Garante per la protezione dei dati personali (Italy) - 9685994
| Garante per la protezione dei dati personali (Italy) - 9685994 | |
|---|---|
| Authority: | Garante per la protezione dei dati personali (Italy) |
| Jurisdiction: | Italy |
| Relevant Law: | Article 5(1)(c) GDPR; Article 5(1)(a) GDPR; Article 5(1)(e) GDPR; Article 13 GDPR; Article 22(3) GDPR; Article 25 GDPR; Article 30(1)(f) GDPR; Article 30(1)(c) GDPR; Article 30(1)(g) GDPR; Article 32 GDPR; Article 35 GDPR; Article 37 GDPR; Article 88 GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 22/07/2021 |
| Published: | |
| Fine: | None |
| Parties: | n/a |
| National Case Number/Name: | 9685994 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Italian |
| Original Source: | GPDP (in IT) |
| Initial Contributor: | n/a |
The Italian DPA fined Deliveroo Italy €2,500,000 because its app for riders failed to provide transparent information about the algorithms used to manage work shifts. Furthermore, its app collected disproportionate amounts of data on riders in violation of the principles of lawfulness, transparency, data minimisation and storage limitation.
English Summary
Facts
Deliveroo Italy is owned by the UK company Roofoods LTD, whose data center is located in Ireland. They are joint controllers of rider data. When the Garante started to investigate Deliveroo Italy, Roofoods clarified that Deliveroo Italy had 8,000 riders who use the Deliveroo rider app. Roofoods acquires personal and contract data, payment data and data relating to the vehicle used for deliveries, and determines how riders' data is processed. It claims that the rider booking system in Italy is based on availability during critical time slots and on the reliability of the rider (i.e. actual participation in the reserved shifts or cancellation prior to the start of the shift). The app also tracks the management of an order by a rider (from acceptance of the order to delivery) and records the location of the rider every twelve seconds.
After investigation, the Garante notified Deliveroo Italy and Roofoods that it had found violations of Articles 5(1)(a)(c)(e), 13, 22(3), 25, 30(1)(c)(f)(g), 32, 35, 37(7), and 88 of the GDPR.
In defensive briefs, UK Roofoods contended that it was going to review its data retention policies, that Deliveroo riders were sufficiently informed about the data processed on them, and that data collected on riders (such as geographical position) was necessary for the service. It also argued that statistics about the algorithms behind the booking system are available to riders on a dedicated page in the app, and that on Sunday each rider is informed about their access to booking times for the following week.
Holding
Just one month after Foodinho was fined €2,600,000 for non-transparent rider management algorithms, the Garante issued a very similar fine against Deliveroo.
First, the Garante held that Deliveroo had provided inadequate information about its management algorithms to the data subjects (riders) and had thus failed to comply with the principle of transparency. The privacy policy provided to riders failed to indicate the concrete methods of processing data relating to the geographic position of the riders. The Garante explained that the particular invasiveness of location tracking imposes the need to provide information on the specific methods and timing of the detection of the geographical position. Furthermore, automated processing of geographic location amounts to a kind of profiling under Article 22, which triggers enhanced disclosure obligations. Deliveroo failed to provide information on the logic used, as well as on the significance and expected consequences of such profiling.
Profiling carried out by the company in this area certainly produces a significant effect on the rider concerned, consisting in the possibility of allowing (or denying) access to job opportunities in certain pre-established time slots, and therefore offering (or denying) an employment opportunity. The system is designed to present the choice of work shifts, with priority, to those who have acquired a higher score, and it penalizes riders with a lower score, even though a score can be lowered by simply not logging into the app at the right time. There is a fundamental lack of transparency about these assignment algorithms, information about which has not been made publicly available.
Secondly, Deliveroo had failed to provide information on the criteria used to determine its data retention policies, violating Article 13. The company had provided for the retention for 6 years, after the termination of the employment relationship, of different types of data of the riders collected for a variety of purposes. In light of the need to identify retention times deemed appropriate in relation to each of the purposes actually pursued with the processing of the various types of personal data, the company cannot simply retain all data for blocks of homogeneous time bands.
Deliveroo thus violated Article 5 GDPR, which provides that personal data must be kept "in a form that allows the identification of the data subjects for a period of time not exceeding the achievement of the purposes for which they are processed". In particular, the data controller has the obligation "to ensure that the retention period of personal data is limited to the minimum necessary" (see Recital 39).
Thirdly, Deliveroo provided misleading information to riders about their rights as data subjects, for example, suggesting that they could file a complaint with the Information Commissioner's Office (ICO) despite being in Italy. In this way it failed to facilitate the exercise of rights by riders.
Fourth, Deliveroo violated the principle of data minimization and of data protection by design and by default. The app systems are configured so as to collect and store all data relating to the management of the order, and to allow authorized operators to move from one system to another with simple functions, with consequent sharing of the data collected across the various systems. Despite its defensive briefs, Deliveroo did not provide any specific reasons why all this data collection and data sharing is necessary for the provision of its services.
Deliveroo also failed to take adequate technical and organizational measures to guarantee adequate security of the processing, in violation of Article 32 GDPR, and failed to undertake a data protection impact assessment, in violation of Article 35.
For the above reasons, the Garante fined Deliveroo Italy €2,500,000.
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
- SEE ALSO NEWSLETTER OF 2 AUGUST 2021
[doc. web n. 9685994]
Order injunction against Deliveroo Italy s.r.l. - July 22, 2021
Record of measures n. 285 of 22 July 2021
THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA
IN today's meeting, which was attended by prof. Pasquale Stanzione, president, professor Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, members and the cons. Fabio Mattei, general secretary;
GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016 (hereinafter, the "Regulation");
GIVEN the Code regarding the protection of personal data, containing provisions for the adaptation of the national system to Regulation (EU) 2016/679 (Legislative Decree 30 June 2003, n. 196, as amended by Legislative Decree 10 August 2018, no. 101, hereinafter the "Code");
GIVEN the inspections carried out by the Authority at the registered office of Deliveroo Italy s.r.l. on 19 and 20 June 2019;
EXAMINED the documentation in deeds;
HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the regulation of the Guarantor n. 1/2000;
RAPPORTEUR prof. Pasquale Stanzione;
WHEREAS
1. Inspection of the company.
1.1. As part of a complex investigation launched ex officio by the Authority, on 19 and 20 June 2019 an on-site investigation was carried out at Deliveroo Italy s.r.l. (hereinafter, the company), with registered office in Italy, which carries out, by means of a digital platform, an activity consisting in the delivery, following orders placed by customers, of food or other goods supplied by multiple operators, using staff specifically dedicated to this (so-called riders). The Authority's control activity and this provision concern the processing of the personal data of the riders.
During the assessment, which was also attended by the representative of the parent company Roofoods LTD (company that controls 100% Deliveroo Italy srl) and the group DPO, and during which direct access to the computer systems was made, it was declared that:
a. "The company uses a centralized system managed exclusively by Roofoods, located in the datacenter in Ireland" (see minutes of operations carried out 19.6.2019, p. 3);
b. "The riders have a collaboration agreement with the company […]. At the moment the contracted riders in Italy are about 8,000" (see minutes quoted, p. 4);
c. "After signing the collaboration agreement, the company provides the rider with the code for accessing the «Deliveroo riders» app [which] the employee must install on their mobile device, associating it with their phone number or email" (see minutes cit., p. 4);
d. "The rider is provided with a kit (jacket, backpack with thermal bag inside) and [...] at the time of taking into service [the same] must be within the reference area" (see minutes cit., p. 4);
e. "The data of the riders is shared at group level" (see minutes cit., p. 4);
f. "With regard to the riders, the platform acquires personal and contract data, payment data and data relating to the vehicle used for deliveries (for insurance coverage)" (see minutes cited, p. 5);
g. the group DPO specified that "the determination of the logic relating to the processing of riders' data is established by the UK owner" (see minutes cited, p. 5);
h. in this regard, the company specified that "in a logic of separation of roles with respect to the parent company, it has access only to the data it can influence, feeding the shared DB, without deciding the logic of the processing" (see minutes cit., p. 5);
i. "The shift booking system provides for three access bands at 11/15/17, through weekly booking on Mondays.
[…] The criterion of access to the time slots is based, in Italy, on two criteria: availability [of the rider] in the critical time slots (Friday, Saturday and Sunday evening); reliability of availability (i.e. actual participation [of the rider] in the booked shifts or cancellation prior to the start of the shift)" (see minutes cited, p. 5);
j. "The cancellation of the shift before its start does not affect the percentage, and is stored on the systems; while not logging in after the start of the shift has a negative impact on the percentage. […] Refusing an order, in the online state, does not generate any effect on the percentage but is stored in the system" (see minutes cit., p. 5-6);
k. "Once the work shift for which availability has started, to accept the orders the riders, to receive the orders within the predetermined area served by the service, must switch, in the app, to the «online» status from «offline»" (see minutes cit., p. 6);
l. "In relation to the attribution of remuneration [...] the online rider, who is not assigned the minimum number of orders (1.5), still receives a consideration connected with this, while if he refuses or does not take charge of all the orders, this behavior has no effect on the score but on the remuneration that is linked to the single delivery" (see minutes cit., p. 6);
m. "An order assigned to a rider and not taken over within 60 seconds, is automatically reassigned to another rider" (see minutes cit., p. 6);
n. "The management of the order by a rider involves several phases, all traced, through the app, by the system also for subsequent order analysis activities. These phases are: acceptance of the order; signaling of arrival at the restaurant; goods collection notification; notification of arrival at the customer; notification of order delivered to the customer. [...] The data relating to the order as a whole are stored in the system" (see minutes quoted, p. 6);
o. "The position of the rider is used by the system when assigning the order, to allow maximum efficiency of the delivery, also taking into account the position of the restaurant, the customer and the means of transport indicated by the rider himself" (see report cit., p. 7);
p. "The delivery time proposed to the customer is estimated by the system before the assignment of the rider" (see minutes quoted, p. 7);
q. "At the conclusion of the order, the customer can provide an evaluation that is associated with the order and not with the rider" (see minutes cited, p. 7);
r. "The geographical position is detected only when the rider is online in the app, as the app does not geolocate the position in the offline state. The position of the rider is provided exclusively to the customer to monitor the status of his order, starting from when the rider collects the product" (see minutes cited, p. 7);
s. the group DPO specified that "the rider's position is detected every 12 seconds, memorized for a period of time which reserves the right to verify […]. This memorization is functional to the improvement of the times of the different phases of the service (eg: waiting at the restaurant, waiting by the customer, travel time ...)" (see minutes quoted, p. 7);
t. "No one can access the position of the riders except customer care who, in the event of orders with anomalies (eg: delivery with delay compared to the estimated time), can view the position of the rider who is delivering the order" (see minutes cit., p. 7-8);
u. "The position of the rider is also treated for collaboration with the police in case of theft during the course. Furthermore, the position […] is also used internally for anti-fraud purposes" (see minutes cit., p. 8);
v. "The communication of the DPO was sent to the Authority on May 31, 2019" (see minutes 20.6.2019, p. 2);
w.
during access to the systems and in particular to the "management software of the company called Atlas, via the web portal [...]" it was ascertained that "the access landing page displays the data of the riders of any company in the group (even from non-EU countries), being able to set the filter by «Country» only after access" (see minutes cit., p. 2);
x. in this regard, the group DPO stated that "technically the possibility of access is the same regardless of the accessing country" (see minutes quoted, p. 2);
y. with reference to the possibility of viewing the data of active riders in another European country (Spain), the group DPO stated that "this operation is not permitted on the basis of the organizational measures adopted with the aim of protecting personal data" (see minutes cit., p. 2);
z. in this regard, the company and the group DPO specified that "the system allows you to view the data of the riders of any company in the group, EU and non-EU, although instructions have been given to the operators aimed at not accessing the related data under any circumstances to riders from other countries" (see minutes cit., p. 2);
aa. during the access to the systems it was ascertained that: "The default access view shows the data without geographic restriction" (see minutes cit., p. 2);
bb. in this regard, the representative of the parent company stated that "the group is implementing a large GDPR project and, as part of the project, a team of dedicated engineers is reviewing the entire access permit system, which will involve a geographic segregation mechanism, in relation to the data of the riders. This change will presumably be effective by September 2019" (see minutes cit., p. 2);
cc.
when accessing the Atlas system "the detail of a rider was displayed, with the «Atlas History» which contains the list of «issues / triggers», or discrepancies with respect to the estimates programmed automatically by the system and found by the customer care in relation to that order" (see minutes cit., p. 2);
dd. in this regard, the group DPO stated that "the data relating to these discrepancies do not currently have a specific cancellation date, in addition to that envisaged by the company policy which is equal to 6 years" (see minutes cit., p. 2);
ee. when accessing the system, "the order in progress by the riders and an order already delivered were displayed, displaying the path taken by the rider, as well as his position detected by the system. Different statuses of the order were displayed [...] and the map of the rider's route to deliver the order" (see minutes cited, p. 2);
ff. the "information relating to past orders managed by a particular rider was also accessed directly, also displaying the path taken in past orders" (see minutes quoted, p. 2);
gg. with reference to the "Add order log" function present in the Atlas system, the company specified that "this function is used, generally by customer care operators, to enter information elements relating to the order (for example, a customer complaint for the quality of the food delivered)" (see minutes cit., p. 2);
hh. again in relation to the Atlas system, the representative of the parent company represented that "although prohibited by company policy, the system potentially allows you to view the history of the same data also referring to riders from other countries, however [...] the team of engineers in the UK is working on the limitation of accesses" (see minutes cit., p. 2);
ii. when accessing the various menus of the Atlas system, it was verified that "by default the system offers screens containing the data relating to all the countries in which the service is active" (see minutes, p. 2);
jj.
with reference to the communication channels between the company and the riders, the same specified that "the various communications are stored in different systems depending on the type of channel (email, chat, phone calls). The consultation must be carried out separately on each platform in the absence of a specific interface that jointly shows all the communications that have taken place" (see minutes cit., p. 2);
kk. the group DPO stated that "the emails exchanged with the riders are kept for 6 years, according to the company privacy policy" (see minutes quoted, p. 3);
ll. when accessing the system that preserves chat conversations with riders, it was ascertained that "the content of the chats appears [and] directly to the operator without the need for further steps"; in this regard, the group DPO specified that "the chats exchanged with the riders are kept for 6 years, according to the company privacy policy" (see minutes quoted, p. 3);
mm. when accessing the system that preserves telephone conversations with the riders, it was ascertained that "the search in the system can be carried out by «Call-ID» or by «Agent»" (see minutes quoted, p. 3);
nn. the group DPO specified that "telephone conversations with riders are kept for one year, according to the corporate privacy policy [...] presumably by the end of July, the retention time for telephone calls will be set to 28 days, to comply with the Regulations European Commission on the processing of personal data […]" (see minutes cit., p. 3);
oo. with reference to the reasons for setting the retention times for telephone communications, the company stated that "these decisions are not taken by Deliveroo Italy but by the UK parent company" (see minutes cited, p. 4);
pp.
with reference to the declared use of the location data of the riders for "internal anti-fraud purposes", the company stated that "such data can be used for the management of customer complaints relating, for example, to the non-delivery of an order" (see report cited, p. 4);
qq. with reference to the methods of calculating the amounts to be paid to the riders, the company stated that "the accounting has an integrated system in the «Rider portal» which automatically records the deliveries made by the riders with the relative amount […]. Deliveries may include extra payments related to eg. on specific days (eg 1st May). The accounting calculates the amount to be paid to the rider, also manually calculating other items (eg: promotions linked to specific campaigns such as «Bring a friend»)" (see minutes quoted, p. 4);
rr. when accessing the system used for accounting, it was verified that even in this "data of the riders of any country, EU and non-EU, in which the service is active, is shown by default. […] The accounts can access the details of the orders and relative history and therefore also the route taken by the rider for delivery" (see minutes quoted, p. 4);
ss. with reference to the regulation of relations between the Italian company and the parent company, the group DPO stated that "the member companies sign the document called «Intra Group Data processing Agreement»" (see minutes cited, p. 4);
tt. with reference to the impact assessment on data protection, the group DPO stated that "at the moment the DPIA relating to the processing of personal data of riders has not been prepared since the company did not consider that the treatments in question met the criteria on the basis of which this evaluation is required. This decision is constantly monitored due to the evolution of the state of implementation and the interpretative practices of the data protection authorities of the individual countries" (see minutes cited, p. 4).
1.3.1.
On 10 July 2019, dissolving the reservation made during the inspections, the company sent the required documentation and a supplementary note to the Authority in which it stated that:
a. "With regard to Italy, the company [...] has successfully completed the technological process of segregation of accesses on a territorial basis of the system called Atlas. Consequently, no Italian employee is currently in any way able to access data of riders from other countries. This technical project is currently underway and completion for all relevant markets is estimated for the month of September" (see company note 10.7.2019, p. 2);
b. "With respect to the Atlas system, it should be noted that since technical access control systems have been implemented for each jurisdiction, the previously existing organizational security measures are no longer applicable [...]. […] Regarding the situation prior to the remedial activities completed, it is emphasized that Italian employees are contractually bound to comply with the legislation on the protection of personal data, as well as with the relevant company policies. Furthermore, during the GDPR training session of 23 May 2018, the legal meaning of «processing of personal data» was clarified and specified that any processing activity should have respected the principles of proportionality and minimization" (see note cit., p. 3);
c. "Deliveroo's other relevant systems have implemented segregation by individual jurisdiction, with exceptions for a limited number of supervisors, where necessary. All this is specified in the […] document on access control […], together with the remediation plans for three further systems, currently subject to the GDPR remedial program" (see note cit., p. 3);
d. "On the subject of data retention, we wish to confirm that the retention period of 28 days for recorded calls has been successfully implemented by the Deliveroo UK company for the data of each relevant market (including Italy), in line with the existing project […]" (see cit. note, p. 3);
e. in addition to what was declared during the inspections "the geolocation data of the riders are not collected when the rider's status is set to «offline», however it is desired to clarify that such data is collected when the rider requests an offline service, for example when you want to find an operational zone or use the zone sector while it is offline" (see cit. note, p. 3);
f. with reference to the register of processing activities "since the Deliveroo processing register was provided on 19 June 2019, some minor updates have been made: the location of the managers has been updated; removed the conservation of telephone calls recorded as activities of Deliveroo Italy, to align with the recent decision of the parent company".
2. Start of the procedure for the adoption of corrective measures.
2.1. On February 20, 2020, the Office notified the company, pursuant to art. 166, paragraph 5, of the Code, the alleged violations found, with reference to art. 5, par. 1, lett. a), c) and e) (principles of lawfulness, correctness and transparency, minimization principle and conservation limitation principle); 13 (information); 22 (automated decision-making process including profiling); 25 (privacy by design and by default); 30 (register of processing activities); 32 (security of treatment); 35 (impact assessment on data protection); 37 (data protection officer); 88 (more specific provisions at national level) of the Regulation; art. 114 (guarantees regarding remote control) of the Code.
With defensive briefs of 12 June 2020, the company stated that:
a. "Deliveroo is a subsidiary of the UK Roofoods Ltd holding [...]
and its operation in Italy is aimed at the implementation on the national market of a business model conceived, pursued and constantly updated by the Holding itself [...]. […] There is a clear distinction between the obligations (and responsibilities) as owner of Roofoods and of the Company (and of any other affiliate in the various countries), each being an independent data controller" (note 12.6.2021, p. 1-2);
b. with reference to the information to the riders, this "provides the essential core of the information necessary for the interested party to know the nature and impact of the treatments carried out by Deliveroo. The riders are in fact put in a position to understand how and what data is processed"; in any case "in the spirit of loyal collaboration with the Authority [...] the Company [...] undertakes to adapt its information to the recommendations of the Authority" (see note cit., p. 4);
c. in a context characterized by "complexity and changeability [...] of the provisions on data retention [...] the Company and the Holding considered that the provision of a general clause was the best tool, in this first phase of implementation of the GDPR, to communicate, pursuant to art. 13 to the interested parties the self-imposed (including legal) constraint to keep personal data only within the limits of what is strictly necessary for the pursuit of their purposes" (see note cit., p. 4);
d. from the information it emerges that the geographical position and type of vehicle are factors used "to evaluate the distance and average speed of travel of the chosen means of transport so as to efficiently propose orders to the riders who are online on the app"; as stated by the company, the latter operates as data controller in relation to the "operations of so-called onboarding (the practice and procedures that are carried out at the beginning of the relationship with the rider, e.g.
signing the contract, sending the necessary documents, etc.), including the contractualization, as well as in those of support to the riders and tax and financial reporting", otherwise the profiling treatments "are [...] subjected to the full decision-making domain of the Holding, both in terms of determining the purposes and in terms of the means of processing - being an integral part of the business model, then exported to the individual jurisdictions" (see cit. note, p. 5-6);
e. the company, with reference to the information relating to the authorities to which a complaint can be lodged, "considers [...] important that the interested parties receive full and effective protection before their supervisory authority regardless of the nationality of the data controller, and that they feel they are free to act before each Authority or both if they wish to lodge a complaint" (see cit. note, p. 8);
f. with reference to the retention times of personal data collected, the company, taking into account the "absence of certain parameters in terms of data retention", "is fully reviewing its retention processes in order to significantly increase the amount of different types of personal data, so as to set more precise retention times. In particular, a new data retention policy is being drawn up and will hopefully be implemented by the end of the year"; with the new policy that the company intends to adopt "general retention times will be indicated for thematic macro-areas, to then go into more detail […]. This new data retention policy will then be transfused into the information provided to the interested parties […]. […] In any case […] even if the current storage times were considered excessive or excessively generic, the violation of the Regulation […] would be considered only virtual. In fact, Deliveroo is a Company active in Italy only since 1 October 2015" (see note cit., p. 8-9);
g.
during the inspections, the company clarified that "«the various communications are stored in different systems according to the type of channel; [moreover] [the] consultation must be carried out separately on each platform in the absence of a specific interface that jointly shows all the communications that have taken place». With regard to the «add order log» function [...], the Company clarified (by answering the Authority's questions) that «this functionality is generally used by customer care operators to enter information elements relating to the order (for example, a customer's complaint about the quality of the food delivered)». Furthermore, the Company provided with the note of 10 July 2019 the list of access profiles, the qualifications and the number of users for each profile" (see note cited, p. 10); moreover, according to the company, "it is not explained how the transition from one system to another represents a violation of the principle according to which personal data must be adequate, relevant and limited to what is necessary with respect to the purposes for which they are processed («minimization»)"; "In the same way, [...] it is not explained why further steps are necessary to access communications with the riders so that a customer care employee, once properly authenticated on the reference information system with his credentials through a multifactor authentication system, can view the communications with the riders in order to carry out their support work duties in real time"; "It is believed that the extremely indefinite, vague and fundamentally programmatic nature of the letter of art. 25 makes it almost impossible for obliged holders to identify with certainty what are the methods to comply with the principle, while avoiding the sanctioning response of the legal system" (see note cit., p. 10-11);
h. with reference to the alleged violation of art.
32 of the Regulation, the company ordered the change in the configuration of the systems "in advance of the shared date of 10 July 2019" and "decided to accept [...] the anomalies reported during the inspection activities, exploiting this negative episode as a moment of general critical self-assessment of the entire technological infrastructure used to protect personal data" (see cit. note, p. 11);
i. "All processing relating to the management and effective operation of the app and the underlying business model, including the booking system, is carried out in complete independence by the Holding (as independent data controller)" (see note cit., p. 12);
j. to the profiling activities carried out by the parent company Roofoods through the priority booking system, art. 22 of the Regulation "given the absence (even abstract) of legal effects or that significantly affect the interested party in a similar way" (see note cit., p. 6);
k. with reference to the operation of the SSB booking system, the company specifies that "In areas subject to booking (there are also free login areas but at the moment not in Italy, even if the Company is rapidly moving in this direction also in our country), every Monday at 17:00 it is possible to book in advance to work the following week (the one that starts on the following Monday). However, you can get priority access to bookings; in particular, at 11:00 or 15:00. The ability to book as a matter of priority is determined in Italy by two (2) factors: (a) participation - that is, the percentage of sessions booked in which one actually participated (to actually participate it is sufficient to be online, even for a second); (b) participation in the so-called «Super peak» - that is the number of sessions in which you have been online in conjunction with the peak of demand (from 19:00 to 21:00 on Friday, Saturday and Sunday).
These statistics are freely accessible by individual riders on their own page in the app and relate only to the activity of the previous fourteen (14) days, updated daily. Every Sunday the statistics are frozen and the rider receives a push notification informing him of his access time for booking sessions (11:00, 15:00 or 17:00)" (see note cit., p. 6); l. "with the entry into force of the GDPR, the Holding deemed it necessary to appoint a data protection officer (the "DPO") and on that occasion opted for a group appointment, as permitted by art. 37, par. 2 of the GDPR, subsequently communicating the contact details to the ICO in May 2018 pursuant to the Data Protection Act 1998 and in May 2019 pursuant to the GDPR, thus fulfilling the provisions of art. 37, par. 7 of the Regulation" (see note cit., p. 14); m. "with reference to the activity of recording phone calls with riders, it must be specified that the version of the register analysed by the Authority is the one provided on the first day of the inspections [...]. As regards the reference to security policies, it is believed that, although it is possible and advisable to summarise the main security measures adopted, it is sufficient to address the issue in a transparent way by referring to the documents cited (see doc. 1). Finally, Deliveroo [...] takes note of the fact that its register of processing activities can be improved and is working on a new version, which will promptly implement the recommendations that the Garante will provide here" (see note cit., p. 15); n. the company considers neither art. 114 of the Code nor art. 2 of Legislative Decree no. 81 of 15 June 2015, "both in the wording prior to the 2019 reform and in the current one", applicable to the employment relationship established with the riders; this is because "the relationships of the riders with Deliveroo [...]
are self-employment relationships and not coordinated and continuous collaborations (such as those at issue in the well-known judgment of the Court of Cassation in the so-called "Foodora" case, no. 1663/2020), also for reasons [...] of the total freedom of the rider to determine not only the manner of the service but the very fact of rendering, or not, any service" (see note cit., pp. 15-16); o. "any form of intent and awareness of any violations of the legislation on the protection of personal data is considered to be radically excluded, nor is it considered that the Company has engaged in negligent conduct"; "the Group has recently completed a GDPR audit undertaken as part of Phase 2 of the GDPR compliance activities"; "the path undertaken from June 2019 to today is characterised by a growing and constant increase in the levels of supervision, both technical (through the implementation of security procedures and protocols) and organisational (thanks to the expansion of the DPO team, the constant support of external professionals, such as the writers, and the increase in company training sessions)" (see note cit., pp. 16-17). 2.3. On 9 July 2020, the hearing of the company took place at the Garante's offices; the company represented that "from the date of the inspection to today, the Company has profoundly changed its organisational structure in terms of privacy". 2.4. On 21 August 2020, the company made some requests for confidentiality of the information provided during the proceedings. 2.5. Finally, with a note dated 10 December 2020, the company informed the Authority "that it has completed the procedure for abandoning the booking system called "SSB" in Italy" and therefore "from 3 November 2020 riders will be able to log in freely at any time in the free login areas, and in other areas it will still be possible for riders to work by booking, but without the priority criteria that were part of SSB". 3.
The outcome of the investigation and the procedure for the adoption of corrective measures. 3.1. Activation of the cooperation procedure for cross-border processing. After the conclusion of the inspection, having found that some processing operations were of a cross-border nature, the Authority, in light of the provisions of art. 56 of the Regulation on cross-border processing, informed without delay the Lead Supervisory Authority (Information Commissioner's Office, ICO) in the earlier proceedings initiated against Roofoods LTD (the parent company, which has its main establishment in Great Britain) relating to cross-border processing. On 29 November 2019 the ICO accepted the competence of the Italian Authority, pursuant to art. 56, par. 2 of the Regulation, in relation to the processing carried out by Deliveroo Italy s.r.l. which substantially affects riders who operate solely in Italy on the basis of an employment contract entered into with the Italian company. 3.2. Controllership of the processing. On the basis of the assessment carried out and the examination of the documentation acquired, it emerges that Deliveroo Italy s.r.l., in relation to some processing of data relating to riders, determines the purposes and means of that processing (see art. 4, no. 7, of the Regulation).
This emerges, specifically: from the types of activities and personal data indicated in the processing register prepared by the company (see note of 10.7.2019, Annex L, "Deliveroo Italy - Register of processing activities (Updated)", in particular with reference to the activities "Agreement with the riders", "Discretion to carry out some support operations for the rider on a daily basis" and "Tax and financial reporting", and the related types of personal data processed: "Names and contact information, including email, contract and signature", "Name and data, including email, telephone and any communication with the rider", "Invoices"); from the results of the access to the systems developed by Deliveroo Italy (Rider Portal, to "manage riders daily, including key profile information and payment details"; Admin, to "see the number of hours worked, the area and the rider's phone number"; Atlas, to "troubleshoot last 28-day orders") and, by the company's own account, third-party systems (NVM, which "facilitates calls with riders and retention of call records"; Zendesk, for "support tickets via email"; Zopim, to "support tickets via chat"), through which the company processes the personal data of the riders collected by the system, relating to all the details of the order, to the geographical position collected through GPS, to the storage of the routes travelled on the map, and to the data collected and stored during the communications made (in inbound and outbound mode) by the Rider Support Team (managed by the company) through phone calls, chats and e-mails, including when the "anomalies" indicated in the list of so-called triggers occur (see note of 10.7.2019, Annex C, and screenshots of the accesses made on the systems on 20.6.2019); from the information document "Privacy policy of the Rider for Italy", updated on 24 May 2018, where it is clarified that: Roofoods Limited and Deliveroo Italy are "the 'data controllers' of the information that [will be collected on] candidates to become riders and [on]
riders"; any questions or requests relating to the privacy policy may be addressed to the "Rider Italia Support Team" or to the Data Protection Officer (DPO); any complaints can be submitted to the Garante per la protezione dei dati personali; and from the (autonomous) decision of the company, as data controller, not to carry out a data protection impact assessment in relation to the processing carried out, "as it is not deemed necessary" (see note of 10.7.2019, Annex J). 3.3. Observations on compliance with the legislation on the protection of personal data and violations ascertained. On examination of the declarations made to the Authority during the proceedings and of the documentation acquired (in relation to which it is recalled that, unless the fact constitutes a more serious offence, whoever, in proceedings before the Garante, declares or certifies false information or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code, "False statements to the Garante and interruption of the execution of the tasks or the exercise of the powers of the Garante"), it emerged that the company, as controller, carried out processing operations on personal data relating to a high number of data subjects (equal, according to what was declared at the time of the inspection, to about 8,000 riders) which do not comply with the rules on the protection of personal data in the terms described below. 3.3.1. Principle of transparency and inadequacy of the information provided to data subjects. With reference to the obligation to provide information to data subjects, it emerged that the company processed the riders' data on the basis of a notice called "Privacy policy of the rider for Italy", made available through a link inserted in point 9.2 of the contract template entered into with the riders and published on the company's website (see Annex to the inspection report).
This information document, which is currently still present on the company's website in the same form, does not comply with the data protection provisions in several respects. In it, the company fails to indicate the actual manner of processing the data relating to the riders' geographical position, as emerged during the assessment (systematic data collection every 12 seconds), giving instead a completely generic and misleading indication on this point ("when your status is set to 'online' [...], we collect data relating to your geographic location on a discontinuous basis"). In this regard, it must be underlined that the particular intrusiveness of the processing in question requires that information be provided about the specific manner of processing and the frequency at which the geographical position is detected: in the absence of such information, the data subject cannot have adequate awareness of the processing of his or her data. This therefore entails the violation of art. 5, par. 1, lett. a) of the Regulation in relation to the principle of transparency.
Also with regard to storage periods, the indications provided in the notice, through tautological formulas, are extremely generic and do not make it possible to understand the expected storage period ("We will not keep your information for a longer period than we think is necessary", see point 6 of the Privacy policy cited): no indication is therefore provided regarding the retention periods of certain types of data as they result both from the processing register (6 years "after the expiry of the contract / termination" for data related to the contract and processed for rider support activities; "Indefinite" for data relating to invoices) and from the verification activities (6 years for the "discrepancies" detected in the management of the order; 1 year for telephone conversations until the date of modification of the data retention policy, communicated on 10.7.2019, which currently, according to what has been declared, provides for retention for 28 days by the parent company Roofoods only). Nor are the criteria used to determine the retention period indicated (see Article 29 Working Party, Guidelines on transparency under Regulation 2016/679, WP260 rev.01). This entails the violation of art. 13, par. 2, lett. a) of the Regulation. Considering, moreover, that the notice (point 3, letters f) and e), and point 5) refers to the carrying out of profiling activities (explicitly based on the geographical position and the type of vehicle, as well as to "determine the [...] priority access level to booking"), it is also noted that the company has not provided "meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject"; in this regard, it is therefore noted that the company, which, as will be seen in more detail below, also carries out automated processing, including profiling, falling within the scope of art.
22 of the Regulation, has violated the "enhanced" information obligations that the Regulation explicitly requires in such cases (see art. 13, par. 2, lett. f)). Furthermore, the notice cannot be considered compliant with data protection rules, in particular with art. 13, par. 2, lett. d), also as regards the indication to data subjects of the supervisory authority competent for the various processing operations carried out: in fact, it suggests that it is possible to contact either the Garante per la protezione dei dati personali or the Information Commissioner's Office (ICO), indifferently or jointly. This reading was confirmed by the company in its defence briefs, where it specified that "it believes [...] it is important that the data subjects [...] feel free to act before either Authority or both if they wish to lodge a complaint". However, given that the ICO is not competent to hear complaints relating to processing carried out in Italy by a data controller that has its registered office there, this incorrect indication is misleading with respect to the obligation to provide information on the right to lodge a complaint with the competent supervisory authority and does not facilitate the exercise of rights by the data subject. The above violations must also be considered in light of the fact that, in the context of the employment relationship, fully informing the worker about the processing of his or her data is an expression of the general principle of fairness of processing (art. 5, par. 1, lett. a) of the Regulation). 3.3.2. Principle of storage limitation.
With reference to the identification of the retention periods of the data processed, it emerged that the company provided for the retention, for 6 years after the termination of the employment relationship, of different types of rider data collected for a variety of purposes (data processed for the signing of the employment contract; data relating to communications with the riders through chat and e-mail; data relating to the "discrepancies" found in the management of the order). Until 10 July 2019, the company also kept for 1 year (as declared by the group DPO and ascertained by the Authority when accessing the systems) the external data (calling/called number, date, time, duration, outbound/inbound mode) and the content (recordings) of the phone calls made with the riders through the Support Team, while, from 10 July 2019, those recordings are, according to the company, kept by the parent company, and not by the Italian company, for 28 days. Finally, according to the processing register, the company keeps the data relating to the invoices issued for the payment of the riders for an "indefinite" time. The route of each order is instead stored on the systems for 6 months (as ascertained when accessing the systems). The company has thus identified a single retention period, equal to 6 years and significant in itself, for a plurality of processing operations carried out for different purposes and for different types of data, in some cases including the content of communications (via chat and e-mail), which the law protects with particular guarantees. In this regard, the statement that "the provision of a general clause" is the "best tool" for informing data subjects in the face of the "complexity and changeability [...]
of the provisions on data retention", as argued by the company in its defence briefs, cannot be accepted, given that the Authority has clarified in this regard that, in light of the need to identify retention periods that are appropriate to each of the purposes actually pursued through the processing of the different types of personal data, the controller must not limit itself to identifying "blocks" of homogeneous time bands (decision of 9.1.2020, no. 8, web doc. no. 9263597). Even though in the present case the (broad) retention period envisaged, equal to 6 years, had not yet elapsed, given that the company has been active since 1 October 2015, the wide range of data collected appeared, at the time of the assessments, to have been retained for a considerable period of time (over four years) without any specific assessment of adequacy in relation to the purposes pursued. Nor does this assessment, which is the responsibility of the data controller (see art. 5, par. 1, lett. e) of the Regulation and Recital 39), appear to have been carried out by the company in identifying the retention periods for the data and content of telephone communications with the riders, kept for a significant period of time (1 year) until 10 July 2019, and for the route maps of the individual orders performed by the riders, kept for 6 months. Finally, no assessment has been made in relation to the data relating to the payment of the riders and the issuing of the related invoices, the retention of which is envisaged for an "indefinite" period of time. This resulted in the violation of art. 5, par. 1, lett. e) of the Regulation, which provides that personal data be kept "in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed".
In particular, the data controller has the obligation "to ensure that the period for which the personal data are stored is limited to a strict minimum" (see Recital 39). In this regard, it is however acknowledged that the company, as stated in the defence briefs, has started a general review of the data retention criteria, within which distinct retention periods for the data processed will be identified (by "macro areas" and by "specific categories of data"). The Authority reserves the right to open separate proceedings regarding the legal basis of the processing of data from telephone calls with Italian riders carried out by the parent company Roofoods Ltd, as well as regarding the latter's identification of a 28-day retention period for the data collected. 3.3.3. Principle of data minimisation and data protection by design and by default (privacy by design and by default). On the basis of the company's statements and the results of the access to the systems carried out during the inspection, it emerged that the systems are configured so as to collect and store all data relating to the management of the order (data collected through the application used by the riders, including GPS detection every 12 seconds, as well as through interactions with customer care; data relating to delivery times (estimated and actual) for each phase of the order; order history for each rider (including the percentage of accepted orders); indication of the last connection made; number and type of "actions" taken against the rider, with the details of each "action"; area of the city where the order is placed; map of the order performed; details of rejected orders).
It also emerged that the systems (in particular Atlas and Payments) are configured so as to allow authorised operators to move, through simple functions, from one system to another, with the consequent sharing of the data collected in the different systems (see the Add order log function, which allows information from customer care / rider support to be entered in the order details tab; see also the Payments function, from which all the details of each rider's orders, including the history, can be accessed). Furthermore, the chat and e-mail management system is configured so as to allow the operator to directly access the content of chats and e-mails exchanged with the riders without further steps, reconstructing, for each rider, all the communications made, until 10 July 2019. Contrary to what the company claimed in its defence briefs, no specific reasons have been put forward (nor have any emerged) on the basis of which operators' concurrent access to the different systems would be necessary in order to deliver the services efficiently. This is so considering that the aforementioned systems are intended, respectively, for the management of orders in real time and for the display of the order history (Atlas), and for the management of problems that arose during an order or, regardless of any order in progress, in the relationship with the riders. The communication channels with the riders serve a variety of needs, of which the management of any problems with orders in progress is only one. When moving from the order management system to the communications management system and vice versa, operators have access not only to the data relating to the rider who handled a particular order, but also to information relating to all the other riders.
Furthermore, the persons who carry out the accounting of the compensation due to the riders (Payments) can directly access all the details of the orders performed by each rider, including the map of the orders and all the other details processed by the system (percentage of orders accepted, last connection, details of all the individual steps of the order). For the above reasons, this configuration of the systems, taking into account the quantity and variety of data collected and the manner of processing, in relation to the purpose of managing the delivery of food or other goods, resulted in the violation of art. 5, par. 1, lett. c) of the Regulation (principle of data minimisation) and of art. 25 of the Regulation (data protection by design and by default). 3.3.4. Security measures. On the basis of the company's declarations and the outcome of the access to the systems carried out during the assessment, it emerged that all systems (both those developed by Deliveroo and those developed by third parties but in any case accessible to Deliveroo), at least until 10 July 2019, allowed operators to access the data of all riders operating both in the EU and outside the EU. Following the Authority's verification activity, this configuration was modified by the company; at present, therefore, all systems have been reconfigured according to the principle of "segregation by single jurisdiction, with exceptions for a limited number of supervisors, where necessary" (see note of 10.7.2019, p. 3), although it has not been specified in which cases it is necessary for supervisors to access and compare the data relating to Italian riders with the data relating to riders of other countries, without prejudice to the stated possibility that such processing takes place anonymously for statistical purposes.
The configuration of the systems adopted by the company until 10 July 2019 therefore appears to have been in violation of art. 32 of the Regulation, which establishes that "Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk". In fact, until the systems were modified, the company had not adopted adequate technical measures to prevent access to the data of Italian riders processed through the platform by the operators of the other companies of the group (based both in EU and in non-EU countries). At the same time, the operators authorised to access the platform in Italy could access the data of the riders processed by all the companies of the group, as no selective access to the system was provided by default.
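The two configurations contrasted above (every authenticated operator able to read every rider's record, versus segregation by jurisdiction with a supervisor exception and anonymous cross-country statistics) reduce to an authorisation policy. The following Python is an added illustration, not Deliveroo's code and not anything in the decision: the role names, record fields, sample riders and operators are constructed, and the requirement that a supervisor's cross-jurisdiction read carry a recorded justification written to an audit log is this example's own assumption, added because the decision notes that the cases in which supervisors need such access were never specified.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Operator:
    user_id: str
    jurisdiction: str   # country whose riders this operator supports, e.g. "IT"
    role: str           # "support", "payments" or "supervisor" (assumed role names)


@dataclass(frozen=True)
class RiderRecord:
    rider_id: str
    jurisdiction: str
    gps_track: List[Tuple[int, float, float]]   # (timestamp, lat, lon) samples


@dataclass
class AuditLog:
    entries: List[Tuple[str, str, str, str]] = field(default_factory=list)


# Constructed sample data; none of it comes from the decision.
RIDERS = [
    RiderRecord("r-it-1", "IT", [(0, 45.46, 9.19)]),
    RiderRecord("r-it-2", "IT", [(0, 41.90, 12.50)]),
    RiderRecord("r-es-1", "ES", [(0, 40.42, -3.70)]),
    RiderRecord("r-gb-1", "GB", [(0, 51.51, -0.13)]),
]
OPERATORS = {
    "it_support": Operator("u-100", "IT", "support"),
    "es_support": Operator("u-200", "ES", "support"),
    "it_supervisor": Operator("u-300", "IT", "supervisor"),
}


def legacy_can_access(operator: Operator, record: RiderRecord) -> bool:
    """The configuration found at the inspection: authentication (even with MFA)
    was the only gate, so any operator could read any rider regardless of country."""
    return bool(operator.user_id)


def can_access(operator: Operator, record: RiderRecord, audit: AuditLog,
               justification: Optional[str] = None) -> bool:
    """Default deny. Same-jurisdiction reads are allowed. A supervisor may read a
    rider from another jurisdiction only with a justification, and every such
    exception is appended to the audit log so it can be reviewed later."""
    if operator.jurisdiction == record.jurisdiction:
        return True
    if operator.role == "supervisor" and justification:
        audit.entries.append((operator.user_id, record.rider_id,
                              record.jurisdiction, justification))
        return True
    return False


def visible_riders_legacy(operator: Operator, records: List[RiderRecord]) -> List[str]:
    """Rider ids visible under the pre-segregation configuration."""
    return sorted(r.rider_id for r in records if legacy_can_access(operator, r))


def visible_riders(operator: Operator, records: List[RiderRecord], audit: AuditLog,
                   justification: Optional[str] = None) -> List[str]:
    """Rider ids visible under the jurisdiction-scoped policy."""
    return sorted(r.rider_id for r in records
                  if can_access(operator, r, audit, justification))


def anonymised_counts(records: List[RiderRecord]) -> Dict[str, int]:
    """Cross-jurisdiction statistics that carry no identities: a count per country.
    This is the kind of aggregate a supervisor can be given without a rider-level read."""
    counts: Dict[str, int] = {}
    for r in records:
        counts[r.jurisdiction] = counts.get(r.jurisdiction, 0) + 1
    return counts


if __name__ == "__main__":
    log = AuditLog()
    print("legacy, IT support :", visible_riders_legacy(OPERATORS["it_support"], RIDERS))
    print("scoped, IT support :", visible_riders(OPERATORS["it_support"], RIDERS, log))
    print("scoped, supervisor :", visible_riders(OPERATORS["it_supervisor"], RIDERS, log))
    print("with justification :", visible_riders(OPERATORS["it_supervisor"], RIDERS, log, "case 42"))
    print("audit entries      :", log.entries)
    print("anonymised counts  :", anonymised_counts(RIDERS))
```

The point of the split into `legacy_can_access` and `can_access` is that the second function denies by default and makes the only cross-border path both role-bound and auditable; a supervisor without a recorded reason sees exactly what a support operator in the same country sees.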
This also taking into account that the (generic) reminder contained in the employment contract with employees regarding compliance with the data protection rules and company policies, as well as the explanation of the meaning of processing and of the principles of proportionality and minimisation (which would have been provided during the training course held on 23.5.2018), do not, in the absence of specific instructions on the use of the systems, constitute suitable organisational measures, also in light of the concrete circumstances of the case, to ensure "the ongoing confidentiality, integrity, availability and resilience of processing systems", taking into account the concrete risks arising from "loss, alteration, unauthorised disclosure of, or access to personal data", whether accidental or unlawful. In relation to the above, therefore, it does not appear that the company adopted, until 10 July 2019, adequate technical and organisational measures to ensure adequate security of processing, in violation of art. 32 of the Regulation. 3.3.5. Automated processing, including profiling.
Based on the results of the verification activity, it emerged that the company carried out automated processing, including profiling: - aimed, among other things, at evaluating "reliability" and "availability" to accept shifts on peak days in order to determine the priority in the choice of shifts by the riders (until 2 November 2020); - for the assignment of orders within the booked shifts, through an algorithmic system called Frank, still active after 2 November 2020 given that the company has not declared that it has abandoned it, which processes at least, according to what has been declared, the data relating to the geographical position and the type of means of transport used by the rider, considered in relation to the position of the customer and of the business (see p. 5 of the Rider's privacy policy for Italy: "We process your data [...] to develop our business, our systems and our services [...] to guide our algorithms to make the most effective and accurate decisions, for example by orienting our ordering algorithm, Frank"). In this regard, it is noted that, with reference to the systems used by Roofoods Spain S.L., also a company of the group to which Deliveroo Italy s.r.l. belongs, profiling activities were ascertained by the Juzgado de lo social n. 19 de Madrid, sentencia 188/2019 ("Once the restaurant's acceptance of the order had been confirmed and notified, through the tablet, to the Deliveroo application, the rider considered the best candidate to handle it was selected. Deliveroo [did so] by means of an algorithm, that is, a mathematical formula that performs a set of operations on the data feeding the application, on the basis of the criteria established by the defendant company (proximity to the pick-up point, determination of a rider's 'optimal' status, etc.)"). In the same terms, again against Roofoods Spain S.L., the Juzgado de lo social n.
6 de Valencia, sentencia 244/2018 ("The company, with a daily [roster] of 'riders', among the [slots] chosen by the riders, fixes the schedule of each of them, choosing some or others according to the order in which they made their choice and their level of excellence, and sometimes not assigning them some of the shifts requested"). First of all, it should be noted that the processing of personal data carried out through the aforementioned algorithmic systems presupposes profiling by the company, carried out using the riders' personal data to evaluate certain personal aspects relating to the natural person. In this regard, reference is made to the definition provided by the Regulation, under which profiling means any form of automated processing of personal data "consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work [...], reliability, behaviour, location or movements" (see art. 4, no. 4), as well as to what Recital 71 specifies in this regard about profiling that produces legal effects or in any case similarly significantly affects the data subject. The processing carried out by the company in this area certainly produces a significant effect on the data subject, consisting in the possibility of granting (or denying) access to work opportunities in certain pre-established time slots, and therefore of offering (or denying) an opportunity of employment. Therefore, the reconstruction put forward by the company in its defence briefs cannot be accepted, according to which the effect of the profiling activity through the priority booking system would be to "abstractly limit the possibility for a rider to book their sessions at the times and in the preferred areas", from which only mere "minor inconveniences" could arise for the riders.
Under the SSB booking system, through the application, the rider books the time slots predetermined by the company, until they are filled. The company also, through the system, assigns orders to the rider who has set online mode within a predetermined area. The booking system was configured in Italy so as to grant priority booking on the basis of the factor defined as "reliability", i.e. actual participation in the booked shifts or cancellation before the start of the shift, and of the "availability" factor, i.e. actual participation in the so-called "super peak" shifts (from 7 pm to 9 pm on Friday, Saturday and Sunday), which, according to the company's calculations, have a higher number of orders. This system is designed to present the choice of work shifts with priority to those who have obtained a higher score (as resulting from the statistics). The available shifts run out as the riders who access the weekly calendar with priority express their preference, progressively reducing the possibility of accessing shifts and orders for the other riders (Court of Bologna, labour section, order of 31.12.2020, issued against Deliveroo Italy s.r.l.). The assignment of the score in the statistics produced within the SSB system, derived from the application of a mathematical formula on the basis of which the calculation is carried out, directly penalises (as stated by the company: see point 1.1, lett. j) above) the rider who does not log in after the start of the shift and, by rewarding those who actually participate, even if only by activating online status in the app in the booked sessions, and those who participate in the so-called super peak sessions (see point 2.1, lett. k) above), penalises riders who do not show up online in the booked session and who do not participate (or participate less) in the super peak sessions.
Through the score derived from the statistics, the company evaluates the rider's work, thus producing a significant effect on his or her person. With reference to the characteristics of the order assignment algorithm, as emerged from the verification activities and from the modification that the company claims to have made with effect from 3 November 2020, there is a lack of transparency about its operating mechanisms. Nor do the FAQs made available on the company's website provide exhaustive information on the new system. Following the declared suppression of the SSB booking system, the operation of the current allocation algorithm has not been clarified by the company, although, unless allocation is entirely random, this algorithm must necessarily use priority criteria derived from the data collected. Furthermore, considering that the company, through the various order management systems, continues to collect a large amount and variety of personal data through the app, customer care and customer feedback, and that the company itself communicated the abandonment of the SSB system without any explanation of the new assignment methods, nor any information on the current processing of the data already collected by the statistics processing system, it is clear that the modification of the system, effective from 3 November 2020, concerns at most the criteria for access to the work shift, but not the way in which orders are assigned within the shift. Based on the evidence in the file, the company's reconstruction, according to which the processing relating to "the management and effective operation of the app [...], including the booking system" is carried out "in complete independence" by the parent company Roofoods as an independent data controller, cannot be shared.
In fact, the company manages the Deliveroo rider app and, through this application, collects and transfers data relating to orders to the platform, and collects data relating to communications, anomalies and actions taken by entering them into the systems; it also collects customer feedback and enters it into the systems (in this last regard, the company's rider Privacy Policy for Italy merely states that "We process your data [...] to guarantee and improve the efficiency of our services, for example to understand from your data [...] as well as the data of other riders, what determines a negative experience of customers, restaurants or riders, what are the causes of inefficient deliveries or damage to Deliveroo"). The company may, within certain limits, customize the use of the platform, given that it can independently establish increases in remuneration on certain holidays or other variables (see previous point 1.1., letter qq). It also appears that it was the company that modified the system operating in Italy by abandoning the SSB system (see company note of 10.12.2020), as well as modifying the configuration of the systems in relation to the criteria for accessing them (see previous point 1.3.1., letter a). The company, therefore, collects and enters data into the system and uses the platform to carry out the delivery of goods assigned to the riders on the basis of a contract, thereby determining the purposes and means of the processing as data controller. In the present case, the application of art. 22 of the Regulation must be considered in the light of the provisions of par. 2, letter a), which excludes the application of the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects the data subject, where the processing is necessary for the performance of a contract between the parties. In this case, however, art. 22, par.
3) of the Regulation provides that the data controller implements suitable measures to "protect the rights, freedoms and legitimate interests of the data subject, at least the right to obtain human intervention [...], to express their opinion and to contest the decision". On the basis of the investigations carried out, it does not appear that the company has adopted these measures. Furthermore, it does not appear that the company, in relation to the processing carried out as controller, has adopted technical and organizational measures to protect the data subjects aimed at periodically verifying the correctness and accuracy of the results of the algorithmic systems and the accuracy, relevance and adequacy of the data used by the system with respect to the purposes pursued, and at reducing as far as possible the risk of distorted or discriminatory effects, with reference to the functioning of the digital platform (see the specific references in Recital 71, cit.; see European Commission, A Union of Equality: Gender Equality Strategy 2020-2025, 5.3.2020, COM(2020) 152 final: "Algorithms and related machine learning, if not sufficiently transparent and robust, risk reproducing, amplifying or contributing to gender biases that programmers may not be aware of or that are the result of specific selection of data"). This also in relation to the obligations imposed by sector regulations on the operation of platforms (see Article 47-quinquies, Legislative Decree no. 81/2015, in force since 3.11.2019, according to which "1. The anti-discrimination rules and those protecting the freedom and dignity of the worker provided for subordinate workers, including access to the platform, apply to the workers referred to in article 47-bis. 2. Exclusion from the platform and reductions in work opportunities attributable to the non-acceptance of the service are prohibited", on which, more extensively, see par.
3.3.9; see also the Consultative Committee of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108), Guidelines on Artificial Intelligence and Data Protection, Strasbourg, 25 January 2019: "AI developers, manufacturers, and service providers should adopt forms of algorithm vigilance that promote the accountability of all relevant stakeholders throughout the entire life cycle of these applications, to ensure compliance with data protection and human rights law and principles"). Finally, with reference to the feedback mechanism, it does not appear that the company has adopted appropriate measures to avoid improper or discriminatory use of reputational mechanisms based on feedback. In this regard, the Garante, albeit with reference to the rules prior to the application of the Regulation, had established that automated processing, including profiling, must take place in compliance with the relevant provisions and in the presence of adequate guarantees (see provision 29.11.2018, no. 492; see also, on this point, provision 24.11.2016, no. 488, confirmed by Court of Cassation no. 14381 of 25.5.2021). For the above reasons, the company has therefore violated art. 22, par. 3, of the Regulation. 3.3.6. Data protection impact assessment. With reference to the set of processing operations subject to the proceedings, the company deemed that it was not required to carry out the data protection impact assessment provided for by art. 35 of the Regulation, following its survey of the processing carried out. In this regard, the company, in its defense briefs, specified that the processing activities carried out by Deliveroo Italy s.r.l. as data controller "consist only in the operations of so-called
onboarding [...], including contractualization, as well as in support for riders and tax and financial reporting" and that, in relation to these activities, the company evaluated, and then excluded, the need to carry out an impact assessment. In support of this, the company produced a document entitled "Need for an impact assessment on data protection for processing in Italy by Deliveroo Italy srl", undated and signed, in which, without in-depth explanations relating to the evaluation of the nature and type of processing carried out, the need to carry out a DPIA pursuant to art. 35 of the Regulation is ruled out, referring to a simplified version of the register of processing activities integrated with the assessment of the non-necessity of carrying out a data protection impact assessment. On the basis of the evidence in the documents, it is not possible, in the first place, to agree with the company's reconstruction according to which "all processing relating to the management and effective operation of the app [...], including the booking system, is carried out in complete independence by the holding (as independent data controller)". In fact, as explained more extensively in the previous paragraph 3.3.5., the Italian company directly processes the personal data of the riders using the digital platform, populating it and using it for the management of all stages of delivery of the orders entrusted to the riders. For these reasons there is no doubt that it is the controller of the processing. When a processing operation that involves "the use of new technologies, given the nature, the object, the context and the purposes of the processing, may present a high risk for the rights and freedoms of individuals", art. 35, par. 3, lett. a) of the Regulation establishes that the data controller must carry out the impact assessment. Par. 2, lett.
a) provides that this assessment is required in particular in the case of a "systematic and comprehensive assessment of personal aspects relating to natural persons, based on automated processing, including profiling, and on which decisions are based that have legal effects on these individuals or affect them in a similarly significant manner". In light of the provisions of the aforementioned regulation, as well as the indications provided in this regard by Guidelines WP 248rev.01 of 4.4.2017 (with reference to criteria nos. 1, 2, 3, 4, 5 and 7) and by the Garante's provision of 11 October 2018, no. 467 ("List of types of processing subject to the requirement of a data protection impact assessment pursuant to art. 35, paragraph 4, of Regulation (EU) no. 2016/679", in GU, SG no. 269 of 19.11.2018), the processing activity carried out by Deliveroo Italy srl is among those that present "a high risk for the rights and freedoms of individuals", with the consequent need to carry out an impact assessment pursuant to art. 35 of the Regulation before the start of the processing. This considering, in particular, that the processing of data is also carried out through the innovative use of a digital platform, the operating mechanism of which has been disclosed only in part, and which is the subject of the activity carried out by the Italian company, as also highlighted in the company's own description of its activity ("organization and management of an online software platform (based on web and applications) to connect restaurateurs and other partners with potential customers and facilitate the delivery of food and more through a network of independent transport service providers").
The processing is characterized by the collection and storage of a plurality of personal data, including geographical location and communications made via phone calls (until 10.7.2019), chat and e-mail, as well as all the details relating to each phase of order management, including the detection (and related management) of anomalies (triggers), and the consequent carrying out of profiling activities and automated processing towards a significant number of "vulnerable" data subjects (as parties to an employment relationship; see Guidelines cit., Chap. III, B, no. 7). Considering, therefore, that Deliveroo Italy s.r.l. is the data controller with reference to the data of the riders who work for the Italian company, and that art. 35 of the Regulation places on the controller the obligation to carry out an impact assessment before processing where the conditions are met, Deliveroo Italy s.r.l. was required to comply with reference to the processing activities carried out by the Italian company itself. It is also noted that the innovative nature of the technology used by the company (of which the geolocation functionality constitutes only a part, albeit a significant one), and the consequent high risk for the rights and freedoms of the data subjects, is evident from the very examination of the functioning of the digital platform around which the activity carried out by Deliveroo Italy srl revolves; this also taking into account the scope and context of reference (i.e. work via digital platform), the growing expansion of the market sectors concerned, the evolution of the phenomenon of the so-called "gig economy" in the context of the continuous technological changes that are characterizing the labor market, as well as the full recognition of this evolution by the national legislator (see Law no. 128/2019, converting Decree-Law no. 101 of 3.09.2019, which inserted Chapter V-bis into Legislative Decree no.
81 of 2015, "Protection of work through digital platforms", as well as the new sentence in Article 2, paragraph 1, of Legislative Decree no. 81/2015, which refers to the "methods of execution of the service [...] organized through platforms, including digital ones") and the attention paid to this phenomenon also by the European institutions (see European Commission, document of 24.2.2021, "Questions and Answers: First stage social partners consultation on improving the working conditions in platform work"; European Parliament, Legislative Observatory, Fair working conditions, rights and social protection for platform workers - New forms of employment linked to digital development, 2019/2186(INI), 2019; European Parliament and Council, Directive 2019/1152 on transparent and predictable working conditions, 2019, also containing references to digital platform workers), as well as case law at national and European level (see par. 3.3.9.). The processing of a large number of different types of data, referring to a significant number of data subjects, also carried out through the digital platform, which is based on the algorithmic functions previously described and which matches supply and demand, in fact has an evident innovative character. It is therefore considered that such processing may result in risks to the rights and freedoms of the data subjects, as it relates to the "evaluation of personal aspects, in particular through the analysis or forecasting of aspects concerning professional performance, [...], reliability or behavior, location or travel, in order to create or use personal profiles; if data of vulnerable natural persons are processed [...]; if the processing concerns a significant amount of personal data and a large number of data subjects" as well as "if the processing can create discrimination" (see recital 75 of the Regulation). For the above reasons, the company has violated art. 35 of the Regulation. 3.3.7.
Notification of the appointment of the data protection officer. The company, pursuant to art. 37, par. 1, letter b) of the Regulation, is required to designate a DPO, taking into account that the processing carried out includes the regular and systematic monitoring of data subjects on a large scale, also through the collection of data relating to geographical position through an application installed on mobile devices (see Article 29 Working Party, Guidelines on Data Protection Officers, 5 April 2017, WP 243 rev.01, par. 2.1.4, endorsed by the EDPB on 25.5.2018). Based on the documentation acquired, it emerged that the company communicated the contact details of the data protection officer to the Authority, pursuant to art. 37, par. 7 of the Regulation, only on 31 May 2019. The company, in its defense briefs, specified that the communication of the contact details of the group DPO was made by the parent company to the ICO "in May 2018 pursuant to the Data Protection Act of 1998 and in May 2019 pursuant to the GDPR". Only later, "in connection with the general reorganization of the Group's data protection governance structure, was it deemed appropriate to communicate the appointment also to the Italian Garante". While the designation of the DPO at corporate group level (see art. 37, par. 2 of the Regulation) is deemed compliant with data protection legislation, art. 37, par. 7 of the Regulation provides that "the data controller or the data processor publishes the contact details of the data protection officer and communicates them to the supervisory authority": consequently, even if the DPO is designated at group level, the obligation remains for the individual entities of the corporate group, as controllers or processors, to publish the contact details of the DPO and to communicate them to the competent supervisory authority (this is also clarified by the Authority's FAQ adopted with provision of 29 April 2021, no. 186).
That said, since Deliveroo Italy s.r.l. is the data controller of the data of the riders who work for the Italian company in Italy, the communication to the Garante of the designation of the DPO, which, even if carried out at group level, is considered suitable pursuant to the provisions of art. 37, par. 7, of the Regulation, was made by the Italian company only on 31 May 2019; it is therefore ascertained that, up to that date, the company failed to make the communication required by art. 37, par. 7 of the Regulation. 3.3.8. Register of processing activities. On the basis of the documentation acquired overall, it emerged that in the register of processing activities delivered to the Authority (both in the English version provided during the inspection and in the updated version of the register sent on 10.7.2019) some types of personal data referring to riders, the processing of which was ascertained during the control activities, are not indicated. In particular, the processing of data relating to geographical position, collected via the GPS of the device in use by the rider, as well as the plurality of data relating to order details detected through the app, are not recorded. With reference to the identification of retention periods, it also emerged that, in relation to some processing of the data of "employees" of Deliveroo Italy srl of particular relevance, as it concerns disciplinary procedures, internal complaints, health and safety information, disputes and legal proceedings, the retention period is indicated in very general terms ("generally 6-7 years"), and in relation to some processing of the data of both "employees" and "riders" the periods are not determined (the term "indefinite where the information is stored on the system", in relation to fiscal and financial reporting).
Furthermore, in this regard, it emerged that, while the register acquired during the inspection indicated a retention period of 28 days for the data relating to the recordings of telephone calls with the riders, when accessing the systems it was instead ascertained that the retention period was 1 year. From this point of view, therefore, the information in the processing register was incorrect, as it indicated an inaccurate retention period, much shorter than that actually implemented. Although the company declared that "the conservation of telephone calls recorded as Deliveroo Italy's activity" had been "removed", the section of the last register of processing delivered by the company relating to communications with riders still contains both the "storage path" NVM, relating to recordings of telephone calls, and the reference to the "recipient category" consisting of the "communications management platform, telephone call platform". It is noted that the company, in its defense briefs, stated in this regard that "the reorganization of the processes for handling call recording activities, which occurred in conjunction with the inspection activities, could not already be transposed into the delivered register". However, it should be noted that the elements described above, still referring to the recording of telephone calls, appear in the version of the register delivered on 10 July 2019, expressly marked "updated". The processing register exhibited by the company was then also found to be lacking in terms of the general description of the security, technical and organizational measures pursuant to art. 32 of the Regulation, as the document merely refers generically to an unspecified "security policy" or "IT policy" or "IT security policy", without any reference to specific documents adopted on the subject and without describing, even briefly, the measures actually adopted, as required by art. 30, par. 1, lett.
g) of the Regulation (as expressly indicated by the Authority in the aforementioned FAQ on the register of processing activities: "The security measures can be described in summary and concise form, or in any case in a form suitable to give a general and overall picture of these measures in relation to the processing activities carried out, with the possibility of referring for a more detailed assessment to external documents of a general nature (e.g. internal organizational procedures; security policy, etc.)"). Finally, it is noted that the register of processing activities bears neither the date of adoption, nor the date of the last update, nor a signature, elements suitable to give the document full reliability, in accordance with the provisions of art. 5, par. 2, of the Regulation in terms of accountability. In this regard, the Garante has in fact clarified (see FAQ on the register of processing activities) that the register must be kept constantly updated, since its content must always correspond to the processing actually carried out. For this reason "it must in any case bear, in a verifiable manner, the date of its first establishment (or the date of the first creation of each individual form by type of processing) together with that of the last update". The company, therefore, for the above reasons, has violated art. 30, par. 1, letters c), f) and g) in relation to the methods of drafting and keeping the register of processing provided for by law. On this point, it is noted that the company declared that it is working on a new version of the processing register, with the commitment to incorporate "the recommendations that will be provided [...] by the Garante". 3.3.9. Applicability of the guarantees referred to in art. 114 of the Code.
The investigations made it possible to establish that the company processes the personal data of the riders, as described above, in the context of an employment relationship having as its object the transport of food or other goods from restaurants or other partner merchants of the company, through the use of a digital platform and in return for a fee. Deliveroo Italy enters into with the riders a model contract prepared by the company, defined as a "collaboration contract", the object of which is the provision of services relating to the "collection by the rider from restaurants or other partners [...] of hot and/or cold prepared food and/or drinks ("order") offered to the rider through the Deliveroo rider application ("App"), and the delivery of such orders by bicycle, motor vehicle, motorcycle to Deliveroo customers. The rider is not obliged to carry out any work for Deliveroo or to accept any proposal for services, nor is Deliveroo obliged to propose any work to the rider". [...] "Deliveroo provides a self-service booking service ("SSB") which can be freely used to log in or to book sessions in which the rider wishes to receive service proposals". In this regard, "availability during the booked sessions, if not canceled in advance by the rider, and activity during times of particular traffic may be an element of preference for booking subsequent sessions". Furthermore, "when the rider is logged into the app he can decide whether to accept or reject any proposed services". With reference to the consideration for the service, "Deliveroo reserves the right to offer special additional payments in the event of launches, exceptional promotions, special temporary conditions". The company provides the rider with the service kit (jacket, backpack with thermal bag bearing the company logo).
The processing of personal data referring to the riders, carried out by the company as part of the employment relationship governed by the contract described above, has very specific characteristics and methods of execution. The rider, in order to carry out the work activity, must necessarily install the Deliveroo rider application on his personal device (smartphone or tablet). To carry out his service he must necessarily access the application, using the credentials provided by the company, which are associated with his (personal) telephone number or e-mail address. Through the application, the rider books his work in certain time slots established by the company, until they are saturated, based on the functioning of the SSB booking system (active at least until 2 November 2020, as declared by the company). The booking system is configured in Italy in such a way as to allow riders to book shifts with priority based on two specific factors: "reliability", i.e. actual participation in the booked shifts or cancellation prior to the start of the shift; and "availability", i.e. effective participation in the shifts defined as "superpeak". The company, through an additional algorithmic system for assigning orders called Frank, assigns the orders to the rider who has set "online" mode within a predetermined area. Currently, as declared by the company, access to orders through the application takes place either through the "free log-in" system, in the areas where it is active, or, in the areas where free log-in does not operate, by booking shifts within a weekly calendar (no longer based on the SSB system).
Based on what was made known to the Authority through the note of 10 December 2020 and the scant information made available on its website, the rider statistics "will have no effect and will not affect the time at which [the rider can] access the calendar", although the company has neither provided any information on the processing of the data already collected by the statistics processing system nor clarified the functioning of the current order assignment algorithm (as already noted in the previous paragraph 3.3.5.). However, it is ascertained that the company, making use of the digital platform, uses a booking and shift assignment system based on data collected with Deliveroo or third-party systems. Also in the areas in which the free log-in system is applied, the company reserves the right to identify additional riders, beyond those available, to assign them orders in the event that "[...] customer requests are higher than the number of Riders present". The company therefore establishes the work shifts (time slots on the weekly calendar), the workplace (identifying the predetermined areas of the city, entered into the system, within which the rider must be at the time of taking up service) and the criteria for access to and assignment of shifts, on a weekly basis, through the processing of values carried out by the digital platform (and its algorithm), which uses all the data collected with the app, those entered by the customer care / rider support function and those deriving from feedback. The company determines remuneration on the basis of the orders delivered, although a consideration is also paid in the absence of orders.
The order execution phase is managed through the system, which collects data relating to all phases of the order through the app, including the geographical position detected by GPS, as well as data relating to predetermined situations defined as "discrepancies / triggers", which mostly consist of deviations, even of a few minutes, from the estimated times (e.g. for the collection of food from the restaurant and/or for delivery to the customer), from predetermined times (e.g. the time of actual movement of the rider from the place where he accepted the pick-up) or from the actual movement detected in a predetermined period of time (e.g. 5 minutes after acceptance of the order the rider has moved within a radius of less than 50 meters). In the event of such predetermined situations, the rider is contacted by customer care. The system collects data relating to the outcome and status of the discrepancies / triggers found (see Annex C to the note of 10.7.2019), with the possibility of accessing, through its systems, the order history as well as a wide range of data processed by the system (including: acceptance percentage of the last 100 orders; status of the last 5 orders: delivered, rejected, not assigned; number of times there has been a potential problem or an action in relation to a specific order; percentage of sessions attended in the most recent 14 days; percentage of sessions canceled with less than 24 hours' notice; percentage of orders that the rider initially accepted but subsequently refused). Furthermore, as already highlighted, the system records and stores the external data and the content of the communications made with the rider via chat and e-mail, as well as, until 10 July 2019, by telephone. The systems used by the company allow the viewing, for each rider, of both the details of the order in progress (including display on the map) and the history of orders carried out.
Considering that the processing of data relating to riders is carried out as part of an employment relationship, it is necessary to examine, as a preliminary matter, the specific provisions contained in the Regulation on this matter within Chapter IX. In particular, art. 88 of the Regulation is without prejudice to national rules of greater protection ("more specific rules") aimed at ensuring the protection of rights and freedoms with regard to the processing of workers' personal data, regardless of the specific type of employment relationship. This with particular reference to the adoption of "appropriate and specific measures to safeguard human dignity, legitimate interests and fundamental rights of the data subjects, in particular as regards the transparency of processing, the transfer of personal data within a group of undertakings or a group of companies carrying out a common economic activity, and workplace monitoring systems". The national legislator has approved, as a more specific provision, art. 114 of the Code, which, among the conditions of lawfulness of processing pursuant to art. 5, par. 1, letter a) of the Regulation, established compliance with the provisions of art. 4 of Law no. 300 of 20 May 1970. Violation of the aforementioned art. 88 of the Regulation is subject, where the requirements are met, to the application of a pecuniary administrative sanction pursuant to art. 83, par. 5, letter d) of the Regulation. The national legislator, starting from 2015, has also adopted provisions aimed at regulating work performed through the operation of digital platforms. Art. 2 of Legislative Decree no. 81 of 15 June 2015 established that "With effect from 1 January 2016, the rules of the subordinate employment relationship also apply to collaboration relationships that take the form of exclusively personal, continuous work whose methods of execution are organized by the client, also with reference to the time and place of work".
Following the amendments introduced by Law no. 128 of 2 November 2019, in force since 3 November 2019, the aforementioned art. 2 provides that the work performed is not "exclusively" but "mainly" personal and, in specifying that the methods of execution of the work are organized by the client, it deleted the reference to the time and place of work. Finally, it was clarified that the provisions apply "even if the methods of performing the service are organized through platforms, including digital ones". Chapter V-bis, dedicated to "Protection of work through digital platforms", was also added, introducing the definitions of digital platforms ("the IT programs and procedures used by the client which, regardless of the place of establishment, are instrumental to the activities of delivery of goods, fixing the remuneration and determining the methods of execution of the service") and of riders ("self-employed workers who carry out the delivery of goods on behalf of others, in an urban setting and with the aid of cycles or motor vehicles referred to in Article 47, paragraph 2, letter a), of the Highway Code, referred to in Legislative Decree no. 285 of 30 April 1992, also through digital platforms") (see art. 47-bis, Legislative Decree no. 81/2015). These definitions, as also clarified by the Ministry of Labor circular no. 17 of 19 November 2020, have general validity, i.e. they also refer to services rendered in the context of so-called "hetero-organization" pursuant to the aforementioned art. 2 of Legislative Decree no. 81/2015.
The aforementioned Chapter V-bis has also established "minimum levels of protection" for riders who, in practice, operate as self-employed workers, in particular by extending the applicability of the "anti-discrimination rules and those protecting the freedom and dignity of the worker provided for subordinate workers, including access to the platform" and prohibiting "exclusion from the platform and reductions in job opportunities attributable to non-acceptance of the service" (Article 47-quinquies, Legislative Decree no. 81/2015). As a result of the provisions of art. 47-quinquies of Legislative Decree no. 81/2015, the application of the rules on the "freedom and dignity of the worker" provided for employees, which include the rule set by art. 4 of Law no. 300 of 20.5.1970, therefore falls within the minimum levels of protection guaranteed by law, regardless of the concrete nature of the employment relationship in place with those who deliver goods through platforms "including digital ones" (see Court of Bologna, Labour Section, order cit.). It is also specified that the rules on the protection of personal data apply to the processing of data of workers who carry out their activity through digital platforms (Article 47-sexies, Legislative Decree no. 81/2015). These rights must be understood as recognized to the riders regardless of the nature of the underlying employment relationship (hetero-organized or autonomous), since they are fundamental and inalienable rights (on the applicability of this overall set of rules to riders see Court of Bologna, Labour Section, order cit.). The processing of personal data under assessment is carried out by Deliveroo Italy as part of an employment relationship now regulated by the aforementioned art. 2 of Legislative Decree no. 81/2015 (as amended by art. 1, paragraph 1, letter a), nos. 1 and 2, of Decree-Law no. 101 of 3.9.2019, converted with amendments into Law no. 128 of 2.11.2019).
The company, in fact, through the use of a digital platform, allows customers to place orders for food or other goods at a commercial establishment, and organizes the transport and delivery of the goods, in the absence of any coordination established by mutual agreement with the riders. From the examination of the concrete methods of the processing carried out, it emerges that, regardless of what is abstractly provided for in the employment contract, the riders continuously perform the service with mainly personal activities and with executive methods determined and organized by the company, also through the use of a digital platform. The company, through the booking of predetermined work shifts, selects and distributes the shifts themselves through a system that also takes into account the assessments assigned by customers, the quantity of orders assigned and carried out, and the estimated (and actually taken) delivery time (see previous point 1.1., letter p). It is precisely through the operation of these systems (which have at their disposal a plurality of collected data such as, for example, the geographical position, model and operating system of the last device used by the rider) that the company organizes the delivery activity, identifying, among other things, the time and place of the service.
In addition, the activity was organized, at least until the abandonment of the SSB system, in order to reward the riders with the largest number of sessions booked and orders accepted and delivered; at present, without prejudice to the considerations set out above relating to the lack of transparency of the operation of the current booking and order assignment system, the presence of a system for booking work shifts on a weekly basis confirms the company's interest in a service of a continuous nature (see, for example, the statements made by the company regarding the expected reassignment of the order to another rider if the order is not taken charge of within the short term of 60 seconds; see point 1.1., letter m). It should be emphasized that the rider's choice as to whether and when to perform his/her service is not without consequences in the context of the employment relationship and therefore, contrary to what is claimed by the company, according to which there is the "total freedom of the rider to determine not only the modalities of the service but the very fact of rendering, or not, any service" (see defensive briefs, p. 16), this choice cannot be defined as "free" (the same conclusions are reached by the Court of Palermo, labour section, judgment of 24.11.2020, n. 3570, issued against another company operating in the field of "food delivery", Foodinho srl).
The aforementioned reconstruction of the nature of the employment relationship, within which the processing is carried out, is, on the other hand, consistent with what has been ascertained by case law, including European case law, which has, with some recent rulings, qualified the activity of subjects who, through a digital platform, connect customers and operators as the activity of a transport company (see, among the most recent, Court of Justice, Grand Chamber, 20 December 2017, C-434/15 concerning the case involving the company Uber Systems Spain SL; Cour de cassation, Chambre sociale, 4 March 2020, n. 374, adopted against Uber France and Uber BV; Sentencia SOCIAL Nº 805/2020, Tribunal Supremo, Sala de lo Social, Rec 4746/2019 de 25 de Septiembre de 2020 cit., adopted against GlovoApp23). Finally, in this regard, the Court of Cassation (judgment 24 January 2020, n. 1663), ruling in a case concerning the employment relationship between a "food delivery" company and some riders, clarified that the aforementioned art. 2, legislative decree n. 81/2015 must be qualified as a rule of discipline rather than one creating a new legal category, given that "upon the occurrence of the characteristics of the collaborations identified by art. 2, paragraph 1, of Legislative Decree 81 of 2015, the law imperatively links the application of the subordination discipline". In particular, following some legislative changes that have affected the types of employment contracts in Italy, "the legislator, in an anti-elusive perspective, intended to limit the possible negative consequences, however providing for the application of the regulations of the subordinate employment relationship to forms of continuous and personal collaboration, carried out with the functional interference of the organization unilaterally prepared by the person commissioning the service".
The national legislator arrived at this result by evaluating "certain factual indices deemed significant (personality, continuity, hetero-organization) and sufficient to justify the application of the regulations dictated for the employment relationship [...]". Therefore "when the hetero-organization, accompanied by personality and continuity of performance, is marked to the point of making the collaborator comparable to an employee, equivalent protection is required and, therefore, the remedy of the full application of the regulations of subordinate work". With reference to the rules applicable ratione temporis to the present case, the processing carried out in the context of the employment relationship by Deliveroo Italy still has the characteristics ascertained by the Authority during the procedure; from this follows the application of the current sector regulations (Article 2, Legislative Decree 15.6.2015, no. 81). In any case, the case would also fall within paragraph 1 of the aforementioned art. 2, legislative decree n. 81/2015 in the text prior to the recent regulatory changes that took place in 2019 (applicable to "mainly personal, continuous work, the execution methods of which are organized by the client also with reference to time and place of work"). Therefore, given the provisions of art. 4, l. 300/1970 cit., it is noted that Deliveroo Italy carries out a meticulous check on the work performance carried out by the riders, through the continuous geolocation of the device (carried out in ways that go beyond what is necessary to assign the order based on the rider's distance from the collection and delivery point, as claimed by the company; see previous point 1.1., lett.) and the storage of a multiplicity of additional personal data collected during the execution of the order, including communications with customer care. Art. 114 of the Code ("Guarantees regarding remote control"), as already mentioned, refers to art. 4, l. n.
300/1970 as a condition of lawfulness of the processing of personal data carried out in the context of the employment relationship. On the basis of this last provision, "The audiovisual systems and other tools from which the possibility of remote control of workers' activity derives can be used exclusively for organizational and production needs, for work safety and for the protection of company assets and can be installed after a collective agreement stipulated by the unitary union representation or by the company union representatives. Alternatively, in the case of companies with production units located in different provinces of the same region or in several regions, this agreement can be stipulated by the comparatively most representative trade unions on a national level. In the absence of an agreement, the systems and tools referred to in the first period may be installed with the authorization of the territorial office of the National Labour Inspectorate". The company, therefore, through a plurality of technological tools (the digital platform, the app and the channels used by customer care), carries out data processing that allows a meticulous control of the work performance carried out by the riders without complying with the purposes established by art. 4, paragraph 1, l. 300/1970. In relation to the above, the violation of the principle of lawfulness of processing is therefore ascertained (Article 5, paragraph 1, letter a) of the Regulation in relation to art. 114 of the Code), as well as of art. 88 of the Regulation, which allows national law to provide "more specific measures to ensure the protection of rights and freedoms with regard to the processing of personal data of employees in the context of employment relationships".

4. Conclusions: declaration of unlawfulness of the processing. Corrective measures pursuant to art. 58, par. 2, of the Regulation.
For the aforementioned reasons, the Authority considers that the declarations, documentation and reconstructions provided by the data controller during the investigation do not allow the findings notified by the Office with the act initiating the procedure to be overcome, and are therefore unsuitable to allow this proceeding to be closed, since none of the cases provided for by art. 11 of the Garante Regulation n. 1/2019 applies. The processing of personal data carried out by the company is in fact unlawful, in the terms set out above, in relation to Articles 5, par. 1, lett. a), c) and e) (principles of lawfulness, fairness, minimization and storage limitation); 13 (information); 22, par. 3 (appropriate measures for automated processing including profiling); 25 (data protection by design and data protection by default: privacy by design and by default); 30 (register of processing activities), par. 1, lett. c), f) and g); 32 (security measures); 35 (impact assessment); 37, par. 7 (communication of the data protection officer's contact details to the supervisory authority); 88 (processing of data in the context of employment relationships) of the Regulation and 114 (guarantees regarding remote control) of the Code. Given the corrective powers attributed by art. 58, par.
2 of the Regulation, in light of the circumstances of the specific case, it is considered necessary to assign the company a deadline to bring the processing still in place into compliance with the Regulation; the company is therefore enjoined to bring its processing into compliance with the Regulation, with reference to:
- the correct preparation of the documents containing the information, in particular providing precise indications to the riders regarding the functioning of the order assignment system currently in use (including the type of data processed and regarding the processing of data already collected by the statistics processing), of the register of processing activities and of the impact assessment, in the terms set out in the motivation (Article 58, paragraph 2, letter d), Regulation);
- the identification of the retention times of the processed data, in the terms set out in the motivation (Article 58, paragraph 2, letter d), Regulation);
- the identification of appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, at least with reference to the right to obtain human intervention by the data controller, to express their opinion and to contest the decision, in relation to automated processing, including profiling, carried out through the platform, within the terms set out in the motivation (Article 58, paragraph 2, letter d), Regulation);
- the identification of appropriate measures aimed at periodically verifying the correctness and accuracy of the results of the algorithmic systems, also in order to ensure that the risk of errors is minimized and to comply with the provisions of art. 47-quinquies, d. lgs. n. 81/2015 regarding the prohibition of discrimination, access to the platform and exclusion from the platform (Article 58, paragraph 2, letter d), Regulation);
- the identification of appropriate measures aimed at introducing tools to avoid improper and discriminatory uses of reputational mechanisms based on feedback; this check must be repeated at each modification of the algorithm, in relation to the use of feedback for calculating the score (Article 58, paragraph 2, letter d), Regulation);
- the application of the principles of minimization and privacy by design and by default, in relation to the processing of rider data, in the terms set out in the motivation (Article 58, paragraph 2, letter d), Regulation);
- compliance with the provisions of art. 4, paragraph 1, l. 20.5.1970, n. 300, within the terms set out in the motivation (art. 58, par. 2, letter d), Regulation);
- the specific identification of the subjects authorized to access the systems, as supervisors, with unrestricted visibility on a territorial basis, defining a priori predetermined hypotheses and specific purposes that make such access necessary and adopting appropriate measures to ensure the verification of such access.

5. Adoption of the injunction order for the application of the pecuniary administrative sanction and ancillary sanctions (Articles 58, paragraph 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

As a result of the complex procedure, it appears that Deliveroo Italy s.r.l. has violated Articles 5, par. 1, lett. a), c) and e); 13; 22, par. 3; 25; 30, par. 1, lett. c), f) and g); 32; 35; 37, par. 7; 88 of the Regulation; 114 of the Code. For the violation of the aforementioned provisions, the administrative sanctions referred to in art. 83, paras. 4 and 5, of the Regulation apply. Considering it necessary to apply paragraph 3 of art.
83 of the Regulation, where it provides that "If, in relation to the same processing or related processing, a data controller [...] violates, with willful misconduct or negligence, various provisions of this regulation, the total amount of the pecuniary administrative sanction does not exceed the amount specified for the most serious violation", and considering that the ascertained violations of art. 5 of the Regulation are to be considered more serious, as they relate to the non-compliance with a plurality of general principles applicable to the processing of personal data and with the applicable sector regulations, the total amount of the sanction is calculated so as not to exceed the maximum legal limit provided for the aforementioned violation. Consequently, the sanction provided for by art. 83, par. 5, lett. a), of the Regulation applies, which sets the maximum legal limit at 20 million euros or, for companies, at 4% of the annual worldwide turnover of the previous year, whichever is higher. With reference to the elements listed in art. 83, par. 2 of the Regulation for the purposes of applying the pecuniary administrative sanction and its quantification, taking into account that the sanction must "in any case [be] effective, proportionate and dissuasive" (Article 83, par.
1 of the Regulation), it is stated that, in the present case, the following circumstances were considered:
a) in relation to the nature, gravity and duration of the violation, the nature of the violation was considered relevant, concerning the general principles of processing, including the principles of lawfulness, fairness and transparency; in particular, the violations also concerned the sector regulations on remote controls and those aimed at protecting work through digital platforms; the violations also concerned multiple further provisions relating to the information to data subjects and to the accountability principle, which is applied in the correct preparation of the register of processing activities, in the carrying out of an impact assessment and in the application of the principle of privacy by design and by default; the obligation to take appropriate measures to protect the rights and freedoms of data subjects in the face of automated processing, including profiling, carried out through the use of a digital platform and the related algorithmic systems was also violated; the violations also concerned the obligations placed on the controller with regard to security measures and the communication to the Authority of the contact details of the data protection officer; it was also considered that some ascertained violations are still in place and began in 2015 (the year in which the company's activities began) and that the processing concerns a considerable number of data subjects (approximately 8,000);
b) with reference to the willful or negligent nature of the violation and the degree of responsibility of the controller, the conduct of the company and its degree of responsibility have been taken into consideration: the company did not spontaneously comply with the data protection rules relating to a plurality of provisions after the start of the procedure by the Authority, with the exception of the abandonment of the SSB priority booking system and the implementation of some internal directives on personal data;
c) in favour of the company, the absence of specific precedents and partial cooperation with the Authority during the procedure were taken into account.
It is also considered relevant in the present case, taking into account the aforementioned principles of effectiveness, proportionality and dissuasiveness with which the Authority must comply in determining the amount of the sanction (Article 83, paragraph 1, of the Regulation), firstly, the economic condition of the offender, determined on the basis of the revenues achieved by the company with reference to the financial statements for the year 2019 (which recorded operating losses). Lastly, the extent of the sanctions imposed in similar cases is taken into account. In light of the elements indicated above and the assessments made, it is considered appropriate, in the present case, to apply against Deliveroo Italy s.r.l. the administrative sanction of the payment of a sum equal to € 2,500,000.00 (two million five hundred thousand). In this context, in consideration of the number and significance of the violations, as well as the extent of the sanction, it is also considered that the ancillary sanction of the publication of this provision on the website of the Garante, provided for by art. 166, paragraph 7, of the Code and by art. 16 of reg. of the Garante n. 1/2019, should be applied. Finally, it is noted that the conditions set out in art. 17 of reg. of the Garante n. 1/2019 are met. Please note that, if the conditions are met, the penalty referred to in art. 83, par. 5, lett. e) of the Regulation may be applied.

ALL THE ABOVE BEING CONSIDERED, THE GARANTE
declares the unlawfulness of the processing carried out by Deliveroo Italy s.r.l., in the person of its legal representative, with registered office in Via Carlo Bo, 11, Milan (MI), C.F. 09214970965, pursuant to art. 143 of the Code, for the violation of art. 5, par. 1, lett. a), c) and e); 13; 22, par. 3; 25; 30, par. 1, lett. c), f) and g); 32; 35; 37, par.
7; 88 of the Regulation; 114 of the Code;
ENJOINS Deliveroo Italy s.r.l.:
1) to bring its processing into compliance with the Regulation, pursuant to art. 58, par. 2, lett. d) of the Regulation, with reference to:
a) the correct preparation of the documents containing the information, the register of processing activities and the impact assessment, within 60 days of receipt of this provision;
b) the identification of the retention times of the processed data, within 60 days of receipt of this provision;
c) the identification of appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, at least the right to obtain human intervention by the data controller, to express their opinion and to contest the decision, in relation to automated processing including profiling carried out through the platform, within 60 days of receipt of this provision;
d) the identification of appropriate measures aimed at periodically verifying the correctness and accuracy of the results of the algorithmic systems, also in order to ensure that the risk of errors is minimized and to comply with the provisions of art. 47-quinquies, d. lgs. n. 81/2015 on the prohibition of discrimination, access to the platform and exclusion from the platform, to be started within 60 days of receipt of this provision, concluding the verification activity within the following 90 days;
e) the identification of appropriate measures aimed at introducing tools to avoid improper and discriminatory use of reputational mechanisms based on feedback, a check that must be repeated at each modification of the algorithm, in relation to the use of feedback for the calculation of the score, to be started within 60 days of receipt of this provision, concluding the verification activity within the following 90 days;
f) the application of the principles of minimization and privacy by design and by default, within 60 days of receipt of this provision;
g) the identification of the subjects authorized to access the systems, as supervisors, with unrestricted visibility on a territorial basis, defining predetermined hypotheses and specific purposes that make such access necessary and adopting appropriate measures to ensure the verification of such access;
h) compliance with the provisions of art. 4, paragraph 1, l. 20.5.1970, n. 300, within 60 days of receipt of this provision;
2) to pay the aforementioned sum of € 2,500,000.00 (two million five hundred thousand), according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent enforcement acts pursuant to art. 27 of law n. 689/1981. Please note that the offender has the right to settle the dispute by paying, again in the manner indicated in the annex, an amount equal to half of the sanction imposed, within the term set out in art. 10, paragraph 3, of Legislative Decree n. 150 of 1.9.2011 provided for the submission of the appeal as indicated below (Article 166, paragraph 8, of the Code);
ORDERS, pursuant to art. 58, par. 2, lett. i) of the Regulation, Deliveroo Italy s.r.l. to pay the sum of € 2,500,000.00 (two million five hundred thousand) as a pecuniary administrative sanction for the violations indicated in this provision;
ORDERS the publication of this provision on the website of the Garante pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Garante Regulation n. 1/2019, and considers that the conditions set out in art. 17 of Regulation no. 1/2019 are met.
REQUESTS Deliveroo Italy s.r.l. to communicate what initiatives have been undertaken in order to implement the provisions of this provision and to provide, in any case, adequately documented feedback pursuant to art. 157 of the Code, within 90 days from the date of notification of this provision; any non-response may result in the application of the administrative sanction provided for by art. 83, par. 5, lett. e) of the Regulation.
Pursuant to art. 78 of the Regulation, as well as articles 152 of the Code and 10 of Legislative Decree no. 150/2011, an opposition to the ordinary judicial authority may be proposed against this provision, with an appeal filed with the ordinary court of the place identified in the same art. 10, within thirty days from the date of communication of the provision itself, or sixty days if the applicant resides abroad.
Rome, July 22, 2021
THE PRESIDENT Stanzione
THE RAPPORTEUR Stanzione
THE SECRETARY GENERAL Mattei

SEE ALSO: NEWSLETTER OF 2 AUGUST 2021
[doc. web n.
9685994]

Order injunction against Deliveroo Italy s.r.l. - July 22, 2021
Record of measures n. 285 of 22 July 2021

THE GARANTE FOR THE PROTECTION OF PERSONAL DATA
AT today's meeting, which was attended by prof. Pasquale Stanzione, president, prof. Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and lawyer Guido Scorza, members, and cons. Fabio Mattei, secretary general;
HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016 (hereinafter, the "Regulation");
HAVING REGARD TO the Code regarding the protection of personal data, containing provisions for the adaptation of the national system to Regulation (EU) 2016/679 (Legislative Decree 30 June 2003, n. 196, as amended by Legislative Decree 10 August 2018, no. 101, hereinafter the "Code");
HAVING REGARD TO the inspections carried out by the Authority at the registered office of Deliveroo Italy s.r.l. on 19 and 20 June 2019;
HAVING EXAMINED the documentation on file;
HAVING REGARD TO the observations made by the Secretary General pursuant to art. 15 of the Garante Regulation n. 1/2000;
RAPPORTEUR prof. Pasquale Stanzione;
WHEREAS
1. Inspection of the company.
1.1. As part of a complex investigation launched ex officio by the Authority, on 19 and 20 June 2019 an on-site inspection was carried out at Deliveroo Italy s.r.l. (hereinafter, the company), with registered office in Italy, which carries out, by means of a digital platform, an activity consisting in the delivery, following orders placed by customers, of food or other goods supplied by multiple operators, using staff specifically dedicated to this (so-called riders). The Authority's control activity and this provision concern the processing of the personal data of the riders.
During the assessment, which was also attended by the representative of the parent company Roofoods LTD (the company that controls 100% of Deliveroo Italy srl) and the group DPO, and during which direct access to the computer systems was made, it was declared that:
a. "The company uses a centralized system managed exclusively by Roofoods, located in the datacenter in Ireland" (see minutes of operations carried out 19.6.2019, p. 3);
b. "The riders have a collaboration agreement with the company [...]. At the moment the contracted riders in Italy are about 8,000" (see minutes cit., p. 4);
c. "After signing the collaboration agreement, the company provides the rider with the code for accessing the «Deliveroo riders» app [which] the employee must install on their mobile device, associating it with their phone number or email" (see minutes cit., p. 4);
d. "The rider is provided with a kit (jacket, backpack with thermal bag inside) and [...] at the time of commissioning [the same] must be within the reference area" (see minutes cit., p. 4);
e. "The data of the riders is shared at group level" (see minutes cit., p. 4);
f. "With regard to the riders, the platform acquires personal and contract data, payment data and data relating to the vehicle used for deliveries (for insurance coverage)" (see minutes cit., p. 5);
g. the group DPO specified that "the determination of the logic relating to the processing of riders' data is established by the UK controller" (see minutes cit., p. 5);
h. in this regard, the company specified that "in a logic of separation of roles with respect to the parent company, it has access only to the data it can influence, feeding the shared DB, without deciding the logic of the processing" (see minutes cit., p. 5);
i. "The shift booking system provides for three access bands at 11/15/17, through weekly booking on Mondays. [...] The criterion of access to the time slots is based, in Italy, on two criteria: availability [of the rider] in the critical time slots (Friday, Saturday and Sunday evening); reliability of availability (i.e. actual participation [of the rider] in the booked shifts or cancellation prior to the start of the shift)" (see minutes cit., p. 5);
j. "The cancellation of the shift before its start does not affect the percentage, and is stored on the systems; while not logging in after the start of the shift has a negative impact on the percentage. [...] Refusing an order, in the online state, does not generate any effect on the percentage but is stored in the system" (see minutes cit., p. 5-6);
k. "Once the work shift for which availability has been given has started, to accept orders the riders, in order to receive orders within the predetermined area served by the service, must switch, in the app, to the «online» status from «offline»" (see minutes cit., p. 6);
l. "In relation to the attribution of remuneration [...] the online rider who is not assigned the minimum number of orders (1.5) still receives a consideration connected with this, while if he refuses or does not take charge of all the orders, this behaviour has no effect on the score but on the remuneration that is linked to the single delivery" (see minutes cit., p. 6);
m. "An order assigned to a rider and not taken over within 60 seconds is automatically reassigned to another rider" (see minutes cit., p. 6);
n. "The management of the order by a rider involves several phases, all tracked, through the app, by the system also for subsequent order analysis activities. These phases are: acceptance of the order; signalling of arrival at the restaurant; goods collection notification; notification of arrival at the customer; notification of order delivered to the customer. [...] The data relating to the order as a whole are stored in the system" (see minutes cit., p. 6);
o. "The position of the rider is used by the system when assigning the order, to allow maximum efficiency of the delivery, also taking into account the position of the restaurant, the customer and the means of transport indicated by the rider himself" (see minutes cit., p. 7);
p. "The delivery time proposed to the customer is estimated by the system before the assignment of the rider" (see minutes cit., p. 7);
q. "At the conclusion of the order, the customer can provide an evaluation that is associated with the order and not with the rider" (see minutes cit., p. 7);
r. "The geographical position is detected only when the rider is online in the app, as the app does not geolocate the position in the offline state. The position of the rider is provided exclusively to the customer to monitor the status of his order, starting from when the rider collects the product" (see minutes cit., p. 7);
s. the group DPO specified that "the rider's position is detected every 12 seconds, stored for a period of time which [the company] reserves the right to verify [...]. This storage is functional to the improvement of the times of the different phases of the service (e.g.: waiting at the restaurant, waiting by the customer, travel time ...)" (see minutes cit., p. 7);
t. "No one can access the position of the riders except customer care who, in the event of orders with anomalies (e.g.: delivery with delay compared to the estimated time), can view the position of the rider who is delivering the order" (see minutes cit., p. 7-8);
u. "The position of the rider is also processed for collaboration with the police in case of theft during the route. Furthermore, the position [...] is also used internally for anti-fraud purposes" (see minutes cit., p. 8);
v. "The communication of the DPO was sent to the Authority on May 31, 2019" (see minutes 20.6.2019, p. 2);
w. during access to the systems and in particular to the "management software of the company called Atlas, via the web portal [...]" it was ascertained that "the access landing page displays the data of the riders of any company in the group (even from non-EU countries), being able to set the filter by «Country» only after access" (see minutes cit., p. 2);
x. in this regard, the group DPO stated that "technically the possibility of access is the same regardless of the accessing country" (see minutes cit., p. 2);
y. with reference to the possibility of viewing the data of active riders in another European country (Spain), the group DPO stated that "this operation is not permitted on the basis of the organizational measures adopted with the aim of protecting personal data" (see minutes cit., p. 2);
z. in this regard, the company and the group DPO specified that "the system allows you to view the data of the riders of any company in the group, EU and non-EU, although instructions have been given to the operators aimed at not accessing under any circumstances the data relating to riders from other countries" (see minutes cit., p. 2);
aa. during the access to the systems it was ascertained that "the default access view shows the data without geographic restriction" (see minutes cit., p. 2);
bb. in this regard, the representative of the parent company stated that "the group is implementing a large GDPR project and, as part of the project, a team of dedicated engineers is reviewing the entire access permission system, which will involve a geographic segregation mechanism in relation to the data of the riders. This change will presumably be effective by September 2019" (see minutes cit., p. 2);
cc. when accessing the Atlas system "the detail of a rider was displayed, with the «Atlas History» which contains the list of «issues/triggers», i.e. discrepancies with respect to the estimates programmed automatically by the system and found by customer care in relation to that order" (see minutes cit., p. 2);
dd. in this regard, the group DPO stated that "the data relating to these discrepancies do not currently have a specific deletion date, other than that envisaged by the company policy which is equal to 6 years" (see minutes cit., p. 2);
ee. when accessing the system, "the order in progress by the riders and an order already delivered were displayed, showing the path taken by the rider, as well as his position detected by the system. Different statuses of the order were displayed [...] and the map of the rider's route to deliver the order" (see minutes cit., p. 2);
ff. the "information relating to past orders managed by a particular rider was also accessed directly, also displaying the path taken in past orders" (see minutes cit., p. 2);
gg. with reference to the "Add order log" function present in the Atlas system, the company specified that "this function is used, generally by customer care operators, to enter information elements relating to the order (for example, a customer complaint for the quality of the food delivered)" (see minutes cit., p. 2);
hh. again in relation to the Atlas system, the representative of the parent company stated that "although prohibited by company policy, the system potentially allows you to view the history of the same data also referring to riders from other countries, however [...] the team of engineers in the UK is working on the limitation of access" (see minutes cit., p. 2);
ii. when accessing the various menus of the Atlas system, it was verified that "by default the system offers screens containing the data relating to all the countries in which the service is active" (see minutes, p. 2);
jj. with reference to the communication channels between the company and the riders, the company specified that "the various communications are stored in different systems depending on the type of channel (email, chat, phone calls). The consultation must be carried out separately on each platform in the absence of a specific interface that jointly shows all the communications that have taken place" (see minutes cit., p. 2);
kk. the group DPO stated that "the emails exchanged with the riders are kept for 6 years, according to the company privacy policy" (see minutes cit., p. 3);
ll. when accessing the system that preserves chat conversations with riders, it was ascertained that "the content of the chats appears directly to the operator without the need for further steps"; in this regard, the group DPO specified that "the chats exchanged with the riders are kept for 6 years, according to the company privacy policy" (see minutes cit., p. 3);
mm. when accessing the system that preserves telephone conversations with the riders, it was ascertained that "the search in the system can be carried out by «Call-ID» or by «Agent»" (see minutes cit., p. 3);
nn. the group DPO specified that "telephone conversations with riders are kept for one year, according to the corporate privacy policy [...] presumably by the end of July, the retention time for telephone calls will be set to 28 days, to comply with the European Regulation on the processing of personal data [...]" (see minutes cit., p. 3);
oo. with reference to the reasons for setting the retention times for telephone communications, the company stated that "these decisions are not taken by Deliveroo Italy but by the UK parent company" (see minutes cit., p. 4);
pp.
with reference to the declared use of the location data of the riders for "internal anti-fraud purposes", the company stated that "such data can be used for the management of customer complaints relating, for example, to the non-delivery of an order" (see report cited ., p. 4); qq. with reference to the methods of calculating the amounts to be paid to the riders, the company stated that “the accounting has an integrated system in the« Rider portal »which automatically records the deliveries made by the riders with the relative amount […]. Deliveries may include extra payments related to eg. on specific days (eg 1st May). The accounting calculates the amount to be paid to the rider, also manually calculating other items (eg: promotions linked to specific campaigns such as "Bring a friend") "(see minutes quoted, p. 4); rr. when accessing the system used for accounting, it was verified that even in this “data of the riders of any country, EU and non-EU, in which the service is active, is shown by default. […] The accounts can access the details of the orders and relative history and therefore also the route taken by the rider for delivery "(see minutes quoted, p. 4); ss. with reference to the regulation of relations between the Italian company and the parent company, the group DPO stated that "the member companies sign the document called« Intra Group Data processing Agreement »" (see minutes cited, p. 4); tt. with reference to the impact assessment on data protection, the group DPO stated that "at the moment the DPIA relating to the processing of personal data of riders has not been prepared since the company did not consider that the treatments in question met the criteria in on the basis of which this evaluation is required. This decision is constantly monitored due to the evolution of the state of implementation and the interpretative practices of the data protection authorities of the individual countries "(see minutes cited, p. 4). 1.3.1. 
On 10 July 2019, dissolving the reservation made during the inspections, the company sent the required documentation and a supplementary note to the Authority in which it stated that:
a. "With regard to Italy, the company [...] has successfully completed the technological process of segregating accesses on a territorial basis in the system called Atlas. Consequently, no Italian employee is currently in any way able to access data of riders from other countries. This technical project is currently underway and completion for all relevant markets is estimated for the month of September" (see company note 10.7.2019, p. 2);
b. "With respect to the Atlas system, it should be noted that since technical access control systems have been implemented for each jurisdiction, the previously existing organizational security measures are no longer applicable [...]. [...] Regarding the situation prior to the remedial activities completed, it is emphasized that Italian employees are contractually bound to comply with the legislation on the protection of personal data, as well as with the relevant company policies. Furthermore, during the GDPR training session of 23 May 2018, the legal meaning of 'processing of personal data' was clarified and it was specified that any processing activity should respect the principles of proportionality and minimization" (see note cit., p. 3);
c. "Deliveroo's other relevant systems have implemented segregation by individual jurisdiction, with exceptions for a limited number of supervisors, where necessary. All this is specified in the [...] document on access control [...], together with the remediation plans for three further systems, currently subject to the GDPR remedial program" (see note cit., p. 3);
d. "On the subject of data retention, we wish to confirm that the retention period of 28 days for recorded calls has been successfully implemented by the Deliveroo UK company for the data of each relevant market (including Italy), in line with the existing project [...]" (see note cit., p. 3);
e. in addition to what was declared during the inspections, "the geolocation data of the riders are not collected when the rider's status is set to 'offline'; however, it should be clarified that such data are collected when the rider requests an offline service, for example when he wants to find an operational zone or use the zone sector while offline" (see note cit., p. 3);
f. with reference to the register of processing activities, "since the Deliveroo processing register was provided on 19 June 2019, some minor updates have been made: the location of the managers has been updated; the retention of recorded telephone calls has been removed from the activities of Deliveroo Italy, to align with the recent decision of the parent company".
2. Start of the procedure for the adoption of corrective measures.
2.1. On 20 February 2020, the Office notified the company, pursuant to art. 166, paragraph 5, of the Code, of the alleged violations found, with reference to art. 5, par. 1, lett. a), c) and e) (principles of lawfulness, fairness and transparency, data minimization principle and storage limitation principle); 13 (information); 22 (automated decision-making, including profiling); 25 (data protection by design and by default); 30 (register of processing activities); 32 (security of processing); 35 (data protection impact assessment); 37 (data protection officer); 88 (more specific provisions at national level) of the Regulation; and art. 114 (guarantees regarding remote control) of the Code.
With defense briefs of 12 June 2020, the company stated that:
a. "Deliveroo is a subsidiary of the UK Roofoods Ltd holding [...]
and its operation in Italy is aimed at implementing on the national market a business model conceived, pursued and constantly updated by the Holding itself [...]. [...] There is a clear distinction between the obligations (and responsibilities) as controller of Roofoods and of the Company (and of any other affiliate in the various countries), each being an independent data controller" (note 12.6.2021, p. 1-2);
b. with reference to the information provided to the riders, this "provides the essential core of the information necessary for the data subject to know the nature and impact of the processing carried out by Deliveroo. The riders are in fact put in a position to understand how and what data is processed"; in any case, "in the spirit of loyal collaboration with the Authority [...] the Company [...] undertakes to adapt its information to the recommendations of the Authority" (see note cit., p. 4);
c. in a context characterized by "complexity and changeability [...] of the provisions on data retention [...] the Company and the Holding considered that the provision of a general clause was the best tool, in this first phase of implementation of the GDPR, to communicate to the data subjects, pursuant to art. 13, the self-imposed (including legal) constraint to keep personal data only within the limits of what is strictly necessary for the pursuit of their purposes" (see note cit., p. 4);
d. from the information notice it emerges that the geographical position and type of vehicle are factors used "to evaluate the distance and average speed of travel of the chosen means of transport so as to efficiently propose orders to the riders who are online on the app"; as stated by the company, the latter operates as data controller in relation to the "operations of so-called onboarding (the practice and procedures that are carried out at the beginning of the relationship with the rider, e.g. signing the contract, sending the necessary documents, etc.), including the contractualization, as well as in those of support to the riders and tax and financial reporting"; otherwise, the profiling processing "is [...] subject to the full decision-making domain of the Holding, both in terms of determining the purposes and in terms of the means of processing, being an integral part of the business model, then exported to the individual jurisdictions" (see note cit., p. 5-6);
e. the company, with reference to the information relating to the authorities to which a complaint can be lodged, "considers [...] it important that the data subjects receive full and effective protection before their supervisory authority regardless of the nationality of the data controller, and that they feel free to act before each Authority or both if they wish to lodge a complaint" (see note cit., p. 8);
f. with reference to the retention times of the personal data collected, the company, taking into account the "absence of certain parameters in terms of data retention", "is fully reviewing its retention processes in order to significantly increase the number of different types of personal data, so as to set more precise retention times. In particular, a new data retention policy is being drawn up and will hopefully be implemented by the end of the year"; with the new policy that the company intends to adopt, "general retention times will be indicated for thematic macro-areas, to then go into more detail [...]. This new data retention policy will then be transfused into the information provided to the data subjects [...]. [...] In any case [...] even if the current storage times were considered excessive or excessively generic, the violation of the Regulation [...] would be considered only virtual. In fact, Deliveroo is a Company active in Italy only since 1 October 2015" (see note cit., p. 8-9);
g. during the inspections, the company clarified that "«the various communications are stored in different systems according to the type of channel; [moreover] [the] consultation must be carried out separately on each platform in the absence of a specific interface that jointly shows all the communications that have taken place». With regard to the 'add order log' function [...], the Company clarified (by answering the Authority's questions) that «this functionality is generally used by customer care operators to enter information elements relating to the order (for example, a customer's complaint about the quality of the food delivered)». Furthermore, with the note of 10 July 2019 the Company provided the list of access profiles, the qualifications and the number of users for each profile" (see note cit., p. 10); moreover, according to the company, "it is not explained how the transition from one system to another represents a violation of the principle according to which personal data must be adequate, relevant and limited to what is necessary with respect to the purposes for which they are processed ('minimization')"; "In the same way, [...] it is not explained why further steps are necessary to access communications with the riders so that a customer care employee, once properly authenticated on the reference information system with his credentials through a multi-factor authentication system, can view the communications with the riders in order to carry out his support duties in real time"; "It is believed that the extremely indefinite, vague and fundamentally programmatic nature of the wording of art. 25 makes it almost impossible for obliged controllers to identify with certainty what are the methods to comply with the principle, while avoiding the sanctioning response of the legal system" (see note cit., p. 10-11);
h. with reference to the alleged violation of art. 32 of the Regulation, the company ordered the change in the configuration of the systems "in advance of the shared date of 10 July 2019" and "decided to accept [...] the anomalies reported during the inspection activities, exploiting this negative episode as a moment of general critical self-assessment of the entire technological infrastructure used to protect personal data" (see note cit., p. 11);
i. "All processing relating to the management and effective operation of the app and the underlying business model, including the booking system, is carried out in complete independence by the Holding (as independent data controller)" (see note cit., p. 12);
j. art. 22 of the Regulation does not apply to the profiling activities carried out by the parent company Roofoods through the priority booking system, "given the absence (even abstract) of legal effects or effects that significantly affect the data subject in a similar way" (see note cit., p. 6);
k. with reference to the operation of the SSB booking system, the company specifies that "In areas subject to booking (there are also free login areas, but at the moment not in Italy, even if the Company is rapidly moving in this direction in our country too), every Monday at 17:00 it is possible to book in advance to work the following week (the one that starts on the following Monday). However, it is possible to obtain priority access to bookings, in particular at 11:00 or 15:00. The ability to book as a matter of priority is determined in Italy by two (2) factors: (a) participation, that is, the percentage of booked sessions in which one actually participated (to actually participate it is sufficient to be online, even for a second); (b) participation in the so-called 'Super peak', that is, the number of sessions in which one has been online in conjunction with the peak of demand (from 19:00 to 21:00 on Friday, Saturday and Sunday). These statistics are freely accessible by individual riders within their own page in the app and relate only to the activity of the previous fourteen (14) days, updating daily. Every Sunday the statistics are frozen and the rider receives a push notification informing him of his access time to book sessions (11:00, 15:00 or 17:00)" (see note cit., p. 6);
l. "With the entry into force of the GDPR, the Holding deemed it necessary to appoint a data protection officer (the 'DPO') and on that occasion opted for an appointment at Group level, as permitted by art. 37, par. 2 of the GDPR, making the subsequent communication of the contact details to the ICO in May 2018 pursuant to the Data Protection Act 1998 and in May 2019 pursuant to the GDPR, thus fulfilling the provisions of art. 37, par. 7 of the Regulation" (see note cit., p. 14);
m. "With reference to the activity of recording phone calls with riders, it must be specified that the version of the register analyzed by the Authority is the one provided on the first day of the inspections [...]. As regards the reference to security policies, it is believed that, although it is possible and advisable to summarize the main security measures adopted, it is sufficient to investigate the issue in a transparent way by consulting the documents cited (see doc. 1). Finally, Deliveroo [...] takes note of the fact that its register of processing activities can be improved and is working on a new version, which will promptly implement the recommendations that the Garante will provide here" (see note cit., p. 15);
n. the company considers neither art. 114 of the Code nor art. 2, d.lgs. 15 June 2015, n. 81 applicable to the employment relationship established with the riders, "both in the formulation prior to the 2019 reform and in the current one"; this is because "the relationships of the riders with Deliveroo [...] are self-employment relationships and not coordinated and continuous collaborations (such as those of the well-known judgment of the Supreme Court, the so-called 'Foodora' case, n. 1663/2020), also for reasons [...] of the total freedom of the rider to determine not only the modalities of the service but the very fact of rendering, or not, any service" (see note cit., p. 15-16);
o. "Any form of will and representation of any violations of the legislation on the protection of personal data is considered to be radically excluded, nor is it considered that the Company has engaged in negligent conduct"; "The Group has recently completed a GDPR audit undertaken as part of Phase 2 of GDPR compliance activities"; "The path undertaken from June 2019 to today is characterized by a growing and constant increase in the levels of supervision, both technical (through the implementation of security procedures and protocols) and organizational (thanks to the expansion of the DPO team, the constant support of external professionals, such as the writers, and the increase in company training sessions)" (see note cit., p. 16-17).
2.3. On 9 July 2020, at the headquarters of the Garante, the hearing of the company took place, in which it represented that "from the date of the inspection to today, the Company has profoundly changed its organizational structure in terms of privacy".
2.4. On 21 August 2020, the company made some requests for confidentiality regarding the information provided during the procedure.
2.5. Finally, with a note dated 10 December 2020, the company informed the Authority "that it has completed the procedure for abandoning the booking system called 'SSB' in Italy" and therefore "from 3 November 2020, riders will be able to log in freely at any time in the free login areas, and in other areas it will still be possible for riders to work by booking, but without the priority criteria that were part of SSB".
3.
The outcome of the investigation and the procedure for the adoption of corrective measures.
3.1. Activation of the cooperation procedure for cross-border processing.
After the conclusion of the inspection, having found the existence of some processing operations of a cross-border nature, the Authority, in light of the provisions of art. 56 of the Regulation on cross-border processing, informed without delay the Lead Supervisory Authority (Information Commissioner's Office, ICO), in previous proceedings initiated against Roofoods LTD (the parent company, which has its main establishment in Great Britain) relating to cross-border processing. On 29 November 2019 the ICO accepted the competence of the Italian Authority, pursuant to art. 56, par. 2 of the Regulation, in relation to the processing carried out by Deliveroo Italy s.r.l. which substantially affects riders who operate solely in Italy on the basis of an employment contract stipulated with the Italian company.
3.2. Controllership of the processing.
On the outcome of the assessment carried out, and based on the examination of the documentation acquired, it emerges that Deliveroo Italy srl, in relation to some processing of data relating to riders, determines the purposes and means of the processing itself (see Article 4, no. 7, Regulation). This emerges, specifically:
from the types of activities and personal data indicated in the processing register prepared by the company (see note 10.7.2019, Annex L, "Deliveroo Italy - Register of processing activities (Updated)", in particular with reference to the activities "Agreement with the riders", "Discretion to carry out some support operations to the rider on a daily basis", "Tax and financial reporting", and the related types of personal data processed: "Names and contact information, including email, contract and signature", "Name and data, including email, telephone and any communication with the rider", "Invoices");
from the results of access to the systems developed by Deliveroo Italy (Rider Portal, to "manage riders daily, including key profile information and payment details"; Admin, to "see the number of hours worked, the area and the rider's phone number"; Atlas, to "troubleshoot last 28-day orders") and (admittedly) third-party systems (NVM, which "facilitates calls with riders and retention of call records"; Zendesk, for "Support tickets via email"; Zopim, to "support tickets via chat"), through which the company processes the personal data of the riders collected by the system, relating to all the details of the order, the geographical position collected through GPS, the storage of the routes traveled on the map, and the data collected and stored during the communications made (in inbound and outbound mode) by the Rider Support Team (managed by the company) through phone calls, chats and e-mails, also in the presence of the "anomalies" indicated in the list of so-called triggers (see note 10.7.2019, Annex C and screenshots of the accesses made to the systems on 20.6.2019);
from the information document "Privacy policy of the Rider for Italy", updated on 24 May 2018, where it is clarified that: Roofoods Limited and Deliveroo Italy are "the 'data controllers' of the information that [will be collected on] the candidates to become riders and [on] riders"; any questions or requests relating to the privacy policy may be addressed to the "Rider Italia Support Team" or to the Data Protection Officer (DPO); any complaints can be presented to the Garante per la protezione dei dati personali;
from the (autonomous) decision of the company, as data controller, not to carry out the data protection impact assessment in relation to the processing carried out, "as it is not deemed necessary" (see note 10.7.2019, Annex J).
3.3. Observations on compliance with the legislation on the protection of personal data and violations ascertained.
Upon examination of the declarations made to the Authority during the procedure, as well as of the documentation acquired (in relation to which it is recalled that, unless the fact constitutes a more serious crime, whoever, in proceedings before the Garante, declares or certifies false information or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code, "False statements to the Garante and interruption of the execution of the tasks or the exercise of the powers of the Garante"), it emerged that the company, as controller, has carried out processing operations of personal data concerning a high number of data subjects (equal, according to what was declared at the time of the inspection, to about 8,000 riders) which do not comply with the regulations on the protection of personal data, in the terms described below.
3.3.1. Principle of transparency and inadequacy of the information provided to the data subjects.
With reference to the obligation to provide information to the data subjects, it emerged that the company carried out the processing of the rider data on the basis of an information notice called "Privacy policy of the rider for Italy", made available through a link inserted in point 9.2 of the contract model stipulated with the riders and made available on the company's website (see Annex to the inspection report).
This information document, which is currently still present on the company's website in the same form, does not comply with the data protection provisions under various profiles. In the aforementioned document, the company fails to indicate the concrete methods of processing data relating to the geographic position of the riders, as emerged during the assessment (systematic data collection every 12 seconds), against a completely generic and misleading indication on this point ("when your status is set to 'online' [...], we collect data relating to your geographic location on a discontinuous basis"). In this regard, it cannot fail to be underlined that the particular invasiveness of the processing in question imposes the need to provide information about the specific methods of processing and the timing of the detection of the geographical position: in the absence of such information, the data subject cannot have adequate awareness of the processing of his data. This therefore involves the violation of art. 5, par. 1, lett. a) of the Regulation in relation to the principle of transparency.
Also with regard to storage times, the indications provided in the information notice through tautological formulas are extremely generic and do not allow one to understand what the expected storage time is ("We will not keep your information for a longer period than we think is necessary", see point 6, Privacy policy cit.): therefore, no indications are provided regarding the retention times of some types of data, as resulting both from the processing register (6 years "after the expiry of the contract/termination" for data related to the contract and processed for rider support activities; "Indefinite" for data relating to invoices) and from the verification activities (6 years for the "discrepancies" detected in the management of the order; 1 year for telephone conversations until the date of modification of the data retention policy, communicated on 10.7.2019, which currently, according to what has been declared, provides for retention for 28 days only by the parent company Roofoods). The criteria used to determine the data retention period are also not indicated (see Article 29 Working Party, Guidelines on transparency under Regulation 2016/679, WP260 rev.01). This involves the violation of art. 13, par. 2, lett. a) of the Regulation.
Considering, moreover, that the aforementioned information notice (point 3, letters f) and e), and point 5) refers to the carrying out of profiling activities (explicitly based on the geographical position and the type of vehicle, as well as to "determine the [...] priority access level to booking"), it is also noted that the company has not provided "meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject"; in this regard, it is therefore noted that the company, which, as will be seen in more detail below, also carries out automated processing, including profiling, which can be classified among those referred to in art. 22 of the Regulation, has violated the "enhanced" disclosure obligations that the Regulation explicitly requires in these cases (see Article 13, paragraph 2, letter f)).
Furthermore, the aforementioned information notice cannot be considered compliant with data protection regulations, in particular with art. 13, par. 2, lett. d), also in terms of the indication to the data subjects of the competent supervisory authority in relation to the various processing operations carried out; in fact, it suggests that it is possible to contact either the Garante per la protezione dei dati personali or the Information Commissioner's Office (ICO) indifferently or jointly. This reconstruction was confirmed by the company in its defense briefs, where it specified that it "believes [...] it is important that the data subjects [...] feel free to act before each Authority or both if they wish to file a complaint". However, given that the ICO is not competent to hear complaints relating to processing carried out in Italy by a data controller which has its registered office there, this incorrect indication is misleading with respect to the obligation to provide information on the possibility of lodging a complaint with the competent supervisory authority and does not facilitate the exercise of rights by the data subject. The aforementioned violations must also be considered taking into account that, in the context of the employment relationship, fully informing the worker about the processing of his/her data is an expression of the general principle of fairness of processing (Article 5, letter a) of the Regulation).
3.3.2. Principle of storage limitation.
With reference to the identification of the retention times of the processed data, it emerged that the company has provided for the retention for 6 years, after the termination of the employment relationship, of different types of data of the riders collected for a variety of purposes (data processed for the signing of the employment contract; data relating to communications with the riders through chat and e-mail; data relating to the "discrepancies" found in the management of the order). Until 10 July 2019, the company also kept, for 1 year, (as declared by the group DPO and ascertained by the Authority when accessing the systems), the external data (calling / called number, date, time , duration, outbound / inbound mode) and the content (recordings) of the phone calls made with the riders through the Team Service, while, starting from 10 July 2019, the aforementioned recordings, as declared by the company, are kept by the parent company - and not from the Italian company - for 28 days. Finally, the company, based on what is indicated in the treatment register, keeps the data relating to the invoices issued for the payment of the riders for an "indefinite" time. The path relating to the order is instead stored on the systems for 6 months (as ascertained when accessing the systems). The company has identified a single retention period, equal to 6 years, in itself significant, in relation to a plurality of treatments carried out for different purposes as well as in relation to different types of data, in some cases also referred to the content of communications ( via chat and e-mail) protected by law with particular guarantees. In this regard, we cannot agree with the statement that "the provision of a general clause" is the "best tool" to provide interested parties with information in the face of "complexity and changeability [...] 
of the provisions on data retention", as argued by the company in its defence briefs, since the Authority has already clarified that, given the need to identify retention periods deemed appropriate for each of the purposes actually pursued with the processing of the different categories of personal data, the controller must not limit itself to identifying "blocks" of homogeneous time bands (decision of 9 January 2020, no. 8, web doc. no. 9263597). Even though the (broad) 6-year retention period has not yet been reached in this case, since the company has been active since 1 October 2015, the wide range of data collected appeared, at the time of the assessment, to have been retained for a considerable period (over four years) without any specific assessment of adequacy in relation to the purposes pursued. Nor does this assessment, which is the responsibility of the controller (see Article 5(1)(e) of the Regulation and Recital 39), appear to have been carried out by the company in setting the retention periods for the external data and the content of telephone communications with riders (1 year, in force until 10 July 2019) or for the route maps of individual orders (6 months). Finally, no proportionality assessment at all was carried out for the data relating to the payment of riders and the issuing of the related invoices, which are retained for an "indefinite" period. This resulted in a violation of Article 5(1)(e) of the Regulation, which requires that personal data be kept "in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed".
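To make the difference between a single retention "block" and purpose-bound retention concrete, here is an added illustration in Python (neither Deliveroo's code nor the Authority's): every record carries the purpose it was collected for, every purpose has its own rule, and a policy with an indefinite period or one block for all purposes is rejected before any sweep runs. The purposes, periods, record contents and dates are constructed assumptions chosen only to show the mechanism.

```python
"""Purpose-bound retention versus a single retention block.

Added illustration, not Deliveroo's code. Each record carries the purpose it
was collected for; each purpose has its own retention rule; a sweep deletes
what has expired. Purposes, periods and dates below are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Record:
    record_id: str
    rider_id: str
    purpose: str
    collected_on: date
    payload: str


@dataclass(frozen=True)
class Rule:
    anchor: str                   # "collected" or "relationship_end": where the clock starts
    period: Optional[timedelta]   # None models an "indefinite" entry found in a register


PURPOSES = ("contract", "chat_email", "order_route", "call_metadata", "invoice")

# Weak policy: one 6-year block for everything, and one purpose left open-ended.
SINGLE_BLOCK: Dict[str, Rule] = {p: Rule("relationship_end", timedelta(days=6 * 365)) for p in PURPOSES}
SINGLE_BLOCK["invoice"] = Rule("relationship_end", None)

# Corrected policy: a period justified per purpose (hypothetical values).
PER_PURPOSE: Dict[str, Rule] = {
    "contract":      Rule("relationship_end", timedelta(days=6 * 365)),  # e.g. limitation period for claims
    "chat_email":    Rule("collected", timedelta(days=180)),
    "order_route":   Rule("collected", timedelta(days=30)),
    "call_metadata": Rule("collected", timedelta(days=28)),
    "invoice":       Rule("collected", timedelta(days=10 * 365)),        # e.g. tax bookkeeping
}


def policy_defects(policy: Dict[str, Rule]) -> List[str]:
    """Flag rules that cannot be justified per purpose: indefinite periods and
    a single block applied to every purpose alike."""
    defects = [f"{p}: indefinite retention" for p, r in policy.items() if r.period is None]
    distinct = {r.period for r in policy.values() if r.period is not None}
    if len(policy) > 1 and len(distinct) == 1:
        defects.append("one retention block applied to all purposes")
    return defects


def deadline(rec: Record, rule: Rule, relationship_end: Optional[date]) -> Optional[date]:
    """Date from which the record must be gone; None while the clock has not started."""
    if rule.anchor == "relationship_end":
        if relationship_end is None:        # relationship still running: clock not started
            return None
        return relationship_end + rule.period
    return rec.collected_on + rule.period


def sweep(records: List[Record], policy: Dict[str, Rule], today: date,
          relationship_end: Optional[date] = None) -> Tuple[List[str], List[str]]:
    """Return (kept_ids, deleted_ids). Refuses to run on a defective policy and
    deletes records whose purpose the policy does not know: no purpose, no basis to keep."""
    defects = policy_defects(policy)
    if defects:
        raise ValueError("; ".join(defects))
    kept, deleted = [], []
    for rec in records:
        rule = policy.get(rec.purpose)
        due = deadline(rec, rule, relationship_end) if rule else today
        (deleted if due is not None and due <= today else kept).append(rec.record_id)
    return kept, deleted


# Constructed sample: one rider, five purposes.
SAMPLE = [
    Record("r1", "rider-01", "contract",      date(2016, 1, 5),  "signed contract"),
    Record("r2", "rider-01", "chat_email",    date(2018, 11, 1), "support chat transcript"),
    Record("r3", "rider-01", "order_route",   date(2019, 6, 20), "GPS trail of one order"),
    Record("r4", "rider-01", "call_metadata", date(2019, 6, 1),  "inbound call, 3 min"),
    Record("r5", "rider-01", "invoice",       date(2015, 10, 1), "self-billing invoice"),
]


def demo(today_iso: str = "2019-07-10", relationship_end_iso: Optional[str] = None):
    """Sweep the constructed sample under the per-purpose policy."""
    end = date.fromisoformat(relationship_end_iso) if relationship_end_iso else None
    return sweep(SAMPLE, PER_PURPOSE, date.fromisoformat(today_iso), end)


if __name__ == "__main__":
    print(policy_defects(SINGLE_BLOCK))   # the two defects of the single-block policy
    print(demo())                         # relationship ongoing: contract kept, chat and call data gone
```

The relationship-end anchor is what keeps a contract record while the relationship runs and removes it once the statutory period after termination has elapsed; applying that same anchor and period to chat content or call metadata, as the single-block policy does, keeps data the purpose no longer needs for years.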
In particular, the controller must "ensure that the period for which the personal data are stored is limited to a strict minimum" (see Recital 39). It is nonetheless acknowledged that the company, as stated in its defence briefs, has started a general review of its data retention criteria, within which distinct retention periods will be identified for the data processed (by "macro areas" and by "specific categories of data"). The Authority reserves the right to open a separate procedure regarding the legal basis of the processing of data from telephone calls with Italian riders carried out by the parent company Roofoods Ltd, and regarding its setting of a 28-day retention period for the data collected.
3.3.3. Principle of data minimisation and data protection by design and by default.
On the basis of the company's statements and the results of the access to the systems carried out during the inspection, it emerged that the systems are configured to collect and store all data relating to the management of the order: the data collected through the application used by riders (including GPS location every 12 seconds) and through interactions with customer care; delivery times (estimated and actual) for each phase of the order; the order history of each rider (including the percentage of orders accepted); the time of the last connection; the number and type of "actions" taken against the rider, with the details of each "action"; the area of the city where the order is placed; the map of the order made; and the details of rejected orders.
It also emerged that the systems (in particular Atlas and Payments) are configured so that authorised operators can move from one system to another through simple functions, with the consequent sharing of the data collected in the different systems (see the Add order log function, which allows information from customer care/rider support to be entered in the order details tab; see also the Payments function, from which all the details of each rider's orders, including the history, can be accessed). Furthermore, the chat and e-mail management system was configured, until 10 July 2019, so that an operator could directly access the content of chats and e-mails exchanged with riders without further steps, reconstructing all the communications made by each rider. Contrary to what the company argued in its defence briefs, no specific reasons were presented (nor otherwise emerged) for which operators' simultaneous access to the different systems would be necessary to deliver the services efficiently. This considering that those systems are intended, respectively, for the management of orders in real time and the display of order history (Atlas), and for the management of problems that arose during an order or, independently of any order in progress, in the relationship with riders. The communication channels with riders serve a variety of occurrences, of which the handling of problems with orders in progress is only one. When moving from the order management system to the communications management system and vice versa, operators have access not only to the data of the rider who handled a given order but also to the information relating to all the other riders.
Furthermore, the staff who account for the compensation due to riders (Payments) can directly access all the details of the orders placed by each rider, including the map of the orders and all the other details processed by the system (percentage of orders accepted, last connection, details of every individual step of the order). For these reasons, this configuration of the systems, considering the quantity and variety of data collected and the means of processing in relation to the purpose of managing the delivery of food or other goods, resulted in a violation of Article 5(1)(c) of the Regulation (principle of data minimisation) and of Article 25 of the Regulation (data protection by design and by default).
3.3.4. Security measures.
On the basis of the company's statements and the outcome of the access to the systems carried out during the inspection, it emerged that all systems (both those developed by Deliveroo and those developed by third parties but accessible to Deliveroo), at least until 10 July 2020, allowed operators to access the data of all riders operating both inside and outside the EU. After the Authority's verification activity, the company changed this configuration, so that all systems have now been reconfigured according to the principle of "segregation by single jurisdiction, with exceptions for a limited number of supervisors, where necessary" (see note of 10.7.2019, p. 3), although it has not been specified in which cases supervisors need to access and compare the data of Italian riders with those of riders in other countries, without prejudice to the stated possibility that such processing takes place anonymously for statistical purposes.
The configuration of the systems adopted by the company until 10 July 2019 therefore appears to have breached Article 32 of the Regulation, which provides that "Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk". In fact, until the systems were modified, the company had not adopted adequate technical measures to prevent the operators of the other companies of the group (based in both EU and non-EU countries) from accessing the data of Italian riders processed through the platform. At the same time, the operators authorised to access the platform in Italy could access the rider data processed by all the companies of the group, in the absence of selective access to the system by default.
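As an added illustration, not the company's code, of what "segregation by single jurisdiction, with exceptions for a limited number of supervisors" and selective access by default look like in an access-control layer: the Python gateway below denies cross-jurisdiction access unless the operator is a supervisor holding an explicit grant and stating a reason, returns only the fields the function in use needs, and writes an audit entry either way. The `segregate=False` switch reproduces the earlier everyone-sees-everyone configuration for contrast. Operator names, rider records, function names and field names are constructed.

```python
"""Segregation by jurisdiction with need-to-know views per function.

Added illustration, not Deliveroo's code. Before any record is returned the
gateway decides whether the operator may see the rider at all (home
jurisdiction by default; supervisors need an explicit grant plus a recorded
reason) and which fields the function being used actually needs. All names,
records and field names are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Operator:
    user_id: str
    home: str                                # jurisdiction the operator works for
    role: str                                # "agent" or "supervisor"
    grants: FrozenSet[str] = frozenset()     # extra jurisdictions explicitly granted


@dataclass(frozen=True)
class Rider:
    rider_id: str
    jurisdiction: str
    data: Dict[str, str]


# Each function sees only the fields it needs (hypothetical field names).
FUNCTION_FIELDS: Dict[str, FrozenSet[str]] = {
    "order_support": frozenset({"rider_id", "current_order", "vehicle"}),
    "payments":      frozenset({"rider_id", "completed_orders", "iban"}),
    "rider_chat":    frozenset({"rider_id", "chat_history"}),
}


class AccessGateway:
    def __init__(self, riders: List[Rider], segregate: bool = True):
        self.riders = {r.rider_id: r for r in riders}
        self.segregate = segregate              # False reproduces the pre-10.7.2019 configuration
        self.audit: List[Dict[str, str]] = []

    def _log(self, op: Operator, rider_id: str, function: str, outcome: str, reason: str) -> None:
        self.audit.append({"user": op.user_id, "rider": rider_id, "function": function,
                           "outcome": outcome, "reason": reason})

    def may_see(self, op: Operator, rider: Rider, reason: Optional[str]) -> bool:
        """Default deny across jurisdictions; supervisors with a grant must state a reason."""
        if not self.segregate:                  # legacy configuration: everyone sees everyone
            return True
        if rider.jurisdiction == op.home:
            return True
        return op.role == "supervisor" and rider.jurisdiction in op.grants and bool(reason)

    def view(self, op: Operator, rider_id: str, function: str,
             reason: Optional[str] = None) -> Dict[str, str]:
        """Return the need-to-know subset of a rider's record or raise PermissionError."""
        rider = self.riders.get(rider_id)
        fields = FUNCTION_FIELDS.get(function)
        if rider is None or fields is None or not self.may_see(op, rider, reason):
            self._log(op, rider_id, function, "denied", reason or "")
            raise PermissionError(f"{op.user_id} may not use {function} on {rider_id}")
        self._log(op, rider_id, function, "allowed", reason or "")
        return {k: v for k, v in rider.data.items() if k in fields}

    def outcome(self, op: Operator, rider_id: str, function: str, reason: Optional[str] = None) -> str:
        """'allowed' or 'denied', writing the same audit entry view() would."""
        try:
            self.view(op, rider_id, function, reason)
            return "allowed"
        except PermissionError:
            return "denied"

    def visible(self, op: Operator) -> List[str]:
        """Rider ids the operator can list at all (no reason given, so grants do not apply)."""
        return sorted(r.rider_id for r in self.riders.values() if self.may_see(op, r, None))


# Constructed records: two Italian riders, one French rider.
RIDERS = [
    Rider("it-001", "IT", {"rider_id": "it-001", "current_order": "4711", "vehicle": "bike",
                           "completed_orders": "212", "iban": "<iban>", "chat_history": "<chat>"}),
    Rider("it-002", "IT", {"rider_id": "it-002", "current_order": "", "vehicle": "scooter",
                           "completed_orders": "80", "iban": "<iban>", "chat_history": "<chat>"}),
    Rider("fr-001", "FR", {"rider_id": "fr-001", "current_order": "9001", "vehicle": "bike",
                           "completed_orders": "35", "iban": "<iban>", "chat_history": "<chat>"}),
]
IT_AGENT = Operator("agent-it", "IT", "agent")
IT_SUPERVISOR = Operator("sup-it", "IT", "supervisor", frozenset({"FR"}))

if __name__ == "__main__":
    gw = AccessGateway(RIDERS)
    print(gw.visible(IT_AGENT))                                   # ['it-001', 'it-002']
    print(gw.outcome(IT_AGENT, "fr-001", "order_support"))        # denied
    print(gw.outcome(IT_SUPERVISOR, "fr-001", "payments", "ticket 123: cross-border payout dispute"))
```

Two design points carry the weight here: the decision is taken once, at the gateway, for every function rather than inside each system (so moving from Atlas to Payments cannot widen what an operator sees), and a supervisor exception is a logged, justified event rather than a standing ability to browse other countries' riders.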
This taking into account that the (generic) reminder in the employment contract with employees concerning compliance with data protection law and company policies, together with the explanation of the meaning of processing and of the principles of proportionality and minimisation (which would have been provided during the training course held on 23 May 2018), do not, in the absence of specific instructions on the use of the systems, constitute suitable organisational measures, also in light of the concrete circumstances of the case, to ensure "the ongoing confidentiality, integrity, availability and resilience of processing systems and services", taking into account the concrete risks arising from "accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data". In view of the above, therefore, it does not appear that the company adopted, until 10 July 2019, adequate technical and organisational measures to ensure appropriate security of processing, in violation of Article 32 of the Regulation.
3.3.5. Automated processing, including profiling.
Based on the results of the verification activity, it emerged that the company carried out automated processing, including profiling:
- also intended for the evaluation of "reliability" and "availability" to accept shifts on peak-frequency days, in order to determine priority in the choice of shifts by riders (until 2 November 2020);
- for the assignment of orders within booked shifts, through an algorithmic system called Frank, which remained active even after 2 November 2020, since the company has not declared that it has abandoned it, and which processes at least, according to the company's declarations, the data relating to the geographical position and the type of vehicle used by the rider, considered in relation to the position of the customer and of the business (see page 5 of the riders' privacy policy for Italy: "We process your data [...] to develop our business, our systems and our services [...] to guide our algorithms to make the most effective and accurate decisions, for example by orienting our ordering algorithm, Frank").
In this regard, it is noted that, with reference to the systems used by Roofoods Spain S.L., also a company of the group to which Deliveroo Italy s.r.l. belongs, profiling activities were ascertained by the Juzgado de lo Social n. 19 de Madrid, sentencia 188/2019 ("Once the restaurant's acceptance of the order was confirmed and notified via the tablet to the Deliveroo application, the delivery worker considered the best candidate to handle it was selected; Deliveroo did so through an algorithm, that is, through a mathematical formula that performs a set of operations on the data that feed the application, on the basis of the criteria established by the defendant company (proximity to the pick-up point, determination of a delivery worker's 'optimal' status, etc.)"). In the same terms, again against Roofoods Spain S.L., the Juzgado de lo Social n.
6 de Valencia, sentencia 244/2018 ("The company, with a schedule of 'riders', within the slots chosen by the delivery workers, fixes the timetable of each of them, choosing some rather than others according to the order in which they made their choice and their level of excellence, and sometimes not assigning them some of the shifts requested"). First of all, it should be noted that the processing of personal data carried out through these algorithmic systems presupposes profiling by the company, carried out using riders' personal data to evaluate certain aspects relating to the natural person. The Regulation defines profiling as any form of automated processing of personal data "consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, [...] reliability, behaviour, location or movements" (see Article 4(4)); Recital 71 further specifies that profiling produces legal effects or similarly significantly affects the data subject. The processing carried out by the company in this area certainly produces a significant effect on the data subject, consisting in granting (or denying) access to work opportunities in certain predetermined time slots, and therefore in offering (or denying) an opportunity for work. The company's reconstruction in its defence briefs therefore cannot be accepted, according to which the effect of the profiling activity, through the priority booking system, would be to "abstractly limit the possibility for a rider to book their sessions at the times and in the preferred areas", from which only mere "minor inconveniences" could arise for riders.
Under the SSB booking system, the rider books, through the application, the time slots predetermined by the company, until they are full. The company also, through the system, assigns orders to riders who have set themselves online within a predetermined area. The booking system was configured in Italy to grant priority booking on the basis of a "reliability" factor, i.e. actual participation in booked shifts or cancellation before the start of the shift, and an "availability" factor, i.e. actual participation in the so-called "super peak" shifts (from 7 pm to 9 pm on Friday, Saturday and Sunday), which, according to the company's calculations, have a greater number of orders. The system is designed to present the choice of work shifts first to those who have obtained a higher score (as resulting from the statistics). The available shifts run out as the riders who access the weekly calendar with priority express their preferences, progressively reducing the possibility of accessing shifts and orders for the other riders (Court of Bologna, labour section, order of 31 December 2020, issued against Deliveroo Italy s.r.l.). The score in the statistics produced within the SSB system derives from the application of a mathematical formula; it directly penalises (as stated by the company: see point 1.1, letter j above) the rider who does not log in after the start of the shift and, in rewarding those who actually participate, even if only by activating the online status in the app during the booked sessions, and those who participate in the so-called super peak sessions (see point 2.1, letter k above), penalises riders who do not go online in the booked session and who do not participate (or participate less) in the super peak sessions.
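The following Python sketch is an added illustration, not the SSB system itself (whose formula the decision does not reproduce), of a priority-by-score booking built from the two factors just described, reliability and availability, together with the safeguards an automated decision of this kind needs: the factors behind every rank can be shown to the rider, a rider can contest the result, a named human must close the contest and may override the score, and the outcome is checked periodically for disparity across groups. The weights, the 0.8 disparity threshold, the rider histories and the "group" attribute are assumptions.

```python
"""Priority-by-score shift booking with safeguards for an automated decision.

Added illustration, not Deliveroo's SSB. Every rank is explainable by its
factors, a rider can contest it, a human closes the contest and may override
the score, and results are checked for disparity across groups. Weights,
threshold, histories and the group attribute are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ShiftHistory:
    rider_id: str
    booked: int                 # shifts booked in the window
    attended: int               # booked shifts where the rider went online by shift start
    super_peak_offered: int     # Fri-Sun 19:00-21:00 shifts the rider could take
    super_peak_attended: int
    group: str                  # attribute used only by the disparity check


@dataclass(frozen=True)
class Score:
    rider_id: str
    value: float
    factors: Dict[str, float]   # what a rider can be shown about the logic


def priority_score(h: ShiftHistory) -> Score:
    """Reliability rewards showing up for booked shifts; availability rewards super-peak shifts."""
    reliability = h.attended / h.booked if h.booked else 1.0          # no history: no penalty
    availability = h.super_peak_attended / h.super_peak_offered if h.super_peak_offered else 0.0
    value = round(0.6 * reliability + 0.4 * availability, 3)         # hypothetical weights
    return Score(h.rider_id, value, {"reliability": round(reliability, 3),
                                     "availability": round(availability, 3)})


class ShiftBooking:
    def __init__(self, histories: List[ShiftHistory], disparity_threshold: float = 0.8):
        self.histories = {h.rider_id: h for h in histories}
        self.scores = {h.rider_id: priority_score(h) for h in histories}
        self.overrides: Dict[str, float] = {}      # human decisions replacing computed scores
        self.contests: List[Dict[str, str]] = []
        self.threshold = disparity_threshold

    def effective(self, rider_id: str) -> float:
        return self.overrides.get(rider_id, self.scores[rider_id].value)

    def ranking(self) -> List[str]:
        """Order in which riders get to pick shifts; ties broken by id so the order is reproducible."""
        return sorted(self.scores, key=lambda r: (-self.effective(r), r))

    def explain(self, rider_id: str) -> Dict[str, float]:
        """What the rider is told: effective score, rank and the factors behind it."""
        s = self.scores[rider_id]
        return {"score": self.effective(rider_id),
                "rank": self.ranking().index(rider_id) + 1, **s.factors}

    def contest(self, rider_id: str, statement: str) -> None:
        """Rider expresses a point of view; the contest stays open until a human closes it."""
        self.contests.append({"rider_id": rider_id, "statement": statement,
                              "status": "open", "reviewer": ""})

    def resolve(self, rider_id: str, reviewer: str,
                corrected_score: Optional[float] = None) -> Dict[str, str]:
        """Human intervention: a named reviewer closes the open contest, optionally overriding the score."""
        for c in self.contests:
            if c["rider_id"] == rider_id and c["status"] == "open":
                c["status"], c["reviewer"] = "closed", reviewer
                if corrected_score is not None:
                    self.overrides[rider_id] = corrected_score
                return c
        raise LookupError(f"no open contest for {rider_id}")

    def disparity(self) -> Dict[str, object]:
        """Periodic check: mean effective score per group; a group below threshold x best mean is flagged."""
        per_group: Dict[str, List[float]] = {}
        for rid, h in self.histories.items():
            per_group.setdefault(h.group, []).append(self.effective(rid))
        means = {g: round(sum(v) / len(v), 3) for g, v in per_group.items()}
        best = max(means.values())
        flagged = sorted(g for g, m in means.items() if m < self.threshold * best)
        return {"means": means, "flagged": flagged}


# Constructed histories for three riders.
HISTORIES = [
    ShiftHistory("A", booked=10, attended=10, super_peak_offered=3, super_peak_attended=3, group="x"),
    ShiftHistory("B", booked=10, attended=8,  super_peak_offered=3, super_peak_attended=1, group="y"),
    ShiftHistory("C", booked=5,  attended=5,  super_peak_offered=2, super_peak_attended=0, group="y"),
]

if __name__ == "__main__":
    booking = ShiftBooking(HISTORIES)
    print(booking.ranking(), booking.explain("C"), booking.disparity())
    booking.contest("C", "app did not register me online although I was at the pick-up point")
    booking.resolve("C", "shift-ops reviewer", corrected_score=0.7)
    print(booking.ranking())
```

Note what the disparity check shows on this constructed data: a perfectly reliable rider who never takes super-peak shifts (C) ranks below one who missed bookings (B), and the group that contains no super-peak participants is flagged, which is the kind of result a periodic review is meant to surface before it hardens into systematically fewer shifts for that group.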
Through the score derived from the statistics, the company evaluates the rider's work, thereby producing a significant effect on his or her person. As regards the characteristics of the order assignment algorithm, as they emerged from the verification activities and from the modification that the company claims to have made with effect from 3 November 2020, there is a lack of transparency about its operating mechanisms; nor do the FAQs made available on the company's website provide exhaustive information on the new system. Following the declared suppression of the SSB booking system, the company has still not clarified how the current allocation algorithm operates, although, unless allocation is entirely random, that algorithm must necessarily use priority criteria derived from the data collected. Furthermore, considering that the company, through its various order management systems, continues to collect a large quantity and variety of personal data through the app, customer care and customer feedback, and that the company announced the abandonment of the SSB system without any explanation of the new assignment methods and without any information on the current processing of the data already collected by the statistics system, it is clear that the modification effective from 3 November 2020 concerns at most the criteria for access to work shifts, but not the way in which orders are assigned within a shift. Based on the evidence in the file, the company's reconstruction cannot be accepted, according to which the processing relating to "the management and effective operation of the app [...], including the booking system" is carried out "in complete independence" by the parent company Roofoods as an independent controller.
In fact, the company manages the Deliveroo rider app and, through it, collects and transfers order data to the platform; it collects data relating to communications, anomalies and actions taken, populating the systems; it also collects customer feedback and enters it into the systems (on this last point, the riders' privacy policy for Italy merely states that "We process your data [...] to guarantee and improve the efficiency of our services, for example to understand from your data [...] as well as the data of other riders, what determines a negative experience of customers, restaurants or riders, what are the causes of inefficient deliveries or damage to Deliveroo"). The company may, within certain limits, customise its use of the platform, since it can independently set increases in remuneration on certain holidays or other variables (see point 1.1, letter qq above). It also appears that it was the company that modified the system operating in Italy by abandoning the SSB system (see company note of 10.12.2020) and that changed the configuration of the systems as regards the criteria for accessing them (see point 1.3.1, letter a above). The company therefore collects and enters data into the system and uses the platform to carry out the delivery of goods assigned to riders on the basis of a contract, thereby determining the purposes and means of the processing as controller. In the present case, the application of Article 22 of the Regulation must be considered in light of paragraph 2(a), which excludes the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects the data subject, where the processing is necessary for the performance of a contract between the parties. In this case, however, Article 22, paragraph
3 of the Regulation provides that the controller shall implement suitable measures to "safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention [...], to express his or her point of view and to contest the decision". On the basis of the investigations carried out, it does not appear that the company adopted these measures. Furthermore, it does not appear that the company, in relation to the processing carried out as controller, adopted technical and organisational measures to protect data subjects aimed at periodically verifying the correctness and accuracy of the results of the algorithmic systems and the accuracy, relevance and adequacy of the data used by the system with respect to the purposes pursued, and at minimising the risk of distorted or discriminatory effects in the functioning of the digital platform (see the specific references in Recital 71, cit.; see European Commission, A Union of Equality: Gender Equality Strategy 2020-2025, 5.3.2020, COM(2020) 152 final: "Algorithms and related machine-learning, if not transparent and robust enough, risk repeating, amplifying or contributing to gender biases that programmers may not be aware of or that are the result of specific data selection"). This also in relation to the obligations imposed by the sector rules on the operation of platforms (see Article 47-quinquies of Legislative Decree no. 81/2015, in force since 3.11.2019, according to which "1. The anti-discrimination rules and those protecting the freedom and dignity of the worker laid down for employees, including as regards access to the platform, apply to the workers referred to in Article 47-bis. 2. Exclusion from the platform and reductions in work opportunities attributable to the non-acceptance of a service are prohibited"; on which see, more extensively, paragraph
3.3.9; see also Consultative Committee of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108), Guidelines on Artificial Intelligence and Data Protection, Strasbourg, 25 January 2019: "AI developers, manufacturers, and service providers should adopt forms of algorithm vigilance that promote the accountability of all relevant stakeholders throughout the entire life cycle of these applications, to ensure compliance with data protection and human rights law and principles"). Finally, with regard to the feedback mechanism, it does not appear that the company adopted appropriate measures to prevent improper or discriminatory use of reputational mechanisms based on feedback. In this regard, the Garante, albeit with reference to the rules in force before the application of the Regulation, had already established that automated processing, including profiling, must take place in compliance with the relevant provisions and with adequate safeguards (see decision of 29.11.2018, no. 492; see also decision of 24.11.2016, no. 488, confirmed by Court of Cassation judgment no. 14381 of 25.5.2021). For the above reasons, the company has therefore violated Article 22(3) of the Regulation.
3.3.6. Data protection impact assessment.
With reference to the set of processing operations under examination, the company considered, following its review of the processing carried out, that it was not required to carry out the data protection impact assessment provided for by Article 35 of the Regulation. In this regard, the company specified in its defence briefs that the processing activities carried out by Deliveroo Italy s.r.l. as controller "are substantiated only in the operations of so-called
onboarding [...], including contractualisation, as well as in support for riders and tax and financial reporting", and that, in relation to these activities, the company assessed, and then excluded, the need to carry out an impact assessment. In support of this, the company produced a document entitled "Need for an impact assessment on data protection for processing in Italy by Deliveroo Italy srl", undated and signed, in which, without in-depth explanation of the nature and type of processing carried out, the need to carry out a DPIA pursuant to Article 35 of the Regulation is ruled out by reference to a simplified version of the register of processing activities, supplemented by the assessment that a data protection impact assessment is not needed. On the basis of the evidence in the file, it is not possible, first of all, to accept the company's reconstruction according to which "all processing relating to the management and effective operation of the app [...], including the booking system, is carried out in complete independence from holding (as independent data controller)". In fact, as explained more extensively in paragraph 3.3.5 above, the Italian company directly processes riders' personal data using the digital platform, populating it and using it to manage all stages of the delivery of the orders entrusted to riders. For these reasons there is no doubt that it is the controller of that processing. Where a processing operation "using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons", Article 35(3)(a) of the Regulation requires the controller to carry out the impact assessment. Paragraph 2, letter
a) provides that this assessment is required in particular in the case of a "systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person". In light of this provision, of the indications given by Guidelines WP 248 rev.01 of 4.4.2017 (with reference to criteria nos. 1, 2, 3, 4, 5 and 7) and of the Garante's decision of 11 October 2018, no. 467 ("List of the types of processing subject to the requirement of a data protection impact assessment pursuant to Article 35(4) of Regulation (EU) 2016/679", in GU, SG no. 269 of 19.11.2018), the processing carried out by Deliveroo Italy s.r.l. is among those that present "a high risk to the rights and freedoms of natural persons", with the consequent need to carry out an impact assessment pursuant to Article 35 of the Regulation before the processing begins. This considering, in particular, that the data are also processed through the innovative use of a digital platform, whose operating mechanism has been disclosed only in part and which is the object of the activity carried out by the Italian company, as also shown by the company's corporate purpose ("organisation and management of an online software platform (based on web and applications) to connect restaurateurs and other partners with potential customers and facilitate the delivery of food and more through a network of independent transport service providers").
The processing involves the collection and storage of a plurality of personal data, including geographical location and the communications made by telephone (until 10.7.2019), chat and e-mail, as well as all the details of each phase of order management, including the detection (and related handling) of anomalies (triggers), and the consequent profiling and automated processing of a significant number of "vulnerable" data subjects (as parties to an employment relationship; see Guidelines cit., Chap. III, B, no. 7). Considering, therefore, that Deliveroo Italy s.r.l. is the controller of the data of the riders who work for the Italian company, and that Article 35 of the Regulation places on the controller the obligation to carry out an impact assessment before processing where the conditions are met, Deliveroo Italy s.r.l. was required to comply with it in relation to the processing activities carried out by the Italian company itself. It is also noted that the innovative nature of the technology used by the company (of which the geolocation function is only a part, albeit a significant one), and the consequent high risk to the rights and freedoms of data subjects, is evident from the very examination of the functioning of the digital platform around which the activity of Deliveroo Italy s.r.l. revolves; this also taking into account the scope and context (i.e. work via digital platform), the growing expansion of the market sectors concerned, the evolution of the so-called "gig economy" amid the continuous technological changes characterising the labour market, and the full recognition of this evolution by the national legislator (see Law no. 128/2019, converting Decree-Law no. 101 of 3.09.2019, which inserted Chapter V-bis into Legislative Decree no.
81 of 2015, "Protection of work through digital platforms", as well as the new sentence in Article 2(1) of Legislative Decree no. 81/2015, which refers to the "methods of performance of the service [...] organised through platforms, including digital ones") and the attention paid to this phenomenon also by the European institutions (see European Commission, document of 24.2.2021, "Questions and Answers: First stage social partners consultation on improving the working conditions in platform work"; European Parliament, Legislative Observatory, Fair working conditions, rights and social protection for platform workers - New forms of employment linked to digital development, 2019/2186(INI), 2019; European Parliament and Council, Directive 2019/1152 on transparent and predictable working conditions, 2019, which also refers to digital platform workers), as well as by the case law at national and European level (see paragraph 3.3.9). The processing of a large number of different types of data, relating to a significant number of data subjects, carried out through a digital platform based on the algorithmic functions described above which matches supply and demand, is in fact clearly innovative in character. It is therefore considered that such processing may result in risks to the rights and freedoms of data subjects, as it concerns the "evaluation of personal aspects, in particular analysing or predicting aspects concerning performance at work, [...] reliability or behaviour, location or movements, in order to create or use personal profiles; where personal data of vulnerable natural persons [...] are processed; where processing involves a large amount of personal data and affects a large number of data subjects", and may "give rise to discrimination" (see Recital 75 of the Regulation). For the above reasons, the company has violated Article 35 of the Regulation.
3.3.7.
Notification of the designation of the data protection officer.
The company is required, pursuant to Article 37(1)(b) of the Regulation, to designate a DPO, taking into account that its processing includes regular and systematic monitoring of data subjects on a large scale, also through the collection of location data through an application installed on mobile devices (see Article 29 Working Party, Guidelines on Data Protection Officers, 5 April 2017, WP 243 rev.01, para. 2.1.4, endorsed by the EDPB on 25.5.2018). Based on the documentation in the file, it emerged that the company communicated the contact details of the data protection officer to the Authority, pursuant to Article 37(7) of the Regulation, only on 31 May 2019. In its defence briefs the company specified that the contact details of the group DPO were communicated by the parent company to the ICO "in May 2018 pursuant to the Data Protection Act of 1998 and in May 2019 pursuant to the GDPR". Only later, "in connection with the general reorganization of the Group's data protection governance structure, was it deemed appropriate to communicate the appointment also to the Italian Guarantor Authority". While the designation of the DPO at corporate group level (see Article 37(2) of the Regulation) is considered compliant with data protection law, Article 37(7) provides that "the controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority": consequently, even where the DPO is designated at group level, each entity of the group that is a controller or processor remains obliged to publish the contact details of the DPO and communicate them to the competent supervisory authority (as also clarified by the Authority's FAQ adopted by decision of 29 April 2021, no. 186).
That said, since Deliveroo Italy s.r.l. is the data controller of the data of the riders who work for the Italian company in Italy, the communication to the Guarantor of the designation of the DPO - even if carried out at group level - which is considered suitable pursuant to the provisions of art. 37, par. 7, of the Regulation, was made by the Italian company only on May 31, 2019; it is therefore ascertained that, up to that date, the company failed to make the communication required by art. 37, par. 7 of the Regulation.
3.3.8. Register of processing activities.
On the basis of the documentation acquired overall, it emerged that in the register of processing activities delivered to the Authority (both in the English version, provided during the inspection, and in the updated version of the register sent on 10.7.2019) some types of personal data referring to riders, the processing of which was ascertained during the control activities, are not indicated. In particular, the processing of data relating to geographical position, collected via the GPS of the device in use by the riders, as well as the plurality of data relating to the details of the orders detected through the app, are not recorded. With reference to the identification of storage periods, it also emerged that, in relation to some processing of the data of the "employees" of Deliveroo Italy srl, which is of particular relevance as it concerns disciplinary procedures, internal complaints, health and safety information, disputes and legal proceedings, the retention period is indicated in very general terms ("generally 6-7 years"), and that in relation to some processing of data of both "employees" and "riders" the periods are not determined at all (term "indefinite where the information is stored on the system", in relation to fiscal and financial reporting).
Furthermore, in this regard, it emerged that, while the register acquired during the inspection indicated, for the data relating to the recordings of telephone calls with the riders, a retention period of 28 days, when accessing the systems it was instead ascertained that the retention period was 1 year. From this point of view, therefore, the information in the processing register was incorrect, as it indicated an inaccurate retention period, much lower than that actually implemented. Although the company declared that "the conservation of telephone calls recorded as Deliveroo Italy's activity" had been "removed", the section of the last register of processing activities delivered by the company relating to communications with riders still contains both the "storage path" NVM, relating to recordings of telephone calls, and the reference to the "recipient category" consisting of the "communications management platform, telephone call platform". It is noted that the company, in its defence briefs, stated in this regard that "the reorganization of the processes for handling call recording activities which occurred in conjunction with the inspection activities could not already be transposed into the delivered register". However, it should be noted that the elements described above, still referring to the recording of telephone calls, appear in the version of the register delivered on 10 July 2019, which is specifically marked "updated". The register of processing activities exhibited by the company was then found to be lacking also in terms of the general description of the security, technical and organizational measures pursuant to art. 32 of the Regulation, as the document merely refers generically to an unspecified "security policy" or "IT policy" or "IT security policy", without any reference to specific documents adopted on the subject and without describing, albeit briefly, the measures actually adopted, as required by art. 30, par. 1, lett.
g) of the Regulation (as expressly indicated by the Authority in the aforementioned FAQ on the Register of processing activities: "The security measures can be described in summary and concise form, or in any case in a form suitable to give a general and overall picture of these measures in relation to the processing activities carried out, with the possibility of referring, for a more detailed assessment, to external documents of a general nature (e.g. internal organizational procedures; security policy, etc.)"). Finally, it is noted that the register of processing activities does not bear the date of adoption, the date of the last update or a signature, elements suitable to give the document full reliability, in accordance with the provisions of art. 5, par. 2, of the Regulation in terms of responsibility or accountability. In this regard, the Guarantor has in fact clarified (see FAQ on the Register of processing activities) that the register must be kept constantly updated, since its content must always correspond to the processing actually in place. For this reason "it must in any case bear, in a verifiable manner, the date of its first establishment (or the date of the first creation of each individual form by type of processing) together with that of the last update". The company, therefore, for the above reasons has violated art. 30, par. 1, lett. c), f) and g) in relation to the methods of drafting and keeping the register of processing activities provided for by the law. On this point, it is noted that the company has declared that it is working on a new version of the register of processing activities with the commitment to incorporate "the recommendations that will be provided [...] by the Guarantor".
3.3.9. Applicability of the guarantees referred to in art. 114 of the Code.
The investigations made it possible to establish that the company carries out the processing of the riders' personal data described above in the context of an employment relationship having as its object the transport of food or other goods from restaurants or other partner merchants of the company, through the use of a digital platform and for a fee. Deliveroo Italy enters into with the riders a model contract prepared by the company, defined as a "collaboration contract", the object of which is the provision of services relating to the "withdrawal by the rider from restaurants or other partners [...] of hot / cold prepared food and / or drinks ("order") offered to the rider through the Deliveroo rider application ("App"), and the delivery of such orders by bicycle, motor vehicle, motor vehicle, motorcycle to Deliveroo customers. The rider is not obliged to carry out any work for Deliveroo or to accept any proposal for services, nor is Deliveroo obliged to propose any work to the rider". [...] "Deliveroo provides a self-service booking service ("SSB") which can be freely used to log in or to book sessions in which the rider wishes to receive service proposals". In this regard, "the availability during the booked sessions, if not canceled in advance by the rider, and the activity during times of particular traffic may be an element of preference for booking subsequent sessions". Furthermore, "when the rider is logged into the app he can decide whether to accept or reject any proposed services". With reference to the consideration for the service, "Deliveroo reserves the right to offer special additional payments in the event of launches, exceptional promotions, special temporary conditions". The company provides the rider with the service kit (jacket, backpack with thermal bag bearing the company logo).
The processing of personal data referring to the riders carried out by the company as part of the employment relationship governed by the contract described above has very specific characteristics and methods of execution. The rider, in order to carry out the work activity, must necessarily install the Deliveroo rider application on his personal device (smartphone or tablet). To carry out his service he must necessarily access the application, using the credentials provided by the company, which are associated with his (personal) telephone number or e-mail address. Through the application, the rider books his work in certain time slots established by the company, until they are saturated, based on the functioning of the SSB booking system (active at least until November 2, 2020, as declared by the company). The booking system is configured in Italy in such a way as to allow riders to book shifts with priority, based on two specific factors: "reliability", i.e. actual participation in the shifts booked or cancellation prior to the start of the shift; "availability", i.e. the effective participation in the shifts defined as "superpeak". The company, through an additional algorithmic system for assigning orders called Frank, assigns the orders to the rider who has set the "online" mode within a predetermined area. Currently, as declared by the company, access to orders through the application takes place either through the "free log-in" system, in the areas where it is active, or, in the areas where free log-in does not operate, by booking shifts within a weekly calendar (no longer based on the SSB system).
Based on what was made known to the Authority through the note of 10 December 2020 and the scant information made available on its website, the rider statistics "will have no effect and will not affect the time in which [the rider can] access the calendar", although the company has not provided any information on the processing of data already collected by the statistics processing system, nor has it clarified the functioning of the current order assignment algorithm (as already noted in the previous paragraph 3.3.5.). However, it is ascertained that the company, making use of the digital platform, uses a booking and shift assignment system based on data collected with Deliveroo or third-party systems. Also in relation to the areas in which the free log-in system is applied, the company reserves the right to identify additional riders, with respect to those that are available, to assign them orders in the event that "[...] customer requests are higher than the number of Riders present". The company therefore establishes the work shifts (time slots on the weekly calendar), the workplace (identifying the predetermined areas of the city, entered into the system, within which the rider must be at the time of taking up service) and the criteria for access to shifts, also using a system for booking and assigning them, on a weekly basis, through the processing of values carried out by the digital platform (and the related algorithm), which uses all the data collected with the app, those entered by the customer care / rider support function and those deriving from feedback. The company determines the remuneration on the basis of the orders delivered, even if a consideration is recognized even in the absence of orders.
The order execution phase is managed through the system that collects data relating to all phases of the order through the app, including the geographical position detected by GPS, as well as data relating to predetermined situations defined as "discrepancies / triggers", which mostly consist of deviations, even of a few minutes, with respect to the estimated times (e.g. for the collection of food from the restaurant and / or for delivery to the customer), or with respect to predetermined times (e.g. time of actual movement of the rider from the place where he accepted the pick-up), or with respect to the actual movement detected in a predetermined period of time (e.g. 5 minutes after the acceptance of the order the rider has moved within a radius of less than 50 meters). In the event of such predetermined situations, the rider is contacted by customer care. The system collects data relating to the outcome and status of the discrepancies / triggers found (see Annex C to the note of 10.7.2019), with the possibility of accessing, through its systems, the order history as well as a wide range of data processed by the system (including: percentage of acceptance of the last 100 orders; status of the last 5 orders: delivered, rejected, not assigned; number of times there has been a potential problem or in which there has been an action in relation to a specific order; percentage of sessions attended in the most recent 14 days; percentage of sessions canceled with less than 24 hours' notice; percentage of orders that the rider initially accepted but subsequently refused). Furthermore, as already highlighted, the system records and stores the external data and the content of the communications made with the rider via chat and e-mail, as well as, until 10 July 2019, by telephone. The systems used by the company allow the viewing, for each rider, of both the details of the order in progress (including display on the map) and the history of orders carried out.
Considering that the processing of data relating to riders is carried out as part of an employment relationship, it is necessary to preliminarily examine the specific provisions contained in the Regulation on this matter within Chapter IX. In particular, art. 88 of the Regulation is without prejudice to national rules of greater protection ("more specific rules") aimed at ensuring the protection of rights and freedoms with regard to the processing of personal data of workers, regardless of the specific type of employment relationship. This with particular reference to the adoption of "suitable and specific measures to safeguard the data subject's human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing, the transfer of personal data within a group of undertakings, or a group of enterprises engaged in a joint economic activity and monitoring systems at the work place". The national legislator has approved, as a more specific provision, art. 114 of the Code which, among the conditions of lawfulness of the processing - pursuant to art. 5, par. 1, lett. a) of the Regulation - established compliance with the provisions of art. 4, law 20 May 1970, n. 300. The violation of the aforementioned art. 88 of the Regulation is subject, if the requirements are met, to the application of a pecuniary administrative sanction pursuant to art. 83, par. 5, lett. d) of the Regulation. The national legislator, starting from 2015, has also adopted provisions aimed at regulating the scope of work performed through the operation of digital platforms. Art. 2, d. lgs. 15 June 2015, n. 81 established that "With effect from 1 January 2016, the discipline of the subordinate employment relationship also applies to collaboration relationships that take the form of exclusively personal, continuous work and whose execution methods are organized by the client also with reference to time and place of work".
Following the amendments introduced by l. 2 November 2019, n. 128, in force since November 3, 2019, art. 2 above provides that the work performances are not "exclusively" but "mainly" personal, and furthermore, in specifying that the methods of execution of the work are organized by the client, it has deleted the reference to time and place of work. Finally, it was clarified that the provisions apply "even if the procedures for performing the service are organized through platforms, including digital ones". Chapter V-bis, dedicated to "Protection of work through digital platforms", was also added, which introduced the definitions of digital platforms ("the IT programs and procedures used by the client which, regardless of the place of establishment, are instrumental to the activities of delivery of goods, fixing the remuneration and determining the methods of execution of the service") and of riders ("self-employed workers who carry out the delivery of goods on behalf of others, in an urban setting and with the aid of cycles or motor vehicles referred to in Article 47, paragraph 2, letter a), of the Highway Code, referred to in Legislative Decree 30 April 1992, n. 285, also through digital platforms") (see art. 47-bis, legislative decree no. 81/2015). These definitions, as also clarified by the Ministry of Labour circular no. 17 of November 19, 2020, have a general validity, i.e. they also refer to the services rendered in the context of the so-called "hetero-organization" pursuant to the aforementioned art. 2, d. lgs. n. 81/2015.
The aforementioned Chapter V-bis has also established "minimum levels of protection" for riders who, in practice, operate as self-employed workers, in particular by extending the applicability of the "anti-discrimination discipline and that protecting the freedom and dignity of the worker provided for subordinate workers, including access to the platform" and prohibiting "exclusion from the platform and reductions in job opportunities attributable to non-acceptance of the service" (Article 47-quinquies, Legislative Decree no. 81/2015). As a result of the provisions of art. 47-quinquies, d. lgs. n. 81/2015, the application of the rules on "freedom and dignity of the worker" provided for employees - which include those set by art. 4, l. 20.5.1970, n. 300 - therefore falls within the minimum levels of protection guaranteed by the law, regardless of the concrete nature of the employment relationship in place with those who provide the delivery of goods through "including digital" platforms (see Court of Bologna, business section, cit. order). It is also specified that the regulations on the protection of personal data are applicable to the processing of data of workers who carry out their activity through digital platforms (Article 47-sexies, Legislative Decree no. 81/2015). These rights must be understood as recognized to the riders, regardless of the nature of the underlying employment relationship (hetero-organized or autonomous), since they are fundamental and inalienable rights (on the applicability of this overall discipline to riders see Court of Bologna, section, ord. cit.). The processing of personal data subject to assessment is carried out by Deliveroo Italy as part of an employment relationship now regulated by the aforementioned art. 2, d. lgs. n. 81/2015 (as amended by art. 1, paragraph 1, letter a), nos. 1 and 2, d.l. 3.9.2019, n. 101, converted with modifications into l. 2.11.2019, n. 128).
The company, in fact, through the use of a digital platform, allows customers to place orders for food or other goods at a commercial establishment, and organizes the transport and delivery of the goods, in the absence of any coordination established by joint agreement with the riders. From the examination of the concrete methods of the processing carried out, it emerges that, regardless of what is abstractly provided for in the employment contract, the riders continuously perform the service with mainly personal activities and with executive methods determined and organized by the company, also through the use of a digital platform. The company, through the booking of predetermined work shifts, selects and distributes the shifts themselves through a system that also takes into account the ratings assigned by customers, the quantity of orders assigned and carried out, and the estimated (and actually taken) delivery time (see previous point 1.1., letter p). It is precisely through the operation of these systems (which have at their disposal a plurality of collected data such as, for example, the geographical position, model and operating system of the last device used by the rider) that the company organizes the delivery activity, identifying, among other things, the time and place of the service.
In addition, the activity was organized, at least until the abandonment of the SSB system, so as to reward the riders with the largest number of sessions booked and orders accepted and delivered; at present, without prejudice to the considerations set out above relating to the lack of transparency of the operation of the current booking and order assignment system, the presence of a system for booking work shifts on a weekly basis confirms the company's interest in the service being of a continuous nature (see, for example, the statements made by the company regarding the expected reassignment of the order to another rider if the order is not taken charge of within the short term of 60 seconds; see point 1.1., letter m). It should be emphasized that the rider's choice as to whether and when to perform his / her service is not without consequences in the context of the employment relationship and therefore, contrary to what is claimed by the company, according to which there is the "total freedom of the rider to determine not only the modalities of the service but the very fact of rendering, or not, any service" (see defence briefs, p. 16), this choice cannot be defined as "free" (the same conclusions are reached by the Court of Palermo, labour section, judgment of 24.11.2020, n. 3570, issued against another company operating in the field of "food delivery", Foodinho srl).
The aforementioned reconstruction of the nature of the employment relationship, within which the processing is carried out, is, on the other hand, consistent with what has been ascertained by case law, including European case law, which has, with some recent rulings, qualified the activity of subjects who, through a digital platform, connect customers and operators as the activity of a transport company (see, among the most recent, Court of Justice, Grand Chamber, 20 December 2017, C-434/15, concerning the case involving the company Uber Systems Spain SL; Cour de cassation, Chambre sociale, 4 March 2020, n. 374, adopted against Uber France and Uber BV; Sentencia SOCIAL Nº 805/2020, Tribunal Supremo, Sala de lo Social, Rec 4746/2019 de 25 de Septiembre de 2020 cit., adopted against GlovoApp23). Finally, in this regard, the Court of Cassation (judgment 24 January 2020, n. 1663), ruling in a case concerning the employment relationship between a "food delivery" company and some riders, clarified that the aforementioned art. 2, legislative decree n. 81/2015 must be qualified as a rule of discipline that does not create a new legal category, given that "upon the occurrence of the characteristics of the collaborations identified by art. 2, paragraph 1, of Legislative Decree 81 of 2015, the law imperatively links the application of the subordination discipline". In particular, following some legislative changes that have affected the types of employment contracts in Italy, "the legislator, in an anti-elusive perspective, intended to limit the possible negative consequences, however providing for the application of the regulations of the subordinate employment relationship to forms of continuous and personal collaboration, carried out with the functional interference of the organization unilaterally prepared by the person commissioning the service".
The national legislator arrived at this result by evaluating "certain factual indices deemed significant (personality, continuity, hetero-organization) and sufficient to justify the application of the regulations dictated for the employment relationship [...]". Therefore "when the hetero-organization, accompanied by personality and continuity of performance, is marked to the point of making the collaborator comparable to an employee, equivalent protection is required and, therefore, the remedy of the full application of the regulations of subordinate work". With reference to the rules applicable ratione temporis to the present case, the processing carried out in the context of the employment relationship by Deliveroo Italy still has the characteristics ascertained by the Authority during the procedure; from this follows the application of the current sector regulations (Article 2, Legislative Decree 15.6.2015, no. 81). In any case, paragraph 1 of the aforementioned art. 2, legislative decree n. 81/2015 would apply also in the text prior to the regulatory changes that took place in 2019 (applicable to "mainly personal, continuous work and the execution methods of which are organized by the client also with reference to time and place of work"). Therefore, given the provisions of art. 4, l. 300/1970 cit., it is noted that Deliveroo Italy carries out a meticulous check on the work performance carried out by the riders, through the continuous geolocation of the device (carried out in ways that go beyond what is necessary to assign the order based on the rider's distance from the collection and delivery point, as claimed by the company - see previous point 1.1., lett.) and the storage of a multiplicity of additional personal data collected during the execution of the order, including communications with customer care. Art. 114 of the Code ("Guarantees regarding remote control"), as already mentioned, refers to art. 4, l. n. 300/1970 as a condition of lawfulness of the processing of personal data carried out in the context of the employment relationship. On the basis of this last provision, "The audiovisual systems and other tools from which the possibility of remote control of workers' activity derives can be used exclusively for organizational and production needs, for work safety and for the protection of company assets and can be installed after a collective agreement stipulated by the unitary union representation or by the company union representatives. Alternatively, in the case of companies with production units located in different provinces of the same region or in several regions, this agreement can be stipulated by the comparatively most representative trade unions on a national level. In the absence of an agreement, the systems and tools referred to in the first sentence may be installed with the authorization of the territorial office of the National Labour Inspectorate". The company, therefore, through a plurality of technological tools (the digital platform, the app and the channels used by customer care), carries out data processing that allows a meticulous control of the work performance carried out by the riders without complying with the purposes established by art. 4, paragraph 1, l. 300/1970. In relation to the above, the violation of the principle of lawfulness of processing is therefore ascertained (Article 5, paragraph 1, letter a) of the Regulation in relation to art. 114 of the Code), as well as of art. 88 of the Regulation, which allows national law to provide "more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees' personal data in the employment context".
4. Conclusions: declaration of unlawfulness of the processing. Corrective measures pursuant to art. 58, par. 2, Regulation.
For the aforementioned reasons, the Authority believes that the declarations, documentation and reconstructions provided by the data controller during the investigation do not overcome the findings notified by the Office with the act initiating the procedure, and are therefore unsuitable to allow the filing of this proceeding, since none of the cases provided for by art. 11 of the Guarantor Regulation n. 1/2019 applies. The processing of personal data carried out by the company is in fact unlawful, in the terms set out above, in relation to articles 5, par. 1, lett. a), c) and e) (principles of lawfulness, fairness, minimization and storage limitation); 13 (information); 22, par. 3 (appropriate measures for automated processing including profiling); 25 (data protection by design and data protection by default: privacy by design and by default); 30 (register of processing activities), par. 1, lett. c), f) and g); 32 (security measures); 35 (impact assessment); 37, par. 7 (communication to the supervisory authority of the data protection officer); 88 (processing of data in the context of employment relationships) of the Regulation, and 114 (guarantees regarding remote control) of the Code. Given the corrective powers attributed by art. 58, par. 2 of the Regulation, in light of the circumstances of the specific case, it is considered necessary to assign the company a deadline to comply with the Regulation for the processing still in place; therefore the company is enjoined to bring its processing into compliance with the Regulation, with reference to:
- the correct preparation of the documents containing the information notice, in particular providing precise indications to the riders regarding the functioning of the order assignment system currently in use (including the type of data processed and the processing of data already collected by the statistics processing), and of the register of processing activities and the impact assessment, in the terms set out in the motivation (Article 58, paragraph 2, letter d), Regulation);
- the identification of the retention periods of the processed data, in the terms set out in the motivation (Article 58, paragraph 2, letter d), Regulation);
- the identification of appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, at least with reference to the right to obtain human intervention by the data controller, to express their opinion and to contest the decision, in relation to automated processing, including profiling, carried out through the platform, within the terms set out in the motivation (Article 58, paragraph 2, letter d), Regulation);
- the identification of appropriate measures aimed at periodically verifying the correctness and accuracy of the results of the algorithmic systems, also in order to ensure that the risk of errors is minimized and to comply with the provisions of art. 47-quinquies, d. lgs. n. 81/2015 regarding the prohibition of discrimination, access to the platform and exclusion from the platform (Article 58, paragraph 2, letter d), Regulation);
- the identification of appropriate measures aimed at introducing tools to avoid improper and discriminatory uses of reputational mechanisms based on feedback; this check must be repeated at each modification of the algorithm, in relation to the use of feedback for calculating the score (Article 58, paragraph 2, letter d), Regulation);
- the application of the principles of minimization and privacy by design and by default, in relation to the processing of rider data, in the terms set out in the motivation (Article 58, paragraph 2, letter d), Regulation);
- compliance with the provisions of art. 4, paragraph 1, l. 20.5.1970, n. 300, within the terms set out in the motivation (art. 58, par. 2, letter d), Regulation);
- the specific identification of the subjects authorized to access the systems, as supervisors, with unrestricted visibility on a territorial basis, defining a priori predetermined hypotheses and specific purposes that make such access necessary and adopting appropriate measures to ensure the verification of such access.
5. Adoption of the injunction order for the application of the pecuniary administrative sanction and ancillary sanctions (Articles 58, paragraph 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).
As a result of the complex procedure, it appears that Deliveroo Italy s.r.l. has violated Articles 5, par. 1, lett. a), c) and e); 13; 22, par. 3; 25; 30, par. 1, lett. c), f) and g); 32; 35; 37, par. 7; 88 of the Regulation; 114 of the Code. For the violation of the aforementioned provisions, the administrative sanctions referred to in art. 83, paras. 4 and 5, of the Regulation apply. Considering it necessary to apply paragraph 3 of art. 83 of the Regulation, where it provides that "If, in relation to the same processing or related processing operations, a data controller [...] violates, with wilful misconduct or negligence, various provisions of this Regulation, the total amount of the pecuniary administrative sanction does not exceed the amount specified for the most serious violation", and considering that the ascertained violations of art. 5 of the Regulation are to be considered more serious, as they relate to non-compliance with a plurality of general principles applicable to the processing of personal data and the applicable sector regulations, the total amount of the sanction is calculated so as not to exceed the maximum statutory amount provided for the aforementioned violation. Consequently, the sanction provided for by art. 83, par. 5, lett. a), of the Regulation applies, which sets the maximum statutory limit at the sum of 20 million euros or, for companies, 4% of the annual worldwide turnover of the previous year, whichever is higher. With reference to the elements listed in art. 83, par. 2 of the Regulation for the purposes of applying the pecuniary administrative sanction and its quantification, taking into account that the sanction must "in any case [be] effective, proportionate and dissuasive" (Article 83, par. 1 of the Regulation), it is stated that, in the present case, the following circumstances were considered: a) in relation to the nature, gravity and duration of the violation, the nature of the violation was considered relevant, concerning the general principles of processing, including the principles of lawfulness, fairness and transparency; in particular, the violations also concerned the sector regulations on remote controls and those aimed at protecting work through digital platforms; the violations also concerned multiple further provisions relating to the information notice and the accountability principle, which is applied in the correct preparation of the register of processing activities, in the carrying out of an impact assessment and in the application of the principle of privacy by design and by default; the obligation to take appropriate measures to protect the rights and freedoms of data subjects in the face of automated processing, including profiling, carried out through the use of a digital platform and the related algorithmic systems was also violated; the violations also concerned the obligations placed on the controller with regard to security measures and the communication to the Authority of the contact details of the data protection officer; it was also considered that some ascertained violations are still in place and began in 2015 (the year in which the company's activities began) and that the processing concerns a considerable number of data subjects (approximately 8,000); b) with reference to the wilful or negligent nature of the violation and the degree of responsibility of the controller, the conduct of the company and its degree of responsibility were taken into consideration, since it did not spontaneously comply with the rules on data protection relating to a plurality of provisions after the start of the procedure by the Authority, with the exception of the abandonment of the SSB priority booking system and the implementation of some internal
directives on personal data; c) in favor of the company, the absence of specific precedents and partial cooperation with the Authority during the procedure was taken into account. It is also believed that they assume relevance, in the present case, taking into account the aforementioned principles of effectiveness, proportionality and dissuasiveness to which the Authority must comply in determining the amount of the sanction (Article 83, paragraph 1, of the Regulation), firstly, the economic conditions of the offender, determined on the basis of the revenues achieved by the company with reference to the financial statements for the year 2019 (which recorded operating losses). Lastly, the extent of the sanctions imposed in similar cases is taken into account. In light of the elements indicated above and the assessments made, it is believed, in the present case, to apply against Deliveroo Italy s.r.l. the administrative sanction for the payment of a sum equal to € 2,500,000.00 (two million and five hundred thousand). In this context, it is also considered, in consideration of the number and significance of the violations, as well as the extent of the sanction, that the ancillary sanction of the publication on the website of the Guarantor of this provision, provided for by art. 166, paragraph 7, of the Code and by art. 16 of reg. of the Guarantor n. 1/2019. Finally, it is noted that the conditions set out in art. 17 of reg. of the Guarantor n. 1/2019. Please note that, if the conditions are met, the penalty referred to in art. 83, par. 5, lett. e) of the Regulations. WHEREAS, THE GUARANTOR detects the unlawfulness of the processing carried out by Deliveroo Italy s.r.l., in the person of its legal representative, with registered office in Via Carlo Bo, 11, Milan (MI), C.F. 09214970965, pursuant to art. 143 of the Code, for the violation of art. 5, par. 1, lett. a), c) and e); 13; 22, par. 3; 25; 30, par. 1, lett. c), f) and g); 32; 35; 37, par. 
7; 88 of the Regulation; 114 of the Code; INJUNCES to Deliveroo Italy s.r.l .: 1) to comply, pursuant to art. 58, par. 2, lett. d) of the Regulation, its processing to the Regulation, with reference: a) the correct preparation of the documents containing the information, the treatment register and the impact assessment, within 60 days of receipt of this provision; b) the identification of the retention times of the processed data, within 60 days of receipt of this provision; c) the identification of appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, at least the right to obtain human intervention by the data controller, to express their opinion and to contest the decision, in relation to automated processing including profiling carried out through the platform, within 60 days of receipt of this provision; d) the identification of appropriate measures aimed at periodically verifying the correctness and accuracy of the results of the algorithmic systems, also in order to ensure that the risk of errors is minimized and to comply with the provisions of art. 47-quinquies, d. lgs. n. 
81/23015 on the prohibition of discrimination, access to the platform and exclusion from the platform, to be started within 60 days of receipt of this provision, concluding the verification activity within the following 90 days; e) the identification of appropriate measures aimed at introducing tools to avoid improper and discriminatory use of reputational mechanisms based on feedback, a check that must be repeated at each modification of the algorithm, in relation to the use of feedback for the calculation of the score, to be started within 60 days of receipt of this provision, concluding the verification activity within the following 90 days; f) the application of the principles of minimization and privacy by design and by default, within 60 days of receipt of this provision; g) identifying the subjects authorized to access the systems, as supervisors, with unrestricted visibility on a territorial basis, defining predetermined hypotheses and specific purposes that make such access necessary and adopting appropriate measures to ensure the verification of such access; h) the fulfillment of the provisions of art. 4, paragraph 1, l. 20.5.1970, n. 300, within 60 days of receipt of this provision; 2) to pay the aforementioned sum of € 2,500,000.00 (two million and five hundred thousand), according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art . 27 of the law n. 689/1981. Please note that the offender has the right to settle the dispute by paying - again in the manner indicated in the annex - of an amount equal to half of the sanction imposed, within the term set out in art. 10, paragraph 3, of the d. lgs. n. 150 of 1.9.2011 provided for the submission of the appeal as indicated below (Article 166, paragraph 8, of the Code); ORDER pursuant to art. 58, par. 2, lett. 
i) of the Regulation to Deliveroo Italy s.r.l., to pay the sum of € 2,500,000.00 (two million and five hundred thousand) as a pecuniary administrative sanction for the violations indicated in this provision; HAS the publication of this provision on the website of the Guarantor pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor Regulation n. 1/20129, and believes that the conditions set out in art. 17 of Regulation no. 1/2019. He requests Deliveroo Italy s.r.l. to communicate what initiatives have been undertaken in order to implement the provisions of this provision and to provide, in any case, adequately documented feedback pursuant to art. 157 of the Code, within 90 days from the date of notification of this provision; any non-response may result in the application of the administrative sanction provided for by art. 83, par. 5, lett. e) of the Regulations. Pursuant to art. 78 of the Regulations, as well as articles 152 of the Code and 10 of Legislative Decree no. 150/2011, an opposition to the ordinary judicial authority may be proposed against this provision, with an appeal filed with the ordinary court of the place identified in the same art. 10, within thirty days from the date of communication of the provision itself, or sixty days if the applicant resides abroad. Rome, July 22, 2021 PRESIDENT Stanzione THE RAPPORTEUR Stanzione THE SECRETARY GENERAL Mattei