the law (organizational and production needs, workplace safety and protection of company assets) nor did it activate the guarantee procedure envisaged in the event of the existence of one of the aforementioned purposes (collective agreement stipulated with the trade union representatives or, in the absence thereof, authorization from the National Labor Inspectorate).
In this regard, it should be noted that several rulings by the ordinary judicial authorities have established that the guarantees established by the law to protect subordinate work apply to the Company: Turin Court, labor section, sentence 12/3/2024, no. 231; Turin App. Court, labor section, judgment 11/7/2023, no. 340; Palermo Court, labor section, 20/6/2023; Milan Court, labor section, judgment 29/11/2022, no. 2864; Turin Court, labor section, judgment 15/11/2022; Palermo Court, labor section, order 3/8/2022; Palermo Court, labor section, judgment 24/11/2020, no. 3570.
In this regard, the arguments advanced by the Company in its defense briefs cannot be accepted.
First of all, it is stated that, differently from what was claimed by the Company in relation to the contested violation of art. 88 of the Regulation (“the provision does not apply because it does not impose obligations on private companies such as Foodinho, but only obligations to do so on the Member States”), it is the same Regulation that has provided for the imposition of an administrative pecuniary sanction in the event of violation of “any obligation under the laws of the Member States adopted pursuant to Chapter IX” (chapter that includes art. 88, “Processing of data in the context of employment relationships”; on art. 88 of the Regulation and the notion of “more specific rules” to ensure the protection of the rights and freedoms of employees with regard to the processing of their personal data in the context of employment relationships, see ECJ, 30/3/2023, case C-34/21).
The Company also argued that riders “are not subordinate workers” and “are always free to make themselves available for the various slots offered by Foodinho”. Furthermore, riders “decide in full autonomy whether and when to work without having to communicate and/or justify their decisions in any way, even in terms of unavailability”.
Given that the Authority does not intend to qualify the nature of the employment relationship between the Company and the riders, but rather to apply the rules of the system, based on the principle of lawfulness of processing, the results of the control activity carried out on the processing of riders' data have highlighted that the booking of work shifts offered by the Company is not “free” but rather conditioned by the operation of the excellence score mechanisms. Therefore, the rider's work performance is not carried out “in full autonomy”, also considering that the lack of availability to carry out the service penalises him/her even following the reassignment of the order.
Nor can the thesis be accepted according to which the Company does not exercise any control over the activity of the riders since "the geolocalization as well as the mechanism for assigning the Excellence Score" constitute the "intrinsic characteristics of the courier activity and [of] the performance of the service through the Platform itself".
The methods with which the Company manages and organizes the delivery service are not "intrinsic" to the activity but rather determined in their concrete characteristics by the organizational model chosen and determined by the Company.
Similarly, with reference to the applicability, put forward by the Company as a subordinate matter, of art. 4, co. 2, law no. 300/1970 on the basis of the qualification of the tools used by the Company as "tools used by the worker to perform the work performance", it is noted that, based on the findings of the investigation, no element has emerged that would represent that the performance requested from the riders cannot be performed except through the technological tools and methods currently used.
It has instead emerged that the complex systems used by the Company perform processing that goes well beyond what is essential to provide the service having as its object the efficient delivery of a good (see, for example, the detection of the geographic position of the rider with the close timing of Google Maps even when the app is in the background; the attribution of a score and the profiling of the rider; the collection and storage of a large amount of data relating to the management of orders through a plurality of tools (app, digital platform, customer service) that allow further processing by the owner).
Given all of the above, the violation of the principle of lawfulness of processing (art. 5, par. 1, letter a) of the Regulation in relation to art. 114 of the Code) and of art. 88 of the Regulation which allows national law to provide for "more specific measures to ensure the protection of the rights and freedoms with regard to the processing of employees' personal data in the context of employment relationships" has been ascertained.
5. Conclusions: declaration of unlawfulness of processing. Corrective measures pursuant to art. 58, par. 2, Regulation.
For the above reasons, in light of the findings as a whole, the Authority believes that the statements, documentation and reconstructions provided by the data controller during the investigation, which are also characterized by unjustified narrative verbosity and sometimes inconsistent reconstructions, do not allow the findings notified by the Office with the act initiating the proceeding to be overcome and are therefore unsuitable to allow the archiving of this proceeding, since none of the cases provided for by art. 11 of the Regulation of the Guarantor no. 1/2019 apply.
The processing of personal data carried out by the Company and in particular the processing of rider data carried out mostly through the digital platform is in fact unlawful, in the terms set out above, in relation to art. 5, par. 1, letter a) - also with reference to the provisions of art. 1-bis of Legislative Decree no. 152 of 1997 -, c) and d) (principles of transparency, correctness, adequacy, relevance and accuracy of processing), e), 6, 9, par. 2, letter b), 12, 13, 22, par. 3, 25, 28, 32, 35, 88 of the Regulation, to articles 2-septies and 114 of the Code and to art. 47-quinquies, Legislative Decree no. 81/2015.
Although the Company, during the proceedings, has adopted some - limited - changes to the processing subject to notification of violations by the Guarantor (dated 11/10/2023), these are for the most part, at present, still active. This, moreover, despite the adoption of a previous provision by this Authority with regard to the processing of riders' data carried out through the digital platform (Provision 10 June 2021 no. 234).
The violation, ascertained in the terms set out in the reasons, cannot be considered "minor", taking into account the nature of the violation which concerned, among other things, the general principles and conditions of lawfulness of the processing of special data (biometric data) as well as the seriousness of the violation itself, the degree of responsibility and the manner in which the supervisory authority became aware of the violation (see Recital 148 of the Regulation).
The Authority also considered that the level of seriousness of the violation is high, in light of all the relevant factors in the specific case, and in particular the nature, seriousness and duration of the violation, taking into account the nature, object or purpose of the processing in question as well as the number of data subjects harmed by the damage and the level of damage suffered by them.
The Authority also took into account the criteria relating to the intentional or negligent nature of the infringement and the categories of personal data affected by the infringement as well as the manner in which the supervisory authority became aware of the infringement (see Article 83, paragraph 2 and Recital 148 of the Regulation).
Therefore, given the corrective powers granted by Article 58, paragraph 2 of the Regulation, it is deemed necessary to assign the Company a deadline to bring the data processing operations still in progress into conformity with the Regulation.
In light of the above, the Authority:
prohibits the Company from further processing the biometric data of the riders (Article 58, paragraph 2, letter f), of the Regulation);
orders the erasure of the biometric data processed as part of the rider authentication procedure;
orders the reformulation of the messages sent to the riders, following the deactivation and/or blocking, within the terms set out in the reasons (Article58, par. 2, letter d), Regulation);
orders to conform its processing to the Regulation, with reference to the correct preparation of the documents containing the information and the impact assessment, in the terms set out in the motivation (art. 58, par. 2, letter d), Regulation);
orders to conform its processing to the Regulation, with reference to the identification of the retention periods of the data processed, in the terms set out in the motivation (art. 58, par. 2, letter d), Regulation);
orders to bring its processing operations into conformity with the Regulation, with reference to the identification of appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, at least the right to obtain human intervention by the data controller, to express one's opinion and to contest the decision, in relation to automated processing including profiling carried out through the platform, ensuring adequate training of the operators in charge as well as the possibility for the operators themselves to ignore, if applicable, the output of the algorithmic process, to avoid the possible tendency to automatically rely on it (Article 58, paragraph 2, letter d), Regulation);
orders to identify appropriate measures aimed at periodically verifying the correctness and accuracy of the results of the algorithmic systems, also in order to ensure that the risk of errors is minimized as well as the use of excessive, outdated or inaccurate data, to be started within 60 days of receipt of this provision, concluding the verification activity within the following 90 days;
orders to conform its processing to the Regulation, with reference to the identification of appropriate measures, aimed at introducing tools to avoid improper and discriminatory use of reputational mechanisms based on feedback; this verification must be repeated with each change to the algorithm regarding the use of feedback for calculating the score (art. 58, par. 2, letter d), Regulation);
orders to comply with the provisions of art. 47-quinquies, Legislative Decree no. 81/2015, with reference to the prohibition to order "exclusion from the platform and [the] reduction of job opportunities attributable to failure to accept the service" (art. 58, par. 2, letter d), Regulation);
orders to conform its processing operations relating to the sending of personal data relating to riders to third parties to the Regulation, with reference to the application of the principles of minimisation and privacy by design and by default, in the terms set out in the grounds (Article 58, paragraph 2, letter d), Regulation);
orders to carry out a specific analysis aimed at verifying the categories of personal data exchanged with third parties, through the use of SDKs or APIs, created by the latter entities;
orders to verify, at least every six months, the list of operators who, with cross-country access authorization, can access the data of riders operating on Italian territory;
orders to conform its processing operations to the Regulation, with reference to the deactivation of GPS localization when the app is in the background and in any case the activation on the rider's device of an icon indicating that the GPS is active (Article 58, paragraph 2, letter d), Regulation);
orders to conform its own treatments to the Regulation, with regard to the designation of riders pursuant to art. 28 of the Regulation in the terms set out in the reasons (art. 58, par. 2, letter d), Regulation);
orders the Company to conform its own treatments to the Regulation, with reference to compliance with the provisions of art. 4, paragraph 1, law 20.5.1970, n. 300, in the terms set out in the reasons (art. 58, par. 2, letter d), Regulation).
6. Adoption of the injunction order for the application of the administrative pecuniary sanction and accessory sanctions (arts. 58, par. 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).
At the end of the proceedings, it appears that Foodinho s.r.l. has violated art. 5, par. 1, letter a) - also with reference to the provisions of art. 1-bis of Legislative Decree no. 152 of 1997 -, c), d) and e) (principles of lawfulness, correctness, transparency, minimization and accuracy of processing), 6, 9, par. 2, letter b), 12, 13, 22, par. 3, 25, 28, 32, 35, 88 of the Regulation, arts. 2-septies and 114 of the Code and art. 47-quinquies, Legislative Decree no. 81/2015. Violation of the aforementioned provisions will result in the application of the administrative pecuniary sanction provided for by art. 83 of the Regulation.
The Guarantor, pursuant to art. 58, par. 2, letter i) of the Regulation and art. 166 of the Code, has the power to impose a pecuniary administrative sanction provided for by art. 83 of the Regulation, by adopting an injunction order (art. 18. L. 24 November 1981 n. 689), in relation to the processing of personal data carried out by Foodinho s.r.l., which has been found to be unlawful, in the terms set out above.
Considering it necessary to apply paragraph 3 of art. 83 of the Regulation where it provides that "If, in relation to the same processing or connected processing, a data controller [...] violates, with intent or negligence, several provisions of this Regulation, the total amount of the administrative pecuniary sanction shall not exceed the amount specified for the most serious violation", the total amount of the sanction is calculated so as not to exceed the maximum amount provided for by the same art. 83, par. 5.
With reference to the elements listed in art. 83, par. 2 of the Regulation for the purposes of applying the administrative pecuniary sanction and the related quantification, considering that the level of seriousness of the violation is high, taking into account that the sanction must "in each individual case [be] effective, proportionate and dissuasive" (Article 83, paragraph 1 of the Regulation), it is represented that, in the case in question, the following circumstances were considered:
a) in relation to the nature of the violation, this also involved cases punished more severely pursuant to Article 83, paragraph 5, of the Regulation by reason of the interest protected by the violated rules (concerning the general principles of lawfulness, fairness and transparency, minimization, accuracy, limitation of storage, integrity and confidentiality of the processing; the conditions of lawfulness also for the processing of special data; the right to information; the rights of the interested parties in the face of the adoption of decisions based solely on automated processing; the more specific provisions on remote controls expressly referred to in the personal data protection legislation);
b) in relation to the seriousness of the violation, the nature of the processing was taken into account, which concerned, at national level, a plurality of data relating to vulnerable data subjects, including special data and data relating to communications; such processing is characterised by the use of complex algorithmic systems in a work context characterised by significant asymmetry of the powers of the parties to the relationship, also taking into account the central relevance of the processing with respect to the main activities of the controller;
c) with regard to the duration of the violation, its extended duration was considered, considering, among other things, that most of the processing is still ongoing (in particular, for the processing indicated in paragraphs 4.2., , 4.5., 4.6., , 4.8., 4.9., 4.10., 4.12. the processing was carried out in violation of the personal data protection regulations for an unspecified period of time, at least since the inspection of 13 and 14 December 2022; for the processing indicated in paragraph 4.1. the processing was carried out in violation of the personal data protection regulations for an unspecified period of time, at least since 3/10/2022, the date of sending a message to S.G.'s account; for the processing indicated in paragraph 4.3. the processing was carried out in violation of the personal data protection regulations for an unspecified period of time, at least since 3/10/2022, the date of sending a message to S.G.'s account; from 08/01/2022, the date of entry into force of art. 1-bis of Legislative Decree no. 152 of 1997; for the processing operations relating to the designation of the rider as data controller, indicated in par. 4.4., the violation was carried out for an indefinite period, at least from 04/29/2022, the date indicated in the Terms and Conditions document delivered during the inspection of 13 and 14 December 2022; for the processing operations relating to the designation of the sub-processors of GlovoApp23 SL (Comdata and Trizma operators) as data controller, indicated in par. 4.4., the violation continued until 02/29/2024, the date on which the Company stated that it had provided instructions to the call center operators; for the processing operations relating to the rating, indicated in par. 4.5.2., the processing was carried out in violation of the personal data protection regulations from the inspection of 26, 27 July 2023 until 10/01/2024, the date on which the Company eliminated this value; for the processing relating to biometric data indicated in par. 4.7. the processing in violation of the data protection regulations began on 23/11/2020; for the processing indicated in par. 4.11. the processing was carried out in violation of the personal data protection regulations for an indeterminate period, at least since the inspections of 26, 27 July 2023);
d) the significant number of data subjects actually involved was also considered (36,545 active riders as of 27 December 2022) also taking into account the additional data subjects potentially involved after the date of 27 December 2022;
e) with reference to the intentional or negligent nature of the violation and the degree of responsibility of the owner, the objective elements of the conduct of the Company and the degree of responsibility of the same have been taken into consideration, as it has violated the obligation of diligence provided for by the law and has not complied with the data protection regulations, in relation to a plurality of provisions.In relation to this parameter, it was also considered that the Company, during the proceedings, represented, with regard to the attribution of a fixed rating to riders and the communication of data to third parties also through the SDKs of the latter, that it was not aware of the related processing; this denotes a grossly negligent conduct, considering that the processing was carried out with particularly complex technologies, in relation to which it is necessary to implement adequate verification and control activities. Furthermore, at present, no specific measures to protect the interested parties appear to have been concretely implemented (except for the cancellation of the attribution of the fixed rating to riders);
f) as an aggravating factor, it was considered that the Company was the recipient of the provision of the Guarantor no. 234 of 2021, following the ascertainment of the violation of articles 5, par. 1, lett. a), c) and e); 13; 22, par. 3; 25; 30, par. 1, lett. a), b), c), f) and g); 32; 35; 37, par. 7; 88 of the Regulation; 114 of the Code. Although this provision has ascertained that the Company has committed previous relevant violations with reference to the processing of riders' data, the Company has not implemented any significant changes regarding the processing of riders' data carried out by it;
g) the level of damage suffered by the interested parties due to the processing carried out, mostly through the digital platform, in the absence of the overall precautions required by the personal data protection system, has also been considered as an aggravating factor, given the high risks posed by the use of complex and highly invasive technological systems that allow the evaluation and control of the actions of the interested parties and the adoption of decisions that significantly affect the interested parties, in relation to the possibility of obtaining job opportunities;
h) as a mitigating factor, in favor of the Company, the latter's willingness, represented to the Authority during the proceedings, to make and plan some changes to the processing carried out, was taken into account, which, although limited to specific aspects, allowed to limit the negative consequences on the rights of the interested parties in relation to these aspects.
It is also believed that in the case in question, taking into account the aforementioned principles of effectiveness, proportionality and dissuasiveness to which the Authority must adhere in determining the amount of the sanction (Article 83, paragraph 1, of the Regulation), the economic conditions of the offender, determined on the basis of the revenues achieved with reference to the turnover of the Company relating to the 2023 tax period, are relevant in the first place.
In light of the elements indicated above and the assessments carried out, it is believed, in the case in question, to apply to Foodinho s.r.l. the administrative sanction of the payment of a sum equal to Euro 5,000,000 (five million).
In this context, it is also believed that pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, it is necessary to proceed with the publication of this chapter containing the injunction order on the website of the Guarantor.
This is in consideration of the type of violations found that concerned the general principles of processing, the conditions of lawfulness also for the processing of particular data, the right to information, the right not to be subjected to a decision based solely on automated processing, the more specific provisions on remote controls, as well as the significant number of data subjects involved.
GIVEN ALL THE ABOVE, THE GUARANTOR
pursuant to art. 57, paragraph 1, letter. f) and 83 of the Regulation, the unlawfulness of the processing carried out by Foodinho s.r.l., in the person of its legal representative, with registered office in Via Giovanni Battista Pirelli, 31, Milan (MI), C.F. 09080990964, in the terms set out in the reasons, is detected for the violation of articles. articles 5, par. 1, letter a) - also with reference to the provisions of art. 1-bis of Legislative Decree no. 152 of 1997 -, c) and d) (principles of transparency, correctness, adequacy, relevance and accuracy of processing), e), 6, 9, par. 2, letter b), 12, 13, 22, par. 3, 25, 28, 32, 35, 88 of the Regulation, articles 2-septies and 114 of the Code and art. 47-quinquies, Legislative Decree no. 81/2015;
pursuant to art. 58, par. 2, letter f) of the Regulation, imposes on Foodinho s.r.l. the prohibition of further processing of the biometric data of riders;
pursuant to art. 58, par. 2, letter g), of the Regulation, orders Foodinho s.r.l. to delete the biometric data of riders within 30 days of receiving this provision;
pursuant to art. 58, par. 2, letter d), of the Regulation, requires Foodinho s.r.l. to conform its processing to the Regulation with reference to:
- the reformulation of messages sent to riders following deactivation and/or blocking within the terms set out in the justification within 60 days of notification of this provision;
- the correct preparation of the documents containing the information and the impact assessment within the terms set out in the motivation within 60 days of notification of this provision;
- the identification of the retention periods of the data processed, within the terms set out in the motivation within 60 days of notification of this provision;
- the identification of appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, at least the right to obtain human intervention by the data controller, to express his or her opinion and to contest the decision, in relation to automated processing including profiling carried out through the platform, ensuring adequate training of the operators in charge as well as the possibility for the operators themselves to ignore, if applicable, the output of the algorithmic process, to avoid the possible tendency to automatically rely on it, within 60 days of notification of this provision;
- to identify appropriate measures aimed at periodically verifying the correctness and accuracy of the results of the algorithmic systems, also in order to ensure that the risk of errors is minimized as well as the use of excessive, outdated or inaccurate data, to be started within 60 days of notification of this provision, concluding the verification activity within the following 90 days;
- to identify appropriate measures aimed at introducing tools to avoid improper and discriminatory use of reputational mechanisms based on feedback; this verification must be repeated with each change to the algorithm regarding the use of feedback for calculating the score, to be started within 60 days of notification of this provision, concluding the verification activity within the following 90 days;
- to comply with the provisions of art. 47-quinquies, Legislative Decree no. 81/2015 with reference to the prohibition of ordering “the exclusion from the platform and the reduction of job opportunities attributable to the failure to accept the service”, to be started within 60 days of notification of this provision, concluding the verification activity within the following 90 days;
- the application of the principles of minimization and privacy by design and by default in relation to the sending of personal data relating to riders to third parties, within the terms set out in the motivation, to be started within 60 days of notification of this provision, concluding the verification activity within the following 120 days;
- the performance of a specific analysis aimed at verifying the categories of personal data exchanged with third parties through the use of SDKs or APIs created by the latter entities to be started within 60 days of notification of this provision, concluding the verification activity within the following 90 days;
- to verify, at least every six months, the list of operators who, with cross-country access authorization, can access the data of riders operating on Italian territory within 60 days of notification of this provision, concluding the verification activity within the following 90 days;
- to deactivate GPS localization when the app is in the background and in any case to activate an icon on the rider's device indicating that the GPS is active within 60 days of notification of this provision;
- to designate riders pursuant to art. 28 of the Regulation within the terms set out in the justification within 60 days of notification of this provision;
- to comply with the provisions of art. 4, paragraph 1, law 20/5/1970, no. 300, within the terms set out in the justification within 60 days of notification of this provision;
Foodinho s.r.l. is requested to communicate what initiatives have been undertaken in order to implement the provisions of this provision and to provide adequately documented feedback pursuant to art. 157 of the Code, within 90 days from the date of notification of this provision; any failure to provide feedback may result in the application of the administrative sanction provided for by art. 83, paragraph 5, letter e) of the Regulation.
ORDERS
pursuant to art. 58, paragraph 2, letter i) of the Regulation to Foodinho s.r.l., to pay the sum of Euro 5,000,000 (five million) as an administrative pecuniary sanction for the violations indicated in this provision;
ORDER
therefore to pay the aforementioned sum of Euro 5,000,000 (five million) according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive actions pursuant to art. 27 of Law no. 689/1981. It is recalled that the right of the offender to settle the dispute by paying - always according to the methods indicated in the attachment - an amount equal to half of the fine imposed, within the deadline referred to in art. 10, paragraph 3, of Legislative Decree no. 150 of 1.9.2011 provided for the filing of the appeal as indicated below (art. 166, paragraph 8, of the Code);
ORDERS
a) pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, the publication of the injunction order on the website of the Guarantor;
b) pursuant to art. 154-bis, paragraph 3 of the Code and art. 37 of the Guarantor Regulation no. 1/2019, the publication of this provision on the website of the Guarantor;
c) pursuant to art. 17 of Regulation no. 1/2019, the annotation of the violations and measures adopted in accordance with art. 58, paragraph 2 of the Regulation, in the internal register of the Authority provided for by art. 57, paragraph 1, letter u) of the Regulation.
Pursuant to art. 78 of the Regulation, as well as articles 152 of the Code and 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place identified in the same art. 10, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.
Rome, 13 November 2024
THE PRESIDENT
Stanzione
THE REPORTER
Cerrina Feroni
THE SECRETARY GENERAL
Mattei
SEE ALSO: Press release of 22 November 2024
[web doc. no. 10074601]
Provision of 13 November 2024
Register of provisions
no. 675 of 13 November 2024
THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA
IN today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members and Councillor Fabio Mattei, Secretary General;
SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, the “Regulation”);
SEEN the Personal Data Protection Code, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 (Legislative Decree 30 June 2003, no. 196, as amended by Legislative Decree 10 August 2018, no. 101, hereinafter the “Code”);
HAVING SEEN the inspections carried out at the registered office of Foodinho s.r.l. on 13 and 14 December 2022, 28 February, 1 March, 26 and 27 July 2023;
HAVING EXAMINED the documentation in the files;
HAVING SEEN the observations formulated by the Secretary General pursuant to art. 15 of the Guarantor's regulation no. 1/2000;
REPORTER Prof. Ginevra Cerrina Feroni;
WHEREAS
1. The inspection activity against the Company.
The Authority, following the publication of news reports regarding the disconnection of the account of a rider, Sebastian Galassi (S.G.), who died following a road accident that occurred in Florence on 1 October 2022, while making a delivery on behalf of Foodinho s.r.l. (hereinafter, the Company), within the scope of a proceeding initiated ex officio, delegated to the Special Unit for the Protection of Privacy and Technological Fraud of the Guardia di Finanza the carrying out of inspections, carried out on 13 and 14 December 2022, 28 February and 1 March 2023, aimed at acquiring information, displaying documents and accessing databases pursuant to Articles 157 and 158 of the Code.
On 26 and 27 July 2023, following the receipt of a report concerning the processing of riders' data by Foodinho s.r.l. through the Glovo Couriers application, a further inspection was carried out at the Company.
During the inspections of 13 and 14 December 2022, the Company declared that:
“the Glovo platform is owned by the Spanish company Glovoapp23 SL; Foodinho s.r.l. […] uses the said platform […] to manage the riders' activity; the latter […] are assigned an account […], in order to provide the home delivery service” (see the minutes of operations carried out on 12/13/2022 cit., p. 3);
following access to the Glovo platform carried out by an operator with the qualification of Head Operations of the Company, it emerged, among other things, that “the «Live Map» section allows you to view the map with the indication of the area of interest (any city in the world where Glovo operates), the orders (position of the commercial establishments), couriers (position of the riders) and the stretch, as the crow flies between the commercial establishments and the couriers”; “the map and the consequent positioning of the riders are constantly updated”; “by clicking on the courier icon, among the information that appears on the screen, there is: the numeric code of the courier, the telephone number, the vehicle used and the time slot of availability for its use”; “by clicking on the courier's numeric code, the platform displays all the rider's personal data and the documents relating to him that he provided to start the collaboration relationship, together with information relating to the orders taken in charge and the deliveries made”; “the «Jumio details» section concerns the procedure for verifying the courier's identity via facial recognition, disabled in July 2022”; “the status of the rider [S.G.]'s account is «DISABLED (Reason-other)»”; “the courier's status can be blocked, temporarily blocked or disabled by obligatorily placing a flag on one of the reasons (reason) provided”; “among the reasons mentioned, death or decease is not indicated, which is why other was indicated to disable [S.G.]'s account”; “the platform stores the personal data and documents of riders with accounts deactivated since 2016”; “among the information there are also the maps relating to the deliveries carried out which in 2017 show the start and end of the route without indicating the route taken by the rider, since October 2018 the route taken by the rider is also reported” (see the minutes of operations carried out 14/12/2023 cit., p. 7).
With a note acquired in the files on 27 December 2022, and related attached documentation, the Company, in order to resolve the reservations formulated during the inspection, further represented that:
“The deactivation of the account [attributed to S.G.] had the purpose of disabling access to the Courier's profile at the time the incident occurred, in order to prevent third parties from using the account […]. The deactivation was not carried out by any automatic system, but manually by an employee of the Company, a member of the dedicated team, as soon as Foodinho S.r.l. became aware of the incident. […] after the account […] had been manually deactivated, the message concerning the deactivation of the account was automatically sent, by the system to the Courier, by mistake, since such deactivation did not originate from any violation of the Terms and Conditions, and furthermore there was no standard ad hoc response for such a dramatic situation” (see note of 27/12/2023 cit., letter B);
“[in] the “Expert Report on the “Grievance Process” […] the necessary manual intervention is highlighted for both the activation and deactivation of the Couriers’ account” (see note cit., letter B);
“the consequence of the deactivation of the account is that the Courier can no longer use it. Usually, deactivation is a permanent measure, but if reactivation is requested […], the request is taken into consideration and can be assessed” (note cit., letter E);
with regard to the “account monitoring” indicated in point 5.4.2 of the “Terms and conditions of use of the Glovo platform for couriers” the Company declared that “The monitoring, which is neither continuous nor systematic, is carried out through some dashboards used by the Ops Team, and is aimed at detecting potential improper uses of the Glovo Platform” (note cit., letter F);
with reference to the provisions of art. 47-quinquies, of Legislative Decree no. 81/2015 the Company declared that “a) accounts are never deactivated based on failure to accept the service; b) the reassignment of orders does not affect the Courier's possibilities of obtaining orders available in the APP, nor in any way on the score; c) Couriers are never excluded from the selected time slot based on refusal to carry out the activity” (note cit., letter G);
“Foodinho S.r.l. is the Data Controller of the personal data of Couriers operating in Italy while, in relation to such personal data, Glovoapp23, S.A. is appointed Data Processor” (see note cit., letter H);
“Foodinho S.r.l. uses the support of external call centers, Meritus Upravljanje, d.o.o. (MPLUS) and Comdata S.p.A. (COMDATA), limited to the Courier onboarding activity (MPLUS) and real-time Courier assistance (COMDATA). These call centers act as sub-processors pursuant to [the] data processing agreement […], as the relationship between them and Glovoapp23, S.A. and their services are provided to Foodinho S.r.l. pursuant to the License Agreement” (see note cit., letter I);
“subsequent to the delivery of orders to Customers by the Couriers, the APP allows the Customer to enter their […], both on the Courier side and on the Local Business side” (see note cit., letter J);
“through their account, the Couriers have the ability to view the metrics received in light of the delivery activity they provide to other users (Customers and Local Businesses), both thumbs up (i.e., good service) and thumbs down (i.e., bad service), although it is not possible to connect the metrics received to specific users or orders. In the event that the Couriers do not agree with the metrics they have received from the Customers, they can contact the Live Operations Support Team ("Live Ops Team") of Foodinho S.r.l., filing a general dispute” (see note cit., letter O);
“the Privacy Policy is made available to Couriers at various times: ● when they register for the first time on the APP, ● each time they access the APP, ● when they sign the contract” (see note cit., letter P);
with reference to the information provided by art. 1-bis of Legislative Decree 26/5/1997, n. 152, as amended by art. 4 of Legislative Decree 27 June 2022, n. 104, regarding the excellence score, some information is provided during the onboarding process on the Glovo platform through a video, through the website and the newsletter, during “voluntary meetings” as well as through what is indicated in the contract; furthermore “With regard to the offer of orders, more information is provided to Couriers through the Courier Assistance Center” (see note cit., letter Q);
“current number of “Active Couriers” using the APP in Italy as of January 2022: 36,545 (“Active Couriers” means any Courier, registered in the APP, who has placed at least one order using the Glovo Platform since January 2022. […]). Number of Couriers who have started using the APP in Italy since 1 August 2022: 7,405 ([…] this number refers to the definition of “Active Couriers” […])” (see note cit., letter R);
“Foodinho S.r.l. started processing biometric data of Couriers on 23 November 2020, as part of the first tests relating to the authentication procedure […] Foodinho S.r.l. has stopped using this authentication procedure and, consequently, collecting and processing biometric data of Couriers starting from July 2022” (see note cit., letter S).
During the inspections of February 28 and March 1, 2023, carried out in continuation of the activity carried out against Foodinho S.r.l. on December 13 and 14, 2022, following access to the platform and the declarations made by the Company, it emerged that:
as a result of access to the Glovo platform carried out by an operator with the qualification of Head Operations of the Company, it emerged, among other things, that "the system [...] allows [...] to search for each Italian city all the accounts of the riders disabled from the origin of the same platform to date" (see the minutes of operations carried out on 28/2/2023, p. 3);
following access to the Glovo platform carried out by an operator with the qualification of Operations Analyst of the Company, it emerged, among other things, that "the accounts of riders, operating in Italy, deactivated in the period 1 January 2022 - 31 December 2022, is 6,369, while the number of blocked accounts, in the same period, is equal to 53,861" (see the minutes cited, p. 4);
"the Grievance process in the event of the initiation of the deactivation procedure, consists of two communications. The first [...] consists of an email that is notified to the rider concerned, in which a potential fraudulent use of the platform or other event is represented [...] it is made explicit to the rider that he has a term of six days to present his counter-arguments, furthermore he is informed that pending a response his account is temporarily suspended. [if the rider does not respond] once the six-day period has elapsed, a second email is sent, internally identified as a termination letter (deactivation), informing the rider of the account deactivation. [if the rider responds, however] the counter-arguments are analyzed [by] the operations team. If they are considered suitable, they proceed to send a communication to reactivate the account. Otherwise, they proceed to send the termination letter (account deactivation) by email. Otherwise, the blocking process requires sending a communication by email to suspend the account directly to the rider, who is informed of the need to carry out a specific action, for example the request to open a VAT number, or the need to provide for the deposit of cash at the authorized points in the city. […]. If the documents are considered suitable, the rider obtains the reactivation of the account. This phase of the blocking process is manual, unlike the first in which the blocking communication is automated” (see minutes 1/3/2023, p. 6, 7);
“with reference to the communication received from Mr. [S.G.], however, it does not fall into any of the previous cases. This communication is sent, in addition to one of those previously mentioned, with each change in the rider’s status. […] [In this case], given the circumstances, the sending of this communication is due to human error” (see minutes cit., p. 7);
“the retention periods of riders’ data have been updated, as indicated in the new privacy legislation made available online and on the basis of the timeframes set out in the Italian Civil Code. […] the data is not retained for more than 10 years from the moment in which the purpose of the processing has been achieved. [the ten-year term] also extends and applies to data relating to geolocation […]” (see minutes cit., p. 8);
“the excellence score is made up of four parameters that are taken into consideration in relation to the last 28 days of use of the platform, even if not consecutive (hereinafter, the “Reference Period”). Each parameter ranges from 0 to 5, as does the overall excellence score. Likewise, each parameter, as well as the overall excellence score, is normalized in relation to the entire fleet of the city (e.g. if a parameter or the lower overall score in the reference rider population is 4 and the higher is 5, all values from 4 to 5 will be normalized from 0 to 5). These parameters have a different weight depending on the city. Specifically: “contribution” parameter ([...] “Sum Seniority Normalised” […]): takes into account the number of orders delivered in the Reference Period; “no show” parameter ([…] “Sum No Show Normalised” […]): takes into account the number of times the rider booked a slot but then did not check in in the Reference Period. […] the slot reservation takes place twice a week, on Mondays and Thursdays at 4 pm, […]; the rider has the possibility to check-in starting from 25 minutes before the slot start time up to 10 minutes after that time; furthermore, the rider can cancel the slot reservation up to one minute before the start time (regardless of having checked-in previously) without any penalty; “customer rating” parameter ([…] “Sum Customer Rating Normalised” […]): takes into account the feedback received exclusively from the customer […] due to the rider in the Reference Period […]; “high demand slot” parameter ([…] “Sum High Demand Normalised” […]): takes into account the time in which the rider is working in comparison to the total time on the HD slots (i.e. high demand slots) that occur weekly. “High demand slots” are those where there is a greater influx of orders and amount to six hours per week, which generally correspond to three hours for dinner on Saturday and three hours for dinner on Sunday” (see minutes cit., p. 8, 9);
“the parameters […] have a different weight in each city. For example, the weights for Florence (applied to the account of [S.G.]) are: a. Contribution: 45% b. No show: 5% c. Customer rating: 33% d. HD slot: 17%. Finally, the overall excellence score has a progressive and increasing weight in the Reference Period (e.g. the most recent performance has a more significant score than that of 28 days ago)” (see minutes cit., p. 9).
With a note acquired on file on 16 March 2023 and related attached documentation, the Company, in order to resolve the reservations formulated during the inspection, also specified that:
“each type of blocking communication is based on specific categories of data collected […]: [in relation to] Cash Balance […] the system only tracks the amount of money in the possession of the Courier”; [in relation to] Medical checks […] the “data collected relate to the number of deliveries made in the previous 50 days”; [in relation to] Limit 5K […] the “data collected are those relating to the compensation received by the Courier”; [in relation to] Expired documentation […] the “data collected are the expiry dates of the documents provided by the Courier for the activation of the account”; [in relation to] INAIL accident […] the “data collected are related to the circumstances of the accident and the prognosis”; [in relation to] Mandatory trainings” […] the “data collected is the activation date of the Courier’s account”. (see note 16/3/2023, letter e);
“in cases where the identification of a […] situation […] by the Company (i.e. in the absence of complaints or disputes by users) could trigger the sending of a […] deactivation communication to the Courier, the data on which such […] communication is based are extracted from the Company’s systems thanks to some queries carried out periodically.” (see note cit., letter f);
“the Glovo Platform is […] managed by GlovoApp23 S.A. and provided as a standard tool to all companies in the group […]. Therefore, some of the features and, therefore, some items that are used for the deactivation and blocking of the Couriers’ account in some countries are not […] used in others. With regard to Italy […] the two items in the question (i.e. "Many reassignments" and "Bad rating") are not actually used in Italy, neither for blocking nor for deactivation, although they appear as potential reasons for blocking in our IT systems” (see note cit., letter g);
“in any case, in order to avoid potential improper use of the Glovo Platform, the Company has asked GlovoApp 23 S.A. to deactivate such reasons in Italy” (see note cit., letter g);
with regard to the "Live Map" section, in relation to the profile used to access, in particular how many similar profiles, with the possibility of cross-country access, are active overall on the Glovo platform, the Company has declared that “the employees of Foodinho, S.r.l. as well as the agents employed by COMDATA and MPLUS (hereinafter, "Live Ops Provider/s"), can have access to the "Live Map" section (permission "livemap.view"). […] As regards the employees of Foodinho S.r.l. who are granted access to the "Live Map" section, the main teams granted the "livemap.view" permission are […] Team Ops […] Legal Team […] BIN Data […] IT Team […] Teach Team […] Live Ops Team […] Finance Team […] Expansion Team” (see note cit., letter j);
“as regards the external agents hired by COMDATA and MPLUS, the number of agents who have access to the "Live Map" section (permission "livemap.view") is […]: COMDATA or Agents: 82 or Team Leads: 7 • MPLUS or Agents: 149 or Team Leads” (see note cit., letter j);
“chat and e-mail are the preferred channels used by agents to get in touch with the Couriers. Voice recording can only take place if the agent concerned needs to contact the Courier directly” (see note cit., letter m);
“each team of agents has access only to conversations that took place in their own country of competence […] the retention period for conversations is 36 months” (see note cit., letterm);
“the purposes pursued through the processing of voice recordings are: • Quality • Evaluate the service provided by the local provider (COMDATA and MPLUS); and • measure compliance with the agents' process when supporting the Couriers. • Legal • have documentary support of all interactions carried out with a third party in the event of a complaint or process. • Manage and respond duly to requests made by the competent authorities […] and law enforcement […]. • Correctly manage and document the correct fulfillment of requests from data subjects, including requests for access and deletion of data pursuant to the GDPR” (see note cit., letter m);
“on 23 December 2022, the Company published a new privacy policy also updating the retention periods […]. The privacy policy shared […] during the inspection of 28 February-1 March is the one now published on the website. Subsequently, the Company realized that the privacy policy included in the contract with the Couriers had not yet been updated and therefore updated the retention period of that policy as well. Now the standard retention periods provided for in both privacy policies are aligned and do not provide for retention periods exceeding 10 years” (see note cit., letter n);
“with specific reference to geolocation data, they are stored on an AWS server located in Ireland. The stored data are associated only with the Courier ID (pseudonymization). The data are necessary to correctly quantify the Couriers' earnings and are also stored to justify the amount of the invoices issued by the Couriers in the event that this is required by the Tax Authorities or, in general, is necessary in proceedings or inspections in the field of labor law” (see note cit., letter n);
with regard to the processing of biometric data of riders, it is specified that “Information relating to facial recognition is provided to Couriers in the privacy policy and is also available at [l] link […]" Facial recognition - Italy (glovoapp.com). The software provided by the company Jumio Corporation (“Jumio”) as data controller […] is structured in two phases” (see note cit., letter p);
“the first phase involves the Courier receiving a message on his mobile phone in which he is asked to scan an identity document (with a photograph of himself) and, subsequently, to take a "selfie". […]. The data in the document will be checked taking into account the information already provided by the Courier during account activation. The photograph will be verified with the images contained in the document. The first "selfie" will be stored in the database and will be used as a reference for the next time facial recognition is necessary” (see note cit., letter p);
“the second phase involves, after the first recognition and randomly, the Courier being asked to perform the recognition through a "selfie". The Courier is also informed that the recognition is mandatory and that failure to perform it may lead to the deactivation of the account […]. In any case, if the Courier does not perform the recognition or in the event of failure to perform the recognition before the account is deactivated, the calendar through which the Courier books the slots will be blocked and the Courier will be asked to proceed with the recognition to reactivate the calendar” (see note cit., letter p);
“the processing of biometric data is necessary to fulfill the obligations in terms of labor law, safety and social protection undertaken by the data controller pursuant to Article 23 […] of the CCNL Rider” (see note cit., letter p);
“the Company has suffered from internal bugs that automatically closed the flow in the App […]. These "closures" of the App resulted in a "FAILED" attempt from the backend point of view and, consequently, led to potential unjustified blocks of the Couriers' profiles. For this reason, it was necessary to interrupt the Jumio verification process for some time" (see note cit., letter q);
"the Jumio test currently underway consists of the following phases: 1. at the beginning of February, an initial activation of facial recognition was carried out on 3.28% of the Couriers active in Italy. 2. On February 20, it was extended to 18.33% of the active Couriers. 3. On February 27, it was activated on a smaller percentage equal to 15.55%. 4. On March 13, the test was extended to 32.61%. 5. Starting from March 27, Foodinho S.r.l. plans to activate facial recognition again on all active Couriers. The test consists of requesting facial recognition once a day to all the Couriers involved and checking if there are errors in the process” (see note cit., letter q).
On March 17, 2023, the Company specified that, “in resolution of the reservation included in the response referred to in letter J of the response to the request for information […], the current number of employees who have the active “livemap.view” permission is 65”.
Following the receipt of a report on July 7, 2023, concerning the processing of riders’ data by Foodinho s.r.l. through the Glovo Couriers application, after merging the proceedings, a further inspection was carried out at the Company on 26 and 27 July 2023.
During the inspection it emerged that:
by accessing the web portal https://couriers.glovoapp.com/it/ to verify the content of the information provided to riders, it was verified that "the link immediately below the access form, under the label: "By selecting the button, you accept" is not accessible, while the information present at the link at the bottom of the page, in the "Legal Notes - Privacy Policy" area, is updated to 2019 and is not available in Italian" [...] The information present at the appropriate link at the bottom of the "Terms and Conditions" document was therefore displayed, which instead appears to be updated to December 2022" (see minutes 26/7/2023 cit. p. 3);
by accessing the Glovo courier app, it was verified that “even in this case the information is not accessible from the “Privacy Policy” link, while it is accessible from the “Terms and Conditions” link (version of 29 April 2022)” (see the minutes cited, p. 3);
with regard to what is reported in the “Terms and Conditions”, the Company specified that “this document also contains some elements regarding the privacy information for couriers, in particular in paragraph 9 […] with regard to the communication of data to third parties and the categories of recipients in the context of the use of the Glovo platform. The text of the “Terms and Conditions” also includes a link to the full text of the general privacy information on the website https://glovoapp.com/it/legal/privacy. In this document, the company indicated the characteristics of the communication of riders’ data to third parties […]. The documents indicated must therefore be read together for a comprehensive picture of the treatments carried out by Foodinho towards the couriers” (see minutes cited p. 3);
furthermore “the riders are provided with the complete privacy information also within the work collaboration contract” (see minutes cited p. 3);
with reference to the absence of the information for the riders placed at the bottom of the access form on the relevant portal and in the app, the Company represented that “what was detected is probably caused by a broken link” (see minutes cited p. 3);
with reference to the failure to load the page of the information for the riders “the event is attributable to a human error that occurred during the migration of the CMS from ButterCMS to Prismic. […] after the report by the Glovo legal team following what emerged during the investigation, the content of the page was corrected […]. In the period between July 20 and yesterday, the content of the page was not correctly made available” (see minutes of operations carried out on 7/27/2023, p. 2);
“Glovo has a contract with Braze, aimed at sending commercial communications via email, from which the rider can unsubscribe via opt-out” (see minutes cited p. 4);
the backend of the Glovo courier app was accessed to verify the third-party SDKs used and the data communicated; it was verified that the courier data sent to Braze are the email address, the courierID identifier and the telephone number (see minutes cited p. 4);
“the courier’s telephone number is sent to Braze only if present in the Glovo backend” (see minutes cited p. 4);
“in addition to the data explicitly sent by the Glovo Courier app to the third parties Braze, Firebase, mParticle […] other data may be communicated, through the SDKs made available by these third-party companies that the app uses” (see the minutes cited, p. 3);
it was also verified that the data sent to mParticle consists of the courierID and that the data sent to Firebase consists of the characteristics of the device, the operating system and the courierID (see the minutes cited, p. 4);
regarding the data relating to the telephone number, “this data is communicated to Braze for riders operating on Italian territory” (see the minutes cited, p. 2);
regarding the communications sent by Braze to the couriers, “in addition to commercial issues, this entity may also send riders communications relating to the functioning of the service (so-called transactional). In any case, the rider may opt-out of receiving messages” (see the minutes cited, p. 2);
as regards the rating, the party stated that it was not aware of the meaning of this parameter used by the app (see the minutes cited, p. 3);
by accessing the backend of the Glovo courier app, to verify the data exchanged between the app and the backend, it was verified that "both the excellence score and the "rating" are present among the exchanged data" (seeminutes cit., p. 3);
by accessing, via the backend of the Glovo systems, the databases used by the Company, for the purpose of storing information on riders, the fields of the table relating to riders were displayed and the table relating to the excellence score was displayed (see minutes cit., p. 3);
“the rating is a variable used by the excellence score” (see minutes cit., p. 3);
by accessing the database that stores the values relating to the rating scores, to view the information present, it was verified that “the database, in the courier_rating table, reports the values of the rating score, calculated on the basis of user feedback. The filtered table on riders operating in Italy was displayed” (see minutes cit., p. 4);
the query performed on riders operating in Italy was exported (see minutes cit., p. 4);
the Company stated that “the rating value in the courier_rating table is a value, from 0 to 1, used by the company in relation to the so-called flex business model which does not apply in Italy. The value is generated by the system even for riders operating on Italian territory […] the value used by the app backend is data left over from a previous version of the app, deprecated since 2021, and no longer used. From that moment on, the backend assigns a fixed value to the rating equal to 4.5 to each courier, by default” (see minutes cited, p. 4);
furthermore “the geolocalization of the courier is performed only when the courier is registered to a slot (countries with a free lance model) or is online on the app (countries with a flex model). If during this time the courier puts the app in the background, the localization continues” (see minutes cited, p. 4);
in order to verify the evidence presented during the inspection activity, the reporters accessed the backend of the Glovo Courier app. In particular, the response to the call to the backend systems endpoint was displayed, with the credentials of an operator with operations qualification and it was verified that the value of the rating variable is equal to 4.5 (see the report cited, p. 4);
“the app integrates Google Maps, which collects the rider's position according to its own timing, even when the rider is not active in the slot. This information is not used by the company, although it is received on its systems […]. Furthermore, in 2021, the command used to start tracking the couriers had a bug, which may have generated continuous geolocalization” (see the report cited, p. 5);
“the cases listed [by the Company] before the Court of Palermo [labor section, dated June 20, 2023] entail the disconnection from the slot, possibly operated by the company, which does not entail a definitive blocking of the rider's account” (see the minutes cited, p. 5);
“the assignment of an order takes into account various elements including: the collection and delivery point, the means of transport used, the maximum distance that can be traveled with a specific means of transport, any orders already assigned coming from the same store, the battery status of the rider's phone, the type of order based on the amount of cash in the rider's possession” (see the minutes cited, p. 5).
Finally, with a note dated September 15, 2023, to resolve the reservations formulated during the inspection, the Company represented that:
“all suppliers act as data controllers on behalf of Foodinho S.r.l. ("Glovo"). Therefore, the couriers' data are disclosed and/or made available to these companies on the basis of the respective art. 28 GDPR data processing agreements entered into by the parent company Glovoapp23, S.A. ("Glovo ES")” (note 15/9/2023 cit., p. 1);
“as regards the purpose of the processing and the legal basis identified by Glovo as the data controller for the processing activities in progress (in the context of which the suppliers can offer their services), these are indicated below. Braze: Glovo communicates the data to BRAZE in order to send transactional communications to the riders, as well as commercial ones. The legal basis for the processing of the riders' personal data is the performance of the contract with the couriers with regard to transactional communications (which may include, for example, problems with the platform, warnings about new features of the App, how it works for new users); and, as regards commercial communications, the courier's consent, or soft spam […] these are mainly incentives and/or potential bonuses (e.g. notification that, by booking a delivery slot on a certain day, the courier could earn more, or get a bonus)” (see note cit., p. 1, 2);
“Glovo communicates the data to mParticle which provides customer data platform (CDP) services that aggregate information (events) through various digital channels in order to send the right communication to the right recipient. For example, in the case of an order to be delivered only by bicycle (i.e. because the delivery point is located in an area where motorcycles are prohibited), mParticle collects this information and sends it to Braze to notify the order only to couriers with bicycles. The purpose of the underlying processing is to manage Glovo's business […]. The legal basis for such processing is the performance of the contract with the couriers. In addition, Foodinho may also share information with mParticle for analysis purposes. In this regard, the legal basis of the processing is Glovo's legitimate interest in understanding how couriers interact with the App, in developing new services and in analyzing the information derived from the services” (see note cit., p. 2);
“we use the Crashlytics function to detect and manage anomalous crashes in mobile and web applications used by couriers. Also in this case, the legal basis of such processing is the execution of the contract with the couriers” (see note cit., p. 2, 3);
with reference to the technical and organizational measures that the Company has adopted, also through the data exporter, to guarantee the interested parties a level of data protection adequate to European legislation, the “Transfer Impact Assessment conducted by Glovo ES as a contractor for the services provided by Google, mParticle and Braze for Glovo” was provided (see note cit., p. 3);
“the use of JUMIO was suspended and slowly implemented again after correcting bugs and errors in the application itself. The software is now back in use throughout the country” (see note cit., p. 3).
2. The initiation of the procedure for the adoption of corrective measures and the Company's deductions.
On 11 October 2023, the Office notified the Company, pursuant to art. 166, paragraph 5, of the Code, of the alleged violations of the Regulation found with regard to the data processing carried out through the digital platform used to carry out goods delivery activities, with reference to art. 5, par. 1, letter a), c), d), e), 6, 9, par. 2, letter b), 12, 13, 22, 25, 28, 32, 35, 88 of the Regulation; art. 2-septies and 114 of the Code; art. 1-bis, Legislative Decree 26/5/1997, n. 152, introduced with Legislative Decree 27/6/2022, n. 104; art. 47-quinquies, Legislative Decree 15/6/2015, n. 81.
With defensive briefs, sent on 11 December 2023, the Company, preliminarily and prejudicially contested the competence of the Guarantor "to decide issues related to the processing of personal data that occurs [...] through the Glovo platform and the Glovo and Glovo Courier apps [...] owned by GlovoApp23 SA [...] which also determines its operation and main functions".
Furthermore, the Company complained that the activity of the Guarantor "is a photocopy of that undertaken ex officio on 16 July 2019 through the inspection at the offices of Foodinho [which concluded with] provision n. 234 of 10 June 2021”. This would entail the violation of the principle of “ne bis in idem with respect to the previous proceedings opened against Foodinho and still sub iudice” and for this reason the Company has requested the suspension of the proceedings “at least until the judgment relating to the appeal of Provision no. 234/21 is concluded”.
On the merits, in relation to the individual disputes, the Company has declared that:
with reference to the sending of communications to riders at each change in status, “even if the sending of such communication occurs automatically (being generated by the system at the time of the change in the courier’s status), in the case of [deceased rider] the sending of the message depended on human error as the change in status (deactivation) prepared by an operator did not correspond to some of the cases foreseen by the system. On this point, while taking into account the Authority's observations (and the echo of the national press) regarding the inappropriate tone of the message, given the tragic circumstances of the specific case, it is believed that what happened is not sufficient to constitute a violation of the aforementioned GDPR provisions" (see note 11/12/2023 cit., p. 10);
"Since the Company opened in Italy in 2016, 120,857 couriers have been contracted. […] it is clear that it is inevitable to resort to a certain degree of standardization of automatic communication [which follows each change of status]" (see note cit., p. 11);
“it should be noted that the automatic communication in question was sent following the death of the courier (after the decision to deactivate the [rider] account) and, therefore, the data processing connected to the sending of this message must be considered excluded from the scope of the GDPR” (see note cit., p. 11-12);
“With respect to the alleged incompleteness of the information acquired during the Inspection […], the Company has voluntarily chosen to follow a “layered” approach”; […] “the completeness and clarity of the information provided must be assessed as a whole” (seenote cit., p. 13);
with regard to the absence of “an express reference to the “chats” and “emails” exchanged between couriers and customer care operators […] it is clear that if the contract reviewed and signed by the courier […] contains […] two express references to communications with a support channel, and in one of these a “written communication” is mentioned, the courier is necessarily aware of the processing of such communications” (see note cit., p. 13-14);
“based on an overall reading […] within the provisions of the Terms and Conditions and the information pursuant to art. 13 GDPR […], it is understood that the indication that geolocalization is “exclusively associated with the service” simply means that the activity in question is carried out to allow the courier to correctly provide its delivery services” (see note cit., p. 16);
“with regard to the processing of biometric data, the Company acknowledges that the language contained in the information notice in the files was not promptly updated following the temporary suspension of the biometric authentication mechanism due to the technical flaws found in July 2022. […] the processing of couriers’ biometric data was restored starting from March, so the current version of the information notice is correct and updated” (see note cit., p. 17);
“With respect to the appendix of the information notice […] attached to the Terms and Conditions […], containing an appointment as the courier’s data controller, it is specified that this is a material error. Indeed, such language - which refers specifically to the courier’s invoicing obligations […] is not applicable in the context of the contractual relationship between Foodinho and the couriers in Italy […]” (see note cit., p. 17);
“following receipt [of the notification of violations], Foodinho became aware of the error and promptly updated the information available online […], inserting the correct version of Annex I into the Terms and Conditions applicable in Italy, which refers to the processing carried out by the courier on behalf of Foodinho (i.e. as data controller) in the delivery of orders requested by users through the Platform” (see note cit., p. 17);
“Foodinho does not carry out fully automated processing pursuant to art. 22 GDPR” (see note cit., p. 18);
“with regard to the alleged violation of art. 1-bis of Legislative Decree 152/1997 on information obligations in the case of use of automated decision-making or monitoring systems, without prejudice to the absence of automated decision-making processes pursuant to art. 22 GDPR […] in order to further strengthen the transparency of its processes towards couriers, Foodinho has recently prepared a specific information notice regarding some of the processing that involves partially automated processes, including the logics relating to the Excellence Score and the slot assignment criteria […]. This information notice was adopted on 18 May 2023” (see note cit., p. 18);
“The number of human interventions that have taken place in the Excellence Score system and, in particular, those relating to the manual increase in capacity for a given time slot […] clearly constitutes “significant” supervision […]. And this is stated in the expert report” (see note cit., p. 20);
“even if one wanted to consider that the Excellence Score determines an automated processing […], there would be no violation of art. 22 GDPR since the applicability of this rule is expressly excluded in the case in which “the decision is necessary for the conclusion or performance of a contract between the data subject and a data controller” (art. 22, par. 2 GDPR)” (see note cit., p. 20);
“Even if the average data of deactivations emerging from the inspection acts is higher than that taken into consideration [in the expert report] this does not mean that the final output of the observation is not equal or even higher; which confirms the value of human intervention with respect to deactivations” (see note cit., p. 21);
“With reference to the other causes of disconnection that operate automatically (no show, out-of-area position, deactivation of geolocation, disconnection during the slot) ascertained during the inspection of 26-27.7.2023) it should be considered that they are not causes of disconnection of the account but only of loss of the slot” (see note cit., p. 21);
the expert report “provides an account of the human intervention in the grievance process; furthermore, the couriers are informed of the possibility of presenting their counter-arguments” (see note cit., p. 21);
“the possibility, on the part of Foodinho, to remove the so-called Guaranteed in the slots in correspondence with reassignments […] represents a form of protection towards the users of the Platform and the correct functioning of the service, without in fact representing a reduction in job opportunities” (see note cit., p. 22);
“the measure of facial recognition was adopted as a result of the negotiations of the experimental protocols of legality against gangmastering in the food delivery sector in the presence of the prefectural authority” (see note cit., p. 23);
“the measure of facial recognition was deemed by society to be adequate and effective against the commission of the crime in question or, at least, to counteract the negative effects and economic exploitation. […] It is clear that, as the Guarantor maintains, this measure in itself is not sufficient to avoid the phenomenon; however, it constitutes an effective deterrent” (see note cit., p. 23);
“it is believed that the measure of facial recognition can find a valid legal basis in art. 9, par. 2, lett. b) GDPR, since the right/duty of Foodinho as a company at risk of committing certain crimes such as gangmastering is to prepare an organizational model with exculpatory effect pursuant to Legislative Decree 231/01” (see note cit., p. 23);
“with respect to [the processing of biometric data], Foodinho has correctly carried out an impact assessment pursuant to art. 35 GDPR” (see note cit., p. 23);
with reference to the other processing operations involving data relating to riders carried out by the Company, “the DPIA was not mandatory pursuant to art. 35 GDPR, since it was demonstrated, both for the Excellence Score and for the grievance process, that there is no automated processing activity of courier data and profiling of the same” (see note cit., p. 24);
“the Platform does not allow viewing of data from couriers operating in other EU or non-EU countries. […] Access to limited categories of data with limited identifying power could be granted to a limited number of operators […]” (see note cit., p. 25);
“with regard to the finding that the Company did not provide feedback “despite the specific request in this regard” regarding the number of operators active on the Platform with the possibility of cross-country access, the reason for the lack of response lies in the fact that the request in question falls outside the jurisdiction of the Guarantor, as it concerns the levels of access and the technical specifications of the Platform (which […] is managed autonomously and entirely by GlovoApp23), as well as processing that pertains to other companies of the Glovo group as independent data controllers, subject to the control powers of the supervisory authority of the country of establishment” (see note cit., p. 25);
“the retention period relating to the processing carried out for the purposes of managing the relationship is dictated by specific provisions of law ([…] or, in any case, by general rules of the system that provide an indication of the reasonable period of time within which the data can still be considered “useful” for the owner” (see note cit., p. 26);
“data retention periods of ten years […] would be fully lawful also in relation to telephone call recordings […] in compliance with the principle of minimization of processing, pursuant to art. 5, par. 1, letter c) of the GDPR, as well as the principle of privacy by design pursuant to art. 25, par. 1 of the GDPR, the Company has decided to adopt a retention period of 36 months for telephone call recordings” (see note cit., p. 26);
also with reference to the retention period of the maps relating to the route taken by the couriers for each order, “the considerations set out [in relation to the recordings of telephone calls] apply” (see note cit., p. 26);
“the retention period [of the data contained in the maps], originally established at only ten months, has proven insufficient to guarantee the achievement of the purposes mentioned above, in particular with respect to requests for access by public authorities and Foodinho’s tax obligations” (see note cit., p. 26, 27);
with reference to the sending of data to third parties, “while recognizing that such errors are relevant for the purpose of assessing compliance with the data protection legislation by this Authority, reference is made […] not only to the good faith and spirit of cooperation of the Company […], but also to the diligent repentance of the same which, as soon as it became aware of such technical errors, immediately took steps to cease the irregularities” (see note cit., p. 27);
“these errors did not cause an improper communication of data to third parties, but rather a mere provision of information to contracted service providers” (see note cit., p. 27);
“with regard to the dispute relating to the lack of a legal basis for the processing of couriers for soft-spam or marketing purposes, the Authority’s interpretation according to which consent (or opt-out, limited to soft-spam) is not applicable in the context of the employment relationship existing with the couriers is rejected, given the fact that […] there is no subordinate employment relationship between the Company and the couriers” (seenote cit., p. 27);
“with regard to the “rating” item stored in the back-end of the Platform as an “empty” value and not actually used in the context of the processing of data of Italian couriers […] This is an item without any weight, which does not involve any further processing of the couriers’ data, but assigns a number, a mere mathematical value without any meaning and the same for everyone” (see note cit., p. 28);
“with regard to the violation of art. 88 GDPR, the rule does not apply as it does not impose obligations on private companies such as Foodinho, but only obligations to act on the part of the Member States” (see note cit., p. 28);
“with regard to the violation of art. 114 of the Privacy Code, however, this, containing a receptive reference to art. 4 of the Workers' Statute, is not applicable to Foodinho as couriers are not subordinate workers” (see note cit., p. 28);
“[t]he couriers are always free to give or not their availability for the various slots offered by Foodinho. The couriers decide in full autonomy whether and when to work” (see note cit., p. 28);
“the use of the Platform to organize delivery services, including geolocalization as well as the mechanism for assigning the Excellence Score for the opening of the slot calendar does not concern the exercise of a power of control and/or management, as erroneously pointed out by the Guarantor, but rather belongs to the intrinsic characteristics of the couriers' activity and to the performance of the service through the Platform itself” (see note cit., p. 29);
“even where art. 4 of the Workers' Statute, in any case, the tools that the Guarantor considers to be forms of remote control of couriers would be completely lawful as they would fall within the so-called "ordinary tools" necessary for the purpose of providing professional services" (see note cit., p. 31).
During the hearing requested by the Company, held on 21 December 2023, the Company stated that "the Company, with a view to collaborating with the Guarantor Authority, expressed its willingness to bring to the Authority's attention the initiatives it intends to propose regarding the processing of data relating to riders who were the subject of the dispute of 11 October 2023 with a communication that it undertakes to send by 15 January 2024".
On 15 January 2024, the Company presented further defensive briefs regarding "the proposed commitments" and on that occasion declared that "starting from 10 January 2023 [to be understood as 2024], the so-called fixed rating value of 4.5 assigned to each courier has been eliminated” (see note 15/01/2024, cit., p. 12).
The Company has also indicated some measures that it "proposes to adopt [...] with specific reference to the concerns raised" with the notification of violations of 11 October 2023, undertaking to send the Guarantor, by 29 February 2024, an update relating to: "ado[t] of a standard message specifically linked to the suspension of the courier account in the event of accidents", "revision of the] text of the standard message sent automatically at each change in the courier's status", "revision of all current versions of the information" provided to riders as well as the preparation of a "revised version of the specific information relating to the excellence score", the commitment to "improve transparency with respect to processing involving geolocation and partially automated processes as well as in the latter case the procedures available to the courier for disputes and complaints", "confirmation of the elimination, from the items potentially at the basis of a block or deactivation, those not applicable in Italy, namely "Bad rating" and "Many reassignments", "further elements supporting the legitimacy of the appeal to the processing of biometric data pursuant to art. 9.2., letter b) GDPR”, “a review and adaptation of the DPIA on facial recognition [and the preparation of] a DPIA relating to specific processing of couriers’ personal data, such as geo-localization and excellence score”, changes “in order to establish country-based segregation levels to prevent the viewing of courier personal data in other countries, except in a few limited cases supported by a documented need”, adoption of measures “in agreement with […] GlovoApp23 […] in the following six months”.
On 29 February 2024, the Company submitted a further memorandum in which it declared that: the items ““Bad rating” and “Many reassignments” […] starting from today […] will no longer appear in the Company’s systems as potential reasons for blocking or deactivation”, and that “it has eliminated those that, for operational reasons, are not used in Italy, specifically: Long delivery time; Courier not moving; High waiting time; B2B fraud; Data protection infringement”, has carried out “the DPIA relating to specific processing of personal data of couriers, such as geo-localization and excellence score”, has made some changes “regarding the levels of country-based segregation”, the access permission to the Livemap platform “as of today […] is not […] active for employees of Glovo group companies located in other countries”. The Company has represented that it has provided “the additional instructions provided to Comdata call center operators relating to the processing, […] having regard to any disconnections of the accounts [of] couriers carried out on the instructions of the Company” and that it has discontinued the service provided in Italy by Trizma.
The Company has also provided a copy of the standard messages, not yet implemented, to be sent to riders in the event of account suspension in the event of incidents, as well as at each change in the courier’s status. It has also provided a copy of the revised version of the information for riders and the revised version of the specific information relating to the excellence score.
With reference to the processing of biometric data, the Company provided a revised version of the DPIA on facial recognition and stated that biometric data are currently retained for the entire duration of the employment relationship although it is “currently discussing with Jumio the possibility of reducing these timeframes in light of the principle of proportionality”.
Finally, in the context of the impact assessment relating to the excellence score and geolocalisation, the Company stated that it intends to “adopt a series of corrective measures, including a remodulation of the methods of calculating the Score that allows it to be determined by further reducing the processing of data already used in the calculation process, eliminating the normalisation process […]. Furthermore, with reference to geolocalisation, the Company stated that it intends to adopt “further measures” namely “limiting the number of Foodinho teams and authorised personnel who need to access the Corriere information data available on “livemap.view”; [and] retaining the geolocalisation data for a limited period”.
Lastly, with a note dated 5 June 2024, the Company communicated that it had changed the retention periods for biometric data to “three (3) months from the last order in the case of inactive couriers” and “three (3) months from the deactivation of the account in the case of couriers whose accounts have been deactivated for reasons not attributable to facial recognition”. With reference to active couriers, “the Company will retain their Biometric Data for the entire duration of the collaboration with Foodinho. In this way, active couriers will be able to easily access and use their account for the entire duration of their collaboration with the Company”.
3. Preliminary questions: jurisdiction of the Guarantor and the principle of ne bis in idem.
Preliminarily, Foodinho s.r.l., with the defensive briefs of 11 December 2023, contested the jurisdiction of the Guarantor for the protection of personal data in relation to the processing of riders' personal data carried out through the operation of the digital platform owned by GlovoApp 23 SA, with registered office in Spain.
This dispute, for the following reasons, is unfounded. The Company, in fact, carries out data processing relating to the personnel responsible for the delivery of goods, on the basis of a standard contract which, for the performance of the work service, provides for the activation of an account on the Glovo Courier application to be accessed using credentials and password provided by the Company itself (see Annex 1, briefs 29/2/2024).
The data processing of couriers operating in Italy is therefore carried out through the platform by the Company (Foodinho s.r.l.), as data controller, i.e. the entity that decides the purposes and means of the processing itself (art. 4, n. 7 of the Regulation), as highlighted in the same information provided to riders (see Annex 2, p. 4, memos 29/2/2024, “Data controller ● Foodinho, S.R.L., Via Giovanni Battista Pirelli 31, 20124, Milan, Italy”) and in the agreement stipulated with GlovoApp 23 SA, relating to the use of the platform, where Foodinho s.r.l. expressly assumes the role of data controller for the processing carried out through it and the parent company GlovoApp (given that at present the parent company is no longer GlovoApp23 SA itself, but Delivery Hero SE) is designated as data controller (see Annex 3, inspection report 13/12/2022, Franchise agreement between Glovoapp23 S.L. and Foodinho s.r.l., 1/10/2019, point 18 “Personal Data Processing and Protection”).
Therefore, with respect to the processing carried out in Italy by Foodinho s.r.l., as an independent data controller, the only competent authority is the Guarantor for the protection of personal data.
In this case, in fact, contrary to what was believed, still preliminarily, in the defense briefs, the cooperation procedures provided for by the Regulation (Chapter VII, Section I) do not apply (otherwise, during the investigations that gave rise to provision no. 234 of 2021, the Authority had found evidence of some cross-border processing and had informed the Agencia Española de Protección de Datos - AEPD without delay).
The definition of “cross-border processing” contained in the Regulation − the implementation of which constitutes the prerequisite for the application of the aforementioned procedures (see art. 56. par. 1 of the Regulation) − refers to two distinct hypotheses.
The first concerns the “processing of personal data that takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State” (Article 4, No. 23, letter a) of the Regulation).
The second hypothesis refers instead to the “processing of personal data that takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State” (Article 4, No. 23, letter b) of the Regulation).
The investigation activity carried out by the Guarantor does not fall into either of the two aforementioned categories: in fact, it did not concern data processing carried out by GlovoApp23 SA, with registered office in Spain, towards interested parties operating on the national territory and in any case “in more than one Member State”, nor does the Italian company appear to be an “establishment” of the parent company given that Foodinho s.r.l. is an autonomous legal entity with registered office in Italy (see also, in this regard, paragraph 36 of the Regulation).
The processing operations subject to the control activity initiated by the Authority were in fact carried out in execution of contracts stipulated by the Italian company (contracts which therefore defined the reference framework for the purposes and methods of the processing itself), which excludes their possible cross-border nature, as instead erroneously envisaged by the Company.
Therefore, art. 13 of the Regulation applies to the case in question. 55, paragraph 1, of the Regulation, which establishes the competence of the national supervisory authorities to exercise the powers and perform the tasks assigned to them by the Regulation in relation to the processing carried out on the national territory by the entity established therein, for which the same acts as an independent controller (see also recital 122 of the Regulation).
Furthermore, the participation of Foodinho s.r.l. in a corporate group of which the Spanish parent company GlovoApp23 SL is also a part does not imply the loss of the competence of the Guarantor, pursuant to EU Regulation 2016/679, with regard to the processing carried out by the Italian company on data subjects working in Italy, nor does it imply the loss of the legal subjectivity of Foodinho, as an independent center of imputation.
As already clarified by the Authority, the existence of a group of companies does not result in the configuration of a new center of imputation of legal relationships that overlaps with the individual companies belonging to the group.
Participation in a corporate group, therefore, does not determine a formal legal unification of the corporate entities involved, which maintain their distinct legal subjectivity (see Provv. 5/12/2022, n. 427, 3.1., web doc. n. 9856694; in a similar sense see the Guidelines 07/2020 on the concepts of data controller and data processor under the GDPR, version 2.0, adopted by the European Data Protection Board (EDPB) on 7 July 2021, p. 32, point 89: “within a group of companies, a company other than that of the data controller or the data processor is a third party, even if it belongs to the same group to which the company acting as data controller or data processor belongs”).
In conclusion, for the reasons set out above, no provision of the Regulation attributes competence to the Agencia Española de Protección de Datos (AEPD), in relation to the processing described in the introduction, subject to investigation by the Italian Authority, as instead believed by the Company (in accordance with the Court of Cassation, order 29/9/2023, no. 27189, concerning the previous provision adopted by the Guarantor specifically against the Company - on which more extensively below: "Even in the case of data processing via a platform, the processing carried out by an Italian company operating in the national territory, with its own autonomy of structure and negotiation, can (and indeed must) be kept separate from that carried out by a supranational parent company (in this case GlovoApp23). The processing carried out by Foodinho, according to the factual finding that can be deduced from the contested ruling, was (and is) a data processing independently managed by the Italian company as owner, by virtue - it is understood between the lines - of the contracts stipulated from time to time with the riders”).
From a different perspective, regarding the qualification of the proceeding in question as a “photocopy [of the initiative] undertaken ex officio on 16 July 2019 [by the Guarantor]”, it is observed that this assumption has no legal or factual value.
First of all, it should be emphasized that, in order to be able to envisage the violation of the prohibition of bis in idem, it is necessary, in general terms, that some specific conditions occur simultaneously: 1) that the subject subjected to the sanction is the same; 2) that the fact judged coincides in the two different proceedings; 3) that one of the two proceedings ended with a definitive sanction (on the necessary presence of such conditions see ECHR, judgment A and B v. Norway, 15 November 2016, which went beyond what was previously established with the judgment Grande Stevens and others v. Italy, 4 March 2014; Court of Justice, 20 March 2018, Case C524/15 Menci; see also Case C536/16 Garlsonn Real estate-Ricucci, Joined Cases 596/16 and 597/16 Di Puma and Zecca).
In the case in question, the proceedings were initiated by the Guarantor at different times and on different grounds against Foodinho s.r.l.
With regard to the provision of 10 June 2021 n. 234 (web doc. 9675440), it is specified that the same was challenged by the Company and initially annulled by the judge of merit (Milan Court, sentence no. 35612 of 12/4/2022). However, the Court of Cassation subsequently ordered the annulment of the sentence of the Milan Court (Cass., I civil section, order no. 27189 of 22/9/2023). At present, the Authority's provision has become unappealable, following the failure of the Company to resume the case before the competent court.
In this case, it is in any case clear that there is no sameness of fact in the two proceedings and therefore the risk of bis in idem cannot be envisaged, not even in theory.
The two proceedings have different treatments as their object, therefore there is no identity of the fact, that is, there is no historical-naturalistic correspondence between the object of the two proceedings, considering all the constituent elements (conduct, event, causal link) and taking into account the circumstances of time, place and person (see Constitutional Court, judgment of 8/3/2018, no. 53 on the notion of idem factum for the purposes of the operation of the principle of ne bis in idem, in the criminal field; this decision recalls Constitutional Court, 21/07/2016, no. 200 to which it refers, again in the criminal field and always with reference to the notion of idem factum, Criminal Court of Cassation, III section, judgment of 7 February – 22 March 2023, no. 12005).
Provision no. 234 of 2021 in fact concerned the processing of personal data of riders operating in Italy carried out by the Company as ascertained with an inspection on 16 and 17 July 2019. The object of the provision, therefore, concerns the data processing carried out by the Company up to that time; the present proceeding, instead, focuses on the data processing carried out by the Company, as ascertained during the inspections carried out on 13 and 14 December 2022, 28 February and 1 March 2023 and 26 and 27 July 2023, and analyses types of processing, albeit connected to the employment relationship with the riders, which were not assessed in the first proceeding (in particular: the processing of biometric data, which is the subject, as the Company itself highlights, only of the present proceeding, as well as the processing consisting in the communication of data to third parties, the deactivation and blocking of the riders' accounts, the processing in violation of art. 47-quinquies of Legislative Decree 81/2015 and art. 1-bis of Legislative Decree no. 152/1997).
These are therefore proceedings with which investigations were carried out relating to different treatments, having a non-overlapping object in concrete terms: the treatments taken into consideration, therefore, relate to different time periods, carried out with respect to different interested parties (given the partial and physiological turnover of the group of riders), whose treatment methods have been modified over time by the Company (for example, with regard to the documents containing the information, the retention periods of the collected data, the impact assessment, the methods of carrying out automated treatments) and with respect to which the Authority has examined aspects that do not coincide with those covered by the previous proceeding.
The Company itself, in the defensive documents of 11 December 2023, acknowledged that the new proceeding presents elements that distinguish it from the one that led to the adoption of provision no. 234 of 2021 (see note 11/12/2023, p. 8, 9). In particular, in fact, in a schematic table in which it listed the objections motivated funditus by the Authority, the Company specified, among other things, that:
- the objection relating to art. 5, par. 1, letters c) and d) of the Regulation in provision no. 234 of 2021 “was not raised because the case of [S.G.] that determined it had not yet occurred. Moreover, the new inspection investigation arose precisely from the news spread by the main newspapers of the affair related to the deceased courier”;
- with reference to art. 5, par. 1, letter a) and 13 of the Regulation, the processing of biometric data “was not carried out in 2019”;
- with reference to art. 5, par. 1, letter e) of the Regulation, the violations contested in the notification relating to the proceeding in question are “declined with respect to the current situation and the results resulting from the new accesses”;
- with reference to art. 22, par. 3, of the Regulation, with the notification relating to the proceeding in question “in addition to the processing connected to the courier excellence score system, the procedure of deactivation (grievance) and blocking of the account when certain predetermined conditions occur is also considered an automated processing of personal data.
This last consideration is the result of the case of Mr. [S.G.] on the basis of which the Guarantor initiated the second inspection”;
- with regard to art. 47-quinquies of Legislative Decree 81/2015, the dispute in question is “declined on the Galassi case and on the hypotheses of grievance for reassignment of the order”;
- “in addition to the previous Provision no. 234/21, in the new proceeding the violation of art. 5, par. 1, letter a), 9, par. 2, letter b) of the GDPR 11 December 2023 and art. 2-septies of the Privacy Code is contested in relation to the processing of biometric data of couriers. This is because before 2020 this processing was not carried out”;
- “with respect to the previous proceeding, the sending of courier data to third parties is relevant as part of the processing activity carried out through the Platform using systems such as Google Firebase, Braze and mParticle”.
It therefore emerges that the Company itself has perfectly perceived the many aspects of novelty and diversity of the present proceeding, compared to the one initiated in 2019 and concluded with provision no. 234 of 2021.
By reasoning differently - and therefore trying to follow the interpretation of the principle of ne bis in idem that was provided by the Company in the absence of any legal basis -, one would come to believe that the subjects against whom the Authority has already adopted a previous provision that has found the unlawfulness of specific processing could no longer be subjected, by the same Authority, to investigations aimed at examining other data processing similar to those for which a provision has already been adopted.
The vulnerability to the protection of rights that would thus be created is evident (see the aforementioned Constitutional Court, judgment of 8/3/2018, no. 53, which clarifies that "the case law of legitimacy appears to be firm in holding [...] that, with regard to the continuing crime, the prohibition of a second trial concerns only the conduct carried out in the period indicated in the indictment and ascertained with the irrevocable judgment, and not also the continuation or resumption of the same conduct at a later date, which constitutes a different "historical fact", not covered by the res judicata, for which there is no impediment to proceeding (among many, Court of Cassation, sixth criminal section, judgment of 5 March - 15 May 2015, no. 20315; third criminal section, judgment of 21 April - 11 May 2015, no. 19354; second criminal section, judgment of 12 July - 13 September 2011, no. 33838)”).
It is also considered appropriate to note that the references to art. 83 par. 3 of the Regulation and to the Guidelines 04/2022 on the calculation of administrative pecuniary sanctions pursuant to the GDPR adopted by the EDPB on 24 May 2023 (which the Company uses to support its reconstruction regarding the principle of ne bis in idem) are not at all relevant.
In particular, the Company argued, with reference to art. 83 par. 3 of the Regulation, that “the identification of the constituent elements of the right to ne bis in idem is also significant in the context of the GDPR, where, first of all, art. 83 (3) establishes the prohibition of cumulation between individual sanctions” (see note 11/12/2023, p. 9), therefore arguing that the principle would find application in par. 3 of art. 83 of the Regulation.
From reading the aforementioned provision (“If, in relation to the same or related processing, a controller or processor intentionally or negligently infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the most serious infringement”), it is clear that the same regulates a special form of legal accumulation of administrative fines, in the event that the processing (or related processing) infringes several provisions of the Regulation. It is therefore incomprehensible how such a reference can support the Company's reconstruction.
It should be added that even the reference to the aforementioned EDPB Guidelines is neither useful nor correct to support the Company's thesis; this is because the EDPB, analyzing art. 83 par. 2 lett. e) of the Regulation, has specified that, in calculating the sanction, the supervisory authority may consider as an aggravating factor the existence of previous relevant infringements committed by the controller.
In this regard, the cited Guidelines also underline that “the absence of previous violations […] cannot be considered a mitigating factor, as compliance with the GDPR is the norm. If there are no previous violations, this factor can be considered neutral” (see point 94 of the cited Guidelines).
Therefore, the commission of previous violations is among the circumstances that the Guarantor must evaluate, when adopting a measure relating to an unlawful processing (even more so if they are relevant violations, see point 88 of the cited Guidelines “violations having the same subject matter must be considered more important, as they are closer to the violation currently under investigation, especially when the data controller or processor has previously committed the same violation (repeated violations). Therefore, violations having the same subject matter must be considered more relevant than previous violations concerning a different matter”).
The aforementioned Guidelines therefore highlight the importance, for the purposes of increasing the administrative pecuniary sanction, of the assessment of previous types of unlawful acts against the controlled entity, which are even more relevant if pertinent (see point 87 of the aforementioned Guidelines “For the purposes of Article 83, paragraph 2, letter e), GDPR, previous violations having the same or different object from the one under investigation could be considered “pertinent”). The possibility for a supervisory authority to assess the conduct of a subject, even if it has already adopted a previous measure against the same, is therefore fully in line with the system.
Finally, it is recalled that the Authority, given Article 83 par. 1 of the Regulation, when adopting administrative pecuniary sanctions, ensures that they are “effective, proportionate and dissuasive” with regard to the specific case.
On the merits, following the examination of the declarations made to the Authority during the proceedings and the documentation acquired, it appears that the Company, as the data controller, has carried out some processing operations that are not compliant with the regulations on the protection of personal data.
In this regard, it should be noted that, unless the fact constitutes a more serious crime, anyone who, in proceedings before the Guarantor, falsely declares or certifies information or circumstances or produces false acts or documents is liable pursuant to art. 168 of the Code "False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor".
Considering that during the proceedings documents written in English were produced, among other things, not all accompanied by a translation into Italian, it is recalled that the documentation produced in the context of proceedings initiated by the Guarantor for the protection of personal data must be written in Italian as required for procedural documents by art. 122 of the Civil Procedure Code, also considering the more general regulatory provision (art. 1, L. 15 December 1999, n. 482, Provisions on the protection of linguistic minorities) which provides that the Italian language is the official language of the Italian Republic.
4.1. Violation of the principles of correctness, adequacy, relevance and accuracy of the processing (art. 5, par. 1, letters a), c) and d), of the Regulation). Violation of the principle of privacy by design and by default (art. 25 of the Regulation).
On the merits, following the investigation, it was ascertained that the Company, on 3/10/2022, sent, to the account of [S.G.], a message with the following content: “Important: account deactivated. Dear [S.G.], Glovo intends to offer an optimal experience to its couriers, partners and customers. To maintain a healthy and fair platform, it is sometimes necessary to take action when one of these users does not behave properly. We regret to inform you that your account has been deactivated for failure to comply with the Terms and Conditions. If you still have outstanding payments at the end of the next billing period, you will receive the details of the last order for invoicing. If you need to contact us for any reason, please use the form available on the courier website” (see screenshot on Repubblica, Florence news, 4/10/2022).
According to the Company’s statements, the head of external and institutional relations, […], at 5:57 PM on 2/10/2022 received an ANSA news item dated 2/10/2022 (“Car-scooter collision in Florence, victim is a rider”, where the text continues to specify that the boy, unidentified, was making deliveries on behalf of Glovo) together with other Glovo representatives.
The next day, 3/10/2022, at 9:01, the Team Operation manager contacted an operator with the following instruction: “I would say to do as for the others. We put it DISABLED and leave the note in the description” (minutes 28/2/2023, p. 3 and Attachment 6).
The operator stated that he “received the instruction to proceed with the deactivation verbally from the Team Operation Manager, […], and that he is not aware of the automatic email generation procedure as it is the responsibility of the parent company Glovoapp23 SL” (inspection minutes 14/12/2022, p. 8).
In this regard, the Company also stated that, “after [S.G.'s] account had been manually deactivated, the message concerning the deactivation of the account was sent automatically, by the system to the Courier, by mistake, since such deactivation did not originate from any violation of the Terms and Conditions, and furthermore there was no standard ad hoc response for such a dramatic situation” (Note on the dissolution of reserves 23/12/2022, letter B.).
Furthermore, “the communication received from Mr. [S.G.] is automatically transmitted when the system registers a change in status. In fact, Mr. [S.G.] should not have received any communication regarding the deactivation or blocking of the account as it was not requested based on the specific circumstances of the case” (Note on the dissolution of reserves cit., letter C.).
In confirmation of this, the Company specified that the “communication received from Mr. [S.G.] […] is sent, in addition to one of those [envisaged for the grievance and blocking procedures], at each change in the rider’s status. […] In the case of Mr. [S.G.], given the circumstances, the sending of this communication is due to human error” (inspection report 28/2/2023, p. 7).
Based on the statements in the documents, it therefore emerges that the sending of the message relating to the deactivation, received on S.G.’s account. two days after the fatal accident, was not due to “human error”. In fact, although the deactivation was carried out manually after the news of the rider’s death, the message received on the account was sent due to the configuration of the system used by the Company, which is set to automatically send a standard message at every change of status, regardless of the reasons for the deactivation itself.
Therefore, following the investigation into the specific case involving the rider who died in 2022, it emerged that the automatic sending of a standard message concerns the entire group of riders.
The automatic sending of the message at every change of status violates the principles of accuracy, adequacy, relevance and correctness in the cases in which, according to what was declared, the account is deactivated, i.e. in the cases of grievance/deactivation and blocking.
In fact, although it is possible, according to what the Company has declared, to reactivate the account both in the event of deactivation and blocking - if the rider presents counter-arguments deemed suitable or carries out the required actions - the standard message indicates that the disconnection has a definitive character ("your account has been deactivated for failure to comply with the Terms and Conditions"), without any reference to the possibility of taking action to modify the change in status (indeed, it is specified that "at the end of the next billing period you will receive the details of the last order for billing").
Finally, considering that the processing carried out, by sending the standard message reported above, based on the system configuration, occurs automatically and independently of the possible specific cases, it appears that the Company has not implemented the principles of data protection, from the design and by default. Correct observance of these principles in fact requires the data controller to implement measures aimed, among other things, at “providing transparency regarding the functions and processing of personal data” and “allowing the data subject to control the processing of data” (see recital 78 of the Regulation).
The employer must therefore adopt measures to ensure compliance with the principles of data protection by design and by default (Article 25 of the Regulation) throughout the entire life cycle of the data, “incorporating into the processing appropriate measures and safeguards to ensure the effectiveness of the principles of data protection and the rights and freedoms of data subjects” and ensuring that “by default only processing that is strictly necessary to achieve the specific and lawful purpose is carried out”, also with regard to the data retention period, “at all stages of the design of processing activities, including procurement, tendering, outsourcing, development, support, maintenance, testing, storage, deletion, etc.” (“Guidelines 4/2019 on Article 25 - Data protection by design and by default”, adopted by the EDPB on 20/10/2020).
In the case of the deceased rider, then, sending the message reported above resulted in a treatment in violation of the principles of accuracy, adequacy, relevance and correctness, considering that the disconnection did not occur due to a violation of the Terms and Conditions of use of the platform, as stated by the Company itself, but rather for the purpose of "preventing third parties from using the account" (see note 27/12/2022, letter B). On the other hand, it is the Company itself that declared that the deceased rider "should not have received any communication of deactivation or blocking of the account as it was not requested based on the specific circumstances of the case".
Furthermore, based on the excerpt of the messages exchanged on the SLACK messaging system, limited to what was made available to the Authority, it emerges that the Company had already adopted the same procedure in similar (if not identical) situations (the Team operation manager specified to the operator: "I would say to do as for the others").
During the proceedings, the Company objected that the objection made by the Guarantor would be unfounded since the processing relating to the sending of the message via email, after the death of the rider "must be considered excluded from the scope of the GDPR" considering that the Regulation "does not apply to deceased persons" (see defense briefs 11/12/023, p. 11-12).
This argument cannot be accepted.
In general terms, the Regulation, in recital 27, has delegated to the Member States the possibility of providing rules regarding the processing of data relating to deceased persons (so much so that the definitions of "personal data" and "processing" contained in art. 4 of the Regulation do not specify anything in this regard).
The Code, in art. 2-terdecies (Rights concerning deceased persons), establishes that the rights attributed to the interested party (by articles 15 to 22) can be exercised by those who have a personal interest or act to protect the interested party, as his agent, or for family reasons worthy of protection. Therefore, our legal system recognizes, under certain conditions, the protection of the personal data of deceased persons. The Guarantor has ruled on the point, underlining how “the rights referred to in Articles 15 to 22 of the GDPR […] are embodied in the right to request that the data controller comply with the sector provisions on the protection of personal data and with the “principles applicable to the processing of personal data” in compliance with the conditions of “lawfulness of processing”, as compatible (see provision no. 2 of 10/1/2019, in www.gpdp.it, web doc. no. 9084520. On the data of the deceased, see also provision no. 118 of 7/4/2022, ibid., web doc. no. 9772545; no. 90 of 23/3/2023, ibid., web doc. no. 9888188)” (Provv. no. 82, 22/02/2024, doc. web no. 9996647).
In this case, then, the Guarantor, starting from the text of the email sent by the Company to the rider's user, after the fatal accident that involved him, made known to the press by the boy's family, started a control activity starting from the methods with which the Company disconnected from the platform and made it known to the interested party, through the email communication of 3/10/2022. The processing activities subject to the inspection activity therefore concern the entire group of riders who carry out delivery activities on behalf of the Company.
It is noted that during the proceedings, after the notification of the violations made by the Authority, the Company has developed a standard message to be sent automatically in the event of deactivation carried out when "incidents" occur and a message to be sent automatically at each change of status, thus distinguishing the different deactivation hypotheses and announcing a further communication that will contain the details of what is contested to the rider and indications on how to provide clarifications (see note 29/2/2024, Annex 1). Even if, at present, these planned changes have not been concretely implemented by the Company.
Furthermore, the objections formulated by the Company, in the defense briefs, with regard to the occurrence of a "human error", cannot be accepted, given that - as already argued above - the sending of the message to the deceased rider occurred automatically, as indeed on the occasion of each change of status. Nor can the circumstance that the contracted riders are numerous, with the consequent “inevitable recourse to a certain standardization of automatic communication”, be considered suitable to affect the need to adopt messages, even standardized, however differentiated and complete with information relating to the methods for revoking the disconnection or blocking (an activity that the Company has undertaken to carry out).
Finally, it is noted that, at present, no changes have yet been made in order to send standard messages, therefore, without prejudice to any assessment regarding the compliance with the data protection principles of the new messages prepared by the Company (currently provided exclusively in English), it follows that the Company has violated, in the terms indicated above, Articles 5, paragraph 1, letters a), c) and d) (principles of correctness, adequacy, relevance and accuracy of processing) and 25 (data protection by design and data protection by default) of the Regulation.
4.2. Violation of the obligation to provide information (art. 13 of the Regulation).
With reference to the documents containing the information on the processing of data prepared by the Company acquired during the investigation, it is noted, preliminarily, that, despite the plurality of the same, the purpose of art. 13 of the Regulation cannot be considered to have been effectively achieved.
The mere preparation of a plurality of information documents, in fact, cannot be considered, as the Company erroneously claimed, the expression of a "layered approach" and, therefore, an element, in itself sufficient to prove compliance with art. 13 of the Regulation.
The Authority's assessments regarding the multiplicity of information documents prepared by the Company derive, among other things, from the consideration of the negative effects resulting from the confusion generated by non-homogeneous information content and not corresponding to the notion of "layered information" provided for by the Guidelines on transparency pursuant to Regulation 2016/679 adopted by the Article 29 Group on 29 November 2017 and amended on 11 April 2018, adopted by the EDPB, but which are discordant and absolutely not coordinated, as will be illustrated below.
In this regard, the reference to art. 12 par. 7 of the Regulation, which specifies that in order to provide an “overview of the intended processing” “the information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardized icons”, carried out by the Company, appears irrelevant, given that the object of examination and dispute by the Authority was not the reference to any standardized icons, but the numerous and uncoordinated documents that the Company has prepared, from the examination of which it emerged that the Company has confused the need for quality of information to be given to data subjects regarding the processing, with the quantity of documents that should contain the same.
Furthermore, the aforementioned Guidelines on transparency specify that “In light of the quantity of information to be provided to the data subject, in the digital environment the data controller may follow a layered approach, opting for a combination of methods in order to ensure transparency. In order to avoid information overload, the Working Party recommends in particular the use of layered privacy statements/information notices to link the various categories of information to be provided to the data subject, rather than inserting all the information in a single information notice on the screen” (see Guidelines cit., point 35). Among the aspects that must be taken into consideration to assess whether the controller has fulfilled the obligation to inform data subjects, “the consistency of the information both between the different layers of a […] information notice and within each individual layer” is indicated (see Guidelines cit., point 35).
The layered approach, therefore, means that, after a first level of information notice (i.e. “the main method with which the controller addresses the data subject”, see Guidelines cit., point 36), further layers of specification regarding the data processing carried out follow. The aforementioned approach, therefore, should allow the interested party to understand more clearly how their data is processed, avoiding an excess of details that could be useful to know, in certain cases, by accessing the further level of information.
From the examination of the documents prepared by the Company, however, the absence of a coherent "layered approach" emerges, as well as the total lack of real coordination of content between the various information documents with the consequent impossibility, for the interested parties, to have a clear (and realistic) picture of the variety of treatments that the Company carries out on their data collected in the context of the employment relationship.
Not only, therefore, from the examination of the individual documents as well as from the joint examination of the same, it emerges that the Company has not realized the need to provide the interested parties with the necessary complete information, but it is also evident that it has not even managed to realize the need to provide the aforementioned information in a concise, transparent, intelligible and easily accessible form (see Guidelines cit., point 34).
4.2.1. The information taken from the Company's website and the document containing "Terms and conditions of use of the Glovo platform for couriers", delivered by the Company during the inspection of 13 and 14 December 2022.
The document containing the information, undated, delivered by the Company during the inspection of 13 and 14 December 2022, taken from the Company's website (https://glovoapp.com/it/legal/privacy-couriers/) (Annex 7 of the minutes of 14/12/2022), which has the same content as the information attached to the copies of standard contracts provided during the first inspection (Annex 2 of the minutes of 13/12/2022) must be considered to have been drawn up in violation of Articles 5, paragraph 1, letter c). a) (principle of transparency and principle of fairness), 12 and 13 of the Regulation: the information contained in the aforementioned document is not in fact provided “in a concise, transparent, intelligible and easily accessible form” nor is it provided “all the information referred to in Articles 13 and 14”.
In the information in question, in particular, the categories of rider data that the Company processes are not identified in full, so much so that point 2 therein, dedicated to the “data collected”, introduces them with an exemplary statement (“below, we list an example of data that we collect and the related purposes of processing”); among other things, the data on order management are not indicated, nor the data relating to chats and emails exchanged between riders and customer care operators, data which, instead, from what emerged during the inspection, the Company processes.
With regard to the categories of data, the Company's observation that "the various information documents provided to couriers in the context of the relationship with Foodinho should not be understood as separate information, but should instead be considered as a whole" and "to start collaborating with the Platform, couriers are required to download the relevant app and accept the Terms and Conditions where [...] such categories of data are expressly mentioned" is devoid of merit for the reasons stated above (see paragraph 4.2), and it should be noted that the information in question here does not refer to any further document, not even to the "Terms and Conditions", for the complete indication of the data processed.
Furthermore, to argue, as the Company does, that “the courier is necessarily aware of the processing of such communications for support purposes” with regard to the data relating to the “chats” and “emails” exchanged between the couriers and the customer care operators, since in the contract signed by the riders to which the information is attached there is a reference to the “existence of exchanges with a “support” function” (see note of 11/12/2023, p. 13, 14), is not acceptable: as already underlined, in fact, with the information the data controller must provide the interested party with all the information in a concise, intelligible and easily accessible form, not generic information that must be interpreted, inferred and searched for within the various relevant documents that define the relationship with the rider.
Furthermore, in this regard, although the Company declares that the information regarding the processing of data relating to the "chats" and "emails" exchanged between couriers and customer care operators are "also provided during the interview that precedes registration on the Platform" (see note of 11/12/2023, p. 14), it is noted that no evidence of this has been produced before the Authority.
Furthermore, the information in question is not clear and intelligible, with reference to the identification of the conditions of lawfulness and the purposes of the processing (which, among other things, have been included in the same section), between which there is often no coordination: again within point 2, "Data collected", where the respective legal bases and the purposes of the processing are indicated for the selected data, in fact, it is not possible to distinguish one from the other.
Furthermore, although multiple legal bases are indicated within the aforementioned point 2, in point 4 - "purpose and legal basis of data processing" -, it is specified that "the data will be processed exclusively for the purpose of correctly executing the contractual relationship between the parties", thus making the lack of alignment between the two sections within the same document evident.
The Company's reference to the principle of accountability is also completely irrelevant with respect to the objections raised by the Authority, with reference to art. 13 of the Regulation.
The relevance attributed by the Regulation to the principle of accountability does not, in fact, entail the loss of the Authority's powers with regard to the assessment of the conformity of a data controller's conduct with respect to the personal data protection regulations, not even with regard to the obligation on the data controller to provide information on the processing pursuant to art. 13 of the Regulation.
The object of the dispute regarding the information on the conditions of lawfulness and the purposes of the processing, among other things, did not concern, as the Company would seem to believe, "the format and methods" with which such information was provided, but the fact that the information provided does not comply with the requirements of completeness and clarity required by the rules (articles 12 and 13 of the Regulation) and instead generates confusion and uncertainty in the interested party, with respect to the processing of his personal data.
Also with reference to the conditions of lawfulness of the processing, in relation to the indication, within point 4, of the "explicit consent of the courier" as the legal basis of the processing, it is first of all observed that the reference to the consent of the rider for the processing of unspecified data is so generic as not to allow the identification of the data in relation to which the Company deems the same a suitable condition of lawfulness of the processing.
It is also noted that, as a rule, consent in the context of the employment relationship, given the asymmetry between the parties thereof, does not constitute a condition for the lawfulness of processing with regard to data relating to the employment relationship (see Opinion No. 2/2017 of the Article 29 Working Party, par. 2 “It is important to recognize that employees are rarely in a position to freely give, refuse or withdraw consent to data processing, given the dependence arising from the employer/employee relationship. Except in exceptional situations, employers should rely on a legal basis other than consent”).
In this regard, the Company's objection regarding the "loss of all reason to exist" of this dispute since "the qualification of the relationship between the Company and the couriers proposed by the Guarantor [...] in terms of an employment relationship is clearly not correct" (see defence briefs 11/12/2023, p. 15), appears not to be shared given that, as the Article 29 Working Party itself has underlined, the problems arising from the qualification of consent as a suitable legal basis do not only concern the employment relationship, but any work situation in which there is an imbalance between the position of the person performing the work and that of the person for whom the work is performed (see in particular Opinion no. 2/2017 of the Article 29 Working Party, par. 2). In recent decades, new business models served by different types of employment relationships have become more common, in particular the use of freelance workers. This opinion intends to address all employment relationship situations, regardless of whether such relationship is based on an employment contract”).
Furthermore, recital 42 of the Regulation specifies that “consent should not be considered to be freely given if the data subject is not in a position to make a genuinely free choice or is unable to refuse or withdraw consent without detriment”. Circumstances that cannot be considered to be present in the case at hand, given the specific characteristics of the relationship between the Company and the riders.
In this regard, it is also emphasized that the Authority has ascertained that the processing of personal data of the riders is carried out by the Company in the context of an employment relationship, now governed by art. 2, Legislative Decree no. 81/2015 (as amended by art. 1, paragraph 1, letter a), nos. 1 and 2, Legislative Decree no. 3.9.2019, n. 101, converted with amendments into l. 2.11.2019, n. 128) and therefore the “regulations of the subordinate employment relationship” apply to them (see funditus par. 4.12).
With reference to the “geolocalization” section (point 3), some legal bases are indicated in a generic way and seem to refer to the purposes of the processing (in particular: “fight against terrorism”, “money laundering”, “crimes against public health”), moreover, contrary to what the Company claims, they are not specified in any way in point 2 of the information.
With regard to the Company's statement that "the information included in the Terms and Conditions includes further information regarding geolocation processing, with a clear indication of the applicable legal bases" (see note 11/12/2023, p. 15), we simply specify that, in the aforementioned point 3 of the information in question, there is no reference to the document containing the "Terms and Conditions" through which the interested party could abstractly, according to the Company, understand that further information regarding geolocation would be contained therein (on the issues relating to the "Terms and Conditions" document, see below).
The processing methods (point 6, "processing methods") are then indicated in such vague terms as not to provide useful information for the interested parties.
In this regard, it is recalled that the need to provide information regarding the processing methods derives from the combined provisions of articles. 5 and 13 of the Regulation, given that knowing how your data is processed is the maximum expression of the principle of transparency: without indications regarding the methods of processing, the so-called information notice is missing a central and essential part to understand how the data controller actually carries out the processing itself.
In confirmation of this, the Transparency Guidelines cited, in illustrating the concept of transparency, recall recital 39 of the Regulation according to which “it should be transparent to natural persons how personal data concerning them are collected, used, consulted or otherwise processed, as well as the extent to which the personal data are or will be processed” (see Transparency Guidelines cited, point 6).
Furthermore, part of the content of the information notice is not consistent with what was found during the inspection.
In particular, within point 7, “metrics”, it is specified that “no profiles are created”, and that “the controller does not adopt decisions based on automated decision-making processes”. However, this contrasts with what emerged during the inspections, regarding the automated processing of data relating to riders and the creation of profiles: within the system of excellence and assignment of shifts (slots) to riders; within the system of assignment of orders; in the event of disconnection and blocking of the account (see document "Terms and conditions of use of the Glovo platform for couriers" delivered by the Company during the inspection of 13 and 14 December 2022).
The lack of transparency and clarity is also found with reference to what is indicated in the matter of geolocalization, again within point 7, "metrics", of the information in question; geolocation is, in fact, defined as “direct and exclusively associated with the service”, “temporary and not exhaustive, but rather limited to a short route between two mandatory points that the Courier cannot choose” despite the fact that the processing carried out through the rider’s geolocation systems has as its object the rider’s data and therefore constitutes in all respects personal data relating to the rider and not “to the service”.
This is also confirmed by what emerged from the inspection activity (see minutes of operations carried out, 14/12/2022, p. 7). The wording used by the Company does not allow interested parties to understand what the processing of geolocation data actually consists of.
The section relating to geolocation also indicates that “the owner may, only in the event that the Courier directly activates the geolocation function on his device and only during the hours in which the Courier carries out delivery tasks, receive information relating to the geographical position of the mobile device used”.
This information is not consistent with what emerged during the inspection regarding the fact that the GPS also works when the app is in the background and, until 8/22/2023, even when the app had not been opened.
From the analysis of the aforementioned information, it also emerged that the indications provided, regarding the processing of biometric data, are not clear nor do they correspond to what emerged from the investigation activity: in point 8 ("authentication process") it is specified that the processing of biometric data has been carried out "since November 2020" despite the Company having declared, during the investigation, that the processing of biometric data was interrupted in July 2022.
In this regard, the Company also declared that "the Jumio test currently underway consists of the following phases: 1. at the beginning of February, an initial activation of facial recognition was carried out on 3.28% of the Couriers active in Italy. 2. On February 20, it was extended to 18.33% of active Couriers. 3. On February 27, it was activated on a smaller percentage of 15.55%. 4. On March 13, the test was extended to 32.61%”.
The information examined was acquired on December 14, 2022, a period in which, according to the Company, it did not process biometric data.
In this regard, the Company acknowledged that “the language contained in the information on file was not promptly updated following the temporary suspension of the biometric authentication mechanism due to the technical flaws found in July 2022” (see note 11/12/2023, p. 17).
The indication that “This processing of biometric data is necessary to fulfill the obligations in terms of labor law, safety and social protection undertaken by the Data Controller pursuant to art. 23, (entitled “Contrast to gangmastering and irregular work”) of the CCNL Rider” is not correct; in fact, within the aforementioned collective agreement, there is no express provision that provides for the obligation of facial recognition.
Finally, it is believed that not even the section of the information entitled “Annex I - Retention Periods” has been drafted in a clear and intelligible form: in fact, the data processed is not clearly indicated; not all the categories of data that the Company processes have been indicated; furthermore, the indication of the categories of data processed with the purposes of the processing is superimposed.
The document containing the “Terms and conditions of use of the Glovo platform for couriers”, taken from the company’s website (https://glovoapp.com/it/legal/terms-couriers/), which indicates the last update date as 29 April 2022, delivered by the Company during the inspection of 13 and 14 December 2022, also appears to have been made in violation of Articles 5, paragraph 1, letter a) of the Regulation (principle of transparency and principle of fairness), 12 and 13 of the Regulation: the wording of the content therein is not clear (see paragraph 9.4, “Purpose and legal basis for processing”), furthermore, some indications relating to disconnection and blocking of the account are not correct or corresponding to what was declared during the inspection.
In this regard, in fact, the document states that “Glovo reserves the right in any case to remove or disable access to any Account for any reason or no reason, even if it believes, in its sole discretion, that your Account violates the rights of third parties or the rights protected by the Terms and Conditions” (see point 5.4.2.).
Differently, during the inspection, the Company declared that it had adopted a procedure that provides for deactivation/blocking only when specific cases occur (which therefore would not operate for “any reason or no reason”), with the possibility, moreover, for the rider to obtain the revocation of the measures (Annex 7 minutes 14/12/2022).
4.2.2. The version of the information, updated to December 2022, extracted from the Company's website during the inspection of 1 March 2023.
During the inspection, a version of the information updated to December 2022 was extracted from the Company's website (Annex 10 minutes of operations carried out 1/3/2023).
However, this document also does not comply with data protection regulations, in particular with Articles 5, par. 1, letter a) (principle of transparency and principle of correctness), 12 and 13 of the Regulation.
Furthermore, the Company declared that only "subsequently", with respect to the update on the website, the new information was attached to the contracts with the riders (see note of dissolution of the reservations of 16/3/2023). The latter, therefore, continued to have, until the insertion of the new version, an outdated information.
In this regard, the Company's statement that "the paper information attached to the contracts clearly indicates that any updates can be found online at the indicated hyperlink" is devoid of any merit (see defense briefs 11/12/2023, p. 18) since such indication, inserted within the information attached to the contracts signed by the riders, can be considered a useful tool for knowing updates to the information if, after the signing of the contract, it has undergone a change; certainly, however, the presence of the aforementioned indication does not justify (or compensate for) the communication of an information that is not updated, already at the time of the stipulation of the contract to which it is attached and that contained on its website, as the Company seems to claim.
The data protection regulations are considered to be violated because, overall, the document updated in December 2022 does not appear to comply with the transparency and intelligibility standards required by the Regulation (for some points the distribution of information is based on the interested party, e.g. point 6 is dedicated to the rider - courier -, but some information relating to the processing of riders' data is contained in other points, in particular only in points 13 and 14 are the chapters on automated decisions and profiles, without any internal reference), as well as completeness of information, given that not all the riders' data that the Company processes are indicated in an exhaustive manner: in point 6.2 the data relating to order management are not indicated; within the same point there is no mention of the processing of biometric data (it is in fact not clear whether the indication of "photo: road safety, prevention of accounting fraud and public safety" also includes the processing of biometric data); in point 15 on security measures no specific data is indicated, not even through a reference to a different document).
Furthermore, there is no reference to the deactivation/blocking of the rider's account by the Company.
The document is not clear and transparent, not even with reference to the conditions of lawfulness of the processing (in the initial section "1.scope", reference is made to the consent of the interested party without specifying in relation to which processing such consent would operate; furthermore, reference is made to the previous considerations relating to the unsuitability of consent as a legal basis in the workplace, see paragraph 4.2.1.; within point 6, the legal bases and purposes of the processing are also indicated in a confusing and contradictory manner).
Nor is the table contained in Annex I to the information updated in December 2022, "general retention periods", in the section dedicated to riders (point 6), clear as it is generic and not exhaustive; the same, among other things, is divided into two parts ("general" and "couriers") without the reason for the division being clear, given that the table in question is found in the section dedicated to riders.
The content of the information updated in December 2022 does not even appear to be entirely compliant with the effectiveness of the processing carried out, as detected during the inspection, given that it is stated that no automated decisions are taken or profiles are created pursuant to art. 22 of the Regulation (see points 13 and 14).
4.2.3. Further versions of the information relating to the processing of riders' data.
During the inspection of 26 and 27 July 2023, further versions of information documents relating to the processing of riders' data were also delivered by the Company.
In particular, some are almost identical to the information already made available to the Office during the investigation and for which reference is made to the observations already indicated in the previous paragraphs (Privacy information updated to December 2022, Terms and conditions of use of the Glovo platform for couriers updated to 29/4/2022), while the information attached to the "occasional contract" model and the information attached to the "VAT contract" model, in the versions updated to March 2023 (Annex 3, minutes 26/7/2023), albeit in a structure that follows that of the previously provided versions, present some changes.
In relation to the latter, the following is noted.
Despite the inclusion of some limited changes made to the versions of the information attached to the contract models stipulated with the riders (inclusion of some types of data collected that did not appear before, such as "data relating to delivery tasks" and "information on conversations", although the wording is not sufficiently clear; use of geolocation for the assignment of orders; indication of the retention periods of geolocation data and biometric data), it emerges that the aforementioned information still does not comply with the personal data protection regulations (articles 5, paragraph 1, letter a), 12 and 13 of the Regulation), in terms similar to what has already been ascertained in relation to the previous versions, as the information contained in the aforementioned documents is not provided "in a concise, transparent, intelligible and easily accessible form" nor is "all the information referred to in Articles 13 and 14" provided.
In particular, the categories of rider data that the Company processes are not fully identified, so much so that point 2, dedicated to the "data collected", continues to introduce them with an exemplary statement.
Furthermore, the information in question is not clear and intelligible with reference to the identification of the conditions of lawfulness and the purposes of the processing (among other things included in the same section), between which there is often no coordination.
With reference to the "geolocalization" section (point 3), some legal bases are indicated in a generic way (in particular: "fight against terrorism", "money laundering", "crimes against public health").
Again with reference to the conditions of lawfulness of the processing, it is emphasized that, within point 4, the "explicit consent of the courier" is also indicated, for which the considerations set out above apply.
The methods of processing (point 6, "methods of processing") are also indicated in such generic terms as not to provide useful information for the interested parties.
Furthermore, part of the content of the information is not consistent with what was found during the inspection. In particular, within point 7, “metrics”, it is specified that “no profiles are created”, and that “the owner does not adopt decisions based on automated decision-making processes”.
The lack of transparency and clarity is also found with reference to what is indicated in the matter of geolocalization (see point 7 “Metrics”, where geolocalization refers “to the service” and not to the rider).
Furthermore, with regard to the methods of geolocalization, the interested party was not made aware of the particular characteristics of the geographical detection which also concerned the hypothesis in which the rider was not engaged in work activity on behalf of the Company and without his knowledge, even when the rider is not operational in the slot and the app is in the background.
Furthermore, from the examination of the different versions of the information for riders delivered also recently, a discrepancy between them is noted based on the type of contract - not supported by any explicit motivation - from which derives an evident difficulty, for the interested parties, in reading and effectively understanding them in order to how the data referred to them are processed (see par. 3 relating to "geolocalization" within which there is a section only in the "occasional contract" model).
This therefore does not comply with the provisions of articles 5 par. 1 letter a), 12 and 13 of the Regulation.
4.2.4. Information delivered on 29 February 2024.
In the additional briefs of 15 January 2024, the Company, with reference to the documentation containing the information, indicated, among the measures that it “proposes to adopt in order to further improve compliance with the legislation for the protection of personal data, with specific reference to the findings raised by this Authority [with the notification of the violations]”, those of: “reviewing all current versions of the courier information […] in order to ensure that they have substantially uniform content”; “reviewing the Information […], also following a layered approach that refers to detailed information and/or dedicated help pages”.
In this way, the Company itself confirmed the need to review the information documents prepared by it, in order to comply with the data protection regulations.
With the additional memoranda of 29 February 2024, the Company sent a “revised” copy of the “Glovo privacy policy”, a copy of the “Terms and conditions of use of the Glovo platform for couriers” updated to February 2024, a copy of a “service contract pursuant to art. 2222 of the Italian Civil Code” and a copy of the “transparency information pursuant to Legislative Decree 104/2022”.
In this regard, it is noted that the aforementioned information documentation also does not comply with the personal data protection regulations for the reasons indicated below.
With regard to the “Glovo privacy policy” (Annex 2 note of 29/2/2024), it is preliminarily noted that the same is not dated nor, at present, available on the Company’s website.
Point 6, dedicated to couriers, contains indications that do not comply with the personal data protection regulations, in particular: in the list of types of data processed by the Company, with reference to "biometric characteristics", the document specifies that it operates "without processing biometric data", even though later, within the same section, "biometric data" is indicated for which it is specified "limited to the use of the facial recognition function via Jumio"; among the data processed by the Company, "traffic data" and "metadata" are also indicated, relating to the device and use of the app, in the absence of any indication regarding the purpose and legal basis of the related processing; processing operations also include communications of rider data to other companies in the group, despite the fact that, with the same note, the Company declared that "as of today, the Permission [to access the "livemap" platform] is also not active for employees of Glovo group companies located in other countries" (see note 29/2/2024, point 3.7, letter C); in point 6.5., the performance of "partially automated processing" is reported, specifying that these "could have an impact in relation to the assumption or assignment of deliveries, as well as could involve verification activities of the identity of the couriers and/or the evaluation by the same of compliance with the terms and conditions of use of the Platform", despite the fact that the outcome of the Authority's investigations revealed that such processing (excellence score, geolocalization, facial recognition system and authentication process, blocking/suspension and deactivation of the account) unfailingly involve verification and evaluation activities by the Company); with regard to the geolocalization of riders (point 6.5.2.2.), the indication remains that this operates exclusively during the hours in which the courier "actually carries out delivery tasks", despite the fact that, during the control activity, it emerged that the GPS also operates when the app is in the background and, until 22/8/2023, even when the app had not been opened.
The section relating to the processing of biometric data (facial recognition) also remains despite such processing, as will be better indicated later, not being compliant with the personal data protection regulations (point 6.5.3. of the information).
Annex I of the Terms and Conditions continues to contain the designation of the rider as data controller, in the terms already indicated above, i.e. in violation of art. 28 of the Regulation. The reference to this designation as data controller is also present in the standard contract model contained in Annex 4. Moreover, this standard contract model, which is not dated, contains the link to the privacy policy on the Company's website dated December 2022.
Overall, it does not appear that an adequate review of the information presented has been carried out, considering, among other things, that not all the documentation delivered to the Authority is actually accessible to the interested parties (as specified above, in fact, the "Glovo Privacy Policy", Annex 2 note of 29/2/2024, is not dated or available on the Company's website). Furthermore, the information documents most recently submitted to the Authority contain, in the terms indicated above, elements of unlawfulness already present in previous versions.
4.3. The obligation to provide information in the case of use of automated decision-making or monitoring systems.
Art. 1-bis of Legislative Decree no. 152 of 1997, introduced by art. 4 paragraph 1 letter. b) of Legislative Decree no. 104 of 2022 implementing Directive (EU) 2019/1152, amended by Legislative Decree no. 48 of 4/5/2023, converted into Law no. 85 of 23/7/2023 (“Further information obligations in the case of use of automated decision-making or monitoring systems”), has established that “The employer or the public and private client is required to inform the worker of the use of fully automated decision-making or monitoring systems designed to provide information relevant to the purposes of hiring or assigning the assignment, managing or terminating the employment relationship, assigning tasks or duties, as well as information affecting the supervision, evaluation, performance and fulfillment of workers’ contractual obligations. The provisions of Article 4 of Law no. 300 of 20 May 1970 remain unchanged”.
The provision also specifies what information must be provided to the worker “before the start of work”, in particular: a) the aspects of the employment relationship affected by the use of the systems; b) the aims and purposes of the systems; c) the logic and functioning of the systems; d) the categories of data and the main parameters used to program or train the systems […], including performance evaluation mechanisms; e) the control measures adopted for automated decisions, any correction processes and the person responsible for the quality management system; f) the level of accuracy, robustness and cybersecurity of the systems referred to in paragraph 1 and the metrics used to measure these parameters, as well as the potentially discriminatory impacts of the metrics themselves.
The Authority, with the document “First indications on Legislative Decree 27 June 2022, no. 104, so-called “transparency decree”” (web doc. no. 9844960) clarified that the new information obligations introduced by art. 4, Legislative Decree lgs.27/6/2022, n. 104 constitute a more specific and more protective discipline, for the interested parties, in the workplace, pursuant to the provisions of art. 88 of the Regulation.
As a result of the investigations, it emerged that, from the date of entry into force of the aforementioned specific obligations regarding transparency (1 August 2022) and until 18 May 2023 (the date on which the Company prepared an initial information document on the subject, Information on transparency pursuant to Legislative Decree 104/2022, see note 11/12/2023, p. 18), the Company has not adopted any information regarding the processing of data relating to riders carried out through fully automated decision-making or monitoring systems, as instead required by the aforementioned discipline.
This is also in light of the more stringent definition, in force from 4 May 2023, which added the adverb “fully” to the original definition of automated systems.
The Company, as argued in more detail in the following paragraph dedicated to automated processing, carries out a plurality of processing through fully automated systems, designed to provide relevant information for the purposes of assigning the task, management, termination of the employment relationship, assignment of tasks, as well as information affecting the supervision, evaluation, performance and fulfillment of the contractual obligations of riders.
Despite this, it failed to provide information relating to the existence and specific mode of operation of the aforementioned systems, not following up on what is required by art. 1-bis cited, before the start of work activity, in relation to a significant number of interested parties, equal to 7,405 riders (at the date on which the data relating to riders who began to provide their activity after 1 August 2022 was provided to the Authority, see note on the dissolution of reservations of 27/12/2022, letter R).
In this regard, it is in fact emphasized that, with regard to employment relationships established after 1 August 2022, the additional information obligations must be fulfilled, by express regulatory provision, before the start of work activity (art. 1, paragraph 2, of Legislative Decree 26 May 1997, no. 152).
Among other things, in the sense of the performance, by the Company, of automated processing in relation to which the provisions of art. 1-bis cited, the case law of merit has also ruled on several occasions (see Turin Court ruling no. 231 of 2024, published on 12/03/2024 “Foodinho uses systems that can be defined as fully automated to adopt decisions that affect the management of the employment relationship”.[…] the opposing company adopted a fully automated decision-making system to evaluate the reputation (i.e. the work) of the delivery drivers, which significantly affected the employment relationship since it involved the assignment of a score to access the calendar of bookable slots on the platform as a priority. The system also provided for the profiling of the delivery drivers […]. The company was therefore the recipient of the information obligations set out in the so-called transparency decree, also as amended by Legislative Decree no. 48/2023”.
Furthermore, according to the Court of Turin, the information pursuant to art. 1-bis cited, subsequently prepared by the Company, was deemed not compliant with the provisions of the same law.
See also the Court of Palermo 20/07/2023, according to which the “automated systems used by the defendant [Foodinho s.r.l.] are fully automated systems, given that the human intervention inferred (and not demonstrated) in any case would not occur in the final phase, but rather only in the data entry phase or activation of the system itself, in which the subsequent processing and treatment of the data and any final decision are entirely entrusted to algorithmic or computerized automatisms”; on that occasion it was also established that “the obligation of the defendant to provide the information required by art. 1bis, introduced by Legislative Decree no. 104 of 2022, to the appellant trade unions remains in place even after the entry into force of Legislative Decree no. 48 of 2023, with the obvious exclusion of those that affect systems or parts of them covered by industrial or commercial secrecy”.).
With regard to the excellence system, the Company stated that it provides “explanations on how the [score assignment] works at different times and through different means” (see note 27/12/2022, letter Q), including through an explanatory video made available to riders “during the onboarding process”, through information on the Company’s website, newsletters and meetings, of which no evidence was provided.
In this regard, first of all, it is recalled that pursuant to art. 12 of the Regulation, information on the processing must be provided to the interested parties in a concise, transparent, intelligible and easily accessible form, using clear and simple language; only where the interested party requests it, the information on the processing may be provided orally, but even in this case the data controller is required to demonstrate that it has implemented conduct in accordance with the data protection regulations (see also the accountability principle, art. 5 par. 2 of the Regulation).
The same art. 1-bis cited, in paragraph 6, provides that "The information and data referred to in paragraphs 1 to 5 of this article must be communicated by the employer or the client to the workers in a transparent manner, in a structured, commonly used and machine-readable format".
Secondly, it should be noted that the processing of data relating to the assignment of the score does not constitute the only automated processing carried out by the Company, as will also be stated later.
Furthermore, the information that was provided by the Company regarding the scoring system did not satisfy the requirements of the cited art. 1-bis.
With the defense briefs of December 11, 2023 (Annex 5), the Company then produced a “Transparency Notice pursuant to Legislative Decree 104/2022”, in relation to which it declared that it is “specific information regarding some of the treatments that involve partially automated processes, including the logics relating to the Excellence Score and the slot assignment criteria” (p. 18).
With regard to this version of the transparency notice - which the Company declared to have adopted on May 18, 2023 and made available both on its website and by sending it to all riders -, it is noted that it is not adequate, with respect to what is required by the legislation, as it lacks some of the information that must necessarily be contained therein.
In particular, the notice in question does not contain some of the information required by paragraph 2 of art. 1-bis: information on the logic and operation of fully automated decision-making or monitoring systems (letter c), on the categories of data and the main parameters used to program or train fully automated decision-making or monitoring systems, including performance evaluation mechanisms (letter d), on the control measures adopted for automated decisions, any correction processes and the person responsible for the quality management system (letter e), on the level of accuracy, robustness and cybersecurity (transparency regarding the number and type of Company operators who can access the data processed, protection from abusive or illicit access to the data, communication of data to third parties) of fully automated decision-making or monitoring systems and the metrics used to measure such parameters, as well as the potentially discriminatory impacts of the metrics themselves (letter f).
With the briefs of 29 February 2024 (annex 5), the Company also produced a revised version of the information, pursuant to art. 1-bis of Legislative Decree no. 152 of 1997; this latest version is currently published on the Company's website, although neither the date of the same nor of its publication are indicated. The text of the information can be accessed through the section relating to the excellence score, by activating the "find out more" button, which always relates only to the functioning of the excellence score.
However, this version of the information does not comply with the reference legislation, as it does not contain some of the information required by art. 1-bis paragraph 2, even though some additional information has been included in it on the type of data processing carried out through fully automated decision-making or monitoring systems.
In particular, no indications are given regarding: the control measures for automated decisions and any correction processes (art. 1-bis, paragraph 2, letter e) - except limited to the so-called "remediation" procedure. grievance - nor the level of accuracy, robustness and cybersecurity of the fully automated decision-making and monitoring systems in use and the metrics used to measure such parameters, as well as the potentially discriminatory impacts of the metrics themselves (art. 1-bis, paragraph 2, letter f).
With regard to this last aspect, although the Company specifies that "no risks of discrimination have emerged due to the fact that the parameters do not even indirectly take into account factors of possible discrimination for union reasons, sex, religion, personal beliefs, handicap, age, sexual orientation, race and ethnic origin" (see p. 3 point 2.1), it is instead quite clear that an algorithm based on customer feedback is by its nature subject to potential discriminatory effects linked to the customer's perception of the rider, and, furthermore, the use of metrics based strictly on order delivery performance may discriminate riders on the basis of age, sex and health conditions.
The Company has therefore violated, starting from 1 August 2022, articles 5, par. 1, letter a) (also with reference to the provisions of art. 1-bis of Legislative Decree no. 152 of 1997), 12 and 13 of the Regulation.
4.4. Violation of art. 28 of the Regulation in relation to the designation of the rider as data controller and the designation of third-party companies operating as sub-processors.
The document “Terms and conditions of use of the Glovo platform for couriers”, taken from the company’s website (https://glovoapp.com/it/legal/terms-couriers/), which indicates the last update date as 29 April 2022, delivered by the Company during the inspection of 13 and 14 December 2022, also contains the designation of the rider as data controller, in relation to data relating to customers and orders.
In light of the specific characteristics of the treatments referred to the assignment and execution of orders, this qualification does not, however, comply with the provisions of art. 28 of the Regulation (doc. cit., “Annex 1 - Treatment order contract”, p. 21).
In particular, the Company provides (also in the updated version of the document) that the rider, as data controller, should, among other things, keep a record of processing activities, assist the controller in preparing the impact assessment and, where appropriate, in submitting the request for preliminary consultation to the Authority (through the following instructions given to the managers/riders: “have, in writing, a record of the processing activities carried out on behalf of the responsible entity” (in the updated version, the expression “responsible entity” has been replaced by “controller”), “support the responsible entity in carrying out data protection impact assessments and, where appropriate, assist it in carrying out preliminary consultations with the supervisory authority, where appropriate” (in the updated version, the expression “responsible entity” has been replaced by “controller”), “ensure that the employees of his organization who process personal data undertake to respect the confidentiality of personal information processed on behalf of the responsible entity” (in the updated version it has been specified “expressly and in writing”), “provide data subjects with the necessary information on the processing of personal data” (in the updated version it has been specified “expressly and in writing”), “provide the ... information regarding the processing of their data carried out in the context of the processing, at the time of data collection”, see Annex 4, defense briefs 11/12/2023).
In this regard, while acknowledging that, following the notification of the violations by the Authority, the Company corrected the incorrect qualification in terms of “data controller” attributed to both the Company itself and the rider, it should be noted that the instructions given to the riders in their capacity as data controllers by the Company remained identical (see defense briefs 11/12/2023, p. 17).
Considering this, it is necessary to underline that the aforementioned designation, given the directives given to the rider contained therein, given the activity carried out, in concrete, by the riders and examined the type of working relationship that exists between the Company and the couriers, does not appear to correspond to the nature of the tasks specifically entrusted to the rider.
The designation of the rider as data controller, as provided for by the Company, therefore violates art. 28 of the Regulation given that the absence, in concrete, of the characteristics necessary for the performance of the tasks assigned by the controller is evident (see art. 28, par. 1 of the Regulation where it requires the controller to use only data controllers who in concrete present sufficient guarantees to guarantee that the processing carried out on their behalf meets the requirements of the Regulation and guarantees the protection of the rights of the interested parties).
Again with reference to what is established by art. 28 of the Regulation, during the investigations it emerged that the deactivation operations from the platform were carried out not only by operators of the Company, but also by sub-managers of Glovoapp23 SL, in particular by operators of Comdata and Trizma.
In this regard, it should be noted that the Company has represented in documents that “Foodinho S.r.l. uses the support of external call centers, Meritus Upravljanje, d.o.o. (MPLUS) and Comdata, S.p.A. (COMDATA), limited to the onboarding activity of the Courier (MPLUS) and assistance to the Courier in real time (COMDATA)”, note 27/12/2022, letter I).
From the examination of the documents acquired during the inspection activities (see file result.csv, present in Annex 5, inspection report 28/2/2023), it emerged that there are numerous cases in which even the deactivation of a rider (therefore not only the onboarding and real-time assistance activity) was carried out by operators belonging to the latter companies.
In light of the findings in the documents, it therefore emerges that the deactivation activity is also entrusted to personnel belonging to companies that operate as sub-managers, without, based on the examination of the documentation produced by the Company, such personnel (moreover numerically considerable, see note on the dissolution of the reserves 16/3/2023, p. 9, where a total of 256 operators is indicated) having been previously provided with the necessary instructions, as instead clearly required by art. 28 of the Regulation.
In this regard, it is noted that, during the proceedings, the Company declared that it had discontinued the service provided in Italy by Trizma and that it had provided “further instructions to the Comdata call center operators [in relation] to any disconnections of the accounts [of] the couriers” (see note 29/2/2024).
Taking into account that no evidence was provided of any previous regulation of the relationship with the sub-processors, in relation to the disconnection activity from the platform, the Company violated art. 28 of the Regulation up to the date of 29 February 2024.
4.5. Violation of art. 5 (principle of minimization), 22 (obligation to implement appropriate measures to protect data subjects in the event of automated decision-making processes) and 25 (principles of privacy by design and privacy by default).
Following the investigation, it also emerged that the Company carries out, as the owner, using the Glovo digital platform (see Franchising Agreement, 1/10/2019, Annex A, note on the dissolution of reserves 16/3/2023), automated decision-making processes, pursuant to art. 22 of the Regulation (defined as a “decision based solely on automated processing, including profiling, which produces legal effects […] or similarly significantly affects” the data subject).
4.5.1. The excellence system and the order assignment system within the shift.
The automated processing is carried out by the Company, first and foremost, through the operation of the so-called excellence system and the order assignment system, as currently configured.
The excellence score works by taking into account four parameters, which have a different weight, based on the different cities in which the riders carry out their activity, in the last 28 days of use of the platform, even if not consecutive (so-called reference period). The overall score “has a progressive and increasing weight in the Reference Period (e.g. the most recent performance has a more significant score than that of 28 days ago)”.
The parameters taken into consideration by the system are the following: “contribution” parameter (indicated as “Sum Seniority Normalised”) which refers to the number of orders delivered in the reference period; “no show” parameter (“Sum No Show Normalised”) relating to the number of times the rider booked a slot, but then did not check in (this taking into account that the rider can check in starting from 25 minutes before the start time of the slot up to 10 minutes after; furthermore, the booking can be cancelled up to one minute before the start time); “customer rating” parameter (“Sum Customer Rating Normalised”), relating to the feedback received from the customer; finally, the “high demand slot” parameter (“Sum High Demand Normalised”) takes into account the time in which the rider carries out the service within high demand slots that occur weekly (these are shifts during which there is normally a greater influx of orders and amount to six hours a week, which generally correspond to three hours for dinner on Saturday and three hours for dinner on Sunday).
The score automatically assigned to each rider, based on the operation of the parameters processed by the platform, allows for priority booking of the delivery shifts (slots) established by the Company and made available, through the platform, twice a week (Monday and Thursday at 4:00 p.m.).
The rider who obtains a higher score has priority access to the assignment of the work shift and the related orders, taking into account that some shifts allow for receiving a higher number of orders (so-called high demand slots).
Contrary to what the Company claims, riders cannot freely book the chosen work shift among the proposed slots. After examining the documentation in the files, it emerges that there are saturated slots, i.e. delivery shifts booked at 100%, in which the availability of the riders exceeds the request of the Company, which makes it impossible for those who obtain a lower score, within the excellence system, to access certain shifts, with a consequent reduction in job opportunities, which are more available in "high demand" shifts.
In particular, examining the table provided by the Company and relating to the percentage of filling of the individual slots (Annex F, note on the dissolution of reserves 27/12/2022), it emerges that there are numerous saturated slots (at 100.00%) and, in light of the parameters relating to the individual Italian cities subsequently provided at the request of the Authority, it emerges that, at least in relation to two large cities, Rome and Milan, saturated slots are recorded every day (Annex 4, inspection report 28/2/2023).
The same Company also stated that the purpose of the “No Shows” parameter is to “prevent the failure to connect without withdrawing the availability from harming other couriers who could have booked the slot in question”, on the assumption that the slot availability is lower than the request and the rider who is unable to book the shift is “harmed” (see defense briefs 11/12/2023, All 5, “Information on transparency pursuant to Legislative Decree 104/2022”).
Therefore, the automated attribution of the excellence score has a significant impact on the rider’s activity, influencing, as we have seen, the possibility of booking certain work shifts.
Even through the algorithm that allows the assignment of orders within the slot, the Company therefore makes decisions based solely on automated processing based on the operation of 5 parameters, as declared by the Company itself (note of the dissolution of reserves 27/12/2022, letter H.: "Courier vehicle; Courier position; distance between the Courier position and the collection point; distance between the collection point and the delivery point; Courier device battery").
Through the two algorithmic systems, the Company therefore carries out processing consisting in the making of decisions, based solely on automated processing, including profiling, relating to the assignment of work shifts and delivery orders, which significantly affect the interested party, through the increase or reduction of work opportunities, precisely as a result of the decisions made by the system.
The Regulation has regulated the matter with the aforementioned art. 22 as well as, with reference to the notion of profiling, with art. 4, n. 4 and cons. 71, where in particular profiling is defined as “a form of automated processing of personal data that evaluates personal aspects of a natural person, in particular to analyse or predict aspects concerning professional performance, […] reliability or behaviour, location or movements […] where this produces legal effects […] or similarly significantly affects him”.
This definition is specifically suited to the processing carried out using the parameters that make up the excellence score, aimed at analysing professional performance [“Sum Seniority Normalised” and “Sum High Demand Normalised”], reliability [“Sum No Show Normalised”] and behaviour [“Sum Customer Rating Normalised”], also taking into account location, with regard to the assignment of orders in the work shift.
Profiling is therefore used to make entirely automated decisions, through the excellence system, with effects that, as seen, significantly affect the interested party by significantly increasing or reducing the job opportunities offered through the platform (in accordance with this, with specific regard to the decisions taken by Foodinho s.r.l. through the excellence score, the Court of Turin, labor section, sentence 12/3/2024, no. 231, ruled).
On the other hand, what the Company claims in its defense briefs in support of the non-existence of automated processing pursuant to art. 22 of the Regulation cannot be accepted. With regard to the “number of human interventions that took place in the Excellence Score system and, in particular, those relating to the manual increase in capacity for a given time slot” that would emerge from the “Expert Report on the «Grievance Process»”, presented by the Company (Annex B, note of dissolution of reservations 27/12/2022, document also referred to in the Company's defense briefs, Annex 7, hereinafter “expertise”), it is noted that the expert report analysed the activities of manual modification (not attribution) of the excellence score (in the event, for example, of disputes by riders, which however occur in completely abstract cases, such as following the attribution of negative feedback by a customer, see below) and modification of the riders' operating slots and not the assignment of the excellence score. Therefore, the Company's thesis does not find any proof in this document. This is also confirmed by the small number of elements found in the expert's query: 198 changes, throughout the Italian territory during 7 days of activity, a value completely incompatible with the real operation of the thousands of riders used by Foodinho on the Italian territory.
With regard to the obligation to adopt measures to protect the rights and freedoms of the interested parties, placed on the data controller by art. 22 of the Regulation, the Company, in relation to customer feedback, has declared that "In the event that the Couriers do not agree with the metrics they have received from Customers, they can contact the Live Operations Support Team ("Team Live Ops") of Foodinho S.r.l., filing a general dispute" (note 27/12/2022, letter O).
In this regard, however, it is noted that, since the rider cannot "connect the metrics received to specific users and orders", as stated by the Company itself, it is - at the very least - extremely difficult for the interested party to have the necessary elements to contest the feedback received, taking into account the circumstances of the specific case. In any case, the Company has not provided any element relating to the methods of managing the aforementioned disputes (which in any case refer to only one of the four parameters taken into consideration by the excellence score) and the possible outcomes of the same.
As for the further statement of the Company according to which "even if one wanted to consider that the Excellence Score determines an automated processing [...], there would be no violation of art. 22 GDPR since the applicability of this rule is expressly excluded in the event that "the decision is necessary for the conclusion or performance of a contract between the data subject and a data controller", it is noted that the Authority did not contest the absence of a legal basis for carrying out automated processing, but rather the failure to adopt the necessary measures, established to protect the data subjects (art. 22, par. 3 of the Regulation, on which infra). Therefore, the Company's objection is not valid.
4.5.2. The rider's "rating".
During the inspection of 26-27 July 2023, a further processing carried out by the Company also emerged, relating to the assignment of a rider "rating" score, data distinct from the "excellence score".
The “rating” score, stored by the Company in the table called courier_rating, can take a value from 0 to 1, related to customer feedback, and is associated with the so-called flex business model, not applied in Italy. Despite this, the “rating” score is generated and processed by the system, even for Italian riders, although it is not used.
For this reason, starting from 2021, instead of eliminating the score in countries where the flex business model is not adopted, a fixed “rating” value equal to 4.5 is assigned by the backend to each rider (Annex 7, 8, minutes 27/7/2023).
The assignment to the rider of this (additional) score with a fictitious value determines an incorrect, irrelevant and excessive processing of personal data, as it is the expression of a calculation system that is not applied in Italy.
The attribution of a fictitious value, albeit unique, for all Italian riders, leads the Company to associate a set of data with inaccurate values to the rider.
In this regard, it also emerged during the inspection (see minutes of 07/27/2023) that the Company was aware of the "rating" score only following the checks carried out during these checks.
From what emerged during the inspection, it therefore follows that the Company, in configuring the system, did not adopt adequate measures aimed at effectively implementing the principles of data protection.
While acknowledging that the Company has declared that it has eliminated this fixed value of the “rating”, starting from 10 January 2024 (see note of 15/1/2024), the use of the “rating” score, up to that date, has led to the violation of the obligation, placed on the data controller, to process only adequate, accurate, relevant and limited data to what is necessary in relation to the purposes for which they are processed (art. 5, par. 1, letter c) of the Regulation and to adopt measures to ensure that by default only the personal data necessary for each specific purpose of the processing are processed (art. 25 of the Regulation).
4.5.3. Deactivation and blocking of the account.
It is also established that, even with regard to the hypotheses of deactivation (grievance) and blocking of the account, the Company carries out automated processing.
In the event of “blocking” of the account, the disconnection, as represented by the Company itself, is carried out automatically by the system, upon occurrence of predetermined conditions that occur as a result of the processing of data collected and processed by the platform (Cash Balance, Medical checks, Limit 5K, Expired document, INAIL accident, Mandatory trainings): see note 16/3/2023, letter e).
With regard to deactivation/grievance, the Company, at least in relation to some of the hypotheses indicated, has not demonstrated the significance of the margin of autonomy reserved for the human operator, with respect to the operation of the algorithm, therefore of the automatic component, considering that these are hypotheses that, in concrete terms, do not allow margins of verification.
In particular, the Company has indicated some predetermined deactivation hypotheses in relation to which no effective and significant margins of possible human intervention emerge, nor have they been indicated by the Company itself: in the context of "Deactivations carried out in the absence of notification by the user", see in particular: no. 3 "Double accounts - Case of a courier with more than 1 account in different cities, with at least 1 account already disabled due to fraud"; or no. 4 "Same Nif, same slot", concerning the "case in which a courier uses two accounts registered to him, belonging to two different cities/areas at the same time, making it clear that one of the accounts has been transferred"; or no. 6 "Bots to book slots", where the data used by the system consists of the "slot booking time (we identify the slots booked at an anomalous time, impossible for a human) e.g. two or more slots on different days booked in less than a second” or “identification of bots used to book slots in progress at the exact moment another courier picked up the booking […] (sometimes even less than a second)”; or no. 9 “Other”, relating to “unidentified cases” highlighted on the basis of a “non-standard type of data collected” (see Annex E, note of dissolution of reservations 16/3/2023).
On the other hand, more generally, the Company, in relation to the deactivation from the platform, limited itself to affirming the existence of a “manual verification” of the data collected through the platform itself, by the Team Operation operators, without providing any evidence that such verification is significant in relation to the decision to disconnect (see note 16/3/2023, letter f).
In this regard, the Guidelines on automated individual decision-making and profiling for the purposes of Regulation 2016/679, adopted by the Article 29 Working Party (amended version adopted on 6 February 2018, WP 251 rev.01, p. 23), clarify the scope of human involvement considered significant in light of a plurality of concrete elements: “the controller must ensure that any review of the decision is meaningful and not just a token gesture. The review should be carried out by a person who has the authority and competence to change the decision. In the context of the analysis, that person should take into account all relevant data. As part of the data protection impact assessment, the controller should identify and record the degree of human involvement in the decision-making process and the stage at which it takes place”.
In this regard, furthermore, it is believed that the findings of the expert report are not conclusive, regarding the human review activity on the decisions relating to the inclusion on the platform (onboarding) and the deactivation of the riders' accounts in the systems used by the Company.
In fact, with regard to onboarding activities, the appraisal takes into consideration the average values relating to the number of documents validated in a unit of time, to affirm that this value is compatible with an activity carried out by an operator, without taking into account the peaks of activity, present in the detailed data, in which the number of documents analyzed, per unit of time, is significantly greater than that considered, by the same experts, compatible with a human activity (Annex 5, inspection report of 02/28/2023, Docs_check folder, file named _SELECT_date_ccp_docs_check_date_as_Docs_check_date_count_distin_202212201131.csv.).
Furthermore, with reference to deactivation activities, it is noted that the average number of deactivations, in the period examined by the expert report (3,768, in the period 1 March - 20 December 2022; see the expert report cit., p. 3), is significantly lower than the average number of deactivations that emerges from the inspection documents (6,369, in the period 1 January - 31 December 2022, with almost 40% daily increase compared to the expert data; see inspection report 28/2/2023, p. 4), to which must be added, in order to fully evaluate the operators' workload, the 53,861 operations to block riders' accounts.
Therefore, what was observed in this regard by the Company in its defense briefs does not appear to be relevant (“Even if the average data of deactivations emerging from the inspection documents is higher than that taken into consideration in the [expert report], this does not mean that the final output of the observation is not equal or even higher; which confirms the value of human intervention with respect to deactivations”), given that the significant increase in the average number of deactivations by operators, as emerges from the set of documentation present in the documents, means that the expert assumption according to which the low volume of the operators' workload constitutes confirmation of human intervention in the deactivations from the platform is not verified.
It also emerges that the selection of the records to be analyzed, with regard to the deactivations, to draw up the report, was carried out by inserting, among the parameters on which to perform the filter, a condition relating to the format of the email of the operator who would have carried out the activity in question (see WHERE clause of the SQL query “o.email ilike '%.%operator%'” in Annex 5, file garante_privacy_manual_deactivations.sql).
Therefore, the investigation did not take into consideration the cases in which the deactivation could have been carried out directly by the system and not by an operator, given that, as a result of the query indicated above, only the records in which the association with a defined operator was present were selected for the purposes of the analysis, setting, as a search parameter, the particular format of the operator's email address.
With regard to the disconnection and deactivation actions of riders' accounts, the information provided by the Company as a whole does not allow for a comprehensive definition of the causes and the concrete methods of carrying them out.
In fact, the causes for which deactivation is carried out, identified through access to the systems during the inspection carried out by the Authority, are additional to those resulting from the lists provided by the Company ("List of reasons for grievance and blocking", Annex C, note 27/12/2022, p. 5 and "Deactivations carried out in the absence of notification by the user", Annex E, note 16/3/2023) as they also included the items Reassignments and Bad rating, despite the Company having declared on this point that the two items "are not actually used in Italy, neither for blocking nor for deactivation, even though they appear as a potential reason for blocking in our IT systems" (note lifting of reservations 16/3/2023, letter g.).
In this last regard, it is noted that during the proceedings the Company declared that, starting from 29 February 2024, the items “Bad rating” and “Many Reassignments” no longer appear in the systems “as potential reasons for a block or deactivation” (see note 29/2/2024).
Up until that date, however, the aforementioned items were still present in the systems and used by the operators (see below reference to the result.csv file, present in Annex 5, inspection report 28/2/2023), together with others which, although present, “for operational reasons are not used in Italy” (Long delivery time; Courier not moving; High waiting time; B2B fraud; Data protection infringement).
On this point, furthermore, it is noted that, from the examination of the aforementioned documents relating to the causes of deactivation/blocking from the platform and their operation (if dependent on complaints or anomalies identified by the system), it emerges that they compose an imprecise picture since the "List of reasons for grievance and blocking" (document defined as "the complete overview of the reasons that may lead to the deactivation or blocking of a Courier's account") contains a series of hypotheses, including cases in which a complaint should be disregarded (e.g. no. 3, Reassign after PU [case in which the courier, after having collected the order, reassigns it to another courier to keep its contents]), which are not contemplated in the different list containing the list of "Deactivations carried out in the absence of notification by the user".
Still with regard to the causes of disconnection, it finally emerged that the Company has identified further cases of disconnection from the system that operate automatically, disclosed to the Authority during the inspection carried out on 26-27 July 2023. In particular, these are hypotheses (no show, position out of area, deactivation of geolocation, disconnection during the slot) in the event of which, according to what was declared, the system proceeds to disconnect from the slot (inspection report 26-27/7/2023, p. 5).
Although the indication of the specific causes of blocking and disconnection from the platform is imprecise, the outcome of the inspection activity shows that, also in relation to - at least - some of these treatments, the Company adopts decisions based solely on automated treatments that significantly affect the interested parties by preventing, for the period considered, from carrying out the work services covered by the contract with the rider.
As emerges from the decision of the Court of Justice of 7 December 2023 in case C-634/21, the notion of “decision”, the existence of which constitutes one of the conditions to which the applicability of Article 22 of the Regulation is subject, must be given a broad scope (it “may therefore include […] various acts which may affect the data subject in various ways”; see the judgment cited above, point 46).
Furthermore, the Court held that Article 22 of the Regulation also applies to the case in which the automated calculation of a probability rate based on personal data of a data subject is transmitted to a third party whose action is guided “in a decisive manner” by that rate (see the judgment cited above, point 48).
A less rigorous interpretation would entail “a risk of circumvention of Article 22”. It is therefore necessary, as indicated by the Court, to proceed to identify, in the specific case, the processing that involves specific risks for the rights, freedoms and legitimate interests of the data subject, also in order to assess the adoption by the controller of appropriate measures to protect rights and freedoms.
4.5.4. Absence of appropriate measures to protect data subjects.
In conclusion, it emerges that the Company, despite carrying out a plurality of types of automated processing, concerning a significant number of data subjects (the number of riders who work for the Company active in Italy is equal to 36,545; note 27/12/2022), by virtue of a contract that has as its object a work service carried out through the digital platform (with consequent application of art. 22, par. 2, letter a) of the Regulation), has not taken steps to prepare the appropriate measures, set up to protect their rights, freedoms and legitimate interests, provided for by art. 22 of the Regulation (“at least the right to obtain human intervention on the part of the controller, to express one's point of view and to contest the decision”; see also what is indicated on this point in cons. 71 of the Regulation “in order to ensure fair and transparent processing in compliance with the data subject, taking into account the specific circumstances and context in which the personal data are processed, it is appropriate that the controller uses appropriate mathematical or statistical procedures for profiling, implements appropriate technical and organizational measures to ensure, in particular, that factors leading to inaccuracies in the data are rectified and the risk of errors is minimized and in order to ensure the security of personal data in a manner that takes into account the potential risks existing for the interests and rights of the data subject and that prevents, inter alia, discriminatory effects against natural persons on the basis of racial or ethnic origin, political opinions, religion or personal beliefs, trade union membership, genetic status, health status or sexual orientation, or which involve measures having such effects”).
The need to adopt measures to protect the interested parties is also confirmed, in this specific case, by the decision of the Palermo court, labor and social security section, sentence 17/11/2023 which declared “the discriminatory nature pursuant to Legislative Decree 216/2003 of the criteria of “contribution”, “high demand hours” [and] “failure to show up (so-called no show)” used by Foodinho s.r.l. for the calculation of the so-called excellence score” and ordered the Company “to refrain from the ascertained discriminations by adopting […] a plan to remove the effects of the same discriminations”.
Therefore, for the reasons set out above, the Company has carried out (and still carries out) a plurality of automated processing operations, pursuant to art. 22 of the Regulation (excellence score, order assignment system, account blocking and certain cases of disconnection from the platform for which - as highlighted above - no significant contribution from operators emerged), without having adopted, in relation to each of them, the measures to protect the rights of the interested parties, in violation of art. 22, par. 3 of the Regulation.
This therefore entailed the violation of art. 22, par. 3, of the Regulation (“Automated decision-making relating to natural persons, including profiling”).
4.6. Violation of art. 5, par. 1, letter a), of the Regulation in relation to art. 47-quinquies, Legislative Decree no. 81/2015.
Based on the data provided by the Company during the inspection activities, used by the expert in charge of drafting the “Expert Report on the «Grievance Process»” (Annex B, note of dissolution of reserves 27/12/2022 and Annex 5, inspection report 28/2/2023, file result.csv), it emerges that one of the causes of disconnection from the platform, as reported by the same operators who carried out the disconnection, is the reassignment of the order (indicated with: "reason":"REASSIGNMENTS"; based on what is reported on the Company's website, the reassignment consists in the refusal of an order or in its cancellation once accepted: in https://delivery.glovoapp.com/it/faq/hc_excellence/reassignments/).
Therefore, differently from what was declared by the Company, from the same data processed by the system it emerges that the rider's request to reassign the booked order entails, in the event of conditions that have not been disclosed by the Company, exclusion from the platform.
Furthermore, it emerges that the reassignment of the order can also entail, at the very least, a reduction in job opportunities. In fact, in the slides used for staff training (Annex F, note of dissolution of reserves 16/3/2023) it is stated that "Guaranteed: By CCNL we are entitled to remove the Guaranteed from all slots adjacent to the slot in which the courier reassigns a single order.
To date we remove the guaranteed only in the slots in which the courier reassigns 100% of the orders assigned to him. This can be customized from city to city".
Therefore, when conditions that may vary from city to city occur, the reassignment of orders causes the slot reservation to be cancelled (the “Guaranteed” status is removed), with the consequent loss of work opportunities arising from orders that arrive in the relevant shift.
The Company itself, on the page dedicated to the explanation of the excellence score available on its website, under the heading “Reassignment”, clarifies to riders that “Reassigning orders often could have a negative impact on your earnings: when you reassign an order, the algorithm could take some time before finding a new order for you, thus wasting your time and slowing down the growth of your excellence score!” (in Glovo Italia Reassignments - Italy (glovoapp.com)).
In this regard, what was deduced by the Company in the defense briefs (“the possibility, by Foodinho, to remove the so-called Guaranteed in the slots in correspondence with reassignments […] represents a form of protection towards the users of the Platform and the correct functioning of the service, without in fact representing a reduction in job opportunities”) confirms that, in the presence of reassignments, the system eliminates the so-called Guaranteed, and the consequence is precisely the reduction in job opportunities conveyed by orders in the shift booked by the rider who carried out a reassignment.
More generally, the same parameters that make up the excellence system, aimed at assigning a higher score to the rider who makes a greater number of deliveries (“Sum Seniority Normalised”), who books a greater number of high-demand slots (“Sum High Demand Normalised”), who checks in in the booked slot within the expected terms (“Sum No Show Normalised”) and who does not receive bad feedback from customers (“Sum Customer Rating Normalised”), are intended to reduce job opportunities for riders who do not accept the service offered.
This therefore entails the violation of the provisions of art. 47-quinquies, Legislative Decree no. 81/2015, which established specific protections, in the context of work via digital platforms, in particular the prohibition of ordering "exclusion from the platform and [the] reduction of job opportunities attributable to failure to accept the service" which determines the loss of the condition of lawfulness of the processing required by art. 5, par. 1, letter a) of the Regulation.
4.7. Processing of biometric data, in the absence of the conditions of lawfulness provided for by the law (art. 5, par. 1, letter a), 9, par. 2, letter b, of the Regulation; art. 2-septies of the Code).
With reference to the processing of biometric data (in particular through facial recognition) of riders, the Company specified that it had started the processing on 23 November 2020, “as part of the first tests relating to the authentication procedure” and that it had “stopped using this authentication procedure and, consequently, collecting and processing biometric data of Couriers starting from July 2022” (see note 27/12/2022, letter s).
The Company subsequently specified that the processing, interrupted due to “internal bugs” as a result of which “potential unjustified blocks of Courier profiles” could be created, was resumed in some cities, such as Milan, “in order to identify any malfunctions” (see note 16/3/2023, letter q); in particular, at the beginning of February 2023 the test was activated on 3.28% of the Couriers active in Italy, on February 20 it was extended to 18.33% of the active Couriers, on February 27 it was activated on a smaller percentage equal to 15.55%, on March 13 the test was extended to 32.61%.
The Company also stated that, starting from March 27, 2023, it planned to activate facial recognition again on all active Couriers.
With a note of dissolution of the reservations of September 15, 2023, the Company finally represented that the system "is again in use throughout the country". The operation of the biometric recognition system is also confirmed by the use of the “high_sampling_sensor_rate” authorization, the purpose of which is “to allow the certainty that the person trying to be recognized is a real person and not just a photo of the account owner” (see note dissolution of reserves 09/15/2023, p. 3).
The fact that the Company has suspended the processing of biometric data for a period of over seven months highlights that such processing is not essential for the provision of the food delivery service.
In particular, with regard to the specific methods of processing, it emerged that the processing, carried out as a “test” by the Company, consists “in requesting facial recognition once a day from all the Couriers involved and checking whether there are errors in the process” (see note 03/16/2023, letter q).
It has also been ascertained that the Company, in carrying out the processing of biometric data, uses software provided by the US company Jumio Corporation which has assumed the role of data controller.
Based on what has been represented, the processing is divided into two phases: the first, aimed at scanning the photograph contained in an identity document of the rider and the second, in which the rider is asked to take a "selfie" in order to verify the latter with the scanned photo of his/her document.
In this regard, the Company has underlined that, not carrying out the recognition, can lead to the deactivation of the account for security reasons and that "if the Courier does not carry out the recognition or in the event of failure to recognise before the account is deactivated, the calendar through which the Courier books the slots will be blocked and the Courier will be asked to proceed with the recognition to reactivate the calendar. Please note that the account will still be active, but the Courier will not be able to book new slots in addition to those previously booked” (see note 16/3/2023, letter p).
According to the Company, the processing, consisting of biometric recognition, is aimed at countering events of “gangmastering in the food delivery sector” although it does not constitute a “measure in itself […] sufficient to avoid the phenomenon” but rather “an effective deterrent” with respect to the commission of criminally sanctioned conduct (see defense briefs, note 11/12/2023).
As for the legal basis, the processing of biometric data of riders would be attributable to art. 9, par. 2, letter b) of the Regulation in relation to the obligation to “prepare an organizational model with exculpatory effect pursuant to Legislative Decree 231/01” (see defense briefs cited). The Company also emphasized that it has carried out a data protection impact assessment, pursuant to art. 35 of the Regulation (an updated version of this document was delivered to the Authority with a note dated 29/2/2024, with which it was also specified that biometric data are retained for the entire duration of the employment relationship).
In this regard, it is noted that, based on the legislation on the protection of personal data, the processing of biometric data (generally prohibited pursuant to art. 9, par. 1 of the Regulation), is permitted only if one of the conditions indicated in art. 9, par. 2 of the Regulation and, with regard to processing carried out in the employment context, only when the processing is “necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law, insofar as it is authorised by Union or Member State law or by a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject” (Article 9, paragraph 2, letter b), of the Regulation; see also: Article 88, paragraph 1 and recitals 51-53 of the Regulation).
The current regulatory framework also provides that the processing of biometric data, in order to be lawfully carried out, must be carried out in compliance with "further conditions, including limitations" (see art. 9, par. 4, of the Regulation).
This last provision was implemented in national law with art. 2-septies (Guarantee measures for the processing of genetic, biometric and health-related data) of the Code. The rule provides that the processing of such categories of data is lawful when one of the conditions referred to in art. 9, par. 2, of the Regulation occurs "and in compliance with the guarantee measures established by the Guarantor", in relation to each category of data.
This was reiterated by the Guarantor with regard to the processing of biometric data (based on facial recognition) for the purposes of detecting presence with the provisions of 22/2/2024, nos. 105, 106, 107, 108 and 109, web doc. nos. 9995680, 9995701, 9995741, 9995762, 9995785 (see also, with regard to the processing of data taken from the fingerprint, the provisions of 10/11/2022, no. 369, web doc. no. 9832838 and 14/1/2021 no. 16, web doc. no. 9542071).
With regard to the specific case, it should be noted that, at present, the current legal system does not allow the processing of biometric data of workers for the purpose of identifying them (carried out after the first recognition and subsequently randomly) in order to prevent substitutions of person in the performance of the service, given that such processing does not find its basis in a regulatory provision that has the characteristics required by the data protection discipline, also in terms of proportionality of the regulatory intervention with respect to the purposes that are intended to be pursued.
Finally, it is stated that, in any case, the adoption of the biometric system by the Company is not suitable to prevent the phenomenon of mistaken identity, as recognized by the Company itself (the measure "in itself is not sufficient to avoid the phenomenon" of account transfer) given that, even where the degree of reliability and accuracy of the chosen biometric system was sufficiently high (a circumstance that in any case cannot be said to have been achieved considering that the Company itself decided, albeit for a limited period, to interrupt the processing of biometric data due to bugs within the system, following which it was necessary to start a "test" phase), it would always be possible to deliver the device to a different person, after having carried out the recognition (on the subject of facial recognition see also: Provv. n. 50 of 10/2/2022, web doc. n. 9751362).
Therefore, taking into account the aforementioned legislation, the Company's decision (communicated to the Authority with a note dated 5 June 2024) to reduce the retention periods for the biometric data collected - although the new terms are still considerable - ("three (3) months from the last order in the case of inactive couriers" and "three (3) months from the deactivation of the account in the case of couriers whose accounts have been deactivated for reasons not attributable to facial recognition", while for active couriers the data are retained for the entire duration of the employment relationship), does not change the assessment of the unlawfulness of the processing of biometric data.
Considering this, it appears that the Company carried out, from 23/11/2020 to the month of July 2022 (after the suspension, the processing resumed starting from the beginning of February 2023) and is still carrying out, the processing of biometric data in the absence of an appropriate legal basis in violation of Articles 5, paragraph 1, letter a), and 9, paragraph 2, letter b) of the Regulation.
4.8. Violation of the obligation to carry out a data protection impact assessment (Article 35 of the Regulation).
Pursuant to Article 35 of the Regulation, “Where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing on the protection of personal data”.
At the time of the inspections, the Company had carried out a data protection impact assessment, as required by Article 35 of the Regulation, with exclusive reference to the processing of biometric data (in particular: facial recognition).
The impact assessment relating to the processing of biometric data relating to riders is dated October 2020 (see note 16/3/2023, Annex B) and updated during the proceedings on 29 February 2024 (see note 29/2/2024, Annex 8).
Therefore, although the Company deemed it necessary to interrupt the processing in July 2022 due to internal bugs that led to “potential unjustified blocks of the Couriers’ profiles”, it did not proceed to promptly update it, at least in terms of residual risks for the interested parties, as was also abstractly foreseen three months after the publication of the first document (Annex B, note 16/3/2023 cit., p. 73).
Furthermore, and more radically, the impact assessment - even in the version updated at the end of February 2024 - does not adequately take into account the profile relating to the lawfulness of the processing of biometric data in the context of the management of the employment relationship.
In the section of the document dedicated to the assessment of the legal basis, in fact, the condition represented by the need to fulfill contractual obligations is considered applicable to the case in question, despite the fact that pursuant to art. 9, par. 2 of the Regulation in the case of processing of special data the need to perform a contract does not constitute a suitable legal basis for the processing.
Art. 9, par. 2, lett. b) of the Regulation, considering, however, that this rule can be integrated by the “collective agreement recently signed by Glovo” and by the “memorandum of understanding […] with the Prefecture” regarding the prevention of phenomena of illicit interposition and exploitation of labor (Annex B, note 16/3/2023 cit., p. 42 and Annex 8, note 29/2/2024, p. 40).
Given that the need to fulfill obligations and exercise rights in the field of employment law “insofar as authorised by Union or Member State law or by a collective agreement pursuant to Member State law” (Article 9, paragraph 2, letter b) of the Regulation) cannot be satisfied by a collective agreement, except to the extent provided for by national law, nor by a memorandum of understanding, the provision on the processing of special categories of personal data, referred to above, requires that the primary provision specifically provides for the processing of biometric data, in any case in the presence of appropriate guarantees for the fundamental rights and interests of the data subject.
This also applies in relation to the “fulfilment of a legal obligation”, put forward by the Company, with regard to Law 29/10/2016 n. 199 (“Provisions on combating the phenomena of undeclared work, exploitation of labor in agriculture and realignment of wages in the agricultural sector”), in relation to the liability provided for by Legislative Decree 8/6/2001, n. 231 (“Regulation of the administrative liability of legal persons, companies and associations including those without legal personality”) (Annex 8, note 29/2/2024, p. 37). The express reference to the processing of biometric data is not provided for, neither by the aforementioned collective agreement, nor by the memorandum of understanding, nor by the rules referred to by the Company.
Considering that the processing of the biometric data of the riders was found to be unlawful, for the reasons indicated in the previous paragraph, the aforementioned impact assessment, following which the Company deemed it could implement the processing of biometric data, must therefore be considered non-compliant with art. 35 of the Regulation, as the absence of lawfulness conditions for the processing in question was not correctly and preliminarily assessed.
Furthermore, as ascertained during the proceedings, the Company, in addition to biometric data, processes a multiplicity of data of a significant number of interested parties (riders) for the purposes of managing the employment relationship, through a digital platform that bases its operation on complex algorithms, also through automated decision-making processes governed by art. 22 of the Regulation.
In this regard, the Company's argument in its defense briefs cannot be accepted, namely that the preparation of an impact assessment would not have been "mandatory [...] since it has been demonstrated, both for the excellence score and for the grievance process, that there is no automated processing activity of the couriers' data and profiling of the same".
Based on the results of the procedure, it is established that the Company adopts decisions based solely on automated processing, including profiling, as argued in the paragraph relating to processing attributable to art. 22 of the Regulation (which is referred to here).
In light of the provisions of art. 35 of the Regulation, as well as the indications provided in this regard by the Guidelines adopted by the Article 29 Working Party (most recently on 4 October 2017, WP 248rev.01) and by the provision of the Guarantor of 11 October 2018, n. 467 (“List of the types of processing subject to the requirement of a data protection impact assessment pursuant to art. 35, paragraph 4, of Regulation (EU) no. 2016/679”, in the Official Journal, S. G. no. 269 of 19/11/2018), the processing activity carried out by Foodinho s.r.l., as it is characterised by the innovative use of a digital platform, by the collection and storage of a variety of personal data relating to the management of orders, including geographical location, and communications via chat and e-mail as well as the possibility of accessing the content of telephone calls between riders and customer care, by the performance of profiling activities and automated processing of a significant number of “vulnerable” data subjects (as they are parties to an employment relationship; see WP Guidelines 248rev.01 of 4.4.2017, chap. III, B, no. 7), presents “a high risk to the rights and freedoms of natural persons”, with the consequent need to carry out, before the start of the processing, an impact assessment pursuant to art. 35 of the Regulation.
Furthermore, the obligation to carry out an impact assessment has been reiterated by the legislator, with regard to the processing deriving from the use of automated decision-making or monitoring systems, by art. 1-bis, paragraph 4, Legislative Decree no. 152/1997, added by art. 4, paragraph 1, letter b), Legislative Decree no. 104/2022.
As for the number of data subjects involved in the processing, it should be noted that the "Active Couriers" (at the time of the dissolution of the reservations on 27/12/2023) who use the APP in Italy starting from January 2022 was indicated by the Company as 36,545 (with the clarification that ""Active Couriers"" means any Courier, registered in the APP, who has placed at least one order using the Glovo Platform since January 2022").
Among the riders who work for the Company, there are 7,405, according to what was declared by the Company itself, the "active couriers" who "started using the APP in Italy from 1 August 2022" (see note dissolution of the reserves 27/12/2022, letter R).
In any case, it is noted that, during the proceedings, the Company produced a copy of an impact assessment, dated 29/2/2024, concerning the processing carried out through the excellence system and the geolocalization of the riders, "with particular reference to the process of assigning orders, delivery and calculating the compensation of the Couriers" (see note 29/2/2024, Annex 9). The document emphasizes the commitment to keep the assessment updated "especially in the event of the introduction of new data processing activities in the Platform that could be particularly invasive for the Couriers in the Italian territory".
Although this impact assessment contains an in-depth description of some of the processing operations carried out by the Company (although processing operations that entail risks for the data subjects such as disconnection/blocking from the platform and the order assignment system have not been taken into account), of some measures adopted to protect the data subjects and of other measures that the Company is planning to adopt (in particular, reformulation of some information notices, minimization of the data processed in the excellence system, modification of some retention terms), it should be noted that the document does not take into consideration, either in the section relating to the identification of risks, or in the section dedicated to the measures envisaged to mitigate the risks, the specific risks arising from the automated processing operations carried out through the digital platform, nor does it provide for appropriate measures, aimed at protecting the rights, freedoms and legitimate interests of the data subject indicated in art. 22 of the Regulation, also suitable for ensuring that the factors that lead to inaccuracies in the data are rectified, that the risk of errors and discriminatory effects is minimized.
For the above reasons, the Company has violated art. 35 of the Regulation in the terms set out above.
4.9. Violation of the obligation to adopt adequate technical and organizational measures to guarantee a level of security appropriate to the risk (art. 32 of the Regulation).
Following direct access to the systems carried out during the inspection (using the credentials of Head of operations, see screenshot All. 2, minutes of operations carried out 28/2/2023), it emerged that the Company's operators can access some data of riders who operate for Glovo group companies both in countries other than Italy, in Europe and outside Europe.
In particular, by accessing the "Live Map" section, the operators of the Italian company can view, on the map of the city (EU and non-EU) taken as a reference, some personal data of the riders in service, in particular ID, telephone number and geographical position.
Given that the platform used by the Company operates in a uniform manner, regardless of the country in which it is used, operators of other companies in the Glovo group can, or have been able to, access some data of riders operating in Italy.
This is confirmed by what was declared by the Company itself, with the note of 15 January 2024, where it declared that it had taken action with GlovoApp23 "in order to establish country-based segregation levels to prevent the viewing of personal data of couriers in other countries, except in a few limited cases" (see note cited point 3.7).
Contrary to what was claimed in the defense briefs, the data processing carried out by operators operating outside Italy on riders operating in Italy does not “exclude [the] competences of the Guarantor, as [they] relate to the access levels and technical specifications of the Platform […], as well as to processing that pertains to other companies of the Glovo group as independent data controllers” (see note 11/12/2023, p. 25), considering that it is one of the duties of the Company, as data controller, to ensure that processing carried out by third parties, without a legal basis and for purposes not attributable to the management of the system, is not permitted.
In a subsequent note dated 29/2/2024, in any case, the Company declared that the changes relating to the introduction of country-based segregation levels have been applied to the platform, given that “as of today, the Permission [to access the “livemap” platform] is also not active for employees of Glovo group companies located in other countries” (see note 29/2/2024, point 3.7, letter C).
Therefore, at least until 29/2/2024, therefore for a significant period of time, the Company did not take action with GlovoApp23 S.L. to ensure that access to the personal data of riders operating in Italy was limited and relevant to the purposes of the processing and that the confidentiality of such data was guaranteed, through segregation measures, aimed at not allowing operators of other associated companies operating in other countries to access, through the Live Map platform, the personal data of riders operating in Italy (in particular ID, telephone number and geographical location).
The number of Foodinho employees who access the “Live Map” section is 65 (see note on the lifting of reservations 17/3/2023); the number of Comdata agents is 82; the number of Team Leads users who access it is 7 (see note on the lifting of reservations 16/3/2023, letter j); the number of Mplus agents is 149 and those of Team Leads is 18 (see note on the lifting of reservations 16/3/2023, letter j). According to the Company's declaration, therefore, the total number of operators who can access the "Live Map" section for the Company is 321. This is therefore a high number of operators with access privileges to the "Live Map" section (which contains a plurality of data relating to riders) taking into account that the Company does not appear to have carried out a detailed assessment of the specific needs that would legitimise access to such a number of operators.
The Company has not provided feedback, despite the specific request in this regard, regarding the total number of operators active on the Glovo platform who have accessed (in light of the changes made on 29/2/2024) the "Live map" section, with the possibility of access with cross-country operations.
However, it is noted that, with the note of 29/2/2024, the Company represented that it had introduced some changes consisting in the introduction of country-based segregation levels, also for the activity of operators operating in Italy (see note 29/2/2024 cit., point 3.7).
In conclusion, from the documents it emerged that until the changes introduced during the proceedings (with effect from 29/2/2024) the Company had not implemented adequate technical and organizational measures to guarantee a level of security appropriate to the risk, aimed at avoiding, in particular, that data relating to riders operating in Italy were also viewable by operators of other companies of the Glovo group, without this being in any way relevant for the purposes of the operation of the service.
Therefore, given the large number of operators who, on behalf of the Company and also from countries other than Italy - given the use of the same platform by all companies in the Glovo group - can access the personal data of riders stored in the systems of the Company itself, it is believed that the system has not been configured in such a way as to guarantee the confidentiality of personal data and adequate protection against accidental access, in violation of art. 5, par. 1, letter f) and art. 32 of the Regulation.
4.10. Violation of the obligation to determine retention periods for a period not exceeding the achievement of the purposes for which they are processed (art. 5, par. 1, letter e), of the Regulation).
It also emerged that the Company retains the recording of telephone calls made with riders for 36 months, in relation to the following purposes: to evaluate the quality of the service provided by COMDATA and MPLUS; “to have documentary support of all interactions carried out with a third party in the event of a complaint or trial”; “Manage and respond duly to requests made by competent authorities […] and law enforcement […]”; “Properly manage and document the correct fulfillment of requests from data subjects […] pursuant to the GDPR” (note of the dissolution of reserves 16/3/2023, letter m.).
This extended retention period, which is also related to a type of personal data supported by specific guarantees by the legal system, as it refers to communications (see articles 2 and 15 of the Constitution), does not appear to be appropriate for the pursuit of the purposes indicated (in particular, taking into account the terms within which it is possible to submit a complaint relating to a given order, or to evaluate the quality of the call center service provided by the companies sub-processors, which are certainly much less than three years; furthermore, the Company has not clarified what the legal obligations are that would impose such retention).
In this regard, it also emerged that the maps of the deliveries carried out by the riders have been stored since October 2018 (therefore, at the time of the investigation, for more than 4 years). While before that date, the data relating to the start and end of the route was stored, without details of the route (minutes 14/12/2022, p. 7).
In this respect, the Company did not indicate the specific reasons why, in relation to specific purposes, it was necessary to provide for such extensive data storage.
In this regard, the Company, in its defense briefs, argued that the terms of storage of telephone calls and maps could have been set in the broader time frame of 10 years, considering that "they actually relate to the management of the contractual relationship between the Company and the couriers, to the fulfillment of legal obligations (e.g. in the case of requests from authorities) and to security purposes" (see note 11/12/2023, p. 26). Therefore, the terms currently set, less than 10 years, would be in accordance with the principles of minimization and privacy by design.
This argument cannot be accepted, given that the retention period of the individual data collected must be commensurate with the specific purposes of the processing. It is not clear, nor has it been illustrated by the Company, how, in practice, the retention of telephone calls or even route maps could be necessary, for the owner, by virtue of tax, social security or limitation period rules.
Also in relation to the management of customer complaints or disputes over compensation received by riders or the reconstruction of accidents that have occurred or requests for access by public authorities, it is noted that the ten-year term and the terms, respectively, of 36 months (three years) and 4 years, do not appear at all appropriate, in relation to these purposes.
It is also noted that, according to what is indicated in the information updated in December 2022 (see inspection report 1/3/2023, Annex 10), in general terms the data relating to riders are retained, after the termination of the employment relationship, for a period "maximum of ten (10) years to comply with legal obligations [...] and defend against or take any action in relation to civil, criminal, tax and social security matters" (information cit., point 6.4).
The attached table relating to the "General retention periods" does not distinguish the retention times, in relation to the different types of data and processing carried out (therefore also including data relating to geolocation and all data relating to order management with the exception of the aforementioned maps), and in any case indicates the single term of 10 years, in relation to macro-categories of documents (accounting and tax documentation; commercial agreements or contracts; personal civil actions).
Similarly, in the information attached to the note of 29/2/2024 (Annex 2), which however is not currently available on the Company's website, it is specified that the retention period, with reference to "contracts and information relating to the Couriers' accounts (e.g. courier ID, other information processed within the contractual relationship)", "data relating to orders", "slot booked/in which the courier checked in", "excellence score" is equal to "10 years from the termination of the contractual relationship". With particular regard to "chat conversations", the term is indicated as "36 months from the day on which the conversation took place in the APP", while with regard to "geolocation data" the term is indicated as "1 year from the end of geolocation".
Furthermore, following the accesses made to the systems during the inspections, it emerged that "the platform retains the personal data and documents of riders with accounts deactivated since 2016" (inspection report 12/14/2023, p. 7).
Finally, it should be noted that the argument put forward in this regard by the Company in the defense briefs is not convincing ("the retention period relating to the processing carried out for the purposes of managing the relationship is dictated by specific laws (for example, those relating to tax, social security, etc.) or, in any case, by general rules of the system that provide an indication of the reasonable period of time within which the data can still be considered "useful" for the owner", see defense briefs 12/11/2023, p. 26).
The reference to the laws is in fact indicated in general terms, without specifying, in relation to each processing, why a specific law would require ten-year retention. From this point of view, storage must not be merely “useful” for the owner, but rather specifically aimed at achieving the purposes lawfully pursued with the processing.
Therefore, also following some partial changes introduced during the procedure, it emerges that the Company has identified a single retention period of 10 years, in relation to a plurality of different data collected during the assignment and management of orders, including the values assigned within the excellence score system, without parameterizing this period to the specific purposes pursued with each processing.
Furthermore, it emerged that, in addition to telephone communications, also communications via chat made with riders are stored, for an extended period of 36 months, in the absence of any indication relating to the purposes that would make this period appropriate. Even the identification of the term equal to 1 year for the retention time of data relating to the detection of the geographical position collected through the application, although reduced (but still significant in absolute terms) compared to what was previously provided, was not related to the need to pursue explicit and specific legitimate purposes.
For the reasons set out above, the Company has violated the principle of limitation of conservation, according to which the data controller has the obligation to retain the data in a form that allows the identification of the data subjects for a period of time not exceeding the achievement of the purposes for which they are processed (art. 5, par. 1, letter e) of the Regulation).
4.11. Sending rider data to third parties. Violation of arts. 5, par. 1, letter c), 6, 13, 14 and 25 of the Regulation.
Following the inspections of 26 and 27 July 2023, it emerged that the Company sends to third parties - in particular Google Firebase, Braze and mParticle - a plurality of personal data relating to riders.
In this regard, the Company has declared that these service providers "act as data controllers on behalf of Foodinho S.r.l. [...]. Therefore, the couriers' data are disclosed and/or made available to these companies on the basis of the respective art. 28 GDPR [and] data processing agreements stipulated by the parent company Glovoapp23, S.A. [...] also on behalf and for the benefit" of the Company (note lifting of reservations 15/9/2023).
It is therefore the Company that has identified, as the owner, "the purpose [...] and the legal basis [...] for the processing activities in progress (within which the suppliers can offer their services)" (note lifting of reservations cit.).
With regard to Google Firebase, which provides the Crashlytics function “to detect and manage abnormal crashes of mobile and web applications used by couriers”, the Company sends the following information: rider ID and “log information” (“metadata relating to what the user was doing when the event is recorded: The current screen they were on when the event occurs, The feature triggers enabled for that specific user, The action performed by the user to trigger the event, whether it be a click or a notification arrived”). The legal basis is the execution of the contract with the riders, also in relation to the possibility of resolving any malfunctions of the application.
Further information relating to the rider is then acquired through the Google Firebase SDK (Software Development Kit): information on the operating system, information on the device and “geographic information” (IP address, “where the device is connected”, i.e. the city and country from which the device connects).
The Company also specified that it also used the Firebase Analytics product, which is no longer used. However, “during the course of the investigation carried out to prepare this report, our technical teams discovered that, for technical reasons, a residual portion of the code was never removed and some information (such as, for example, the carrier ID, the city code or the transport) may still have been sent to Google, even though such data had no current use by us. To date, we confirm that the SDK and the respective data have been permanently cleaned from the App, as well as from our systems” (All. 7, note 15/9/2023, cit.).
The Company also sends to Braze, “in order to send transactional communications to riders, as well as commercial communications” (note 15/9/2023, cit.), the following data relating to riders: rider ID, email and telephone number (if present in the database).
Additional information collected through the SDK is: device information (language, model), operating system information, localization (country, Geolp position), start and end of the App usage session.
The Company, with regard to the sending of the “precise user location” data to Braze via the SDK, also clarified that “During the technical investigation in the drafting of this report, we realized that the courier app had this configuration permanently enabled. […] we confirm that it has been permanently resolved and starting from August 22, 2023 […] we have enabled this configuration” (All.5, note 15/9/2023, cit.).
Finally, the Company sends to mParticle, “which provides customer data platform (CDP) services that aggregate information (events) through various digital channels in order to send the right communication to the right recipient”, the following data relating to the rider: rider ID, last known location as well as “behavioral data (data relating to how the courier uses the app), the courier’s interactions with the […] app”.
The Company also “may […] share information with mParticle for analysis purposes [based on] Glovo’s legitimate interest in understanding how couriers interact with the App, in developing new services and in analyzing information derived from the services” (see note 15/9/2024).
Further information collected through the SDK is: device information, operating system information, location (country, Geolp position), use of the app (“every time the user accesses the app or the app is put in the background or finalized”).
Finally, with regard to “location tracking” (“This setting allows the SDK to collect the user’s location, it does not reveal when it acquires this data, so as long as the app has the location permission granted by the user, it can acquire this data at will”), the Company has “planned to disable location tracking and rely only on the last known location forwarding when using the screens” (All.6, note 15/9/2023, cit.).
The Company has therefore processed, through the use of services provided by companies designated as sub-processors, for a long period of time, a significant amount of personal data relating to riders, not necessary with respect to the purposes pursued and, sometimes, with processing methods not even known to the same, so much so that the Company itself has decided to interrupt some of these treatments, following the checks carried out by the Authority.
With regard to some of these data, therefore, it is noted that the Company has stopped sending them, during the proceedings: in particular, the processing of the data collected by the Braze SDK took place until August 22, 2023; instead, the processing of the data sent to Google through Firebase Analytics took place until an unspecified date, close to the sending of the notice of dissolution of the reserves of 15/9/2023.
With specific regard to the processing of data relating to the geographic position of the riders, it emerged that the collection and sending, to third parties, of such data also operates when the rider is not operating in the slot, the app is in the background and, at least until August 22, 2023, even when the app is not active.
Therefore, the information relating to the position and movements of the riders was systematically sent (to Google Maps and Braze), even when the rider was not engaged in work activities on behalf of the Company and without his knowledge.
In its defense briefs, the Company recalled “good faith and the spirit of cooperation” with the Authority, as well as “the diligent repentance [considering that] as soon as it became aware of such technical errors, it immediately took steps to stop the irregularities” (note 11/12/2023).
In reality, the only measures actually adopted were, as noted above, the interruption of the sending of some data to Braze and Firebase Analytics via the respective SDKs.
In fact, the Company, in the note dated 15/1/2024, announced that in the following six months it would adopt, in agreement with the parent company, some “measures” relating to the activities of sending data to third parties, in particular: deepening the functioning of the SDKs installed by Google Firebase, Braze and mParticle; increasing transparency towards riders on these treatments; plan, in agreement with the parent company, to carry out “periodic technical audits […] to verify the data flows towards the suppliers of the contracted services”.
However, no update on this point was provided by the Company, with the subsequent note of 29/2/2024. Beyond the announcements, therefore, no measures have been adopted (or even concretely planned) by the Company despite the existence of a flow of communications to third parties of data relating to riders having been verified during the inspection activities of 26 and 27 July 2023.
The Company, as data controller, should have assessed that the use of SDK necessarily involves the use of a code prepared by third parties for interaction with the reference platform, of which the Company did not fully know, nor the underlying operating logic, nor the interactions with third-party systems carried out through the SDK itself (with regard to the relationships between the data controller and the service provider, in relation to the need to proceed with the exact identification of the types of data collected and the purposes of the processing, see the decision of the E.D.P.S. - European Data Protection Supervisor of 8 March 2024, "EDPS investigation into use of Microsoft 365 by the European Commission (Case 2021-0518)").
Given that the owner does not have the possibility of exercising any preventive control over the data sent and the methods of sending, it is his precise duty and responsibility to adopt effective measures aimed at verifying the flows and above all to ensure that, by default, only the personal data necessary for each individual purpose of the processing are processed.
The described activity of sending a plurality of data relating to riders to third parties by the Company, in the absence of appropriate measures, has therefore led to (and still leads to) the violation of the principle of minimization (art. 5, par. 1, letter c) of the Regulation) given that the data collected, including those relating to geographic location through the Google Maps functionality integrated into the application, are not adequate, relevant and limited to what is necessary with respect to the purposes for which they are processed.
The principle of privacy by design and by default (art. 25 of the Regulation) is also violated, which requires the owner to adopt adequate technical and organizational measures aimed at effectively implementing the principles of data protection and ensuring the processing of only the data necessary for the processing.
Furthermore, it does not appear that the Company has provided, in this regard, suitable information to riders regarding these data flows, given that, not even in the latest version of the information provided to the Authority with the note of 29/2/2024, the information required by art. 13 of the Regulation appears to be provided to interested parties, in particular the categories of data processed and the methods of processing (“Your data may be communicated to third parties […] such as providers of electronic communication services, communications support services, cloud providers, analytics services […] in compliance with the purposes of the processing and in light of the legal bases indicated in point 6 above”).
Finally, with reference to the legal basis for the processing of riders’ data, for the purpose of sending commercial communications, the Company has indicated the rider’s consent “or the soft-spam derogation pursuant to Article 130.4 of Legislative Decree no. 196/2003” (note 15/9/2023 cit., p.1-2).
Given that in the context of the employment relationship, consent is not generally a suitable legal basis for the employer to carry out processing and that the aforementioned regulation on unwanted communications is not applicable to the employment relationship, the processing, consisting in the sending of commercial communications, therefore occurred in the absence of a suitable legal basis.
English: The arguments put forward by the Company in its defence briefs regarding the alleged non-existence of “any employment relationship” with the riders from which the admissibility of using consent as a legal basis “for soft-spam or marketing purposes” would derive cannot be accepted, given that consent cannot generally constitute a suitable condition for the lawfulness of processing in the context of all those employment relationships characterised by an imbalance of power between the parties thereof (therefore between the person providing the work and the person for whom it is performed; in this regard, in particular, the aforementioned Opinion no. 2/2017 of the Article 29 Working Party, paragraph 2 “With the term ‘employee’, in this opinion the Working Party does not refer exclusively to persons subject to an employment contract recognised as such under the laws in force on the matter. In recent decades, new business models served by different types of employment relationship have become more common, in particular the use of freelance workers. This opinion intends to address all situations of employment relationship, regardless of whether such relationship is based on an employment contract”).
This therefore led to the violation of art. 6 of the Regulation.
4.12. Control over the activity of riders. Violation of art. 5, par. 1, letter a) and 88 of the Regulation and art. 114 of the Code.
Following the inspections, it emerged that the Company uses the work of riders who carry out the home delivery service of food and other goods on the basis of a standard contract prepared by the Company itself. The draft contract, with regard to its duration, provides that upon expiry “the contract will be automatically renewed from year to year for a period of 12 months” (see Annex 2, minutes 16/12/2022).
Riders are assigned an account to access the digital platform through which the delivery activity is organized and managed.
It is established that, for the performance of the riders' activity, the Company, through the platform, systematically collects and stores the geographic position of the courier according to the timeframes of Google Maps (very close), even when the rider is not active in the slot.
Furthermore, the Company collects geolocation data, even when the app is in the background and, until August 2023, even when the app was not active, when sending to third parties who act as data controllers on behalf of the Company itself (see par. 4.11. of this provision).
In the systems of the data controllers, the data relating to the geographical position of the rider are therefore available to the owner who has the concrete possibility of using them. This allows the Company to process the data relating to geolocation, even when the rider is not carrying out his/her work activity.
Also when sending to third parties, the Company processes, among other data, that relating to the behavior of the riders in using the app.
Furthermore, through the platform, the Company systematically collects and stores a wide range of data relating to the execution of the order, including maps of the routes taken, the estimated time and actual time of delivery, the history of orders placed, rejected and reassigned. Furthermore, the Company itself has declared that it carries out “monitoring” of the accounts assigned to the riders “aimed at detecting potential improper use of the platform”.
Also through the platform, the rider is profiled through the operation of the “excellence score”, designed to assign priority in the choice of work shifts (slots).
As already illustrated in the paragraph dedicated to the analysis of the automated treatments carried out by the Company, the parameters that make up the excellence system are aimed at assigning a higher score to the rider who makes a greater number of deliveries (“Sum Seniority Normalised”), who books a greater number of high-demand slots (“Sum High Demand Normalised”), who checks in to the booked slot within the expected timeframe (“Sum No Show Normalised”) and who does not receive bad feedback from customers (“Sum Customer Rating Normalised”).
The “excellence score” system is therefore configured in such a way as to assign greater job opportunities to those who make a greater number of deliveries and therefore to encourage continuity in the offer of work performance so much so that, in confirmation of this, the system reduces job opportunities for riders who do not accept the service offered (see paragraph 4.5. of this provision).
Therefore, not only does the Company assign work shifts to riders, but the assignment favors those who offer greater availability to make deliveries and actually make a greater number of them.
The Company also evaluates the performance, through the operation of customer feedback, and blocks and disconnects from the platform, when predetermined events occur, interrupting the rider's ability to perform the work, also through the performance of "monitoring" activities by the Team Ops operators, "aimed at detecting potential improper uses of the Glovo Platform" (among these events it emerged that the operators disconnected from the platform also following a "bad rating" on the rider's performance: Annex 5, inspection report 28/2/2023, result.csv file). Some of these events automatically lead to disconnection or blocking from the platform or from the booked slot (see paragraph 4.5. of this provision).
The Company also systematically collects and stores all the discussions that take place with the riders through telephone calls, chats and e-mails.
Finally, the company determines the compensation to be paid to the rider and prepares the relevant invoice.
Following the examination of the elements set out above, which characterize the processing of personal data, relating to riders, carried out by the Company in the context of the employment relationship governed by the standard contract acquired in the files, and documented during the inspection activities carried out at the registered office of the Company and the subsequent procedure for the adoption of corrective and sanctioning measures, it emerged that the Company organizes, mainly through the digital platform, the delivery activity consisting of a predominantly personal service, identifying the time and place of the service, offering job opportunities primarily to those who, with assiduity and continuity, carry out delivery activities (and on the other hand, the same standard contract provides for automatic renewal from year to year, demonstrating the Company's clear interest in the continuity of the service), checking the correct use of the platform and the correct performance of the service through the settings and functions of technological tools that operate remotely (digital platform, app, communication recording systems).
That said, the Guarantor, in order to verify compliance with the general principle of lawfulness of processing contained in art. 5, par. 1, letter a) of the Regulation, is required to also assess the processing carried out by the owner in accordance with the sector regulations applicable in the specific case.
The national legislator, with reference to the so-called hetero-organized collaborations (pursuant to art. 2, Legislative Decree 15/6/2015, no. 81), has established that "As of 1 January 2016, the rules on the subordinate employment relationship also apply to collaboration relationships that materialize in predominantly personal, continuous work performances and whose methods of execution are organized by the client. The provisions referred to in this paragraph also apply when the methods of execution of the service are organized through digital platforms".
In this regard, the Court of Cassation, with ruling dated 24 January 2020, no. 1663, in relation to the conditions of applicability of the discipline most recently recalled in a case concerning the employment relationship between a “food delivery” company and some riders, clarified that art. 2, Legislative Decree no. 81/2015 must be classified as a disciplinary rule that does not create a new case, given that “upon the occurrence of the characteristics of the collaborations identified by art. 2, paragraph 1, of Legislative Decree 81 of 2015, the law imperatively reconnects the application of the discipline of subordination”.
Having therefore deemed it necessary to apply to the case in question the aforementioned discipline relating to the so-called hetero-organized collaborations, it is noted that, within the scope of the discipline of the subordinate employment relationship, the protections established by Law 20/5/1970, no. 300, of which they constitute a significant manifestation, in particular those established by art. 4 regarding remote controls (the Court of Florence also ruled in accordance with this, in its judgment of 24/11/2021, no. 781 against a different company operating in the food delivery sector, establishing that the recognition of collaborations organised by the client pursuant to art. 2, paragraph 1, Legislative Decree 81/2015, of “equivalent protection” to that of subordinate workers with “full application of the rules on subordinate work” - as established by the Court of Cassation, Labour Section, judgment no. 1663 of 24/01/2020 - includes within the latter “the rights established in the Workers' Statute”; see also recently the Court of Civitavecchia, judgment of 15/5/2024, which confirmed that art. 2, paragraph 1, Legislative Decree 81/2015 “carries out a generic and full reference to the rules applicable to subordinate workers pursuant to art. 2094 of the Civil Code” and that “in the event that the legislator intended to exclude one or more legal institutions specific to the regulation of the subordinate employment relationship […] it did so expressly”).
On the other hand, also with regard to the guarantees provided for those who are part, in concrete terms, of a self-employed employment relationship, the legislator has provided for the application of the discipline established "to protect the freedom and dignity of the worker" provided for subordinate workers (see art. 47-bis, Legislative Decree no. 81/2015, which established "minimum levels of protection for self-employed workers who carry out delivery activities of goods on behalf of others [...] through platforms, including digital ones" and art. 47-quinquies, according to which "The anti-discrimination discipline and that to protect the freedom and dignity of the worker provided for subordinate workers, including access to the platform, apply to the workers referred to in article 47-bis") (in conformity with this, see INL circular 14 April 2023, "Operational instructions for the issuing of authorization measures pursuant to art. 4 of Law no. 300/1970").
Therefore, even if it were deemed necessary to apply, in this respect, the rules relating to self-employment relationships, the rules on remote controls would also apply.
In fact, as is known, Title I of Law no. 300/1970, which also includes art. 4, contains in the title “On the freedom and dignity of the worker” (in the same sense see Circular of the Ministry of Labour 19.11.2020).
Precisely in relation to the processing carried out within the employment relationship, in consideration of the peculiarities that characterise them and the specific needs for the protection of the interested parties deriving from the asymmetry of the parties which, as a rule, characterises the employer/employee relationship, art. 88 of the Regulation has safeguarded the national rules of greater protection (“more specific rules”) aimed at ensuring the protection of the rights and freedoms with regard to the processing of workers’ personal data, regardless of the specific type of employment relationship.
Among the rules of greater protection, as notified by Italy to the Commission, pursuant to the same art. 88, par. 3, also art. 114 of the Code (“Guarantees in the field of remote control”) which identifies, among the conditions of lawfulness of the processing, compliance with art. 4, law 20 May 1970, n. 300.
The aforementioned art. 4, law no. 300/1970 establishes that “Audiovisual systems and other instruments from which the possibility of remote control of workers’ activity derives can be used exclusively for organizational and production needs, for workplace safety and for the protection of company assets and can be installed following a collective agreement stipulated by the unitary trade union representation or by the company trade union representatives. Alternatively, in the case of companies with production units located in different provinces of the same region or in more than one region, such agreement can be stipulated by the comparatively most representative trade union associations at national level. In the absence of an agreement, the systems and instruments referred to in the first period can be installed following authorization from the territorial headquarters of the National Labour Inspectorate”.
In this case, the Company, despite carrying out a systematic monitoring of the work performance carried out by the riders, through the settings and functions of technological tools that operate remotely (digital platform, app, communication recording systems), in the terms set out above, did not comply with the provisions of art. 4, paragraph 1, Law 300/1970, given that it did not verify that the tools used are attributable to the purposes strictly permitted by the law (organizational and production needs, workplace safety and protection of company assets) nor did it activate the guarantee procedure envisaged in the event of the existence of one of the aforementioned purposes (collective agreement stipulated with the trade union representatives or, in the absence thereof, authorization from the National Labor Inspectorate).
In this regard, it should be noted that several rulings by the ordinary judicial authorities have established that the guarantees established by the law to protect subordinate work apply to the Company: Turin Court, labor section, sentence 12/3/2024, no. 231; Turin App. Court, labor section, judgment 11/7/2023, no. 340; Palermo Court, labor section, 20/6/2023; Milan Court, labor section, judgment 29/11/2022, no. 2864; Turin Court, labor section, judgment 15/11/2022; Palermo Court, labor section, order 3/8/2022; Palermo Court, labor section, judgment 24/11/2020, no. 3570.
In this regard, the arguments advanced by the Company in its defense briefs cannot be accepted.
First of all, it is stated that, differently from what was claimed by the Company in relation to the contested violation of art. 88 of the Regulation (“the provision does not apply because it does not impose obligations on private companies such as Foodinho, but only obligations to do so on the Member States”), it is the same Regulation that has provided for the imposition of an administrative pecuniary sanction in the event of violation of “any obligation under the laws of the Member States adopted pursuant to Chapter IX” (chapter that includes art. 88, “Processing of data in the context of employment relationships”; on art. 88 of the Regulation and the notion of “more specific rules” to ensure the protection of the rights and freedoms of employees with regard to the processing of their personal data in the context of employment relationships, see ECJ, 30/3/2023, case C-34/21).
The Company also argued that riders “are not subordinate workers” and “are always free to make themselves available for the various slots offered by Foodinho”. Furthermore, riders “decide in full autonomy whether and when to work without having to communicate and/or justify their decisions in any way, even in terms of unavailability”.
Given that the Authority does not intend to qualify the nature of the employment relationship between the Company and the riders, but rather to apply the rules of the system, based on the principle of lawfulness of processing, the results of the control activity carried out on the processing of riders' data have highlighted that the booking of work shifts offered by the Company is not “free” but rather conditioned by the operation of the excellence score mechanisms. Therefore, the rider's work performance is not carried out “in full autonomy”, also considering that the lack of availability to carry out the service penalises him/her even following the reassignment of the order.
Nor can the thesis be accepted according to which the Company does not exercise any control over the activity of the riders since "the geolocalization as well as the mechanism for assigning the Excellence Score" constitute the "intrinsic characteristics of the courier activity and [of] the performance of the service through the Platform itself".
The methods with which the Company manages and organizes the delivery service are not "intrinsic" to the activity but rather determined in their concrete characteristics by the organizational model chosen and determined by the Company.
Similarly, with reference to the applicability, put forward by the Company as a subordinate matter, of art. 4, co. 2, law no. 300/1970 on the basis of the qualification of the tools used by the Company as "tools used by the worker to perform the work performance", it is noted that, based on the findings of the investigation, no element has emerged that would represent that the performance requested from the riders cannot be performed except through the technological tools and methods currently used.
It has instead emerged that the complex systems used by the Company perform processing that goes well beyond what is essential to provide the service having as its object the efficient delivery of a good (see, for example, the detection of the geographic position of the rider with the close timing of Google Maps even when the app is in the background; the attribution of a score and the profiling of the rider; the collection and storage of a large amount of data relating to the management of orders through a plurality of tools (app, digital platform, customer service) that allow further processing by the owner).
Given all of the above, the violation of the principle of lawfulness of processing (art. 5, par. 1, letter a) of the Regulation in relation to art. 114 of the Code) and of art. 88 of the Regulation which allows national law to provide for "more specific measures to ensure the protection of the rights and freedoms with regard to the processing of employees' personal data in the context of employment relationships" has been ascertained.
5. Conclusions: declaration of unlawfulness of processing. Corrective measures pursuant to art. 58, par. 2, Regulation.
For the above reasons, in light of the findings as a whole, the Authority believes that the statements, documentation and reconstructions provided by the data controller during the investigation, which are also characterized by unjustified narrative verbosity and sometimes inconsistent reconstructions, do not allow the findings notified by the Office with the act initiating the proceeding to be overcome and are therefore unsuitable to allow the archiving of this proceeding, since none of the cases provided for by art. 11 of the Regulation of the Guarantor no. 1/2019 apply.
The processing of personal data carried out by the Company and in particular the processing of rider data carried out mostly through the digital platform is in fact unlawful, in the terms set out above, in relation to art. 5, par. 1, letter a) - also with reference to the provisions of art. 1-bis of Legislative Decree no. 152 of 1997 -, c) and d) (principles of transparency, correctness, adequacy, relevance and accuracy of processing), e), 6, 9, par. 2, letter b), 12, 13, 22, par. 3, 25, 28, 32, 35, 88 of the Regulation, to articles 2-septies and 114 of the Code and to art. 47-quinquies, Legislative Decree no. 81/2015.
Although the Company, during the proceedings, has adopted some - limited - changes to the processing subject to notification of violations by the Guarantor (dated 11/10/2023), these are for the most part, at present, still active. This, moreover, despite the adoption of a previous provision by this Authority with regard to the processing of riders' data carried out through the digital platform (Provision 10 June 2021 no. 234).
The violation, ascertained in the terms set out in the reasons, cannot be considered "minor", taking into account the nature of the violation which concerned, among other things, the general principles and conditions of lawfulness of the processing of special data (biometric data) as well as the seriousness of the violation itself, the degree of responsibility and the manner in which the supervisory authority became aware of the violation (see Recital 148 of the Regulation).
The Authority also considered that the level of seriousness of the violation is high, in light of all the relevant factors in the specific case, and in particular the nature, seriousness and duration of the violation, taking into account the nature, object or purpose of the processing in question as well as the number of data subjects harmed by the damage and the level of damage suffered by them.
The Authority also took into account the criteria relating to the intentional or negligent nature of the infringement and the categories of personal data affected by the infringement as well as the manner in which the supervisory authority became aware of the infringement (see Article 83, paragraph 2 and Recital 148 of the Regulation).
Therefore, given the corrective powers granted by Article 58, paragraph 2 of the Regulation, it is deemed necessary to assign the Company a deadline to bring the data processing operations still in progress into conformity with the Regulation.
In light of the above, the Authority:
prohibits the Company from further processing the biometric data of the riders (Article 58, paragraph 2, letter f), of the Regulation);
orders the erasure of the biometric data processed as part of the rider authentication procedure;
orders the reformulation of the messages sent to the riders, following the deactivation and/or blocking, within the terms set out in the reasons (Article58, par. 2, letter d), Regulation);
orders to conform its processing to the Regulation, with reference to the correct preparation of the documents containing the information and the impact assessment, in the terms set out in the motivation (art. 58, par. 2, letter d), Regulation);
orders to conform its processing to the Regulation, with reference to the identification of the retention periods of the data processed, in the terms set out in the motivation (art. 58, par. 2, letter d), Regulation);
orders to bring its processing operations into conformity with the Regulation, with reference to the identification of appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, at least the right to obtain human intervention by the data controller, to express one's opinion and to contest the decision, in relation to automated processing including profiling carried out through the platform, ensuring adequate training of the operators in charge as well as the possibility for the operators themselves to ignore, if applicable, the output of the algorithmic process, to avoid the possible tendency to automatically rely on it (Article 58, paragraph 2, letter d), Regulation);
orders to identify appropriate measures aimed at periodically verifying the correctness and accuracy of the results of the algorithmic systems, also in order to ensure that the risk of errors is minimized as well as the use of excessive, outdated or inaccurate data, to be started within 60 days of receipt of this provision, concluding the verification activity within the following 90 days;
orders to conform its processing to the Regulation, with reference to the identification of appropriate measures, aimed at introducing tools to avoid improper and discriminatory use of reputational mechanisms based on feedback; this verification must be repeated with each change to the algorithm regarding the use of feedback for calculating the score (art. 58, par. 2, letter d), Regulation);
orders to comply with the provisions of art. 47-quinquies, Legislative Decree no. 81/2015, with reference to the prohibition to order "exclusion from the platform and [the] reduction of job opportunities attributable to failure to accept the service" (art. 58, par. 2, letter d), Regulation);
orders to conform its processing operations relating to the sending of personal data relating to riders to third parties to the Regulation, with reference to the application of the principles of minimisation and privacy by design and by default, in the terms set out in the grounds (Article 58, paragraph 2, letter d), Regulation);
orders to carry out a specific analysis aimed at verifying the categories of personal data exchanged with third parties, through the use of SDKs or APIs, created by the latter entities;
orders to verify, at least every six months, the list of operators who, with cross-country access authorization, can access the data of riders operating on Italian territory;
orders to conform its processing operations to the Regulation, with reference to the deactivation of GPS localization when the app is in the background and in any case the activation on the rider's device of an icon indicating that the GPS is active (Article 58, paragraph 2, letter d), Regulation);
orders to conform its own treatments to the Regulation, with regard to the designation of riders pursuant to art. 28 of the Regulation in the terms set out in the reasons (art. 58, par. 2, letter d), Regulation);
orders the Company to conform its own treatments to the Regulation, with reference to compliance with the provisions of art. 4, paragraph 1, law 20.5.1970, n. 300, in the terms set out in the reasons (art. 58, par. 2, letter d), Regulation).
6. Adoption of the injunction order for the application of the administrative pecuniary sanction and accessory sanctions (arts. 58, par. 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).
At the end of the proceedings, it appears that Foodinho s.r.l. has violated art. 5, par. 1, letter a) - also with reference to the provisions of art. 1-bis of Legislative Decree no. 152 of 1997 -, c), d) and e) (principles of lawfulness, correctness, transparency, minimization and accuracy of processing), 6, 9, par. 2, letter b), 12, 13, 22, par. 3, 25, 28, 32, 35, 88 of the Regulation, arts. 2-septies and 114 of the Code and art. 47-quinquies, Legislative Decree no. 81/2015. Violation of the aforementioned provisions will result in the application of the administrative pecuniary sanction provided for by art. 83 of the Regulation.
The Guarantor, pursuant to art. 58, par. 2, letter i) of the Regulation and art. 166 of the Code, has the power to impose a pecuniary administrative sanction provided for by art. 83 of the Regulation, by adopting an injunction order (art. 18. L. 24 November 1981 n. 689), in relation to the processing of personal data carried out by Foodinho s.r.l., which has been found to be unlawful, in the terms set out above.
Considering it necessary to apply paragraph 3 of art. 83 of the Regulation where it provides that "If, in relation to the same processing or connected processing, a data controller [...] violates, with intent or negligence, several provisions of this Regulation, the total amount of the administrative pecuniary sanction shall not exceed the amount specified for the most serious violation", the total amount of the sanction is calculated so as not to exceed the maximum amount provided for by the same art. 83, par. 5.
With reference to the elements listed in art. 83, par. 2 of the Regulation for the purposes of applying the administrative pecuniary sanction and the related quantification, considering that the level of seriousness of the violation is high, taking into account that the sanction must "in each individual case [be] effective, proportionate and dissuasive" (Article 83, paragraph 1 of the Regulation), it is represented that, in the case in question, the following circumstances were considered:
a) in relation to the nature of the violation, this also involved cases punished more severely pursuant to Article 83, paragraph 5, of the Regulation by reason of the interest protected by the violated rules (concerning the general principles of lawfulness, fairness and transparency, minimization, accuracy, limitation of storage, integrity and confidentiality of the processing; the conditions of lawfulness also for the processing of special data; the right to information; the rights of the interested parties in the face of the adoption of decisions based solely on automated processing; the more specific provisions on remote controls expressly referred to in the personal data protection legislation);
b) in relation to the seriousness of the violation, the nature of the processing was taken into account, which concerned, at national level, a plurality of data relating to vulnerable data subjects, including special data and data relating to communications; such processing is characterised by the use of complex algorithmic systems in a work context characterised by significant asymmetry of the powers of the parties to the relationship, also taking into account the central relevance of the processing with respect to the main activities of the controller;
c) with regard to the duration of the violation, its extended duration was considered, considering, among other things, that most of the processing is still ongoing (in particular, for the processing indicated in paragraphs 4.2., , 4.5., 4.6., , 4.8., 4.9., 4.10., 4.12. the processing was carried out in violation of the personal data protection regulations for an unspecified period of time, at least since the inspection of 13 and 14 December 2022; for the processing indicated in paragraph 4.1. the processing was carried out in violation of the personal data protection regulations for an unspecified period of time, at least since 3/10/2022, the date of sending a message to S.G.'s account; for the processing indicated in paragraph 4.3. the processing was carried out in violation of the personal data protection regulations for an unspecified period of time, at least since 3/10/2022, the date of sending a message to S.G.'s account; from 08/01/2022, the date of entry into force of art. 1-bis of Legislative Decree no. 152 of 1997; for the processing operations relating to the designation of the rider as data controller, indicated in par. 4.4., the violation was carried out for an indefinite period, at least from 04/29/2022, the date indicated in the Terms and Conditions document delivered during the inspection of 13 and 14 December 2022; for the processing operations relating to the designation of the sub-processors of GlovoApp23 SL (Comdata and Trizma operators) as data controller, indicated in par. 4.4., the violation continued until 02/29/2024, the date on which the Company stated that it had provided instructions to the call center operators; for the processing operations relating to the rating, indicated in par. 4.5.2., the processing was carried out in violation of the personal data protection regulations from the inspection of 26, 27 July 2023 until 10/01/2024, the date on which the Company eliminated this value; for the processing relating to biometric data indicated in par. 4.7. the processing in violation of the data protection regulations began on 23/11/2020; for the processing indicated in par. 4.11. the processing was carried out in violation of the personal data protection regulations for an indeterminate period, at least since the inspections of 26, 27 July 2023);
d) the significant number of data subjects actually involved was also considered (36,545 active riders as of 27 December 2022) also taking into account the additional data subjects potentially involved after the date of 27 December 2022;
e) with reference to the intentional or negligent nature of the violation and the degree of responsibility of the owner, the objective elements of the conduct of the Company and the degree of responsibility of the same have been taken into consideration, as it has violated the obligation of diligence provided for by the law and has not complied with the data protection regulations, in relation to a plurality of provisions.In relation to this parameter, it was also considered that the Company, during the proceedings, represented, with regard to the attribution of a fixed rating to riders and the communication of data to third parties also through the SDKs of the latter, that it was not aware of the related processing; this denotes a grossly negligent conduct, considering that the processing was carried out with particularly complex technologies, in relation to which it is necessary to implement adequate verification and control activities. Furthermore, at present, no specific measures to protect the interested parties appear to have been concretely implemented (except for the cancellation of the attribution of the fixed rating to riders);
f) as an aggravating factor, it was considered that the Company was the recipient of the provision of the Guarantor no. 234 of 2021, following the ascertainment of the violation of articles 5, par. 1, lett. a), c) and e); 13; 22, par. 3; 25; 30, par. 1, lett. a), b), c), f) and g); 32; 35; 37, par. 7; 88 of the Regulation; 114 of the Code. Although this provision has ascertained that the Company has committed previous relevant violations with reference to the processing of riders' data, the Company has not implemented any significant changes regarding the processing of riders' data carried out by it;
g) the level of damage suffered by the interested parties due to the processing carried out, mostly through the digital platform, in the absence of the overall precautions required by the personal data protection system, has also been considered as an aggravating factor, given the high risks posed by the use of complex and highly invasive technological systems that allow the evaluation and control of the actions of the interested parties and the adoption of decisions that significantly affect the interested parties, in relation to the possibility of obtaining job opportunities;
h) as a mitigating factor, in favor of the Company, the latter's willingness, represented to the Authority during the proceedings, to make and plan some changes to the processing carried out, was taken into account, which, although limited to specific aspects, allowed to limit the negative consequences on the rights of the interested parties in relation to these aspects.
It is also believed that in the case in question, taking into account the aforementioned principles of effectiveness, proportionality and dissuasiveness to which the Authority must adhere in determining the amount of the sanction (Article 83, paragraph 1, of the Regulation), the economic conditions of the offender, determined on the basis of the revenues achieved with reference to the turnover of the Company relating to the 2023 tax period, are relevant in the first place.
In light of the elements indicated above and the assessments carried out, it is believed, in the case in question, to apply to Foodinho s.r.l. the administrative sanction of the payment of a sum equal to Euro 5,000,000 (five million).
In this context, it is also believed that pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, it is necessary to proceed with the publication of this chapter containing the injunction order on the website of the Guarantor.
This is in consideration of the type of violations found that concerned the general principles of processing, the conditions of lawfulness also for the processing of particular data, the right to information, the right not to be subjected to a decision based solely on automated processing, the more specific provisions on remote controls, as well as the significant number of data subjects involved.
GIVEN ALL THE ABOVE, THE GUARANTOR
pursuant to art. 57, paragraph 1, letter. f) and 83 of the Regulation, the unlawfulness of the processing carried out by Foodinho s.r.l., in the person of its legal representative, with registered office in Via Giovanni Battista Pirelli, 31, Milan (MI), C.F. 09080990964, in the terms set out in the reasons, is detected for the violation of articles. articles 5, par. 1, letter a) - also with reference to the provisions of art. 1-bis of Legislative Decree no. 152 of 1997 -, c) and d) (principles of transparency, correctness, adequacy, relevance and accuracy of processing), e), 6, 9, par. 2, letter b), 12, 13, 22, par. 3, 25, 28, 32, 35, 88 of the Regulation, articles 2-septies and 114 of the Code and art. 47-quinquies, Legislative Decree no. 81/2015;
pursuant to art. 58, par. 2, letter f) of the Regulation, imposes on Foodinho s.r.l. the prohibition of further processing of the biometric data of riders;
pursuant to art. 58, par. 2, letter g), of the Regulation, orders Foodinho s.r.l. to delete the biometric data of riders within 30 days of receiving this provision;
pursuant to art. 58, par. 2, letter d), of the Regulation, requires Foodinho s.r.l. to conform its processing to the Regulation with reference to:
- the reformulation of messages sent to riders following deactivation and/or blocking within the terms set out in the justification within 60 days of notification of this provision;
- the correct preparation of the documents containing the information and the impact assessment within the terms set out in the motivation within 60 days of notification of this provision;
- the identification of the retention periods of the data processed, within the terms set out in the motivation within 60 days of notification of this provision;
- the identification of appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, at least the right to obtain human intervention by the data controller, to express his or her opinion and to contest the decision, in relation to automated processing including profiling carried out through the platform, ensuring adequate training of the operators in charge as well as the possibility for the operators themselves to ignore, if applicable, the output of the algorithmic process, to avoid the possible tendency to automatically rely on it, within 60 days of notification of this provision;
- to identify appropriate measures aimed at periodically verifying the correctness and accuracy of the results of the algorithmic systems, also in order to ensure that the risk of errors is minimized as well as the use of excessive, outdated or inaccurate data, to be started within 60 days of notification of this provision, concluding the verification activity within the following 90 days;
- to identify appropriate measures aimed at introducing tools to avoid improper and discriminatory use of reputational mechanisms based on feedback; this verification must be repeated with each change to the algorithm regarding the use of feedback for calculating the score, to be started within 60 days of notification of this provision, concluding the verification activity within the following 90 days;
- to comply with the provisions of art. 47-quinquies, Legislative Decree no. 81/2015 with reference to the prohibition of ordering “the exclusion from the platform and the reduction of job opportunities attributable to the failure to accept the service”, to be started within 60 days of notification of this provision, concluding the verification activity within the following 90 days;
- the application of the principles of minimization and privacy by design and by default in relation to the sending of personal data relating to riders to third parties, within the terms set out in the motivation, to be started within 60 days of notification of this provision, concluding the verification activity within the following 120 days;
- the performance of a specific analysis aimed at verifying the categories of personal data exchanged with third parties through the use of SDKs or APIs created by the latter entities to be started within 60 days of notification of this provision, concluding the verification activity within the following 90 days;
- to verify, at least every six months, the list of operators who, with cross-country access authorization, can access the data of riders operating on Italian territory within 60 days of notification of this provision, concluding the verification activity within the following 90 days;
- to deactivate GPS localization when the app is in the background and in any case to activate an icon on the rider's device indicating that the GPS is active within 60 days of notification of this provision;
- to designate riders pursuant to art. 28 of the Regulation within the terms set out in the justification within 60 days of notification of this provision;
- to comply with the provisions of art. 4, paragraph 1, law 20/5/1970, no. 300, within the terms set out in the justification within 60 days of notification of this provision;
Foodinho s.r.l. is requested to communicate what initiatives have been undertaken in order to implement the provisions of this provision and to provide adequately documented feedback pursuant to art. 157 of the Code, within 90 days from the date of notification of this provision; any failure to provide feedback may result in the application of the administrative sanction provided for by art. 83, paragraph 5, letter e) of the Regulation.
ORDERS
pursuant to art. 58, paragraph 2, letter i) of the Regulation to Foodinho s.r.l., to pay the sum of Euro 5,000,000 (five million) as an administrative pecuniary sanction for the violations indicated in this provision;
ORDER
therefore to pay the aforementioned sum of Euro 5,000,000 (five million) according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive actions pursuant to art. 27 of Law no. 689/1981. It is recalled that the right of the offender to settle the dispute by paying - always according to the methods indicated in the attachment - an amount equal to half of the fine imposed, within the deadline referred to in art. 10, paragraph 3, of Legislative Decree no. 150 of 1.9.2011 provided for the filing of the appeal as indicated below (art. 166, paragraph 8, of the Code);
ORDERS
a) pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, the publication of the injunction order on the website of the Guarantor;
b) pursuant to art. 154-bis, paragraph 3 of the Code and art. 37 of the Guarantor Regulation no. 1/2019, the publication of this provision on the website of the Guarantor;
c) pursuant to art. 17 of Regulation no. 1/2019, the annotation of the violations and measures adopted in accordance with art. 58, paragraph 2 of the Regulation, in the internal register of the Authority provided for by art. 57, paragraph 1, letter u) of the Regulation.
Pursuant to art. 78 of the Regulation, as well as articles 152 of the Code and 10 of Legislative Decree no. 150/2011, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place identified in the same art. 10, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.
Rome, November 13, 2024
THE PRESIDENT
Stanzione
THE REPORTER
Cerrina Feroni
THE GENERAL SECRETARY
Mattei
