Italy: Garante fines Deliveroo €2.5M for unlawful processing of riders' personal data
The Italian data protection authority ('Garante') announced, on 2 August 2021, that, following an investigation, it had issued a decision to fine Deliveroo Italy €2.5 million for lack of transparency in the use of algorithms to manage riders and for disproportionate collection of their data, in violation of the principles of lawfulness, transparency, data minimisation and storage limitation in Article 5(1)(a), (c) and (e) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), as well as Articles 13, 22(3), 25, 30(1)(c)(f)(g), 32, 35, 37(7), and 88 of the same.
Furthermore, the Garante had also ordered Deliveroo Italy, among other things, to correct its GDPR violations in relation to the following:
- the preparation of documents containing relevant information, the processing register and the Data Protection Impact Assessment;
- the identification of retention times of the processed data;
- the identification of appropriate measures to protect the rights, freedoms and legitimate interests of the data subject;
- the identification of appropriate measures to periodically verify the correctness and accuracy of the results of its algorithmic systems;
- the identification of appropriate measures aimed at introducing tools to avoid improper and discriminatory use of mechanisms based on feedback;
- the application of the principles of minimisation and Privacy by Design and by Default; and
- the identification of the subjects authorised to access the systems, defining purposes that make such access necessary and the adoption of measures to ensure the verification of such access.