With order n. 285 of July 22nd 2021, the Italian Data Protection Authority ordered Deliveroo Italy s.r.l., a leading company in the food delivery industry, to pay a penalty of 2.5 million euros for the unlawful processing of the personal data of about 8,000 riders.
The Italian Data Protection Authority found several violations by Deliveroo of both national rules (including those on employees' rights) and European rules (first of all, EU Regulation 679/2016, the GDPR).
In particular, it was found that non-transparent, and thus potentially discriminatory, algorithms were used to manage riders and, specifically, to assign orders and book work shifts.
The preliminary analysis, which examined the digital platform through which the delivery service operates, highlighted the use of automated processing, including profiling, on which the “excellence system” is supposedly based. This system assigns a score to each rider, and the score determines priority access to the selection of time slots.
The criteria that increase the score are the orders actually delivered and acceptance of an assigned order within 30 seconds. Under this system, therefore, a rider who does not promptly accept an order, or rejects it, is penalized in favor of a rider who accepts within the allotted time and manages to fulfill the highest number of deliveries.
It was found that the way this algorithm functioned on the platform was subject to distortions that amplified the risk of potentially discriminatory calculation errors against riders, who could thus suffer an unjustified limitation of delivery assignments, up to and including exclusion from the platform.
In addition, the company is responsible for not having adequately informed riders about how this system works. In fact, no technical or organizational measure was taken to periodically verify the accuracy of the results produced by the algorithm, or the adequacy of the data used in relation to the purposes of the processing, in order to reduce the risk of distortive and discriminatory effects as much as possible.
Moreover, the Authority also found that data collected during the execution of orders (including chats with customer care) was unlawfully stored for a period longer than that provided for by the GDPR. As the decision states, “the company identified a unique term of storage, equal to 6 years, in itself significant, in relation to a plurality of processing carried out for different purposes as well as in relation to distinct types of data, in some cases referred also to the content of communications (via chat and e-mail) which are protected by the regulations with specific guarantees”.
From a strictly employment-law point of view, it was shown that every 12 seconds Deliveroo carries out monitoring, as meticulous as it is illegal, of the working activity of its employees by detecting their geolocation, and stores all their delivery routes for 6 months.