Garante per la protezione dei dati personali (Italy) - 9675440

From GDPRhub
Revision as of 09:58, 7 July 2021 by NN (talk | contribs)
Garante per la protezione dei dati personali (Italy) - 9675440
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(c) GDPR
Article 5(1)(e) GDPR
Article 5(1)(a) GDPR
Article 13 GDPR
Article 22 GDPR
Article 25 GDPR
Article 30 GDPR
Article 32 GDPR
Article 35 GDPR
Article 37 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published:
Fine: None
Parties: n/a
National Case Number/Name: 9675440
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: IL GARANTE PER LA PROTEZIONE DEI DATI PERSONALI (in IT)
Initial Contributor: n/a

The Italian DPA fined the digital platform, Foodinho, €2,600,000 for using discriminatory algorithms to manage its food delivery employees.

English Summary

Facts

Foodinho is an Italy-based company and a subsidiary of GlovoApp23, a Spanish-based company. It operates a digital platform for on-demand food delivery in Milan. Employees are typically gig workers who deliver food orders by bike. Of relevance is that, in 2020, the Italian Supreme Court ruled that delivery riders have workers’ rights, regardless of whether they are self-employed. At the time of this decision, Foodinho has some 19,000 delivery riders on its platform.

This is the first decision from the Garante concerning riders and follows from a set of inspections on the handling of employees’ data by the main food delivery companies in Italy. As part of the investigation, the Garante also initiated, for the first time, a joint operation with the Spanish DPA (AEPD) under the terms of the GDPR to shed light on the operation of the digital platform owned by the holding company, GlovoApp23. Of concern to the Garante and the AEPD is how food delivery companies use algorithms to opaquely micromanage platform workers’ labor.

Investigation yielded multiple findings. Firstly, the company had failed to adequately inform its employees on the functioning of the platform and had not implemented suitable safeguards to ensure accuracy and fairness of the algorithmic results that were used to rate riders’ performance. The lack of such safeguards means that discriminatory reviews from clients affected rider ratings.

Secondly, Foodinho did not guarantee procedures to protect the right to obtain human intervention, express one’s opinion, and contest the rider rating resulting use of the algorithms in question, even though ratings could cause a rider to be excluded from job opportunities.

Furthermore, the Garante identified a number of further data protection shortcomings by Foodinho; it had failed to produce satisfactory Data Protection Impact Assessments, implement technical and organizational security measures, appoint a data protection officer appointment, keep records, and implement Data Protection by Design.

Holding

The Italian DPA (Garante) held that Foodinho had violated Articles 5(1)(a), (c) and (e), 13, 22, 25, 30, 32, 35 and 37 of the GDPR through its use of algorithms to manage riders doing food deliveries. Accordingly, it issued a fine of €2,600,000. In calculating the fine, the DPA took into account Foodinho’s resistance to cooperation during the investigation, and the large number of riders on the platform.

In addition, the DPA issued an injunction ordering Foodinho to take corrective measures for each violation. Significantly, Foodinho will have to lay down measures preventing inappropriate and/or discriminatory use of reputational mechanisms based on feedback from customers and business partners.

Firstly, to minimize the risk of errors and biases in rider ratings, Foodinho was ordered to check accuracy and relevance of the data used by the system – chats, emails and phone calls between riders and customer care, geolocation at 15-second intervals, mapping of routes, estimated and actual delivery time, details on the handling of current and past orders, feedback from customers and partners, device battery level, etc.

Secondly, the DPA ordered Foodinho to address the discriminatory risk produced by the rating system, which relies on the application of a mathematical formula that penalizes riders who do not promptly accept orders or reject orders, while prioritizing riders who accept orders on schedule.

The DPA set a 60-day deadline for Foodinho to start implementing the measures required to remedy the serious shortcomings it had found, and gave Foodinho an additional 90 days to finalize a redesign of the algorithms.


Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.