Banner1.png
Banner3.png

Difference between revisions of "Garante per la protezione dei dati personali (Italy) - 9675440"

From GDPRhub
 
Line 91: Line 91:
  
 
The DPA set a 60-day deadline for Foodinho to start implementing the measures required to remedy the serious shortcomings it had found, and gave Foodinho an additional 90 days to finalize a redesign of the algorithms.
 
The DPA set a 60-day deadline for Foodinho to start implementing the measures required to remedy the serious shortcomings it had found, and gave Foodinho an additional 90 days to finalize a redesign of the algorithms.
 
 
 
== Comment ==
 
== Comment ==
 
''Share your comments here!''
 
''Share your comments here!''

Latest revision as of 13:51, 28 July 2021

Garante per la protezione dei dati personali (Italy) - 9675440
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(c) GDPR
Article 5(1)(e) GDPR
Article 5(1)(a) GDPR
Article 13 GDPR
Article 22 GDPR
Article 25 GDPR
Article 30 GDPR
Article 32 GDPR
Article 35 GDPR
Article 37 GDPR
Type: Investigation
Outcome: Violation Found
Decided: 10.06.2021
Published:
Fine: €2,600,000
Parties: n/a
National Case Number/Name: 9675440
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: IL GARANTE PER LA PROTEZIONE DEI DATI PERSONALI (in IT)
Initial Contributor: n/a

The Italian DPA fined the digital platform, Foodinho, €2,600,000 for using discriminatory algorithms to manage its food delivery riders. Among other violations, Foodinho failed to supply transparent information about how its reputational rating system for riders works. The investigation revealed that the rating system enabled discriminatory ratings that would exclude riders from job opportunities.

English Summary[edit | edit source]

Facts[edit | edit source]

Foodinho is an Italy-based company and a subsidiary of GlovoApp23, a Spanish-based company. It operates a digital platform for on-demand food delivery in Milan. Employees are typically gig workers who deliver food orders by bike. Of relevance is that, in 2020, the Italian Supreme Court ruled that delivery riders have workers’ rights, regardless of whether they are self-employed. At the time of this decision, Foodinho has some 19,000 delivery riders on its platform.

This is the first decision from the Garante concerning riders and follows from a set of inspections on the handling of employees’ data by the main food delivery companies in Italy. As part of the investigation, the Garante also initiated, for the first time, a joint operation with the Spanish DPA (AEPD) under the terms of the GDPR to shed light on the operation of the digital platform owned by the holding company, GlovoApp23. Of concern to the Garante and the AEPD is how food delivery companies use algorithms to opaquely micromanage platform workers’ labor.

Investigation yielded multiple findings. Firstly, the company had failed to adequately inform its employees on the functioning of the platform and had not implemented suitable safeguards to ensure accuracy and fairness of the algorithmic results that were used to rate riders’ performance. The lack of such safeguards means that discriminatory reviews from clients affected rider ratings.

Secondly, Foodinho did not guarantee procedures to protect the right to obtain human intervention, express one’s opinion, and contest the rider rating resulting use of the algorithms in question, even though ratings could cause a rider to be excluded from job opportunities.

Furthermore, the Garante identified a number of further data protection shortcomings by Foodinho; it had failed to produce satisfactory Data Protection Impact Assessments, implement technical and organizational security measures, appoint a data protection officer appointment, keep records, and implement Data Protection by Design.

Holding[edit | edit source]

The Italian DPA (Garante) held that Foodinho had violated Articles 5(1)(a), (c) and (e), 13, 22, 25, 30, 32, 35 and 37 of the GDPR through its use of algorithms to manage riders doing food deliveries. Accordingly, it issued a fine of €2,600,000. In calculating the fine, the DPA took into account Foodinho’s resistance to cooperation during the investigation, and the large number of riders on the platform.

In addition, the DPA issued an injunction ordering Foodinho to take corrective measures for each violation. Significantly, Foodinho will have to lay down measures preventing inappropriate and/or discriminatory use of reputational mechanisms based on feedback from customers and business partners.

Firstly, to minimize the risk of errors and biases in rider ratings, Foodinho was ordered to check accuracy and relevance of the data used by the system – chats, emails and phone calls between riders and customer care, geolocation at 15-second intervals, mapping of routes, estimated and actual delivery time, details on the handling of current and past orders, feedback from customers and partners, device battery level, etc.

Secondly, the DPA ordered Foodinho to address the discriminatory risk produced by the rating system, which relies on the application of a mathematical formula that penalizes riders who do not promptly accept orders or reject orders, while prioritizing riders who accept orders on schedule.

The DPA set a 60-day deadline for Foodinho to start implementing the measures required to remedy the serious shortcomings it had found, and gave Foodinho an additional 90 days to finalize a redesign of the algorithms.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

Order of injunction against Foodinho srl - 10 June 2021

Register of measures
n. 234 of 10 June 2021

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, professor Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer. Guido Scorza, members and the cons. Fabio Mattei, general secretary;

GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016 (hereinafter, the "Regulation");

GIVEN the Code regarding the protection of personal data, containing provisions for the adaptation of the national system to Regulation (EU) 2016/679 (Legislative Decree 30 June 2003, n.196, as amended by Legislative Decree 10 August 2018, no. 101, hereinafter the "Code");

GIVEN the inspections carried out by the Authority at the registered office of Foodinho srl on 16 and 17 July 2019;

EXAMINED the documentation in deeds;

HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the regulation of the Guarantor n. 1/2000;

RAPPORTEUR prof. Pasquale Stanzione;

WHEREAS

1. The inspection activity towards the company.

1.1. As part of a control activity launched ex officio by the Authority, on 16 and 17 July 2019 an on-site inspection was carried out at Foodinho srl (hereinafter, the company), with registered office in Italy, which carries out , by means of a digital platform, an activity consisting in the delivery, following orders placed by customers, of food or other goods supplied by operators, using specifically dedicated staff (so-called rider). The Authority's control activity concerned the processing of riders' personal data.

During the assessment, which was also attended by a member of the legal office of GlovoApp23 SL (a company that controls 100% Foodinho srl) via telephone connection from Barcelona and during which direct access to the computer systems was made, it has been stated that:

to. "The DPO was appointed at group level, identified in the person of dr. Maria Asuncion Rance Gimenez Salinas, but has not yet been communicated to the Authority. The company will make this communication as soon as possible "(see minutes of transactions completed 16.7.2019, p. 3);

b. the legal department of the parent company, with reference to the privacy impact assessment relating to the processing of riders' data, stated that "the parent company did not consider preparing this document, although it is taking place, one year after entering regulation, an overall due diligence activity aimed at verifying the compliance of corporate procedures with the GDPR. […] No documentation is available to support the decision not to prepare the DPIA ”(see minutes cit., P. 4);

c. with reference to the ways in which the employees and collaborators of the company can exercise the rights provided for by art. 15-22 of Regulation (EU) 2016/679, the company specified that "these methods are reported in paragraph 10 of the information" issued by Foodinho srl to collaborators (riders) and employees (see minutes cit., P. 4 );

d. “The data controller of the riders (so-called glovers) is Foodinho srl while the IT platform for order management is developed by GlovoApp23, which owns it. [...] Foodinho srl and GlovoApp23 have signed a data processing agreement, in which the company, for this type of treatment, has appointed GlovoApp23 as external data processor "(see minutes cited, p. 4);

is. “In case the contract [with the rider] is concluded, the company supplies the equipment (kit) which includes the backpack and other optional equipment. For this equipment the rider issues a deposit of about 65 euros. […] To take orders, riders must install a special app (Glover) […]. Through the app, riders give their willingness to make deliveries in certain time slots (of one hour each), for each day of the week and based on the availability of slots. Once the slot has been booked, the rider can open the app and confirm availability to start receiving orders to be delivered "(see minutes cited, p. 5);

f. "The order proposed to the rider does not include all the details relating to the collection point and the delivery point […]. Once the rider accepts the order, the app provides the exact address of the collection point and communicates it through the app, and with the order code, collects the goods from the merchant. When the rider confirms that he has collected the goods, he receives the precise delivery address and has the right to decide to get advice on the best route. […] This route proposal is made, outside the Glover app, through Google Maps or similar programs […] ”(see minutes quoted, p. 5);

g. “The means of transport used by riders is generally the bicycle or moped and […] this information is used by the app to identify the rider to whom to assign the delivery […]. The identification of areas with a particular traffic situation, not recommended for cyclists for example, is the responsibility of Foodinho ”(see minutes cit., P.6);

h. “The algorithm for assigning deliveries to riders is developed and managed directly by the parent company. Foodinho srl cannot in any way modify the assignment algorithm, but can insert parameters based on local customization. In principle, this algorithm tends to assign the order to the rider closest to the collection area, subject to adjustments based on the characteristics of the delivery and other parameters entered by Foodinho itself "(see minutes cited, p.6);

the. “When the order is proposed to the rider, the maximum amount that will be paid is also proposed. This amount is a variable value, at Foodinho's discretion, based on three elements: a basic fee, which varies by city, a salary per kilometer, 5 cents for each minute of waiting after the first 10/15 at the restaurant "(see . minutes cit., p.6);

j. "There are cases in which, at the discretion of Foodinho srl, bonuses are assigned, in addition to the quota described, generally as a percentage of the consideration, for example in case of rain or in particular circumstances. The application of the bonuses can be carried out by Glovoapp23 on the recommendation of Foodinho or directly by Foodinho srl "(see minutes cit., P.6);

k. “Riders are paid every 15 days, based on the calculations made automatically by the GlovoApp23 system based on the parameters decided by Foodinho. The invoice and the payment order are prepared by Foodinho srl "(see minutes cit., P.6);

L. "Once the contract has been signed, the rider is summoned for an interview, during which the materials and the password for the first access to the Glover app are delivered, to be changed compulsorily" (see minutes cited, p.7);

m. with reference to the ways in which the score is assigned to the riders, the company specified that “the riders' score is initially a default value, assigned to all newly recruited riders. Subsequently this value is increased on the basis of feedback given by customers (15%) (thumb up or thumb down), by merchants (5%), hours of high demand established by partners (35%), orders delivered (10%), platform productivity (35%). These parameters are indicated by Foodinho srl. Those who provide negative feedback are asked to indicate the reasons for this evaluation. […] Not all the reasons given contribute to the rider's score ”(see minutes quoted, p.7, 8);

n. the company has provided the list of reasons “established by Foodinho, relating to a negative evaluation (thumb down) by customers, [specifying that] only the first two contribute to the rider's score: unprofessional courier; the products were not transported correctly; order not delivered; delivery took too long; payment problem; free field"; the company also provided the list of reasons relating to “a negative evaluation (thumb down) by the exhibitors [specifying that] only the first two contribute to the rider's score: rider without backpack; unprofessional rider; rider did not take a photo of the receipt before leaving; other "(see minutes cit., p. 8);

or. during access to the Admin platform - which allows the company to manage merchants and riders - with the profile credentials of the General Counsel and an Operations employee, consisting of a userid, corresponding to the company email, and a password, it was ascertained that “with the General Counsel profile it is possible to enter new cities and new businesses, defining their characteristics. It has been verified that the platform allows you to view the data of the riders of all the countries in which Glovo is active (even outside the EU), by selecting the country of interest from a drop-down menu, being able to access the same details with which the riders are displayed of your country. The live map function has been displayed which allows you to see the orders in progress and the active riders in the current slot positioned on the map of interest. It has been verified that this map is updated with the updated positioning of the riders. [The company] specified that this functionality is necessary for the management of any problems during the delivery of an order "(see minutes cit., P. 8, 9);

p. the company specified that "the geolocation of the riders is activated when the rider is active in the chosen shift, in order to identify the rider closest to the pickup position, while the memorization of the position is activated only during an order in progress, or between acceptance of the order and delivery of the same "(see minutes cit., p. 9);

q. during the direct access to the Admin platform "the form of a delivery in progress was also displayed, which shows the map of the route taken by the rider" (see minutes quoted, p. 9);

r. with reference to the purpose of the score assigned to the riders, the company stated that "the" excellence "score serves the rider to have priority in choosing the slots. In fact, Foodinho, based on the analysis of the order history and abandonment rates (riders who do not show up in the slot or refuse the order) is able, in principle, to predict the number of riders needed in each slot . Then, based on these estimates, a certain number of availabilities are opened in the weekly calendar for each slot. A higher score gives the rider the opportunity to view the calendar, with the relative availabilities, in advance of the others "(see report of operations carried out 17.7.2019, p. 2);

s. "In Italy, in order not to penalize the newly recruited riders too much, it was decided to leave a part of the availability for each slot freely bookable by the riders, regardless of the score, thus providing two distinct moments of booking: the first, with multiple bookable slots with priority based on the score and the second after, with the remaining slots, without priority based on the score and therefore open to all "(see minutes cit., p. 2);

t. "The scoring is generally automated, once the relative parameters established by Foodinho have been established manually, without prejudice to the possibility of Foodinho to intervene manually (for example in the event of a notification by a rider following a negative evaluation) . The system calculates starting from at least 50 orders placed and is based only on the last 50 orders delivered by the rider. The rider has access to the score with a cross-section between the components also for any disputes, and in no way has access to the person who has expressed an opinion "(see minutes quoted, p. 3);

u. “It has been verified that with the profile assigned to the General Manager it is not possible to access the rider score, which is stored in an Excel file stored on Google docs and prepared on the data stored in the Admin platform. This file can be accessed with the Head of Operations credentials "(see minutes cit., P. 3);

v. during direct access to Google docs to check how the riders' scores are displayed and the retention times of the ratings and scores relating to a rider "it has been verified that this file has scores on a scale of 0 to 100 and shows the feedback of the last 50 orders "(see minutes cit., p. 3);

w. the company specified that "as regards the" Reliability "score, determined by the parameters" Rejections Coefficient "," Reassignment Coefficient ", Foodinho reserves the right to penalize if a rider is not available in the autonomously booked shift . The "Seniority" score takes into account the experience gained with the delivery of orders and is based on the number of orders actually delivered. This item, which is worth 10% of the overall score, establishes, based on the parameters set by Foodinho, the number of orders that correspond to the maximum score (the 15th percentile) "(see minutes quoted, p. 3) ;

x. "It has been verified that the parameters relating to the Seniority score can be modified by operating, in the Admin platform, on the settings relating to a specific city, using the item« Seniority threshold »" (see minutes cited, p. 3);

y. the company stated that "on the Admin system, the order data are kept for up to 4 years from the termination of the employment relationship with the rider" (see minutes quoted, p. 4);

z. “Starting from the map of orders on the Admin platform, with the credentials [Operation], the order in progress by a rider was displayed, displaying the route taken, as well as its instantaneous position, detected by the system. The various information related to the order have been displayed. It has been verified that the map relating to the route taken is kept for about 10 months, after which only the positions relating to the point of collection and delivery are kept "(see minutes cited, p. 4);

aa. “The« Wake up couriers »function sends a notification to the riders who have booked a slot and are not active but it is not used by the Operations operators in Italy” (see minutes quoted, p. 4);

bb. "The position of the riders on the map is updated approximately every 15 seconds" (see minutes quoted, p. 4);

cc. the company specified that “the score is visible only if the rider is still active […]” (see minutes quoted, p. 4);

dd. “The rider, depending on the issues on which he asks for assistance, has various communication channels at his disposal. For example, for problems during the order, the rider has a chat with customer service available. While for problems that are not related to deliveries in progress, for example for the score or invoices, riders can send emails to Foodinho or go to the dedicated counter "(see minutes quoted, p. 4, 5);

ee. “The customer service is managed by GlovoApp23 which takes care of interfacing the riders during the order and […] Foodinho has live access to the chat for the riders. The costs of the customer care service are borne by Foodinho srl "(see minutes cit., P. 5);

ff. “Customer care can call the riders, for example to intervene in the management of a problematic order, and […] the calls are recorded and stored by GlovoApp23. [...] No Foodinho employee has the credentials to access [the] platform [for storing phone calls], and a possible re-listening of a phone call is only possible through a procedure that involves sending a specific request to GlovoApp23 by email "(See minutes cit., P. 5);

days with reference to the predefined cases in which the customer care contacts the rider by telephone, the company specified that "such telephone contacts can only take place for orders in progress in the event of problems that cannot be defined via chat" (see minutes cit. , p. 5);

hh. “The tool to use for mail and chat channels is the Kustomer platform” (see minutes quoted, p. 5);

ii. "It has been verified that from the order form on Admin it is possible to access any chat retention relating to the order itself [and] that from the Kustomer system, used by Foodinho to exchange emails with the riders, it is also possible to access conversations in chat ”(see minutes cit., p. 5);

jj. the company specified that "the chat and email data are kept for 4 years from the termination of the employment relationship" (see minutes cited, p. 6);

kk. "The company is evaluating what can be a reasonable amount of time of inactivity of the rider to consider the employment relationship concluded [...] at the moment, in fact, unless a positive action by the rider, the employment relationship is considered in progress for the system even with long periods of inactivity "(see minutes cit., p. 6);

ll. with reference to the retention period of four years, the company declared that "this term was established by Foodinho" (see minutes cit., p. 6);

mm. the legal department of the parent company, with reference to the possibility that operators in other countries where the service is active can also access the data of riders in any city, EU and non-EU, stated that "some specific profiles (for example General Managers and Head of Operations) can access the data of the various countries, also to make comprehensive analyzes possible […] during specific meetings between the top figures of the various countries ”(see minutes quoted, p. 6);

nos. the legal department of the parent company also stated that “GlovoApp23 uses standard contractual clauses with regard to non-EU countries” (see minutes quoted, p. 6).

1.2. The following documentation was acquired during the inspection:

to. copy of the "work performance" contract stipulated between Foodinho srl and a rider on 22.5.2018;

b. facsimile of a "work performance" contract;

c. copy of the document called "Data Protection Information and Policy for Employees" in English;

d. copy of the document called "Personal Data Treatment & Communications and Use of Equipment Policy" in English;

is. copy of the document called “Record of Processing Activities” in English;

f. copy of the information relating to the processing of personal data for Foodinho srl collaborators;

g. copy of the document called "Software Licenses Agreement" in English;

h. copy of the screenshots of the accesses made on the systems on 16.7.2019 and 17.7.2019.

1.3.1. On 12 August 2019, dissolving the reserve made during the inspections, the company sent the following documentation to the Authority:

to. copy of the appointment of the Data Protection Officer (Annex 1);

b. "GlovoApp23 organization chart" (Att. 2);

c. "Foodinho srl organization chart" (Att. 3);

d. description of the algorithm implemented to establish the assignment of orders to riders (Annex 4);

is. description of the algorithm implemented to establish the scoring of the riders (Annex 5);

f. information on the contracts signed with the riders and on the active riders in the periods of interest (Annex 6-7);

g. list of access profiles and rights of Foodinho srl employees (Annex 8);

h. standard contractual clauses for the transfer of data abroad signed by the subjects to whom the personal data of the riders are transferred (Annex 9);

the. architecture of the system used by GlovoApp23 SL for the management of the riders (Annex 10);

j. "Information relating to the telephone call management platform" (All. 11-12-14);

k. documentation relating to the retention period of the riders' personal data (Annex 13);

L. preliminary risk assessment relating to the processing of riders' personal data (Annex 15).

1.3.2. The translation of the documents already delivered to the Authority in English during the inspections was also provided:

to. Data Protection Information and Policy for Employees - Information and policy on the protection of employee data;

b. Data Processing Agreement - Agreement for data processing;

c. Personal Data treatment & communication and use of equipment policy - Policies for the treatment and communication of personal data and use of equipment;

d. Record of processing activities - Record of processing activities;

is. Software license agreement - Software license agreement.

2. Start of the procedure for the adoption of corrective measures.

2.1. On 9 November 2020, the Office notified the company, pursuant to art. 166, paragraph 5, of the Code, the alleged violations found, with reference to art. 5, par. 1, lett. a), c) and e) (principles of lawfulness, correctness and transparency, minimization principle and conservation limitation principle); 13 (information); 22 (automated decision-making process including profiling); 25 (privacy by design and by default); 30 (register of processing activities); 32 (security of treatment); 35 (impact assessment on data protection); 37 (data protection officer); 88 (more specific provisions at national level) of the Regulation; art. 114 (guarantees regarding remote control) of the Code.

With defense briefs of 11 March 2021, the company, represented and defended by lawyer XX, stated that:

to. “Foodinho is a company whose main activity consists in the development and management of a platform […]” (note 11.3.2021, p. 1);

b. "Foodinho, therefore, through the use of technologies already known and used in the transport sector - such as, for example, geolocation systems and instant customer care services - manages (in an innovative way) the so-called" last mile ", facilitating the 'meeting between supply and demand in the delivery sector - transformed, therefore, into “instant” delivery ”(cit. note, p. 1);

c. "The Company - active in Italy only since 2016 - is controlled by the Spanish company GlovoApp23 SL (the" Parent Company ") and carries out the activity described above using a technological infrastructure (mainly software) licensed by the latter and constantly updated" (cit. note, p. 2);

d. "Given that during the Inspection a copy of the information signed by an interested party was not requested, but a" copy (standard ed.) Of the information on the processing of personal data for Foodinho collaborators (riders) ", it should be specified that the the need to sign would exist only if the legal basis of consent was adopted to legitimize the processing or, at most, in order to prove that it had been given to a specific interested party. Having not been asked to provide proof to this effect and having not adopted - in accordance with the indications of the Guarantor - the legal basis of consent (since these are treatments carried out in the context of a contractual relationship between the riders and the Company), the sense of the contestation and, therefore, of the recognized violation.

is. "It should be noted that at the time of the Inspection, the information was made and made available to interested parties on the registration page for the application used by the riders to carry out their activities" [...] For the sake of completeness, it should be noted that currently the The information is provided - as well as in the aforementioned registration form to the Application and through various additional sources of information, as specified below - both at the following link https://glovers.glovoapp.com/it/privacy, and as an attachment to work performance contract for the riders "(cit. note, p. 3);

f. with regard to the disputed omitted indication of the concrete methods of processing personal data relating to the geographical position, "the Company has considered that to explain in detail - in the information provided digitally through the Application - the operating methods of the geolocation of the riders (and the technical indications relating to the processing of data deriving from the same) would have made the information not very usable and difficult to understand for the interested parties, putting itself in contrast with that principle of transparency that the Guarantor believes to have been violated, in addition to the need for clarity "( cit. note, p. 4);

g. "The information on the processing of personal geolocation data - inherent in itself to the type of service provided by the riders - was provided during the interview that precedes the registration to the Application, as well as during the specific training sessions provided to the riders in the context the onboarding phase (sub doc. 3) "(cit. note, p. 4);

h. “It is also possible to argue that pursuant to art. 13, par. 4 of the Regulation, it is not necessary to provide the interested party with information that he already has. In this regard, it is clear that the riders were and are aware of the geolocation activity ”(cit. Note, p. 4-5);

the. as for the alleged omitted indication "(i) of the processing of data relating to communications between the rider and call center, and (ii) of the processing of data relating to the evaluations expressed on the riders by merchants and customers, as well as the fact that said evaluations involved the '' assignment of a score that affects the booking priority of delivery slots [,] it should be noted that said information is and was, in reality, provided during the interview that precedes registration for the Application and during onboarding, as well as in the 'Application itself ”(cit. Note, p. 5);

j. as for the alleged failure to indicate the contact details of the data protection officer "The appointment of the data protection officer pursuant to art. 37 of the Regulation was delegated - for organizational reasons - to the Parent Company, which proceeded to appoint, on 23 May 2019, a data protection officer for the entire group. At the time of the Inspection, however, the Parent Company had not yet communicated the contact details of the same to the Company, which, therefore, had not yet been able to update the information and, in general, the compliance documentation "( cit. note, p. 5);

k. "Since the processing of the personal data of the riders is carried out, essentially, for a single purpose - precisely for the management of the contractual relationship - the Company has decided to adopt a single term for the retention of personal data" (note cit., P. 6);

L. "The retention period relating to the treatments carried out for the purpose of managing the relationship is dictated by specific laws (think, for example, those relating to taxation, social security, etc.) or, in any case, by general rules of the legal system which provide an indication of the reasonable period of time within which the data can still be considered "useful" for the owner (think, for example, of art. 2946 of the Civil Code [...], or of art. 2948, co. 1, n. 4 of the Civil Code […]). At the time of the Inspection, the Company had prudently tried to stay under the data retention terms of ten years and five years (which it could have lawfully adopted for almost all the treatments - eg, control and management of accidents, management of the relationship with the riders, and tax and accounting management, contribution and remuneration management). This choice was dictated by the fact that the Company […] was (and in some respects is still) evaluating the actual need to keep the personal data processed for this purpose for the aforementioned terms. Therefore, in compliance with the principle of minimization of treatment, as per art. 5, par. 1, lett. c) of the Regulation, as well as the principle of privacy by design pursuant to art. 25, par. 1 of the Regulation […] the Company has decided to adopt a preliminary 4-year “precautionary” retention period. In 2021, also following the outcome of this proceeding, the Company will conclude its evaluations regarding the conservation times to be adopted (and in part already adopted) "(note cit., P. 6); This choice was dictated by the fact that the Company […] was (and in some respects still is) evaluating the actual need to keep the personal data processed for this purpose for the aforementioned terms. Therefore, in compliance with the principle of minimization of treatment, as per art. 5, par. 1, lett. c) of the Regulation, as well as the principle of privacy by design pursuant to art. 25, par. 1 of the Regulation […] the Company has decided to adopt a preliminary 4-year “precautionary” retention period. In 2021, also following the outcome of this proceeding, the Company will conclude its own assessments on the retention times to be adopted (and in part already adopted) "(note cit., P. 6); This choice was dictated by the fact that the Company […] was (and in some respects is still) evaluating the actual need to keep the personal data processed for this purpose for the aforementioned terms. Therefore, in compliance with the principle of minimization of treatment, as per art. 5, par. 1, lett. c) of the Regulation, as well as the principle of privacy by design pursuant to art. 25, par. 1 of the Regulation […] the Company has decided to adopt a preliminary 4-year “precautionary” retention period. In 2021, also following the outcome of this proceeding, the Company will conclude its evaluations regarding the conservation times to be adopted (and in part already adopted) "(note cit., P. 6);

m. as for the disputed omitted indication "about the need to keep the data relating to the route taken by the riders for each order, for a period of ten months starting from the delivery of the order [...] having no possibility of influencing the choice of the route by of the rider, the Company needs to keep this data for a time that allows it to respond to any customer complaints, for example in the event of non-delivery of orders, or to provide information to public authorities and insurance companies that may request them. , in case of accidents occurred during the delivery (as already happened) or also to evaluate the correctness of the remuneration paid to the riders. This type of data is also among those necessary for managing the relationship between the Company and the riders. The retention period of the same, therefore, could have been abstractly the same as that adopted for the processing of all other data necessary for the same purpose, as previously described. Despite this, and always in compliance with the principles of minimization and privacy by design, the Company has prudently established a retention period of only ten months (and not four years) ”(note cit., P. 6-7);

n. "The contractual relationship with the riders is subject to the ordinary civil law regarding the termination of the duration contract, which provides, in the event of failure to predetermine the duration, the right for each party to withdraw from the relationship with adequate notice"; moreover "at the time of the Inspection (and, therefore, in 2019) the processing of data took place, in any case, in compliance with the conservation terms adopted" (cit. note, p. 7);

or. "The Company adopts an access segregation policy and system - continuously updated given the short period of activity of the same and its rapid evolution - which limits access to management systems only to figures (specially trained in the field of protection personal data) which, within the scope of their function, need to process certain personal data. For example, as ascertained during the Inspection, the general manager of the Company, [...], despite his top role, does not have access to the "Aircall" application for managing communications between the rider and the Company (sub doc. 6 and fig. 3) "(cit. note, p. 8);

p. “The number [of employees who have direct access to order management systems], although apparently high in itself, is proportionate to the operational needs of the Company. In fact, the Company's activity requires the adoption of an efficient order management and timely customer care system (both on the customer side and on the merchant side) able to guarantee effective execution of the service and to intervene extremely quickly if there are problems during the same. Therefore, in light of the large number of riders registered on the Application at the time of the Inspection - equal to 18,684 - the number of employees who had access to the order management systems was adequate to guarantee the timeliness of the service (each operator can in fact having to provide assistance to over 30 riders at the same time) "(cit. note, p.

q. “Without prejudice to the Company's absolute discretion to assign access profiles in the most functional way to its needs in compliance with the principle of minimization - it should be noted that the two applications [editor's note: Admin and Kustomer] are complementary to each other. In fact, as can be seen from the screenshots acquired during the Inspection (sub doc. 10), the Admin system - consisting of a live database containing data of partners, riders, as well as financial information - allows the management of the entire cycle of each order (end-to-end), while the Kustomer system - customer service management system - allows the exchange of communications via e-mail or chat between riders, users and companies relating to a specific order. It is therefore evident

r. “Access to the data of riders from countries other than the one where the Company is based was (and is) limited only to the top managers of the same and, therefore, to an extremely limited number of operators. This access is necessary to (i) carry out comprehensive data analyzes during specific meetings between the top managers of the various countries in which the group to which the Company belongs operates, and (ii) to allow the interchangeability of rider data as part of any opportunities for their mobility between the different countries in which the companies of the group operate. Despite this need, the Company has recently introduced the so-called “city permission” mechanism developed by the Parent Company, which makes it possible to further limit, on a territorial basis, access to data only for active riders in the country in which it operates;

s. with reference to the need to carry out a privacy impact assessment "the functioning of the Application is globally standardized in its main aspects and, therefore, the assessments regarding the impacts of its use on the rights and freedoms of the data subjects are the responsibility of the Parent Company . […] The latter […] in the document “Couriers Professional Data - Preliminary Analysis on privacy impact assessment” (sub doc. 12), […] did not [have] deemed it necessary to carry out an impact assessment. This document was also evaluated by the Spanish supervisory authority, which shared the conclusion reached by the Parent Company […]. The Company, therefore, has generally aligned itself with the assessments made by the Parent Company "; "As for, however,

t. "The treatments discussed are not among those for which it is mandatory to carry out an impact assessment. In fact, it cannot be argued that the Application and geolocation constitute "new technologies" pursuant to Recitals 89 and 91 of the Regulation [...] "(cit. Note, p. 10);

u. “Neither […] could the obligation to carry out an impact assessment be supported in consideration of the fact that the processing is carried out in the context of an employment relationship (not existing in this case) or collaboration. In fact, the adoption of these technologies as part of the existing contractual relationship is subject to the obligation to carry out an impact assessment only when it may involve remote control of the riders […]. [...] in this case the adoption of these technologies [...] is not aimed at carrying out any remote control on the riders, but is inherent to their activity and necessary for the performance of the work "(cit. Note, p. 11) ;

v. "The Excellence Score relates not to the evaluation of the rider himself (and / or his personal characteristics), but rather (i) to the methods of execution of the service provided through the Application and (ii) to the evaluation of the quality of the service itself "(cit. note, p. 11);

w. “The decision taken by the algorithm cannot be considered based solely on automated processing. [...] For the functioning of the Excellence Score, in fact, human activity is required both for the pre-setting of the parameters of the same (carried out by the Parent Company), and for the (possible) personalization and subsequent reshaping of these parameters, carried out by the Company on the basis of local needs "; “Even assuming that the Excellence Score determines an automated processing […], the same would not in any case be carried out in violation of art. 22 of the Regulation. In fact […] said treatment would be necessary for the execution of the contract between the Company and the riders ”(cit. Note, p. 12);
x. "The Company has guaranteed the interested party the right to obtain human intervention, the right to express their opinion and to contest the decision, dedicating to these purposes a customer care that provides immediate support through a special chat accessible through the Application, as well as an e-mail address and dedicated branches "(cit. Note, p. 12);

y. "The Excellence Score affects the allocation of slots only if" in a certain time slot, more riders than necessary have registered, to favor the riders with the best excellence score "[AEPD document, par. VI, p. 32]. It is limited to giving the riders an order of priority in the choice of delivery slots, leaving in any case part of the availability for each slot that can be booked regardless of the rider's score (also in order not to penalize new members). As regards the methods of calculating the Excellence Score, the assignment of the score to each rider (initially consisting of a default value configurable by city) is carried out through the joint evaluation - relating only to the last 50 orders delivered - of five parameters having different percentage values: (i) merchant feedback (5%) 33; (ii) customer feedback (15%); (iii) yield (eficiencia) (35%); (iv) operations in the high demand bands (35%); and (v) order history (10%) ”(cit. note, p. 13);

z. "Far from having" a significant effect on the person concerned by proposing or denying access to the time slots "- the Excellence Score is a functional tool for the Company's activity aimed, in the event of an excess of riders for a given slot , to allow fairness and efficient management of the service "(cit. note, p. 13);

aa. “The activities relating to the appointment and (formal) communication to the Data Guarantor of the DPO are the exclusive responsibility of the Parent Company […]. And nevertheless, with a view to a complete and transparent collaboration with the Guarantor, the Company proceeded to informally communicate the contacts of the DPO already during the Inspection, despite having received no indication in this regard from the Parent Company. […] On 23 May 2019 - and, therefore, before the Inspection - the Parent Company appointed the DPO for the entire group "(cit. Note, p. 14);

bb. with reference to the preparation of the data processing register "there is no obligation to sign the register under the Privacy Law"; "As regards [...] the indication of the data protection officer and his contacts, [...] given the exclusive competence of the Parent Company for the appointment and communication of his data to the Guarantor, the Company was unable to integrate the register processing until the completion of said formalities by the Parent Company. For the sake of completeness, it should be noted that, once these formalities were completed, the Company proceeded to integrate the treatment register "; “The register is actually organized by sections relating to each category of data subject. Each section is clearly identified [...] by a yellow box positioned in the center of the page [...], within which there is the category of interested parties to which the section refers. Again, […], the register specifically identifies the (six) purposes of processing rider data "; "The" personal "data which is assumed to be lacking in the processing register - that is" the data relating to the communications between the riders and the customer care through chat and email "," the so-called external data of the phone calls "," the data used in the so-called system of excellence "and" the specific data relating to the details of the orders detected through the app "- are not in themselves personal data pursuant to Article 4, par. 1 of the Regulation. In fact, [...] neither the content of the communications (chats / phone calls), nor the data of the system of excellence (evaluation scores) or relating to orders can, in themselves, allow the identification of a natural person, since they do not communicate any information referable to it ”(cit. note, p. 14-15); "Furthermore, even assuming that the data relating to communications can be qualified as personal data, their processing is in any case already mapped in the treatment register as part of the processing carried out for the management of orders, complaints and any customer complaints and / or the requests of the riders "(cit. note, p. 17); "The lack of security measures in the register is due to the fact that at the time of the Inspection the Company had been operating in Italy for only 3 years and, therefore, was still evaluating various IT security service providers, in order to identify - also in agreement with the Parent Company - those most appropriate to the nature / type of processing performed "(cit. note, p. 18);

cc. "The qualification of the relationship between the Company and the riders [...] in terms of a coordinated and continuous hetero-organized collaboration relationship is not correct"; “The relationship between the Company and the riders is a self-employed work / service relationship pursuant to art. 2222 cc does not have any of the characteristics of the so-called co.co.co ex art. 409 cpc and even less the hetero-organization requirement on the part of the client referred to in the aforementioned art. 2 of Legislative Decree 81/2015 "(cit. Note, p. 18);

dd. with reference to the deemed non-existence of the requirements of the coordinated and continuous collaboration relationship “it is undisputed that the vehicles (bicycle / motorbike / car + smartphone) are owned by the riders and that they are completely necessary for the performance of the service. This excludes that personal activity prevails over the means used "; "In the case of the riders [...] the signed contract simply has a regulatory function, that is to set the rules of the performance if and when it will be requested and if and when it will be accepted by the riders, who are in fact free to decide if and when to carry out the performance "(cit. note, p. 19);

ee. "The platform is nothing more than a software that simply assigns delivery orders from customers faster than a natural person could do, without making any determination of the performance and even less any organization of the same" (cit. Note, p. 20) ;

ff. the reference made by the Guarantor to the sentence of the Court of Cassation 24 January 2020, n. 11663, “is first of all irrelevant, as it has as its object a co.co.co relationship and not work performance relationships”; "It is clear that the factual elements on which the Supreme Court based the hetero-organization judgment for the Foodora riders are completely absent in the Company's business model" considering that: "the Foodinho riders poss [o] no connect from any part of the city (so there is no predetermination of place) "," the fact that the riders must then deliver to a certain place is not an extrinsic element of the service that may be the subject of a discretionary directive by the customer but a essential element of the same service: in the absence of indication of the recipient,

days “Further confirmation of the correct qualification of the collaboration relationship carried out by the Company […] is given by the recent entry into force of the new CCNL so-called rider, which formally […] crystallized said qualification” (cit. Note, p. 21);

hh. “Even if we want to […] consider the rules of the subordinate employment relationship applicable to the relationship between the riders and the Company, there would be no violation of the Articles of Association […]. The art. 4, co. 2 of the Statute provides, in fact, a specific derogation from the general discipline in cases where the remote control is carried out through "tools used by the worker to make the performance work". This derogation can be found in the present case "; "In fact, the geolocation system is strictly functional to the performance of the job"; finally, the alleged violation of art. 88 of the Regulation, "this article, in fact, far from imposing specific obligations on the data controller, authorizes the Member States to" provide,

ii. “The intermediation services in instant delivery - the Company's core business - […] began to spread on a large scale less than five years ago, thanks to the affirmation of the gig economy; social phenomenon that brings with it […] a series of new issues to manage. […] This cannot be ignored in evaluating the Company's conduct regarding the processing of personal data ”; “The Company immediately took steps to minimize the processing carried out - for example by adopting a shorter retention period than that abstractly allowed. […] In the course of its activity, the Company has also adopted corrective measures aimed at strengthening its compliance with the Privacy Law. The introduction of the city permission mechanism, for example,

jj. “The Company has constantly increased its technical and organizational measures in order to achieve an ever higher level of compliance with the Privacy Law”, for example, among other things, it has “reviewed and improved its internal policies”; "Introduced new guidelines and a new prevention protocol [as well as" management and reporting "] of data breach events"; "Improved the management systems for the activities that involve the processing of personal data, providing for a restriction on the operators who may have access to them"; “Introduced a website dedicated to riders where it is possible to obtain information on the processing of their personal data” (cit. Note, p. 22).

2.2. The company has also attached the following documentation to the defense briefs: Doc. 01: AEPD Provision - Doc. 02: Screenshot of login page with link to privacy policy - Doc. 03: Training Calendars Customer & Courier Onboarding - Doc. 04: Information screenshot on the evaluations of the riders present in the Application - Doc. 05: Requests of the public safety authority - Doc. 06: Screenshot of the login page in Aircall - Doc. 07: Screenshot of the script showing the number of riders at the date of the Inspection - Doc. 08: Total number of users of the Application by status - Doc. 09: Number of orders by time slot - Doc. 10: Application screenshots Admin and Kustomer - Doc. 11: Training Calendars Onboarding Multiskill - Doc. 12: Couriers' Professional Data - Preliminary Analysis on privacy impact assessment - Doc. 13: Demonstration video of the functioning of the city permission - Doc. 14: Court of Bologna, ord. December 31, 2020 - Doc. 15: Register of treatment activities - Doc. 16: Register of treatment activities updated - Doc. 17: Screenshot of the script showing the total number of orders received in Italy in 2016 - Doc. 18: Court Milan, sent. 584 of 2 March 2021 - Doc. 19: Decree of filing GIP of Turin of 13 July 2018 - Doc. 20: Turin Court of Appeal, sent. of 11 January 2019 - Doc. 21: Assessment results of the Turin Labor Inspectorate of 17 October 2017. Screenshot of the script showing the total number of orders received in Italy in 2016 - Doc. 18: Court of Milan, sent. 584 of 2 March 2021 - Doc. 19: Decree of filing GIP of Turin of 13 July 2018 - Doc. 20: Turin Court of Appeal, sent. of 11 January 2019 - Doc. 21: Assessment results of the Turin Labor Inspectorate of 17 October 2017. Screenshot of the script showing the total number of orders received in Italy in 2016 - Doc. 18: Court of Milan, sent. 584 of 2 March 2021 - Doc. 19: Decree of filing GIP of Turin of 13 July 2018 - Doc. 20: Turin Court of Appeal, sent. of 11 January 2019 - Doc. 21: Assessment results of the Turin Labor Inspectorate of 17 October 2017.

3. The outcome of the investigation and the procedure for the adoption of corrective measures.

3.1. Activation of the cooperation procedure not yet completed.

After the conclusion of the inspection activity, having found the existence of some treatments of a cross-border nature, the Authority informed without delay the Agency Española de Protección de Datos (AEPD) that it declared itself the lead supervisory authority following the outcome of the cooperation procedure launched pursuant to art. 56, par. 1, of the Regulation in relation to cross-border processing carried out by GlovoApp23 SL (parent company which has its main establishment in Spain).

The AEPD, on 21 November 2019, agreed on the competence of the Italian Authority, pursuant to art. 56, par. 2, of the Regulations, in relation to the treatments carried out by Foodinho srl which substantially affect riders who operate solely in Italy on the basis of an employment contract stipulated with the company.

As part of the mutual assistance procedure launched on 2 December 2019 with the AEPD pursuant to art. 61 of the Regulation, the control authorities of Italy and Spain exchanged information relating to the inspections carried out in their respective areas of competence. On 4 September 2020, the AEPD sent the Authority part of the documentation collected as part of the control activities carried out against the parent company. Of the documents thus transmitted three, considered relevant also with respect to the treatments put in place by Foodinho srl which fall within the competence of this Authority pursuant to art. 56, par. 2 of the Regulation, were used to make disputes relating to alleged violations against the Italian company pursuant to art. 166, paragraph 5 of the Code. Foodinho srl,

On January 30, 2021, as part of a procedure pursuant to art. 60 of the Regulation, the AEPD sent to the supervisory authorities concerned - including the Italian one - a draft decision relating to the cross-border processing carried out by GlovoApp23 ("Proyecto de acuerdo de inicio de procedimiento sancionador", Procedimiento N °: PS / 00020 / 2021) other than those for which the lead authority has recognized the competence of the Italian Authority. In accordance with what is permitted by the regulations on cooperation procedures, the supervisory authorities concerned have presented pertinent and motivated objections pursuant to art. 60, par. 4 of the Regulation, requesting the modification and integration of the draft decision on various profiles. At the state, the cooperation procedure preordained for the adoption of a provision pursuant to art. 60, par. 7, of the Regulation has not been concluded and therefore the assessments contained in the draft decision prepared by AEPD, sent to the authorities concerned on January 30, 2021, cannot be considered definitive.

3.2. Ownership of the treatment.

Upon the outcome of the assessment carried out and based on the examination of the documentation acquired, it emerges that Foodinho srl, in relation to some processing of data relating to the riders, determines the purposes and means of the processing itself (see Article 4, n. 7, Regulation) and therefore operates as owner. This, specifically, emerges:

- from the types of activities and personal data indicated in the Register of treatments prepared by the company and referred to at the time of carrying out the control activity (see note 12.8.2019, Annex 4 of the translations into Italian of the documents delivered in English in the course of the inspection activity), "Register of processing activities", version 06 - 20052019, in particular with reference to the section "Relations with suppliers" (where the riders are indicated by suppliers), points 8, 9, 12 and 13 and the related types of personal data processed; also the updated version of the Register lists a plurality of types of processing of personal data relating to riders carried out by the company as owner (see Register of processing activities, version 07, 2019-2021, section "Relations with suppliers",

- the results of direct access to the systems developed directly by Foodinho srl (Admin, which allows the company to manage the riders and the orders assigned to them; Kustomer, used to exchange emails and chats with the riders and through which it is possible to access phone calls made in the manner that will be illustrated in the course of the provision) and to the systems Google docs, used to process the evaluations and scores of the riders, and Google drive, used to prepare the invoices of the riders, through which the company carries out processing of personal data, relating to all the details of the order, to the geographical position collected through the GPS, to the storage of the routes traveled on the map, to the data collected and stored in the course of communications via email and chat (seescreenshots of the accesses made on the systems on 16 and 17.7.2019);

- from the document "Data Processing Agreement" (see note 12.8.2019, Annex 2 of the translations into Italian of the documents delivered in English during the inspection activity), dated May 20, 2018 and signed by the parties, in which the the company is qualified as "data controller" and the parent company GlovoApp23 "responsible", in relation to the provision of services to users and interested parties in Italy through the platform; the same parties have declared that this agreement refers to the riders (see previous point 1.1., let. d.);

- from the information documents "Information on personal data processing for Foodinho srl collaborators" (see information given during the inspections on 16 and 17.7.2019) and "Information on personal data processing for Foodinho, SRL couriers who carry out delivery assignments "(Currently available through the link https://glovers.glovoapp.com/it/privacy), in which the company is indicated as the data controller.

3.3. Established violations.

Upon examination of the declarations made to the Authority during the procedure as well as of the documentation acquired, it emerged that the company, as owner, has carried out processing operations of personal data towards a large number of interested parties - equal to to 18,684 riders at the time of the inspection, as declared (see Annex 7 defensive briefs) - who do not comply with the regulations on the protection of personal data in the terms described below.

3.3.1. Given that, unless the fact constitutes a more serious offense, whoever, in a proceeding before the Guarantor, falsely declares or certifies news or circumstances or produces false acts or documents, is liable pursuant to art. 168 of the Code "False statements to the Guarantor and interruption of the execution of the tasks or the exercise of the powers of the Guarantor", on the merits it emerged that, with reference to the obligation to provide the information to the interested parties envisaged by the holder of the treatment, the company has prepared, at different times, a plurality of information notices of content that are partly different.

In particular, the company carried out the processing of the rider data on the basis of a disclosure ("Information on the processing of personal data for Foodinho srl collaborators"), whose model - objectively without date and signature - was delivered by the company in the course of the inspections, without specifying how this document was made known to the riders (see previous point 1.2., letter f.). In this regard, the company, in its defense briefs, stated that at the time of the inspection "the information was made and made available to interested parties on the registration page for the application used by the riders to carry out their activities".

The information document delivered by the company under inspection, having examined its content, appears to have been made in violation:

- of art. 5, par. 1, lett. a) of the Regulation in relation to the principle of transparency with reference to the omitted indication: 1. of the concrete methods of processing the data relating to the geographical seconds) in the face of a completely generic indication on the point ("the owner may receive information regarding the geographical position of the mobile device"), 2. the type of data collected, in particular data relating to communications undertaken via chat, email and telephone with the call center, the evaluations expressed on the rider by the operators and customers;

- of art. 13, par. 2, lett. a) of the Regulation, considering that, with regard to storage times, this document is limited to providing a completely generic indication on the point ("The data are processed only for the time strictly necessary to achieve the purposes for which they were collected and, in any case, no later than the termination of the collaboration relationship [...] ", see point 9, Information note cited), as well as inaccurate considering that during the investigations the company declared to keep the data even after the termination of the work. Therefore it fails to provide the precise retention times of some types of data as resulting from both the verification activities (4 years from the termination of the employment relationship: see previous point 1.1., Letters y, jj and ll; 3 months from making the call for the content of the phone calls: v. doc. 11-12-14 in the previous point 1.3.1., Lett. j .; 4 years from the termination of the employment relationship for the so-called external data of the phone calls with the riders as emerged from the direct investigations to the systems documented in the screenshots present in the documents), and from the treatment register (for the registration data "at the end of the relationship work [...] and after 4 years from that date "; for the data relating to the management of the relationship" 4 years from the date of cancellation of the account or of the last [interaction] with the platform ").

- of art. 13, par. 2, lett. f) considering that the aforementioned information does not refer to the carrying out of automated processing including profiling activity (activities ascertained during the control activity: see previous point 1.1., spec. letter m., r., t ., w.), preordained to assign a score to the rider for the declared purpose of determining the priority in booking the slots (time slots determined by the company within which delivery orders are sent); therefore "significant information on the logic used, as well as the importance and expected consequences of such processing for the data subject" were also omitted;

- of art. 13, par. 1, lett. b) considering that the information does not provide the contact details of the data protection officer - DPO (despite it appears that the group DPO would have been designated by the group leader on 23.5.2019, therefore prior to the inspection activity);

- of art. 5, par. 1, lett. a) of the Regulation in relation to the principle of fairness, considering finally that, in the context of the employment relationship, as constantly stated by the Authority, the obligation to inform the worker is also an expression of the general principle of fairness of the treatments.

With reference, in particular, to the omitted indication of the concrete methods of processing data relating to the geographical position, the company, in its defense briefs, emphasized that, given the "multiplicity of functions" of the application used by the riders, "explain in a detailed [...] the operating methods of the geolocation [...] would have made the information not very usable and difficult to understand "and that, to comply with the provisions of art. 12, par. 7 of the Regulations, such information "was provided during the interview before registering for the Application, as well as during the specific training sessions provided to the riders as part of the onboarding phase".
In this regard, it is noted that art. 12, par. 1 of the Regulation, in application of the provisions of art. 5, par. 1, lett. a) of the Regulation, provides that the data controller must adopt "appropriate measures to provide the data subject with all the information referred to in articles 13 and 14 [...] in a concise, transparent, intelligible and easily accessible form, with simple and clear. The information is provided in writing or by other means, including, where appropriate, by electronic means. If requested by the interested party, the information can be provided orally, provided that the identity of the interested party is proven by other means ". In compliance, therefore, with the principles of transparency and correctness, the company should have provided, in writing or with other suitable tools, however documentable, to the interested parties, albeit with an easily understandable language, all the information required by art. 13 of the Regulation also regarding the processing of data relating to the geographical position; does not note, in this regard, that the riders were simply aware of the geolocation activity as they "see themselves and the suggested route on the map of the Application" nor that the geolocation is considered by the company "essential for the provision of the service" as well as a “common and consolidated practice in the transport and delivery sector”. In this regard, the difference between the possible mere knowledge of the possibility of being geolocated and the full awareness of the specific processing carried out in relation to the data deriving from the geolocation is evident. Only by making the interested party fully aware of the processing of their data through a transparent, therefore complete, clear and easily accessible information, in fact, the owner fulfills the provisions of art. 5, par. 1, lett. a) in relation to art. 13 of the Regulation.

With reference, then, to the failure to indicate the type of data collected, in particular the data relating to communications undertaken via chat, email and telephone with the call center as well as the evaluations expressed on the rider by the operators and customers, based on what was stated in the defense briefs, such information would have been provided during "the interview that precedes registration for the Application and during onboarding, as well as in the application itself". In relation to what would have been communicated to all riders during the aforementioned interview and during "onboarding", however, no evidence emerges nor can the document called "Training Calendars Customer & Courier Onboarding" be considered adequate to prove this, as it has no any reference on the point; as regards, however, the information that would have been provided through the application, of which some screenshots have been attached (see Annex 4 to the defense briefs), the presence of such specific information - and therefore its knowability in the application - does not emerge even at the moment inspection. In any case, such information is generic and not clear enough to make riders aware of the processing of such data.

With regard to the absence of the contact details of the DPO, moreover, in the defensive briefs it is specified that the designation of the person responsible for the protection of personal data was delegated "for organizational reasons" to the parent company which, however, despite having appointed the DPO on 23 May 2019, until the inspection at Foodinho srl, he had not communicated his contact details to the latter. In this regard, it is noted that, even if the appointment of a group DPO complies with the rules on data protection (see Article 37, paragraph 2 of the Regulation), the obligation to designate the DPO is placed on the owner of the treatment when the treatment carried out by the same falls within the hypotheses provided for by art. 37 of the Regulation: in the present case, despite Foodinho srl holds the title of data controller with regard to the processing of the data of the riders who work for the same Italian company, it does not appear that the latter has carried out the activities necessary to appoint its own DPO or that it has urged the parent company to communicate them such information for inclusion in the information pursuant to art. 13 of the Regulation.

In the defensive briefs, the company also represented that the information relating to the processing of rider data is currently available on the internet page https://glovers.glovoapp.com/it/privacy, which is currently made available to riders. also through the application used by the same as well as attached to the contract stipulated with the company and, again, orally "during the interview that precedes the registration to the Application and during onboarding".

From the examination of this information - which is undated and in relation to which the company has not provided any indication as to the date of its preparation - some changes have emerged with respect to the model delivered during the inspection. Even in the new information, however, some aspects do not comply, in the terms highlighted above, with the principles set out in art. 5 and as indicated in art. 13 of the Regulation. Taking this into account, it is believed that the new disclosure model also violates the aforementioned data protection regulations. In particular, in the new information model, the indication of the types of data collected is structured in an explicitly exemplary manner, therefore not all types of data that Foodinho srl processes are fully indicated, in particular, the processing of data relating to communications with riders carried out via chat and email is not mentioned. Furthermore, the description of the processing of data relating to the geographical position is completely generic as it is indicated that the company "may [...] receive information relating to the geographical position of the mobile device used" while the system systematically collects geolocation data every 15 seconds. for the entire duration of the delivery of the orders and prepares and keeps the route maps. Some of the purposes for which the geolocation data are processed are indicated, here too, generically, in particular the declared purposes of "money laundering", "crimes against public health" and "fight against terrorism". With reference to the legal bases, on the one hand it is specified that "the data will be processed exclusively in order to correctly execute the contractual relationship between the parties", on the other hand consent is also indicated, in the presence of which they can be treated not better defined data of the riders, even if it is subsequently specified that "the data requested from the couriers are mandatory and necessary for the management of the activity". It is also specified that "the owner does not adopt decisions based on automated decision-making processes", that "all the parameters that are taken into consideration have been manually generated" and that "profiles are not created", statements that contrast with what is ascertained by the '' Authority during the inspection, i.e. that the company carries out automated processing, including profiling, within the so-called "system of excellence" and through the order assignment system (see next point 3.3.6.). The company informs the riders that "the geolocation [is] limited to a short route between two mandatory points that the courier cannot choose" despite the fact that during the inspection he declared that "when the rider confirms that he has collected the goods, he receives the precise delivery address and has the right to decide to get advice on the best route "(see minutes of 16.7.2019, p. 5). With reference to the retention times, it is specified that “once the work performance contract has ended, the owner may keep the data for the time established in the current legislation and for a maximum of 10 years in order to comply with legal obligations. […] The retention period may be shorter depending on the legislation applicable to each type of data. The retention periods are shown in Annex I ", but at the time of drafting this provision there is no attachment to the information, therefore the retention periods are neither identified nor identifiable. Among the rights recognized to the interested party, indicated as "rights guaranteed by articles 12-22 of the GDPR", there is no specific reference to the provisions of art. 22 Regulations. Among the rights recognized to the interested party, indicated as "rights guaranteed by articles 12-22 of the GDPR", there is no specific reference to the provisions of art. 22 Regulations. Among the rights recognized to the interested party, indicated as "rights guaranteed by articles 12-22 of the GDPR", there is no specific reference to the provisions of art. 22 Regulations.

Finally, it appears that in the text of the information some treatments are not indicated that instead have been inserted by the company in the updated version of the treatment register (in particular treatments for marketing purposes and for study purposes on the use of the platform and groups discussion).

Again with reference to the disclosure obligation, the Authority acknowledges that, as part of the collaboration procedure with the AEPD, the latter has sent the Guarantor an additional disclosure model drawn up by Foodinho srl, held by GlovoApp23, which appears to have been attached to a contract stipulated between the Italian company and a rider, dated 2 December 2020. However, no mention of this model is contained in the defensive briefs of Foodinho srl.

In this regard, it should be noted that also this information - which according to what was disclosed under its own responsibility by the Italian company must be considered superseded by the model uploaded on the website indicated in the defense briefs - has some aspects that do not comply with Articles 5 and 13 of the Regulation, in particular: the indication of the concrete methods of data processing through the digital platform and, in particular, the so-called “system of excellence” and the order assignment system is omitted; the indication of the concrete methods of processing data relating to the geographical position is omitted ("Glovo will receive information on the geographical position of the courier in a discontinuous manner"); the activation of the geolocation "function" is qualified as "necessary in order to receive and complete the delivery orders", but it is specified that "the activation of this function implies consent to the processing of data collected through the geolocation "; the clear and transparent indication of the legal bases of the processing is omitted, given that the rider's consent, the execution of the contract and the legitimate interest of the company are indicated; "Key steps" in the delivery of products to final consumers (i.e. date, place and time of collection and place and time of delivery of the product) considering that these data are used to determine the fee, they will be "anonymized" automatically after 10 years from their collection ". In this last regard, given that the use of the term "anonymized" is improper - if not misleading - as the company continues to process data relating to the geographical position referable to the so-called "key passages", the storage terms indicated are different from those declared by the company during the investigations and in the defense briefs. Finally, within this document there is no reference to the automated treatments carried out by Foodinho srl (given that only a generic reference to the "algorithm" appears in the context of the purposes to be pursued on the basis of the legitimate interest of Foodinho srl) nor to the rights referred to in art. 22 of the Regulation.

Finally, it should be noted that among the documents acquired from the parent company and transmitted by AEPD to the Authority, there is also a further disclosure model provided by Foodinho, not mentioned in the latter's briefs and undated, also not compliant with provisions of the Regulations (see Doc. 20a, transmitted by AEPD and sent to Foodinho as part of the procedures for accessing the documents).

Ultimately, therefore, the information documents prepared by the company at different times and, in any case, characterized by inorganicity, imprecision and vagueness, are not suitable, for the aforementioned reasons, to clearly provide the interested parties with the information relating to the essential elements of the complex treatments carried out. The company therefore violated Articles 5, par. 1, lett. a) and 13 of the Regulations.

Taking into account that in the text of the new information made available through the internet link https://glovers.glovoapp.com/it/privacy, the "biometric model of the face" is also mentioned among the data that Foodinho intends to process (see point 8 of 'information in which it is specified that "starting from November 2020, the courier authentication process to the Glovo App [...] will be integrated with a biometric authentication process through facial recognition" and that such data will be "transferred and analyzed from an external supplier […] North American company "), the Authority reserves the right to initiate an independent procedure in relation to the conditions of lawfulness of the proposed treatment of biometric data of the riders.

3.3.2. With reference to the identification of the retention times of the data processed, the outcome of the inspection activities revealed that the company retains for the entire duration of the relationship and for 4 years after the termination of the employment relationship, different types of data of the riders collected for a plurality of heterogeneous purposes (all data relating to the management of orders, data collected through communications via chat and email, see previous point 1.1., lett.y. and jj .; data necessary for the conclusion and execution of the contract, data relating to the "fiscal and accounting management" of the relationship, "control and management of accidents" caused during the use of the platform; see the register of treatments delivered to the Authority during the inspection, points 8, 9, 12 and 13). It also emerged that the company keeps for 10 months the maps of the route taken by the rider for each order placed (see point 1.1., Letter z. On the basis of what emerged from the inspection activities (and documented in the screenshots acquired during the inspection), the company also retains the external data of the calls made by customer care for 4 years (calling and called number, start and end time of the call, waiting , duration: see screenshot acquired during the inspection) while, based on what has been declared, at the outcome of an authorization procedure against the parent company it is possible to access the contents of the telephone calls (the link to which appears alongside the external data) that would be stored for three months on a platform managed by Mas Voz Telecomunicaciones Interactivas SL (see Doc. 11, 12 and 14, note 12.8.

On the basis of what is stated in this regard in the defense briefs, the company has adopted "a" precautionary "retention period of 4 years", having regard to the terms of the prescription (five-year and ten-year) provided for by the law for the data necessary for the management of the employment relationship, in deemed application of the principles of minimization and privacy by design, taking into account that the processing of rider data is carried out in relation to the sole purpose of managing the contractual relationship (see previous point 2.1., letter k . and l.).

In this regard, it is firstly noted that during the investigation it emerged that other documents prepared by the company indicate retention terms other than those indicated in the defense briefs (retention for four years of the data processed, except for what is will say later in relation to the routes taken by the riders for each order). In particular, with the "Information on the processing of personal data for Foodinho, SRL Couriers who carry out delivery tasks", currently made available through the link https://glovers.glovoapp.com/it/privacy (see previous point 2.1 ., lett. e), the company indicates the different retention period up to "a maximum of 10 years in order to comply with legal obligations - including the duty to collaborate with the Police by virtue of the superior interest of public safety, as well as to fulfill to controls of a fiscal and / or social security nature, among other things - and to defend oneself or take actions to protect one's rights and interests ". The information also generically indicates that "the retention period may be shorter depending on the legislation applicable to each type of data" and, for further details on the individual storage terms, refers to an attachment which, as already noted, does not however, it is present on the page. tax and / or social security - and defend themselves or take actions to protect their rights and interests ". The information also generically indicates that "the retention period may be shorter depending on the legislation applicable to each type of data" and, for further details on the individual storage terms, refers to an attachment which, as already noted, does not however, it is present on the page. tax and / or social security - and defend themselves or take actions to protect their rights and interests ". The information also generically indicates that "the retention period may be shorter depending on the legislation applicable to each type of data" and, for further details on the individual storage terms, refers to an attachment which, as already noted, does not however, it is present on the page.

It is also noted that in the Register of processing activities, version 07, 2019-2021 (see Annex 16 defensive briefs 11.3.2021), section "Relations with suppliers" (ie riders), the company indicated, in relation to a large part of the type of data processed, "the duration of the statute of limitations, starting from the date of termination of the contractual relationship". This, in particular, in relation to: registration data, data processed as part of the management of the relationship, data "relating to the use of the platform" (including "voice" and "chat"), data relating to tax management and accounting and those relating to "control and management of accidents", data relating to requests from public authorities and the management of claims, data relating to the exercise of rights by the interested parties,

In such cases, the limitation period is not specifically indicated in relation to the different types of data, while in relation to some types of data it does not appear that the legal system has provided for limitation periods (see data relating to communications via chat and email and telephone calls; data relating to the exercise of rights by data subjects; data on the use of the platform and discussion groups).

Otherwise, in relation to the data processed for "marketing" purposes and for the purpose of studying the use of the platform and discussion groups, the term is indicated in "24 months from the date of creation of the account or from the last interaction with the platform. by the supplier ". For the conservation of "voice recordings" the different term of "12 months from the date of data collection" is indicated, in relation to the declared purpose of "assisting couriers during the execution of services by contacting customer service", which in itself should run out in a much shorter period of time and in any case relative to the time frame of execution of the delivery. In relation to this type of treatment, it is also noted that the company has declared that it can access the content of the recordings of the phone calls made with the rider only with the authorization of the parent company, which would also keep these recordings for a different and shorter term (3 months: see Doc. 11, 12 and 14, note 12.8.2019). If the company refers to the external data of the telephone calls with the expression "voice recordings", this should be clarified in the register. In any case, the exact term within which the company can access the external data of the telephone calls must be indicated (which would appear to be, as for a plurality of other data, equal to 4 years) and the content of the telephone calls themselves. The company should also verify under what title the processing is carried out (given that the treatments carried out by Foodinho srl are registered in the register

In relation to the specific retention period of 10 months of the routes taken by the riders for each order, which emerged, as represented above, during the inspection, the company subsequently specified that the conservation purposes for this period consist in the need to manage customer complaints, requests from public authorities or insurance companies, or to "assess the correctness of the compensation paid to the riders" (see point 2.1., letter m.). However, also in relation to this data, the updated version (with respect to the time of the inspection) of the Treatment Register (version 07, 2019-2021) indicates a different term, where in relation to the geolocation of couriers (riders) declaredly aimed at "assigning orders to couriers and showing customers the position of the couriers during the delivery of their orders", indicates the term of "24 months from the delivery of the order, after which they will be only the data relating to the point of departure and the point of arrival are kept for the entire duration of the statutory limitation period starting from the date of termination of the contractual relationship with the interested party ". From which it is clear that the data relating to the route taken (not only the point of departure and arrival) would be kept by the company not for 10 but for 24 months. after which, only the data relating to the point of departure and the point of arrival will be stored for the entire duration of the statute of limitations established by law from the date of termination of the contractual relationship with the interested party ". From which it is clear that the data relating to the route taken (not only the point of departure and arrival) would be kept by the company not for 10 but for 24 months. after which, only the data relating to the point of departure and the point of arrival will be stored for the entire duration of the statute of limitations established by law from the date of termination of the contractual relationship with the interested party ". From which it is clear that the data relating to the route taken (not only the point of departure and arrival) would be kept by the company not for 10 but for 24 months.

Upon examination of the documentation and declarations in deeds, it emerges, first of all, that the company has failed to define (and consequently to transfer within the documents whose preparation constitutes an obligation for the owner according to the Regulation ) a clear and coherent framework of the retention terms of personal data referring to the riders. Indeed, as seen, the statements made by the company do not correspond to some passages included in the "Information on the processing of personal data for Foodinho, SRL Couriers who carry out delivery assignments" and in the Register of processing activities, version 07, 2019- 2021, as well as regarding the recording of telephone calls in one of the documents sent to the Authority after the inspection (see Doc. 11, 12 and 14, note 12.8.2019).

According to the Regulation (art. 5, par. 1, lett. E), personal data are "stored in a form that allows the identification of the data subjects for a period of time not exceeding the achievement of the purposes for which they are processed" . In particular, the data controller has the obligation "to ensure that the retention period of personal data is limited to the minimum necessary" (see Recital 39).

In this regard, the Authority clarified that, in light of the need to identify retention times deemed appropriate in relation to each of the purposes actually pursued with the processing of the various types of personal data, the owner must not limit himself to identifying "blocks" of homogeneous time bands (provision 9.1.2020, n. 8, web doc. n. 9263597).

Taking as reference the terms indicated by the company, under its own responsibility, in the briefs sent to the Authority (and not those resulting from the various documents listed above, which must in any case be subject to verification and updating), it appears that the company a single retention period, in itself significant, equal to 4 years after the termination of the employment relationship, in relation to a plurality of treatments carried out for different purposes as well as in relation to different types of data, in some cases referring to the content of communications in themselves protected by particular guarantees from the legal system (via chat, email and telephone).Therefore, the company has failed to identify distinct retention times for data referring to the riders being processed in relation to the distinct and specific purposes pursued, given that only some of the treatments carried out are necessary in relation to the purpose of managing the contractual relationship (eg data identification and contact details, general information, bank details) while in relation to other processing the management of the contractual relationship constitutes the context of the processing carried out (by way of example, the processing of data relating to external data and the content of communications via chat, email and phone, geolocation, score assigned to the rider for each order).given that only some of the treatments carried out are necessary in relation to the purpose of managing the contractual relationship (eg identification and contact data, general information, bank data) while in relation to other treatments, the management of the contractual relationship constitutes the context of the processing carried out ( by way of example, the processing of data relating to external data and the content of communications via chat, email and telephone, geolocation, score assigned to the rider for each order).given that only some of the treatments carried out are necessary in relation to the purpose of managing the contractual relationship (e.g. identification and contact data, general information, bank data) while in relation to other treatments, the management of the contractual relationship constitutes the context of the processing carried out ( for example, the processing of data relating to external data and the content of communications via chat, email and telephone, geolocation, score assigned to the rider for each order).bank data) while in relation to other processing the management of the contractual relationship constitutes the context of the processing carried out (by way of example, the processing of data relating to external data and the content of communications via chat, email and telephone, geolocation, score assigned to rider for each order).bank data) while in relation to other processing the management of the contractual relationship constitutes the context of the processing carried out (by way of example, the processing of data relating to external data and the content of communications via chat, email and telephone, geolocation, score assigned to rider for each order).

It is noted that the company, with regard to the starting date of the aforementioned single retention period equal to 4 years after the termination of the relationship, during the procedure specified that the contract with the rider is considered terminated in the event of withdrawal by one of the parties , subject to adequate notice (see previous point 2.1., letter n.). Given that the Authority has not formally criticized the company, as claimed in the defense briefs, "for not being able to identify the moment from which the aforementioned terms began", it is reiterated that, also following the clarifications provided regarding the termination of the contract stipulated with the rider following the withdrawal of one of the parties, the employment relationship is considered ongoing even with long periods of inactivity ", v. minutes 17.7.20219, p. 6). the employment relationship is considered ongoing even with long periods of inactivity ", v. minutes 17.7.20219, p. 6).

Again with reference to what was declared to the Authority regarding conservation terms, it is finally noted that in relation to the indication of the 10-month deadline for storing the maps of the riders' routes, also in the light of the clarifications provided during the procedure , the specific reasons that would make this term congruous with respect to the aims pursued are not indicated by the company. In fact, the purposes indicated by the company relate to contexts (which are not homogeneous) in relation to which ordinarily - in the absence of specific characteristics linked to concrete situations that however do not emerge from the documents - the need to proceed to internal investigations also by drawing on the data stored is manifested in much shorter times (commensurate, for example, the terms in which customers are allowed to file a complaint, or riders to contest the amount of the compensation received, or the occurrence of events in respect of which public authorities or insurance companies can legitimately ask the company to deliver the map of the route taken by a determined rider; in this last regard it is noted that the request of the Local Police attached as an example, was addressed to the company a little less than a month after the events: Doc. 5 defensive briefs).

The company therefore, for the above reasons, has violated art. 5, par. 1. lett. e) of the Regulation which provides that personal data are kept "in a form that allows the identification of data subjects for a period of time not exceeding the achievement of the purposes for which they are processed".

3.3.3. On the basis of the statements of the company and the results of the direct access to the systems carried out during the inspection, it emerged that the systems are configured in such a way as to collect and store all data relating to the management of the order (data collected through the application in use by the riders, including the detection of the geographical position through GPS every 15 seconds as well as the data relating to the estimated delivery times and the times actually taken to make the delivery - this last data is obtained from the examination of the intermediate times indicated in the section of the 'customer side order -; data relating to the individual scores assigned to the rider daily; data relating to communications via email and chat as well as external data relating to telephone calls stored by the parent company with the possibility of accessing the content of the conversations upon activation of an authorization procedure against the parent company, as declared by the company). It also emerged that the systems (in particular Admin and Kustomer) are configured in such a way as to allow authorized operators to use the two applications simultaneously and simultaneously. Furthermore, the chat and email management system is configured in such a way as to allow each operator to directly access the content of chats and emails exchanged with the riders without further steps. It also emerged that the systems (in particular Admin and Kustomer) are configured in such a way as to allow authorized operators to use the two applications simultaneously and simultaneously. Furthermore, the chat and email management system is configured in such a way as to allow each operator to directly access the content of chats and emails exchanged with the riders without further steps. It also emerged that the systems (in particular Admin and Kustomer) are configured in such a way as to allow authorized operators to use the two applications simultaneously and simultaneously. Furthermore, the chat and email management system is configured in such a way as to allow each operator to directly access the content of chats and emails exchanged with the riders without further steps.

Contrary to what the company claims in the defense briefs, no specific reasons have been presented (nor have emerged in any case) on the basis of which it would be necessary, in order to efficiently provide the services, the simultaneous access of operators to the two systems. This considering that the aforementioned systems are pre-ordered, respectively, for the management of orders in real time and for the display of the order history (Admin) as well as for the management of problems that occurred during the order or, regardless of the order in progress, relatively to the relationship with the riders (Kustomer; see previous point 1.1., lett. bb.). Therefore, it is clear from this that the communication channels with the riders are made available for a plurality of occurrences of which the management of any problems in the management of orders in progress is only one of the possibilities. Furthermore, in the event of a transition from the order management system to the communications management system and vice versa, operators have access not only to the data relating to the rider who managed a particular order but also to information relating to all the other riders.

In this context, the circumstance that during the inspection the general manager of the company was unable to access the content of a phone call with a registered rider does not in itself constitute an indication that "the Company adopts a policy and a system of segregation of accesses" , not otherwise documented (see defense briefs, p. 8).

In this regard, it also emerges from the examination of the documents in place, that the subjects authorized by the company to access the aforementioned systems with access profiles that allow full access to data, including detailed data, referring to the riders contained therein, are a number relevant (more than 600 for LOH profiles only - live operations which include: LOH, LOH Dashboard, LOH Level 1, LOH Level 2, LOH Management, LOH Managers, LOH OCC, LOH Workforce) (see doc. 8 dissolution reserves; Docs. 3 and 5 acquired by the AEPD, containing, respectively, the table relating to the profiles and the corresponding additional operating authorizations of the subjects working on the platform - with particular reference to the riders: "Couriers", "Read Access", " Manage Access "," do.Couriers Kick ", Couriers Schedule" and "Couriers Forecast" -,as well as the table containing, for each country in which Glovo operates, the number of operators, divided by profiles - "Number of operators with permission").

In this last regard, the objection of the company cannot be accepted, according to which this number of employees "even if apparently high" would not be such when compared to the high number of customers who place orders on the platform, given that in this way each operator would be required to "have to provide assistance to over 30 riders at the same time". In fact, the calculation is based on the ratio between the total number of riders at the time of the inspection provided by the company (18,684) and the number of employees authorized to access the aforementioned systems with access profiles that allow full access to data (more than 600 , data obtained by the Authority by comparing the documents provided by the company on the basis of an express request and one of the documents acquired by AEPD; this number thus identified has not been contested by the company). However, the total number of riders "registered on the Application" at the time of the inspection must be reduced by the inactive ones (see in this regard the numbers relating to the "number of active riders from 1 January 2019 who have made at least one delivery", which remain for each month below 5,000 units; see Doc. 6-7, note 12.8.2019) and be limited to the number of riders booked for the individual slots. In this sense, the number of riders for each employee is completely reduced compared to what the company calculated. However, the total number of riders "registered on the Application" at the time of the inspection must be reduced by the inactive ones (see in this regard the numbers relating to the "number of active riders from 1 January 2019 who have made at least one delivery", which remain for each month below 5,000 units; see Doc. 6-7, note 12.8.2019) and be limited to the number of riders booked for the individual slots. In this sense, the number of riders for each employee is completely reduced compared to what the company calculated. However, the total number of riders "registered on the Application" at the time of the inspection must be reduced by the inactive ones (see in this regard the numbers relating to the "number of active riders from 1 January 2019 who have made at least one delivery", which remain for each month below 5,000 units; see Doc. 6-7, note 12.8.2019) and be limited to the number of riders booked for the individual slots. In this sense, the number of riders for each employee is completely reduced compared to that calculated by the company.

Nor is it sufficient to eliminate the Authority's objections relating to the failure to configure the systems in terms of privacy by design and by default, the organization by the company of generic "training activities" of employees in "live operations" ”, As it would appear from a calendar of training activities in which there is never any reference to data protection (see Annex 11 defensive memos, Training Calendars Onboarding Multiskill).

For the above reasons, this configuration of the systems, taking into account the quantity and variety of the data collected and the methods of treatment in relation to the purpose of managing the delivery service of food or other goods, involves the violation of art. 5, par. 1. lett. c) of the Regulation which sets out the principle of data minimization and of the art. 25 of the Regulation which sets out the principles of privacy by design and by default.

3.3.4. At the time of direct access to the systems carried out during the assessment - using the credentials of an Operation employee - the Admin and Kustomer systems were configured so that the presentation page allowed access to the data of all the riders who operate both in the EU and outside the EU (see screenshots acquired in documents). The same company stated that the previous access system was based on the “EU / non-EU access logic” (see defense briefs, p. 22). This configuration, therefore,

Furthermore, in this regard, the legal department of the parent company during the inspections stated that also the operators of the other countries in which the service is active, through specific authorization profiles (in particular, according to what has been declared, ) can "access the data [of the riders] of the different countries", both in the EU and outside the EU, in order to allow "comprehensive analyzes [...] during specific meetings between the top figures of the different countries" (see previous point 1.1., letter mm.).

In light of this configuration of the systems, also taking into account the significant number of subjects authorized by the company to access the aforementioned systems (see previous point 3.3.3.), As well as the quantity, variety and nature of the data processed, the Authority has the company has been accused of violating the provisions of art. 32 of the Regulation where it establishes that "Taking into account the state of the art and the implementation costs, as well as the nature, object, context and purpose of the processing, as well as the risk of varying probability and severity for the rights and freedom of natural persons, the data controller and the data processor implement adequate technical and organizational measures to ensure a level of security appropriate to the risk ".

In the defense briefs, the company stated that the access system was modified with the introduction of the so-called city permission mechanism which allows operators to access rider data only on a territorial basis. This mechanism is represented by the company as an example of "corrective [o] aimed at strengthening compliance [...] with privacy legislation". The company also considered that both following the modification but also before it, access to the data of the riders operating in countries other than Italy was and is limited only to the top figures of the same, in view of the declared need to carry out data analysis during meetings as well as to allow "the interchangeability of rider data in the context of any mobility opportunities of the same between the different countries in which the group companies operate" (see previous point 2.1., letter r). In this regard, the company recalled what was stated by the legal department of the parent company during the inspections, although this statement does not confer a position that it refers to the criteria for accessing rider data through the platform in countries other than Italy.

The aforementioned objections of the company cannot be accepted because, as previously reported, at the outcome of the direct access to the systems, the Authority ascertained that not only the top managers, but every operator authorized to access the system had access to the data collected. and kept in all countries in which subsidiaries of the parent company are present. This is also confirmed by the fact that the company has - appreciably - decided to make a change to the systems precisely in the sense of limiting access on a territorial basis.

The configuration of the systems, therefore, as ascertained during the inspection, results from the date of their adoption (at the time of the start of the company's activity in Italy, in 2016) at least until the date of activation of the so-called city permission, in violation of the provisions of art. 32 of the Regulation. With reference to the date of activation of the so-called city permission, it is noted that the Italian company in the defense briefs of 12 March 2021 announced that the mechanism would be introduced "recently". In this regard, it is finally acknowledged that the AEPD was informed on 18 May 2020 by GlovoApp23 of the completion of the activation of the so-called city permission on its systems.

The possibility of default access to a significant number of personal data by a significant number of systems management personnel with a wide range of tasks relating to the operation of the riders, does not allow to ensure "on a permanent basis the confidentiality, 'integrity, availability and resilience of the systems ”, taking into account the concrete risks caused by the“ loss, modification, unauthorized disclosure or access, accidentally or illegally, to personal data ”.

Finally, it is reiterated that the document sent by the AEPD to the supervisory authorities concerned on 30 January 2021 as part of the cooperation procedure activated pursuant to art. 60 of the Regulation, and cited in the company's defense briefs, is not definitive, as the adoption procedure is not, at present, concluded. Therefore the statements contained therein, pending the adoption of the provision pursuant to art. 60 par. 7 of the Regulations by the lead Authority, have no verification value.

3.3.5. The company has not carried out an impact assessment on data protection as required by the data controller by art. 35 of the Regulation following the recognition of the treatments carried out. In this regard, the parent company, in the course of the verification activities, following a question posed to Foodinho srl, declared that it had not deemed it necessary to prepare the assessment, without however producing documentation relating to the aforementioned decision (see previous point 1.1., Lett. . b.).

The art. 35, par. 1 establishes that when a treatment that involves "the use of new technologies, given the nature, object, context and purpose of the treatment, may present a high risk for the rights and freedoms of individuals", it is necessary to proceed with carrying out the impact assessment. The following par. 3, lett. a) provides that this assessment is in particular required in the case of "systematic and comprehensive assessment of personal aspects relating to natural persons, based on automated processing, including profiling, and on which decisions that have legal effects or affect in a manner significantly similar on these individuals ".

In light of the provisions of the aforementioned regulation, as well as the indications provided in this regard by the WP 248rev.01 Guidelines of 4.4.2017 and by the provision of the Guarantor of 11 October 2018, n. 467 ("List of types of processing subject to the requirement of an impact assessment on data protection pursuant to art. 35, paragraph 4, of Regulation (EU) no. 2016/679", in GU, SG no. 269 ​​of 19.11.2018), the processing activity carried out by Foodinho srl, as characterized by the innovative use of a digital platform, by the collection and storage of a multiplicity of personal data relating to the management of orders including the geographical location and communications via chat and email as well as the ability to access the content of phone calls between riders and customer care, from the carrying out of profiling activities and automated processing towards a significant number of "vulnerable" data subjects (as parties to an employment relationship; see Guidelines cited, chap. III, B, no. 7), presents " a high risk for the rights and freedoms of natural persons "with the consequent need to carry out, before the start of the treatment, an impact assessment pursuant to art. 35 of the Regulation. an impact assessment pursuant to art. 35 of the Regulation. an impact assessment pursuant to art. 35 of the Regulation.

On the occasion of the dissolution of the reserves, the company sent the Guarantor a "Preliminary assessment of the risks relating to the processing of personal data of riders" (see note 12.8.2020, Doc. 15). In this regard, it is noted that this document, drawn up in English, without date and signature, is lacking with respect to the indication of some of the elements indicated by art. 35, par. 7, of the Regulation. In particular: the specific methods of the treatments carried out through geolocation are not indicated (very close periodization of the survey; storage on the map of the routes), the treatments carried out through emails and chats as well as the recordings of telephone calls are not mentioned, the automated and profiling treatments carried out through the platform are also not mentioned. Furthermore, the section relating to the identification of risks and the measures adopted to address the risks (“Step 6: Identify measures to reduce risk”) is not completed and is followed only by the generic abbreviation “N / A”. The reference to the UK Control Authority (ICO) as the authority to consult in case of identification of high residual risks is also incongruous.

In the defensive briefs, Foodinho srl also argued that "the assessments of the impacts" of the use of the "application developed by the parent company" through which it carries out its business activity "belong to the parent company". The latter, in this regard, after having assessed the need to carry out an impact assessment pursuant to art. 35 of the Regulation, would have excluded the need to proceed with a DPIA, arguing for this decision in the document called "Couriers professional data-preliminary analysis on privacy assessment" (annex 12 to the defense briefs), dated November 2019, written in English,

Considering, therefore, that Foodinho srl is the data controller with reference to the data of the riders who work for the Italian company and that art. 35 of the Regulation recognizes the obligation of the data controller to carry out a DPIA, before processing, if the conditions provided for by the law are met, Foodinho srl is the subject required to carry out an impact assessment with reference to the processing activities made by the Italian company itself.

The company also excludes that the treatments put in place by the same are among those for which it is mandatory to carry out an impact assessment as "it cannot be argued [...] that the Application and geolocation constitute" new technologies "for pursuant to Recitals 89 and 91 of the Regulation "; according to the company, in fact, “neither the Application nor the geolocation system are technologies that can now be considered 'new'" (see defensive memoirs, p. 11).

In this regard, it is noted that, in the defensive briefs, the company itself specifies that the main activity carried out consists "in the development and management of a platform through which some local shops in the Italian territory can offer their products and / or services through of a mobile or web application ”and that“ On an ancillary basis […] acts as an intermediary in the planned or immediate delivery of products. Foodinho, therefore, through the use of technologies already known and used in the transport sector [...] manages (in an innovative way) the so-called "last mile" facilitating the meeting between supply and demand in the delivery sector - transformed, therefore, in "instant" delivery ". The company itself, therefore, has qualified the management of the activity carried out as “innovative”.

It is also noted that the innovative nature of the technology used by the company (of which the application to be installed on the rider's device and the geolocation functionality constitute only a part) - and the consequent high risk for the rights and freedoms of the data subjects - it is evident from the examination of the functioning of the digital platform around which the activity carried out by Foodinho srl revolves; this also taking into account the scope of application and the reference context (ie work via a digital platform), the growing expansion of the market sectors concerned, the evolution of the phenomenon of the so-called Legislative Observatory, Fair working conditions, rights and social protection for platform workers - New forms of employment linked to digital development, 2019/2186 (INI), 2019; European Parliament and Council, Directive 2019/1152 on transparent and predictable working conditions, 2019, also containing references to digital platform workers) and of jurisprudence at national and European level (see next paragraph 3.3.9.). The processing of a large number of different types of data referring to a significant number of interested parties, carried out through the digital platform which is based on algorithmic functions, in fact, by combining supply and demand, has an evident innovative character. The innovative nature of the technology used and therefore of the activity carried out by the company, in fact,

Secondly, the innovative nature of the technology used consists in carrying out automated treatments, including profiling, which significantly affect the interested parties, treating a multiplicity of data, including geolocation data, excluding a part of the riders from job opportunities. .

It is also believed that the treatments carried out by Foodinho through the digital platform may result in risks for the rights and freedoms of the data subjects as they relate to the "evaluation of personal aspects, in particular by analyzing or forecasting aspects concerning professional performance, […], Reliability or behavior, location or travel, in order to create or use personal profiles; if data of vulnerable natural persons are processed […]; if the processing concerns a considerable amount of personal data and a large number of interested parties "as well as" if the processing can create discrimination "(see recital 75 of the Regulation).

Finally, it is reiterated that the document sent by the AEPD to the supervisory authorities concerned on 30 January 2021 as part of the cooperation procedure activated pursuant to art. 60 of the Regulation, and cited in the company's defense briefs, is not definitive, as the adoption procedure is not, at present, concluded. Therefore the statements contained therein, pending the adoption of the provision pursuant to art. 60 par. 7 of the Regulations by the lead Authority, have no verification value.

For the above reasons, the company has violated art. 35 of the Regulation.

3.3.6. From the verification activity it emerged that the company carries out, through the overall system used for the operation of the platform, automated treatments, including profiling, as part of the so-called "system of excellence" that it attributes to each rider, through the 'operation of specific and predetermined parameters, a score that gives priority access to the "system for selecting the time slots (slots)" established by the company (see note 12.8.2020, Doc. 5, "Description of the algorithm for assignment of points to riders "), within which orders received are distributed daily. Some time slots are defined as "high demand" because they are usually characterized by a greater number of orders. In relation to the determination of some of these criteria, the company, as stated by the same, it can "insert parameters on the basis of local customization" and, in some cases, modify the parameters themselves (see previous point 1.1., letter g., h., t. ex). Contrary to what the company maintains, the necessary setting of the parameters on the basis of which the algorithm operates does not in itself negate the taking of decisions based solely on automated processing (see defensive briefs, p. 12) . Considering, however, that the same company in the inspection investigations stated that "the scoring is generally automated" (see previous point 1.1., Lett. T.), It is noted that the declared possibility of manually intervening on the system in the event of a "report" by a rider following a negative feedback,

There are five variables on the basis of which the score is assigned to each rider (expressed in distinct percentage numbers for each parameter for each order; see screenshots relating to the score), in particular: score assigned by the user (15%); score assigned by the partner (5%); score determined by the provision of services in hours of high demand, provided that the rider has selected at least 5 high demand slots in 7 consecutive days (35%); orders actually delivered (10%); productivity of the platform (35%), based on the number of orders proposed to the rider (who can opt for automatic assignment in order to increase the score), on the check-in within the reserved slot "a few minutes after the start "of the selected time slot (see Doc. 5, note 12.8.

Therefore, the assignment of the score within the so-called system of excellence, deriving from the application of a mathematical formula on the basis of which the calculation is made, penalizes the riders who do not promptly accept the order or refuse it or who do not actually lead to completion of a certain number of deliveries; vice versa, the system favors riders who accept a greater number of orders within the established terms and who actually deliver the greatest number of orders. The fact that the company, as stated (see point 1.1., Letter s. And 2.1., Letter y.), Allows the possibility to reserve part (not quantified) of the availability of each slot regardless of the score, does not change substantially the functioning of the system.

no if consideringandichas franjas. The result of this punctuality is the minimum between 1 or the number of pedidos realized in high demand (n) in the ultimos 28 dias entre 60. […] 35% - eficiencia: keeps in cuenta the ordenes mostradas at the repartidor (Os). […] Holds en cuenta los pedidos rechazados (Or) y resignados (Ora), estos last considered in AA (through the chat) and the primeros los pedidos that since the AA no son aceptados en los primero 30 segundos. Other values ​​that hold and cuenta are los check_in (CI), follow el which is a binary value between 1 we have hecho el check_in y 0 yes no "). From the examination of the scoring mechanism it emerges, therefore, on the one hand that the company carries out a profiling activity that significantly affects the interested parties by determining - through access to the slots - the possibility of receiving orders or not through the platform and therefore of obtaining an employment opportunity. On the other hand, it also emerges that the feedbacks taken into consideration by the system, for the calculation of the relative share of the score, are only the negative ones "El resultado es el máximo entre 0 y la inversa del número de feedbacks negativos (de 1 or 2) by the partner with a constant of 0.2 en los 50 últimos pedidos. Cuanto mayor es el número de feedbacks negativos, menor es el segundo valor hasta que when convierte en negativos, cuenta como 0 ". Therefore, the score, which changed only following negative feedback and not increased following positive feedback,

It also emerged that the company carries out automated processing also through the system for assigning orders to riders called Jarvis, which, according to what has been stated, is an algorithm that uses the following information: geographic position of the rider taken from the GPS of the device; location of the point of sale where to collect the product to be delivered; delivery address; specific order requirements and other parameters such as the type of vehicle used by the rider (see Doc. 4, company note 12.8.2019).

Despite the absence of exhaustive clarifications - albeit required - on the operating methods of the algorithm preordained for the assignment of orders to the riders - Jarvis -, which presides over the operation of the platform owned by GlovoApp23, used (also) by Foodinho srl, as well as on the specific methods with which Jarvis interacts with the so-called system of excellence, following the outcome of the control activity carried out by the Authority, also using documentation acquired by the AEPD, it emerges that the company, using a digital platform that operates through , adopts decisions based solely on automated processing, including profiling, of the personal data of the riders.

This evaluation takes into account the definition provided by the Regulation according to which profiling means any form of automated processing of personal data "consisting in the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze and provide for aspects concerning the professional performance [...], reliability, behavior, location or movements of said natural person "(see Article 4, no. 4) as well as what is specified in this regard by Recital 71 on the basis to which the profiling activity produces legal effects or in any case significantly affects the person of the interested party.

Considering that one of the exemptions provided for by art. 22 with respect to the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects or significantly affects the data subject and that, in particular, it appears that the processing is necessary for the execution of a contract stipulated between the parties (see Article 22, paragraph 2, letter a) of the Regulation), however, it does not appear that the company has taken steps to implement appropriate measures to "protect the rights, freedoms and legitimate interests of 'interested, at least the right to obtain human intervention […], to express their opinion and to contest the decision ”.

Contrary to what the company claims, there is no evidence of the adoption of measures relating to the exercise of rights through the activation of dedicated channels (chat accessible through the application, dedicated branches, email: see defensive briefs, p. 12) . Nor does it appear that the interested parties were in any way aware of the possibility of exercising these rights in relation to the decisions adopted through the use of the platform.

machine learning related to them, if not sufficiently transparent and robust, risk reproducing, amplifying or contributing to gender biases of which programmers may not be aware or which are the result of a specific selection of data "). This also in relation to the obligations imposed by the sector regulations regarding the operation of platforms (see Article 47-quinquies, Legislative Decree no. 81/2015, in force since 3.11.2019 "1. To the workers referred to in 'article 47-bis, the anti-discrimination discipline and the one protecting the freedom and dignity of the worker envisaged for subordinate workers, including access to the platform, apply. 2. Exclusion from the platform and reductions in job opportunities attributable to non-acceptance of the service are prohibited. ", on which, more extensively, par. 3.3.9 .; v. Consultative Committee of the Convention for the Protection of Individuals with regard to automatic processing of personal data (Convention 108), Guidelines on Artificial Intelligence and Data Protection, Strasbourg, 25 January 2019, "AI developers, manufacturers, and service providers should adopt forms of algorithm vigilance that promote the accountability of all relevant stakeholders throughout the entire life cycle of these applications, to ensure compliance with data protection and human rights law and principles ".

Finally, with reference to the feedback mechanism, which determines 20% of the score of excellence, it does not appear that the company has adopted appropriate measures to avoid improper or discriminatory use of reputational mechanisms based on feedback.

The Guarantor, albeit with reference to the discipline prior to the application of the Regulation, has established that automated processing, including profiling, must take place in compliance with the relevant provisions and in the presence of adequate guarantees (see provision 29.11.2018, n. 492; see also, on this point, provision 24.11.2016, no. 488 confirmed by Court of Cassation no. 14381 of 25.5.2021).

Finally, it is reiterated that the document sent by the AEPD to the supervisory authorities concerned on 30 January 2021 as part of the cooperation procedure activated pursuant to art. 60 of the Regulation, and cited in the company's defense briefs, is not definitive, as the adoption procedure is not, at present, concluded. Therefore the statements contained therein, pending the adoption of the provision pursuant to art. 60 par. 7 of the Regulations by the lead Authority, have no verification value.

For the above reasons, the company has therefore violated art. 22, par. 3, of the Regulation

3.3.7. On the basis of the documentation acquired in the documents, it appears that the company has communicated to the Authority - through the online procedure specifically prepared through the institutional website of the Guarantor - of the contact details of the data protection officer (designated at group level) pursuant to art. 37, par. 7 of the Regulation on 1 July 2020, specifying, on that occasion, that "the appointment of the group DPO took place on 23/05/2019 and was communicated to the Guarantor on 12/08/2019 during the procedure with service 24046/137534. The […] communication is therefore purely formal and has retroactive effect ”.

In the defense briefs, the company noted, in this regard, that the activities of appointing the DPO and communicating it to the supervisory authority are "the exclusive competence" of the parent company also for "practical reasons in fulfilling compliance obligations. of the group". In addition to the general reasons of practicality, however, no other reasons have been indicated on the basis of which Foodinho srl believes that the communication of the appointment of the DPO to the Guarantor for the protection of personal data is exclusively an activity of the Spanish parent company considering that the the Italian company "did not have (and does not have) the possibility of proceeding autonomously" in this activity.

Deemed compliant with data protection legislation, the appointment of the DPO at corporate group level (see Article 37, paragraph 2 of the Regulation), art. 37, par. 7 of the Regulation states that "the data controller or data processor publishes the contact details of the data protection officer and communicates them to the supervisory authority": consequently in the event that the DPO is appointed at group level, the obligation remains for the individual group entities as data controllers or processors to publish the contact details of the DPO and to communicate them to the competent Supervisory Authority (this is also clarified by the Authority's Faq adopted with provision of April 29, 2021, n. 186). That said, being Foodinho srl the data controller of the data of the riders who work for the same Italian company in Italy, the communication to the Guarantor of the designation of the DPO - even if carried out at group level - which is considered suitable pursuant to the provisions of referred to in art. 37, par. 7, of the Regulation, is the one carried out by the Italian company on 1.7.2020, in accordance with the specific procedure outlined on the Authority's institutional website.

Therefore, also from this point of view, the processing carried out by the company up to the date of the communication of 1.7.2020 is illegal pursuant to art. 37, par. 7 of the Regulation.

3.3.8. With reference to the obligation placed on the owner to keep a register of the processing activities carried out under his own responsibility (see Article 30 of the Regulation), it is noted that during the inspection activities the Authority acquired a copy of the Register of treatments (version 06 - 20052019, both the English language copy provided during the inspection and the Italian translation provided on 12.8.2019), which was found to be primarily without the indication and contact details of the data protection officer data. Differently from what the company believes (see previous point 2.1., Lett. Bb.), Provided that both the designation of the DPO and the keeping of the treatment register fall within the obligations that are due to the owner and that Foodinho srl

In addition, the aforementioned Register of treatments, drawn up in a manner that does not allow to clearly distinguish the categories of data subjects from the categories of data processed (given that the types of data are directly listed under the heading "Data subjects" and "Categories concerned") and which describes in a generic way the purposes of the treatments referred to the riders (eg. in relation to the management of the relationship, the purpose indicated is "to satisfy the services offered by suppliers through the technological platform", where suppliers are meant riders), are not certain types of personal data, the processing of which has been ascertained during the control activities, are indicated. In particular, the data relating to the communications between the riders and the customer care through chat and email are not listed, as well as the external data of the telephone calls and the possibility of accessing the contents of the same, nor the data used in the context of the so-called system of excellence and the specific data relating to the details of the orders detected through the app. Contrary to what the company claims in the defense briefs, such information processed by the systems is attributable to the interested parties and as such falls within the definition of personal data (see Article 4, No. 1 of the Regulation), in some cases (data processed in the "system of excellence" and details relating to the order) because they are preordained for the definition of an individual "score" or in any case entered in a computer system that associates each order (and related data) to the rider (see screenshots acquired during the inspection relating to the score, where for each rider identified with name and surname, glover's ID and email address are associated the individual items of the score processed daily; see also screenshots relating to orders where for each identified rider with name and surname and other information are associated with the details of each order). Also with regard to data relating to communications with customer care, based on the direct accesses carried out during the inspection activities on the systems used by the company (documented through screenshots acquired in deeds) it emerged that the Kustomer system allows access to emails and chats by identifying the rider (through name and surname, usually associated initials, and other information such as telephone number and email; see screenshot acquired in documents relating to emails). In this regard, it is represented that the screenshot cited in the defensive memoirs regarding the chats bears, in fact, the initials of the rider's name and surname which can easily be obtained in its entirety through simple steps that are always possible in the system (see, for e.g., the screenshots relating to the order history where for each order placed by an identified rider there is also the "chat transcript" button). Also with regard to telephone calls, the external cd data (calling and called number, time of start and end of the call, waiting time, duration: see screenshot acquired during inspection) are present directly on the screen together with the link to access registration (subject to obtaining an authorization from the parent company, as stated). These data constitute specific "categories of personal data" (see Article 30, paragraph 1, letter c) of the Regulation) and as such must be indicated in the Register.

Furthermore, from the aforementioned Register it emerges that in relation to some processing of rider data (see "registration of suppliers (couriers)", point 8, note 12.8.2020, Annex 4), the last storage term is not unambiguously indicated , considering that it is specified that "the data will be deleted at the end of the employment relationship between the supplier and Glovo and after 4 years from that date". This also considering that, as already noted, the employment relationship is in progress even after significant periods of inactivity (see screenshots acquired during inspections where data of riders who have not received orders even for 1203 days are present) (as stated in the course of the inspection, see minutes of 17.7.2019, p. 6 "the company is evaluating what may be a reasonable amount of time of inactivity of the rider to consider the employment relationship concluded, regardless of a positive action by the rider. At the moment, in fact, unless a positive action by the rider, the employment relationship is considered to be in progress for the system even with long periods of inactivity "). Furthermore, the different retention period - equal to ten months - of the maps of the orders placed is not mentioned in the Register.

Lastly, the Register does not contain the general description of the technical and organizational security measures referred to in Article 32, paragraph 1 of the Regulations (as required by Article 30, paragraph 1, letter g) of the Regulations). In this regard, the company's assertion cannot be shared for which since at the time of the inspection the same "had been operating in Italy for only 3 years [...] it was still evaluating various IT security service providers, in order to identify - even in agreement with the Parent Company - those most appropriate to the nature / type of processing performed "(see previous point 2.1., lett. bb.). In fact, the time span of three years is too long compared to the need to promptly prepare adequate measures in relation to the risks, taking into account the nature, object,

For the above reasons, the company therefore violated art. 30, par. 1, lett. a), b), c), f), g) in relation to the procedures for drawing up and keeping the register (version 06 - 20052019) provided for by the law.

During the proceeding, as an attachment to the defense briefs, the company provided an updated version of the Register of processing activities, (version 07, 2019-2021; see Annex 16 defensive briefs 11.3.2021). Even this version, which would constitute the latest version of the register (available), from a formal point of view does not contain a verifiable indication of the drafting date (for example accompanied by a signature) nor that of the first institution of the register itself. Considering that the register is a tool that allows the owner, in the context of accountability, to have an updated picture of the treatments carried out also in view of the risk analysis as well as being able to respond to requests for disclosure by the supervisory authority control, the contents reported therein must correspond to the treatments actually in place. For this reason, the Authority considered that the register must be completed in such a way as to indicate the verifiable date of its first establishment and that of the last update (see FAQ on the register of processing activities, no. 5). This considering that keeping the register does not constitute a formal fulfillment but an integral part of a system for the correct management of the processing of personal data carried out.

That said, it emerges that this updated version from the register contains the name and contact details of the DPO, in line with the provisions of art. 30, par. 1, lett. a) of the Regulations. This Register, whose structure has remained such, however, that for certain items the categories of data subjects overlap with the categories of data processed (given that the types of data are listed under "Data subjects" and "Data subjects"), compared to the previous version, new types of data processing referring to riders. In relation to some of these types of personal data, a suitable legal basis is not indicated - nor can it be found - (data processed for marketing purposes; data processed for study purposes on the use of the platform and discussion groups; data relating to "voice recordings"; data relating to "fraud prevention"), given that the legitimate interest of the company is indicated, however, in more than one case cumulatively, as prerequisites for the lawfulness of the related processing - in the absence of any evidence of prior carrying out of the necessary comparative test by of the owner; v. Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46 / EC, a test that appears necessary even in the face of the declared treatment of "opinions expressed during discussion groups", also taking into account the prohibition imposed by sector legislation to carry out investigations on opinions or in any case on facts not relevant for the purposes of assessing the professional attitude of the worker) - and the consent of the interested party - in the absence in the specific case of any evidence that specific consent has been given and, in any case, has been given in compliance with the conditions provided for by the legal system (the consent must be demonstrable, freely given, revocable and given in the face of adequate information; see Article 7 of the Regulation ). In relation to the purpose of "fraud prevention", then, it does not appear on the basis of what legal obligation placed on the owner the processing is carried out, also taking into account that the legitimate interest of the owner is also indicated here as a legal basis. .

There are also some inconsistencies relating to certain categories of data (not present in the previous version). In particular, the category "Use of the platform (Glover App)" does not include geolocation among the categories of data processed, which is peacefully processed through the application (geolocation is present in a separate section of the register, although it does not correspond to a specific purpose but to a category of data). In relation to the purposes of "Claims management" and "Contacts with insurance companies", the data relating to the state of health of the person concerned is not indicated.

As for the general description of the security measures, the register specifies that the measures are "described and available in the internal security policies at group level". However, there is no document containing the description of the technical and organizational security measures adopted pursuant to art. 32 of the Regulation which would have been prepared at group level and also adopted by the Italian company.

Finally, with reference to the indication of the retention terms of the processed data, please refer to what has already been set out in the previous paragraph 3.3.2., Where it has been highlighted that the terms present in the treatment register are different from those communicated by the company during the investigation and in any case not distinctly identified in relation to the specific and distinct purposes pursued.

For the above reasons, also the updated version of the register of processing activities prepared by the company (version 07, 2019-2021) does not comply with the provisions of art. 30 of the Regulations, in relation to letters c), f) and g).

3.3.9. Finally, it emerged that the company carries out the processing of personal data of the riders, described above, in the context of an employment relationship having as its object the transport of food or other goods from restaurants or other partner merchants of the company through the use of a digital platform and towards a fee.

Foodinho srl stipulates with the riders a model contract prepared and qualified by the company as a “work performance contract pursuant to art. 2222 of the Italian Civil Code ”of which there are versions (dated and signed) that present different formulations in some points. In particular, the contract delivered to the Authority during the inspections (dated and signed on 22.5.2018) establishes, among other things, that: "the self-employed collaborator, through the use of his own means and with charges entirely at his own expense , on the days and at the times it deems most appropriate, it will have the right to make itself available, through the appropriate software App prepared by the company, to carry out transport activities of meals / goods from the shops of local restaurateurs / businesses, customers and not of the Glovo platform. , at the domicile of consumers "; "The collaborator [...] will be able to confirm through the software App his will to perform the service, and consequently organize himself for the collection of meals / goods [...] and the relative delivery to the consumer in compliance with the times requested by the customer . If the collaborator does not intend to carry out the indicated task, he will have no obligation to report or reply, remaining in his free availability the choice of the activities to be carried out "; the rider “can wear the clothes and use the accessories provided by Foodinho” by paying the amount of 65 euros as a deposit; “For each service performed […] Foodinho will pay a gross variable amount […]”; “This agreement may be terminated at any time by either party with 24 hours notice.

In the documents there is a copy of the contracts acquired at GlovoApp23 by the AEPD and transmitted to the Authority (called "Occasional self-employment"), not mentioned in the defense briefs, dated and signed - with the name of the contractor blanked - on 7.9. 2018; 7.5.2019 and 2.12.2020. The texts of the model contracts are partially different from that of 22.5.2018, with the addition of formulations that accentuate the declared autonomy of the rider in the execution of the performance.

The processing of personal data referring to the riders carried out by the company in the context of the employment relationship governed by the contract described above have very peculiar characteristics and methods of execution, which emerged from the outcome of the Authority's investigations.

In order to carry out the work activity, the rider must download the Glover application on his smartphone which can be accessed using credentials (access code) provided by the company and password. Through the application, the rider books the time slots, predetermined by the company, until they are saturated, based on the functioning of the "system of excellence"; among the slots some are defined by the company as "high demand" because they are usually characterized by a greater number of orders. This system is designed to present the choice of slots with priority to those who have acquired a higher score, although, according to what the company has declared, an unspecified share of availability would be ensured for each slot, independent of the score acquired by the rider.

The "system of excellence" is based on criteria determined by percentage values ​​processed through the digital platform, distinct for each parameter relating to each order, in some cases determined or modified by the company on the basis of local customization. In particular, the variables on the basis of which the score is assigned to each rider (see screenshot relating to the score) - as already represented above - are five, in particular: score assigned by the user (15%); score assigned by the partner (5%); score determined by the provision of services in hours of high demand, provided that the rider has selected at least 5 high demand slots in 7 consecutive days (35%); orders actually delivered (10%); platform productivity (35%),

The assignment of the score within the "system of excellence", deriving from the application of an algorithm on the basis of which the calculation is carried out, therefore, penalizes the riders who do not accept the order promptly or refuse it or who do not actually bring completed a certain number of deliveries; vice versa, the system favors riders who accept a greater number of orders within the established terms and who actually deliver the greatest number of orders. Through the score, the company therefore evaluates the rider's work and denies access to the time slots and the relative possibility of performing the service (delivery of food or other goods) covered by the contract (see previous point 3.3.6).

assigns the orders to the rider who has promptly checked-in in the reserved slot and manages the entire order execution phase. It also emerged that the system processes data relating to the battery level of the device used by the rider and the slots booked by the rider as a whole (see screenshots acquired during the inspections).

From the access to the systems it emerged that the wake-up couriers function is still available for the operators of the company working in Italy, which allows you to send a notification to the riders who have booked a slot, but are not active in it, although the company stated that this function "is not used by Operations operators in Italy".

The remuneration paid to the riders is determined by Foodinho srl on the basis of values ​​identified by the same company, which also processes and sends the relative invoice to the rider.

The communications made during the order assignment phase between the customer care and the riders, both the external data and the content of the same (the content of the phone calls is stored on a different Aircall platform), are recorded and stored by the system.

The systems used by the company, finally, allow you to view for each rider both the details of the order in progress (including the real-time display on the map) and the history of the orders placed (including the display on the map stored for 10 months).

Considering that the processing of data relating to riders is carried out in the context of an employment relationship, it is necessary to preliminarily examine the specific provisions contained in the Regulations on this matter within Chapter IX. In particular, art. 88 of the Regulation is without prejudice to the national rules of greater protection ("more specific rules") aimed at ensuring the protection of rights and freedoms with regard to the processing of personal data of workers, regardless of the specific type of employment relationship. This with particular reference to the adoption of "appropriate and specific measures to safeguard human dignity, legitimate interests and fundamental rights of the data subjects, in particular as regards the transparency of processing, the transfer of personal data in the within an entrepreneurial group or group of companies carrying out a common economic activity and workplace monitoring systems ". The national legislator approved, as a more specific provision, art. 114 of the Code which among the conditions of lawfulness of the treatment - that of lawfulness constitutes one of the general principles of the treatment itself pursuant to art. 5, par. 1, lett. a) of the Regulations - established compliance with the provisions of art. 4, law 20 May 1970, n. 300. The violation of the aforementioned art. 88 of the Regulation is subject, if the requisites are met, to the application of a pecuniary administrative sanction pursuant to art. 83, par. 5, lett. d) of the Regulations. common economic activity and workplace monitoring systems ". The national legislator approved, as a more specific provision, art. 114 of the Code which among the conditions of lawfulness of the treatment - that of lawfulness constitutes one of the general principles of the treatment itself pursuant to art. 5, par. 1, lett. a) of the Regulations - established compliance with the provisions of art. 4, law 20 May 1970, n. 300. The violation of the aforementioned art. 88 of the Regulation is subject, if the requisites are met, to the application of a pecuniary administrative sanction pursuant to art. 83, par. 5, lett. d) of the Regulations. common economic activity and workplace monitoring systems ". The national legislator approved, as a more specific provision, art. 114 of the Code which among the conditions of lawfulness of the treatment - that of lawfulness constitutes one of the general principles of the treatment itself pursuant to art. 5, par. 1, lett. a) of the Regulations - established compliance with the provisions of art. 4, law 20 May 1970, n. 300. The violation of the aforementioned art. 88 of the Regulation is subject, if the requisites are met, to the application of a pecuniary administrative sanction pursuant to art. 83, par. 5, lett. d) of the Regulations. 114 of the Code which among the conditions of lawfulness of the treatment - that of lawfulness constitutes one of the general principles of the treatment itself pursuant to art. 5, par. 1, lett. a) of the Regulations - established compliance with the provisions of art. 4, law 20 May 1970, n. 300. The violation of the aforementioned art. 88 of the Regulation is subject, if the requisites are met, to the application of a pecuniary administrative sanction pursuant to art. 83, par. 5, lett. d) of the Regulations. 114 of the Code which among the conditions of lawfulness of the treatment - that of lawfulness constitutes one of the general principles of the treatment itself pursuant to art. 5, par. 1, lett. a) of the Regulations - established compliance with the provisions of art. 4, law 20 May 1970, n. 300. The violation of the aforementioned art. 88 of the Regulation is subject, if the requisites are met, to the application of a pecuniary administrative sanction pursuant to art. 83, par. 5, lett. d) of the Regulations. 83, par. 5, lett. d) of the Regulations. 83, par. 5, lett. d) of the Regulations.

The national legislator, starting from 2015, has also adopted provisions aimed at regulating the scope of work performed through the operation of digital platforms. The art. 2, d. lgs. 15 June 2015, n. 81 established that "With effect from 1 January 2016, the discipline of the subordinate employment relationship is also applied to collaboration relationships that take the form of exclusively personal, continuous work and whose execution methods are organized by the client also with reference to time and place of work ". Following the modifications introduced by l. 2 November 2019, n. 128, in force since November 3, 2019, art. 2 above provides that the work performances are not "exclusively" but "mainly" personal, and moreover, in specifying that the methods of execution of the work are organized by the client, it has deleted the reference to time and place of work. Finally, it was clarified that the provisions apply "even if the procedures for carrying out the service are organized through platforms, including digital ones".

Chapter V-bis dedicated to "Protection of work through digital platforms" was also added which introduced the definitions of digital platforms ("the IT programs and procedures used by the client which, regardless of the place of establishment, are instrumental to the activities of delivery of goods, fixing the remuneration and determining the methods of execution of the service ") and of riders (" self-employed workers who carry out the delivery of goods on behalf of others, in urban areas and with the aid of cycles or vehicles engine referred to in article 47, paragraph 2, letter a), of the highway code, referred to in legislative decree 30 April 1992, n. 285, also through digital platforms ") (see art. 47-bis, legislative decree no. 81/2015). Such definitions, as also clarified with the circular of the Ministry of Labor no. 17 of November 19, 2020, have a general value, i.e. also referring to the services rendered in the context of the so-called hetero-organization pursuant to the aforementioned art. 2, d. lgs. n. 81/2015. The aforementioned Chapter V-bis has also established "minimum levels of protection" for riders who, in practice, operate as self-employed workers, in particular by extending the applicability of the "anti-discrimination discipline and that protecting the freedom and dignity of the worker provided for subordinate workers, including access to the platform "and prohibiting" exclusion from the platform and reductions in job opportunities attributable to non-acceptance of the service "(Article 47-quinquies, Legislative Decree no. 81/2015). It is also specified that the regulations on the protection of personal data are applicable to the processing of data of workers who carry out their activity through digital platforms (Article 47-sexies, Legislative Decree no. 81/2015). These rights must be understood as recognized to the riders regardless of the nature of the underlying employment relationship (hetero-organized or autonomous), since they are fundamental and unavailable rights (on the applicability of this overall discipline to riders see Court of Bologna, section work, ord. . 31.12.2020).

In light of this reference discipline, the processing of personal data subject to assessment is carried out by Foodinho srl as part of an employment relationship now regulated by the aforementioned art. 2, d. lgs. n. 81/2015 (as amended by article 1, paragraph 1, letter a), nos. 1 and 2, dl 3.9.2019, n. 101, converted with modifications into l. 2.11.2019, n. 128). The company, in fact, through the use of a digital platform allows customers to place orders for food or other goods from a commercial establishment and organizes the transport and delivery of goods, in the absence of any coordination established by mutual agreement with the riders.

From the examination of the concrete methods of the treatments carried out, it emerges that, regardless of what is abstractly provided for in the employment contract, the riders continuously perform the service with mainly personal activities and with executive methods substantially determined and organized by the company also through the use of the digital platform. The company, through the system for booking the work shifts identified ("system of excellence"), selects and distributes the shifts themselves (slots), through the operation of a system based on the score assigned to the rider (score). This score, as seen, takes into account the assessments assigned by customers and merchants and the quantity of orders assigned and carried out based on the forecasts of the estimated (and actually occurred) delivery time. Furthermore, again through the operation of the platform, the company prepares the assignment of orders, using an algorithm that identifies the rider on the basis of a plurality of parameters, including the geographical position taken into consideration to evaluate the proximity to the place where he must the service be carried out. It is precisely through the operation of these systems (which have at their disposal a plurality of other data collected, for example the battery level of the device used by the rider) that the company organizes the delivery of food and other goods, identifying, among other things, the time and place of the performance. Furthermore, the activity is organized in such a way as to reward the riders with the highest number of orders accepted and delivered, thus confirming the company's interest in having the performance be continuous. su puntuación disminuye y with her the posibilidad de que en el future se le encarguen más servicios y achieve la rentabilidad económica que busca, lo que equals perder empleo y retribución. Además la empresa penaliza a los repartidores, dejando de asignarles pedidos, when no estén operativos en las franjas reservadas, except in case of justificada duly comunicada y acreditada ", par. decimoctavo).

In fact, it is the scoring system itself that is structured in such a way as to presuppose (and in any case encourage) the continuity of rider performance, considering that the assignment of work shifts is carried out on the basis of a score that increases with the increase in orders assigned, accepted and delivered. A significant portion of the scoring system (35%) is also awarded as long as the rider is able to book at least 5 high demand slots for 7 consecutive days.

The aforementioned reconstruction of the nature of the employment relationship in which the treatments are carried out is, on the other hand, consistent with what has been ascertained by European jurisprudence which has, with some recent rulings, qualified the activity of subjects who through a digital platform connect customers and merchants in terms of transport company activities (see, among the most recent, Court of Justice, Grand Section, 20 December 2017, C-434/15 concerning the case involving Uber Systems Spain SL; Cour de cassation, Chambre sociale, 4 March 2020, n.374, adopted against Uber France and Uber BV; Sentencia SOCIAL Nº 805/2020, Tribunal Supremo, Sala de lo Social, Rec 4746 / 2019 de 25 de Septiembre de 2020 cit., Adopted against GlovoApp23).

Finally, in this regard, the Supreme Court of Cassation (sentence 24 January 2020, n. 1663), ruling in a case concerning the employment relationship between a "food delivery" company (Digital Services XXXVI Italy srl, incorporated by Foodinho srl) and some riders, clarified that the aforementioned art. 2, legislative decree n. 81/2015 must be qualified as a disciplinary rule that does not create a new case, given that “upon the occurrence of the characteristics of the collaborations identified by art. 2, paragraph 1, of Legislative Decree 81 of 2015, the law imperatively links the application of the subordination discipline ". In particular, following some legislative changes that have affected the type of employment contracts in Italy, "the legislator, in an anti-elusive perspective, intended to limit the possible negative consequences, however, providing for the application of the discipline of the subordinate employment relationship to forms of continuous and personal collaboration, carried out with the functional interference of the organization unilaterally prepared by the person who commissions the service ". This result was achieved by the national legislator by evaluating "certain factual indices considered significant (personality, continuity, hetero-organization) and sufficient to justify the application of the regulations dictated for the employment relationship [...]". Therefore "when the hetero-organization, accompanied by personality and continuity of performance, is marked to the point of making the collaborator comparable to an employee, equivalent protection is required and, therefore,

With reference to the rules applicable ratione temporis to the present case, the treatments carried out in the context of the employment relationship by Foodinho still have the characteristics ascertained by the Authority during the procedure; from this follows the application of the sector regulations currently in force (art. 2, legislative decree 15.6.2015, n. 81). In any case, for the reasons set out above, paragraph 1 of the aforementioned art. 2, legislative decree n. 81/2015 also in the text prior to the recent regulatory changes that took place in 2019 (applicable to "mainly personal, continuous work performance whose execution methods are organized by the client also with reference to time and place of work").

In this regard, the company's objection according to which the signing, by the latter, of the national collective agreement stipulated by Assodelivery and UGL on 15 September 2020 (which entered into force on 3.11.2020) would have “Formally […] crystallized” the nature of the collaboration relationship established with the riders in the sense of excluding the applicability of the discipline of the subordinate relationship (including that referred to in Article 114 of the Code). First of all, it is noted that the suitability of the aforementioned national collective labor agreement, which began to produce its effects about one year and three months after carrying out the inspections at the company, to carry out the legal qualification of the relationship regulated therein was denied with circular of the Ministry of Labor of 19 November 2020; the Ministry of Labor also doubted whether the aforementioned collective agreement has the characteristics - and therefore is suitable for producing the relative effects - identified in chapter V-bis, specifically art. 47-quater- and in art. 2, paragraph 2, lett. a) (expressly mentioned in the premises of the national collective labor agreement but relating to hetero-organized work), of Legislative Decree no. lgs. n. 81/2015, v. note 17 September 2020). In any case, as a result of the provisions of art. 47-quinquies, d. lgs. n. 81/2015, the application of the rules on "freedom and dignity of the worker" envisaged for subordinate workers (which certainly includes that set by art. 4, l. 20.5.1970, n. 300) ,

Given therefore that the provisions of art. 4, l. 300/1970 cit., It is noted that the company carries out a meticulous check on the work performed by the riders through the geolocation of the device (carried out in ways that go beyond what is necessary to assign the order due to the rider's distance from the pick-up point and delivery, as claimed by the company, see detection every 15 seconds and storage of all the paths taken for 10 months) (see also on this point what was ascertained against GlovoApp23 by Tribunal Supremo, 25.9.2020, cit. geolocalización por GPS of the requestante mientras realizaba su actividad, recording los kilómetros que recorría, es también an indicio relevante de dependencia en la medida en que permite el control empresarial en timé real del desempeño de la prestación. Los repartidores están sujetos to a permanent system of control mientras desarrollan la prestación del servicio ", para. decimonoveno). Furthermore, the company carries out treatments that allow the rider to be controlled by collecting and storing, during the execution of the order, a multiplicity of further personal data, including communications with customer care.

The art. 114 of the Code (“Guarantees regarding remote control”), as already mentioned, refers to art. 4, ln 300/1970 as a condition of lawfulness of the processing of personal data carried out in the context of the employment relationship. According to this last provision, "The audiovisual systems and other tools from which the possibility of remote control of workers' activity also derives can be used exclusively for organizational and production needs, for work safety and for the protection of assets company and can be installed after a collective agreement stipulated by the unitary union representation or by the company union representatives. Alternatively, in the case of companies with production units located in different provinces of the same region or in several regions, this agreement can be stipulated by the comparatively most representative trade unions at the national level. In the absence of an agreement, the systems and tools referred to in the first period can be installed with the authorization of the territorial office of the National Labor Inspectorate ".

The company, while carrying out through a plurality of technological tools (the digital platform, the app and the channels used by customer care) data processing that allow a meticulous control activity on the work performance carried out by the riders, has failed to apply what is established in this regard. from the aforementioned art. 4, paragraph 1, l. 300/1970. This labor discipline, as seen above, constitutes one of the provisions of national law "more specific to ensure the protection of rights and freedoms with regard to the processing of personal data of employees in the context of employment relationships" identified by art. 88 of the Regulation.

This therefore constitutes the violation of the principle of lawfulness of processing (Article 5, paragraph 1, letter a) of the Regulation in relation to art. 114 of the Code) and art. 88 of the Regulation regarding the applicable regulations on the matter.

4. Conclusions: illegality of the treatment. Corrective measures pursuant to art. 58, par. 2, Regulations.

For the aforementioned reasons, the Authority believes that the declarations, documentation and reconstructions provided by the data controller during the investigation do not allow to overcome the findings notified by the Office with the act of initiation of the procedure and which are therefore unsuitable to allow the filing of this proceeding, since none of the cases provided for by art. 11 of the Guarantor Regulation n. 1/2019.

The processing of personal data carried out by the company is in fact illegal, in the terms set out above, in relation to articles 5, par. 1, lett. a), c) and e) (principles of lawfulness, correctness, minimization and limitation of conservation); 13 (information); 22, par. 3 (appropriate measures for automated processing including profiling); 25 (data protection by design and data protection by default: privacy by design and by default); 30, par. 1, lett. a), b), c), f) and g); 32 (security measures); 35 (impact assessment); 37, par. 7 (communication to the supervisory authority of the data protection officer); 88 (processing of data in the context of employment relationships) of the Regulation; 114 (guarantees regarding remote control) of the Code.

Given the corrective powers attributed by art. 58, par. 2 of the Regulation, in light of the circumstances of the specific case, it is considered necessary to assign the company a term to comply with the Regulation the data processing still in place, therefore:

- the company is enjoined to comply with the Regulations its treatments with reference to the correct preparation of the documents containing the information, the treatment register and the impact assessment, also aligning the characteristics of the treatments indicated therein, in the terms set out in the motivation (art . 58, par. 2, letter d), Regulation);

- the company is enjoined to conform its processing to the Regulation with reference to the identification of the retention times of the processed data, in the terms set out in the motivation (Article 58, paragraph 2, letter d), Regulation);

- the company is enjoined to comply with the Regulations their treatments with reference to the identification of appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, at least the right to obtain human intervention by the data controller, of express their opinion and contest the decision, in relation to automated processing including profiling carried out through the platform, in the terms set out in the motivation (Article 58, paragraph 2, letter d), Regulation);

- the company is enjoined to comply with the Regulations its processing with reference to the identification of appropriate measures aimed at periodically verifying the correctness and accuracy of the results of the algorithmic systems, also in order to ensure that the risk of errors is minimized and to comply with what established by art. 47-quinquies, d. lgs. n. 81/23015 regarding the prohibition of discrimination, access to the platform and exclusion from the platform (Article 58, paragraph 2, letter d), Regulation);

- the company is enjoined to conform its processing to the Regulation with reference to the identification of appropriate measures aimed at introducing tools to avoid improper and discriminatory use of reputational mechanisms based on feedback; this check must be repeated at each modification of the algorithm relating to the use of feedback to calculate the score (Article 58, paragraph 2, letter d), Regulations);

- the company is enjoined to comply with the Regulations its overall processing of rider data with reference to the application of the principles of minimization and privacy by design and by default, in relation to the identification of the subjects and profiles authorized to access the different types of data with regard to the tasks performed, in the terms set out in the motivation (Article 58, paragraph 2, letter d), Regulation);

- the company is enjoined to comply with the Regulation its processing with reference to the fulfillment of the provisions of art. 4, paragraph 1, l. 20.5.1970, n. 300, within the terms set out in the motivation (art. 58, par. 2, letter d), Regulation);

- in addition to the corrective measure, there is a pecuniary administrative sanction pursuant to art. 83 of the Regulation, commensurate with the circumstances of the specific case (Article 58, paragraph 2, letter i), Regulation).

5. Injunction order.

Pursuant to art. 58, par. 2, lett. i) of the Regulations and art. 166, paragraphs 3 and 7 of the Code, the Guarantor orders the application of the pecuniary administrative sanction provided for by art. 83, par. 5, lett. a) of the Regulation, through the adoption of an injunction order (Article 18, Law 11/24/1981, n. 689), in relation to the processing of personal data carried out by the company, which was found to be unlawful, within the terms above, in relation to articles 5, par. 1, lett. a), c) and e); 13; 22, par. 3; 25; 30, par. 1, lett. a), b), c), f) and g); 32; 35; 37, par. 7; 88 of the Regulation; 114 of the Code, following the outcome of the procedure pursuant to art. 166, paragraph 5 carried out in contradiction with the data controller (see previous points 1.4. And 1.5.).

Considering it necessary to apply paragraph 3 of art. 83 of the Regulation where it provides that "If, in relation to the same treatment or related treatments, a data controller [...] violates, with willful misconduct or negligence, various provisions of this regulation, the total amount of the pecuniary administrative sanction does not exceed the amount specified for the most serious violation ", considering that the ascertained violations of art. 5 of the Regulation are to be considered more serious, as they relate to the non-compliance with a plurality of general principles applicable to the processing of personal data and the applicable sector regulations, the total amount of the sanction is calculated in such a way as not to exceed the maximum legal notice provided for the aforementioned violation. Consequently, the sanction envisaged by art. 83, par. 5, lett. a), of the Regulation, which sets the maximum legal limit in the sum of 20 million euros or, for companies, in 4% of the annual worldwide turnover of the previous year, whichever is higher.

With reference to the elements listed in art. 83, par. 2 of the Regulation for the purposes of applying the pecuniary administrative sanction and its quantification, taking into account that the sanction must "in any case [be] effective, proportionate and dissuasive" (Article 83, par. 1 of the Regulations), it is stated that , in the present case, the following circumstances were considered:

a) in relation to the nature, gravity and duration of the violation, the nature of the violation was considered relevant which concerned the general principles of processing, including the principle of lawfulness (also with reference to the specific provisions relating to processing in the context of relationships work and work through digital platforms); the violations also concerned multiple further provisions relating to: information, exercise of rights in the field of automated processing including profiling, application of the principle of privacy by design and by default, register of treatments, security measures, impact assessment and communication to the contact data authority of the data protection officer;

b) with reference to the willful or negligent nature of the violation and the degree of responsibility of the owner, the negligent conduct of the company and the degree of responsibility of the same that has not complied with the regulations on data protection relating to a plurality of provisions;

c) the company has, during the procedure, adopted a measure with reference to the alleged violation of art. 32 of the Regulation;

d) the absence of specific precedents (relating to the same type of treatment) charged to the company;

f) the company cooperated with the Authority only partially during the procedure.

It is also believed that they assume relevance in the present case, taking into account the aforementioned principles of effectiveness, proportionality and dissuasiveness to which the Authority must comply in determining the amount of the sanction (Article 83, paragraph 1, of the Regulation), in firstly, the economic conditions of the offender, determined on the basis of the revenues achieved by the company with reference to the financial statements for the year 2019 (which recorded operating losses). Lastly, account is taken of the legal penalty imposed, in the previous regime, for the corresponding administrative offenses and the extent of the sanctions imposed in similar cases.

In the light of the elements indicated above and the assessments made, it is considered, in this case, to apply the administrative sanction of payment of a sum of € 2,600,000.00 (2 million, six hundred thousand) to Foodinho srl.

In this context, it is also considered, in consideration of the type of violations ascertained that concerned the general principles of processing, including the principle of lawfulness and further multiple provisions relating to information, the exercise of rights in the field of automated processing including profiling, the application of the principle of privacy by design and by default, to the register of treatments, to the security measures, to the impact assessment and to the communication to the Authority of the contact details of the data protection officer, who pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor Regulation n. 1/2019, this provision should be published on the Guarantor's website.

It is also believed that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

It should be remembered that, if the conditions are met, the sanction pursuant to art. 83, par. 5, lett. e) of the Regulations.

WHEREAS, THE GUARANTOR

detects the unlawfulness of the processing carried out by Foodinho srl, in the person of the legal representative, with registered office in Viale Monza, 259, Rome (RM), CF 09080990964, pursuant to art. 143 of the Code, for the violation of art. 5, par. 1, lett. a), c) and e); 13; 22, par. 3; 25; 30, par. 1, lett. a), b), c), f) and g); 32; 35; 37, par. 7; 88 of the Regulation; 114 of the Code;

INJUNCES

pursuant to art. 58, par. 2, lett. d) of the Regulations to Foodinho srl, to conform their processing to the Regulations with reference to the correct preparation of the documents containing the information, the treatment register and the impact assessment, within 60 days of receipt of this provision;

INJUNCES

pursuant to art. 58, par. 2, lett. d) of the Regulations to Foodinho srl, to comply with the Regulations their treatments with reference to the identification of the retention times of the processed data, within 60 days of receipt of this provision;

INJUNCES

pursuant to art. 58, par. 2, lett. d) of the Regulations to Foodinho srl, to comply with the Regulations their treatments with reference to the identification of appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, at least the right to obtain human intervention by the owner of the processing, to express their opinion and to contest the decision, in relation to automated processing including profiling carried out through the platform, within 60 days of receipt of this provision;

INJUNCES

pursuant to art. 58, par. 2, lett. d) of the Regulation to Foodinho srl, to comply with the Regulation their processing with reference to the identification of appropriate measures aimed at periodically verifying the correctness and accuracy of the results of the algorithmic systems also in order to ensure that the risk of errors is minimized and to comply as established by art. 47-quinquies, d. lgs. n. 81/23015 regarding the prohibition of discrimination, access to the platform and exclusion from the platform, to be started within 60 days of receipt of this provision, concluding the verification activity within the following 90 days;

INJUNCES

pursuant to art. 58, par. 2, lett. d) of the Regulations to Foodinho srl, to conform their processing to the Regulations with reference to the identification of appropriate measures aimed at introducing tools to avoid improper and discriminatory use of reputational mechanisms based on feedback, a check that must be repeated at each modification of the algorithm regarding the use of feedback for the calculation of the score, to be started within 60 days of receipt of this provision, concluding the verification activity within the following 90 days;

INJUNCES

pursuant to art. 58, par. 2, lett. d) of the Regulations to Foodinho srl, to conform their processing to the Regulations with reference to the application of the principles of minimization and privacy by design and by default, within 60 days of receipt of this provision;

INJUNCES

pursuant to art. 58, par. 2, lett. d) of the Regulations to Foodinho srl, to conform their processing with the Regulations with reference to the fulfillment of the provisions of art. 4, paragraph 1, l. 20.5.1970, n. 300, within 60 days of receipt of this provision;

ORDER

pursuant to art. 58, par. 2, lett. i) of the Regulations to Foodinho srl, to pay the sum of Euro 2,600,000.00 (2 million, six hundred thousand) as a pecuniary administrative sanction for the violations indicated in this provision;

INJUNCES

also to the same Company to pay the aforementioned sum of € 2,600,000.00 (2 million, six hundred thousand), according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive deeds pursuant to 'art. 27 of the law n. 689/1981. It should be remembered that the offender has the right to settle the dispute by paying - again according to the methods indicated in the annex - of an amount equal to half of the sanction imposed, within the term referred to in art. 10, paragraph 3, of the d. lgs. n. 150 of 1.9.2011 envisaged for the submission of the appeal as indicated below (Article 166, paragraph 8, of the Code);

HAS

the publication of this provision on the website of the Guarantor pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor Regulation n. 1/20129, and believes that the conditions set out in art. 17 of Regulation no. 1/2019.

It requests Foodinho srl to communicate which initiatives have been undertaken in order to implement the provisions of this provision and in any case to provide adequately documented feedback pursuant to art. 157 of the Code, within 90 days from the date of notification of this provision; any non-response may result in the application of the administrative sanction provided for by art. 83, par. 5, lett. e) of the Regulations.

Pursuant to art. 78 of the Regulations, as well as articles 152 of the Code and 10 of Legislative Decree n. 150/2011, an opposition to the ordinary judicial authority may be proposed against this provision, with an appeal filed with the ordinary court of the place identified in the same art. 10, within thirty days from the date of communication of the provision itself, or sixty days if the applicant resides abroad.

Rome, June 10, 2021

THE PRESIDENT
Stanzione

THE RAPPORTEUR
Stanzione

THE SECRETARY GENERAL
Mattei

Date
10/06/21
Topics
Disclosure
 
Geolocation
 
Private work
 
Data protection officer
 
Artificial intelligence
 
Treatment register
Typology
Corrective and sanctioning measure
See also (2)
Rider: Privacy Guarantor, no discrimination based on algorithms. Sanction of 2.6 million euros to a platform of the Glovo group

Abstract of Italian SA's order as issued against Foodinho Srl