Foodinho – €5,000,000 Fine (Italy, 2024)

In this case the controller is Foodinho a food delivery company managing the service “Glovo” in Italy. This company is owned by Glovoapp23 SA, a Spanish holding. The DPA started its investigation following the death of one of its employees while he was delivering food. The controller uses an online platform provided by Glovo ES (appointed as processor) to manage its employees and the deliveries. This platform allows to see a map of every place in the World where Glovo operates and the live location of each employee. The controller, by clicking on a “rider”, can view their location, the time slots in which they are available, the deliveries they performed and the track they followed. The investigation showed that this geolocation function was active, in some cases, even outside working hours and when the app was not active. Moreover, the controller implemented a facial recognition function for identity verification purposes, provided by a processor, Jumio Corporation. According to this procedure, the data subjects (employees) needed to upload an ID card and take a selfie of themselves. After that, the data subjects were asked to take a selfie in random occasions. If they refused to do so, their possibility of getting further delivery time slots was blocked. The controller argued that this processing was necessary to comply with Article 23 of the applicable collective agreement, stating that it’s forbidden for the employees to be replaced by a third party. Furthermore, the investigation showed that the controller’s software allowed to rate the data subjects. The controller argued that this rating function is not active for Italy. The DPA considered that the data processing is made by Foodinho, who fits the definition of controller as it decides the purposes and means of processing, as laid out in the privacy notice given to riders and in the contract with GlovoApp 23 SA. The case at hand does not concern a cross-border data processing activity as the data processi