Garante Fines Foodinho €5M for Violating GDPR with Biometric Data & Geolocation Tracking of Riders

The Recap

In a significant enforcement action, Italy’s Garante per la protezione dei dati personali (the Italian Data Protection Authority) has imposed a €5 million fine on Foodinho, a food delivery platform, for unlawfully processing its riders’ biometric data and tracking their geolocation. The investigation found serious breaches of the General Data Protection Regulation (GDPR), in particular of the principles of accuracy and data minimization and of the obligation of Data Protection by Design and by Default.

The Nature of the Violations

The Garante's investigation into Foodinho began after concerns were raised regarding its data processing practices, especially in relation to its delivery drivers, often referred to as "riders." The key violations identified in the investigation included:

  1. Biometric Data Processing: Foodinho collected and processed biometric data from its riders, including facial recognition data used to record working hours and to monitor riders’ activity during their shifts. Biometric data is a special category of personal data that the GDPR permits to be processed only under narrow conditions, one of which is the data subject’s explicit consent. Foodinho had not obtained such consent from its riders, so the processing lacked a valid legal basis and clearly violated the regulation.

  2. Geolocation Tracking: The platform also used geolocation tracking to monitor riders’ whereabouts. While real-time location tracking during an active delivery may be necessary for operational reasons, the Garante found that Foodinho went beyond what was strictly necessary: it tracked riders’ locations even outside working hours, violating the principle of data minimization, which requires that data collection be limited to what is necessary for the stated purpose.

  3. Failure in Data Protection by Design and Default: The Garante also found that Foodinho had not implemented sufficient safeguards to protect riders’ data from misuse. The company neither adequately assessed the privacy risks of its processing nor built privacy-protective measures into its systems from the outset. This failure to apply Data Protection by Design and by Default contributed directly to the breaches.

Key GDPR Principles Violated

Foodinho’s actions directly contravened several key principles outlined in the GDPR:

  • Principle of Accuracy: The data Foodinho held was not always accurate, and riders were unable to rectify or challenge the biometric and geolocation data the company held about them. The lack of transparency, and riders’ inability to access or correct their data, were key issues flagged by the Garante.

  • Data Minimization: The GDPR emphasizes that data collected should be adequate, relevant, and limited to what is necessary for the specific purpose for which it is processed. Foodinho’s practice of tracking riders beyond their working hours and processing biometric data without clear necessity violated this principle.

  • Data Protection by Design and Default: This principle requires that privacy measures be incorporated into the design of systems and processes from the outset. Foodinho's failure to integrate privacy protections into their data collection processes led to unnecessary risks and a lack of proper oversight.

The Garante's Findings and Enforcement Action

In its decision, the Garante concluded that Foodinho's data processing practices did not meet the rigorous standards set out by the GDPR. The authority's investigation highlighted that Foodinho had failed to conduct proper risk assessments, obtain adequate consent from riders, and ensure that data processing practices were transparent and in line with data protection requirements.

As a result, the Garante fined Foodinho €5 million. The penalty is a warning to other companies in the delivery and gig-economy sectors: processing workers’ personal data without proper safeguards will be met with severe legal consequences.

Implications for the Gig Economy

The case against Foodinho underscores the growing scrutiny of data processing practices in the gig economy, particularly where sensitive data about workers is involved. Many gig-economy platforms rely heavily on digital monitoring and tracking technologies and have been increasingly criticized for their handling of personal data, including geolocation and biometric information. In response to the Garante’s ruling, companies operating in this space will likely reassess their data collection practices to ensure they comply with the GDPR’s strict requirements.

This fine also marks another example of how European data protection authorities are stepping up enforcement of the GDPR, emphasizing that businesses must prioritize data privacy and transparency to avoid costly penalties.

The Game Plan

Moving Forward: Key Takeaways for Businesses

For businesses processing personal data—particularly those in sectors like food delivery, transportation, or other gig-based services—the key takeaway from this case is the importance of:

  1. Establishing a Valid Legal Basis: When processing sensitive data such as biometrics or geolocation information, companies relying on consent must ensure that it is freely given, specific, informed, and unambiguous, and, for special categories such as biometric data, explicit. Note that in an employment relationship consent is rarely considered freely given because of the imbalance of power between the parties, so a controller should identify another lawful basis permitted by the GDPR rather than rely on consent alone.

  2. Data Minimization: Organizations must limit the collection of personal data to what is strictly necessary for the performance of the task at hand. Collecting data beyond what is required, especially if it involves tracking workers during off-hours, can result in hefty fines.

  3. Implementing Privacy Safeguards from the Start: Data protection should not be an afterthought. Privacy by design means building safeguards into data processing systems from the ground up, ensuring that risks to individual rights are minimized.

  4. Transparency and Access to Data: Riders and workers should be fully informed about what data is being collected, why it is being collected, and how it will be used. They must also be able to exercise their rights to access, rectify, or erase their personal data.

The €5 million fine against Foodinho marks a significant moment in the ongoing evolution of privacy protections in the digital age. As authorities across Europe continue to enforce the GDPR, businesses must take careful stock of their data collection and processing practices, ensuring that they comply with the law and safeguard the rights of their workers and customers. For companies that fail to do so, the financial and reputational risks are only likely to grow in the years ahead.

Need Help?

Tap in Three-Point Law by emailing consult@threepointlaw.com.
