Foodinho Srl: Non-compliance with general data processing principles

The Italian DPA has fined the food delivery service Foodinho Srl EUR 5 million for unlawfully processing the data of approximately 35,000 drivers and for several violations of the GDPR. The DPA's investigation revealed that the company collected drivers' location data without their knowledge or consent—not only during working hours but also when the app was running in the background or inactive. Additionally, the DPA found that the company shared driver data with third parties without a valid legal basis. The investigation also uncovered that automated data processing was used for functions such as the evaluation system and task allocation during shifts, but the company had failed to implement necessary GDPR measures, such as allowing human intervention or enabling drivers to contest decisions made through the automated systems. Furthermore, biometric data, including facial recognition, was used without a valid legal basis. The investigation also revealed that drivers whose accounts were blocked received only standardized messages, with no information provided about their rights to appeal.

GDPR Articles: Art. 5 (1) a), c), d), e) GDPR, Art. 6 GDPR, Art. 9 (2) b) GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 22 (3) GDPR, Art. 25 GDPR, Art. 28 GDPR, Art. 32 GDPR, Art. 35 GDPR, Art. 88 GDPR, Art. 2-septies Codice della privacy, Art. 114 Codice della privacy, Art. 47-quinquies Decreto legislativo 81/2015
Industry: Employment