Deliveroo Italy s.r.l. – €2,500,000 Fine (Italy, 2021)

The Italian DPA (Garante) has fined food delivery service Deliveroo Italy s.r.l. EUR 2,500,000 for unlawfully processing the personal data of approximately 8000 drivers. Garante's investigation revealed numerous and serious data protection violations. The violations included a lack of transparency in the algorithms used to manage drivers, both when assigning jobs and when booking work shifts. Deliveroo had used a centralized system for driver management through which it then processed and managed the assignment of orders as well as the booking of work shifts. However, Garante notes that the controller did not adequately inform the drivers about the functioning of the system they had installed on their smartphones, and did not ensure the accuracy and correctness of the results of the algorithmic systems used to evaluate the drivers. In addition, Garante found that Deliveroo carried out a meticulous control of the drivers' work performance - through the continuous geolocation of their device, which went far beyond what was necessary to assign the order (e.g., recording the position every 12 seconds) - and through the storage of a large amount of personal data collected during the execution of the orders, including communication with customer service. In this context, the storage period of the various data had not been defined in a manner appropriate to the purpose. Instead, the controller had defined a flat storage period of six years. Furthermore, the Garante found that the controller had not implemented adequate technical and organizational measures to ensure adequate security of the processing. Deliveroo Italy had also not conducted a data protection impact assessment, although this would have been necessary due to the risk posed to the drivers.