Italy’s data protection authority, the Garante, issued a 2.5 million euro fine against food delivery company Deliveroo for inappropriately processing drivers' personal data.

The company held personal and contract data, payment data, data relating to the drivers' rides and data relating to vehicles used for deliveries for insurance coverage. The detailed opinion raises points that delivery companies, ride sharing companies and even vehicle original equipment manufacturers with proprietary applications can learn from.

Controller-processor roles

Even though a company manages a platform that may have a parent with a significant role in managing the platform, if the company directly processes the personal data of the riders using the digital platform — providing for its population and its use for the management of all stages of delivery of orders entrusted to the riders — it is undoubtedly a data controller for that processing.

Privacy disclosure requirements

A privacy disclosure cannot just be located in a subsection of the terms of use. It needs to be its own document and include all the disclosure requirements required by law (Articles 13 and 14 of the EU General Data Protection Regulation). If you are collecting precise geolocation, in real or semi-real time, you need to provide a detailed explanation of it, including whether you are collecting only in an online status or also in offline situations.

Data retention or minimization

A data retention policy cannot be generic and needs to reflect analysis regarding the appropriate retention periods for each specific type of processing.

Technical and organizational measures

When you maintain a platform, such as a driver platform, make sure to closely assess the permissions and access controls that others have to a specific driver's log. Organizations need to be particularly mindful of access by individuals from other countries to the data of individuals from an EU country.

Profiling

Processing drivers’ data to determine their availability or reliability — such as presenting, with priority, the choice of work shifts to those who have acquired a higher score — constitutes profiling. When you carry out profiling, you are subject to an enhanced disclosure requirement. This includes the logic used, as well as the importance and expected consequences of this treatment for the data subject.

This type of profiling does produce a significant effect on the person concerned, consisting in the possibility of allowing or denying access to job opportunities in certain pre-established time slots and therefore offering or denying an opportunity.

Another potential impact is the possibility of improper or discriminatory use of information gathered from customer feedback. This implicates Article 22 of the GDPR, which gives individuals the right not to be subjected to automated decision-making and to request human intervention.

Data protection impact assessment

The processing activity carried out by the delivery company regarding its drivers is among those that present "a high risk for the rights and freedoms of individuals" with the consequent need to carry out, before the start of the processing, an impact assessment pursuant to Article 35 of the GDPR.

Processing a large number of different types of data referring to a significant number of interested parties, carried out through the digital platform and based on the algorithmic functions described above, by combining supply and demand, has an evident innovative character, all of which indicate a need to conduct a DPIA. Factors that point to this include:

  • The data processing is carried out through the innovative use of a digital platform, the operating mechanism of which has been disclosed only in part, and which is the subject of the activity carried out by the Italian company.
  • The processing is characterized by the collection and storage of a plurality of personal data, including geographic location and communications via phone calls, chat and email.
  • The innovative nature of the technology used by the company — of which the geolocation functionality constitutes only a part, albeit a significant one — and the consequent high risk for the rights and freedoms of the data subjects.
  • The scope of application and the reference context, i.e., work via digital platform, the growing expansion of the market sectors concerned and the evolution of the phenomenon of the so-called "gig economy" in the context of continuous technological changes which are characterizing the labor market.

DPO obligations

Even if the data protection officer is designated at the group of companies level, the obligation remains for the individual entities of the corporate group, owners or managers of the treatment to publish the contact details of the DPO and communicate them to the competent supervisory authority.

Records of processing activities 

Under Article 30 of the GDPR, the ROPA needs to include all types of data processing. This includes processing data related to the geographical position collected via GPS and the plurality of data relating to the details of orders detected through the app.

The ROPA should either describe the security measures you take sufficiently or refer to a specific document. It is not enough to merely refer generically to an unspecified "security policy," "IT policy" or "IT security policy" without any reference to specific documents adopted on the subject.

The ROPA should have a date of adoption, a date of the last update — it needs to be reassessed regularly — and a signature in order to give the document full reliability.
