Foodinho s.r.l.

Kirjeldus

The Italian DPA (Garante) has fined Foodinho s.r.l. EUR 2,600,000. Foodinho is an Italian food delivery service. The investigation against Foodinho mainly focused on the drivers of Foodinho. In the process, the DPA found some serious violations of applicable data protection regulations. Thus, the DPA identified some irregularities concerning the algorithms of the Foodinho system. In particular, the DPA found that the controller had not adequately informed employees about how the system worked and did not guarantee the accuracy and correctness of the results of the algorithms used to evaluate drivers. Furthermore, the DPA found violations of the principles of data minimization as well as memory limitation. For example, the systems processed drivers' data to an extent that exceeded the purpose of the processing and, in some cases, stored the data significantly longer than necessary. In addition, the controller had not taken sufficient technical and organizational measures to ensure secure data processing. The controller had also not conducted a data protection impact assessment, although this would have been necessary due to the considerable amount of data of different types relating to a significant number of data subjects. Separate proceedings are being conducted against the parent company GlovoApp23 by the Spanish DPA (AEPD).