On August 2, 2021, the Italian Data Protection Authority (Garante per la protezione dei dati personali, “Garante”) announced that it had levied a €2,500,000 fine on Deliveroo Italy s.r.l. for the unlawful processing of personal data of approximately 8,000 Deliveroo riders, and various infringements of the EU Genera Data Protection Regulation (the “GDPR”).
Following an investigation into Deliveroo’s practices, the Garante found that Deliveroo had failed to provide transparent information to its riders about the algorithm used to manage riders’ work shifts. In addition, the Garante found that Deliveroo’s app collected a disproportionate amount of riders’ personal data in violation of the principles of lawfulness, transparency, data minimization and storage limitation.
The Garante also ordered Deliveroo to correct the GDPR violations it had found in Deliveroo’s data protection practices, including violations relating to, among others:
- Accountability, including the preparation of internal documentation on personal data processing, internal records of processing and data protection impact assessments;
- Transparency regarding data storage limitation, the measures implemented to protect the rights, freedoms and legitimate interests of riders, and measures implemented to verify the accuracy of data used by Deliveroo’s algorithm to manage riders’ work shifts.
Deliveroo was given a period of 60 days to correct the violations, and an additional period of 90 days to correct those related to the algorithm it uses.