Italy: Garante fines Foodinho €2.6M for unlawful employee management algorithms
The Italian data protection authority ('Garante') announced, on 5 July 2021, that it had issued a decision to fine Foodinho s.r.l., a digital platform under the control of parent company GlovoApp23, €2.6 million for numerous privacy violations regarding the algorithms used for the management of its employees. In particular, the Garante outlined that Foodinho had not adequately informed the workers about the functioning of the system and did not guarantee the accuracy and correctness of the results of the algorithmic systems used for the evaluation of the riders. In addition, the Garante highlighted that Foodinho had failed to guarantee procedures to protect the right to obtain human intervention, express one's opinion, and contest the decisions adopted through the use of the algorithms in question, including in relation to an algorithm that excludes some of its riders from job opportunities. Furthermore, the Garante identified a number of further data protection shortcomings by Foodinho, including regarding Data Protection Impact Assessments, technical and organisational security measures, data protection officer appointment, record-keeping, and Data Protection by Design.
In view of the foregoing, among other findings, the Garante found that Foodinho had violated Articles 5(1)(a), (c) and (e), 13, 22, 25, 30, 32, 35 and 37 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and, in addition to the financial penalty, imposed a number of corrective measures on Foodinho. Specifically, the Garante ordered Foodinho to:
- identify measures to protect the rights and freedoms of riders in the face of automated decisions, including profiling;
- verify the accuracy and relevance of the data used by the system; and
- identify measures that prevent improper or discriminatory use of reputational mechanisms based on customer and business partner feedback.
The Garante clarified that Foodinho now has 60 days to initiate the necessary measures to correct the serious violations detected and a further 90 days to complete the interventions on the algorithms.
Additionally, the Garante noted that it had initiated, for the first time, the joint European cooperation mechanism under the GDPR with the Spanish data protection authority ('AEPD') to investigate the Spanish parent company GlovoApp23, which is now subject to an independent procedure conducted by the AEPD, with the collaboration of the Garante.