The Italian Data Protection Authority sanctioned the company Foodinho S.r.l., a Glovo Group company, to pay a fine of EUR 5 million for unlawfully processing the personal data of more than 35,000 riders through its digital platform.   

Following a complex investigation carried out ex officio by the Authority, it revealed that the company, which had already been sanctioned in 2021 for unlawful processing and violations of the provisions of the privacy legislation, was carrying out “numerous and serious violations” of the GDPR. 

Among others, the company:  

1. when de-activating or blocking the rider’s account, it automatically sent a single standard message without informing the recipient of the possibility of contesting the decision and requesting that the account be restored, 
2. carried out automated processing of riders’ personal data without having taken the measures required by the regulations for the use of automated systems. In fact, the rider was not provided with the possibility of exercising the right to obtain human intervention, to express his or her opinion and to contest the decision taken through the system (n.b. on this point also the so-called “Transparency Decree”), 
3. sent, without prior notice, the riders’ personal data, including their geographical location, to third-party companies. The geolocation data were collected and processed even when the rider was not working and even when the app was in the background or not active.  

In addition to the numerous violations of privacy regulations pointed out by the Italian Data Protection Authority and partially reported herein, it is worth mentioning that the Authority highlighted that in this case, the company “while carrying out an activity of systematic control of the work performed by the riders, through the settings and functions of technological tools that operate remotely (digital platform, app, communication recording systems), […], did not comply with the provisions established by Article 4, paragraph 1, of Law no. 300/1970, as it did not verify that the tools used are attributable to the purposes strictly allowed by the law (organizational and production needs, work safety and protection of the environment, and protection of the environment) nor did it activate the guarantee procedure provided for in the event of the existence of one of the aforementioned purposes (collective agreement entered into with trade union representatives or, failing that, authorization by the Italian Labor Inspectorate)”. 

In other words, the company, in addition to implementing technical and organizational security measures aimed at eliminating breaches and ceasing unlawful processing of personal data, must also take appropriate measures to comply with the provisions of the Workers’ Statute on remote control of employees. 

Other related insights: 

• Company e-mail and metadata: the Italian Data Protection Authority updates the guideline document