The Privacy Supervisor sanctions Foodinho for personal data breaches

The Guarantor for the protection of personal data has imposed a sanction of five million euros on Foodinho S.r.l. This company manages the Glovo platform in Italy, for the unlawful processing of the personal data of over 35,000 riders through its digital platform.
The Authority found several violations. One of the most critical aspects concerns the geolocation system adopted by Foodinho until August 2023: the application tracked riders' positions not only during deliveries but also when they were disconnected, keeping monitoring active even when the app was closed. This has raised serious concerns about protecting workers' privacy.
Another controversial point is the management of account deactivation. The riders, in case of suspension of their profile on the platform, received an automatic message without any possibility of providing explanations or contesting the decision. A mechanism which, according to the Guarantor, violated the principle of transparency and the right of defence.
Finally, the sharing of personal data with third-party companies has been unclear, and workers have not been properly informed about who has access to their personal information and for what purposes.
Already in 2021, Foodinho was fined 2.6 million euros for serious offences related to the use of algorithms in managing workers and shifts.
As a result of these violations, the Guarantor had imposed a series of corrective measures on Foodinho, including reviewing account deactivation messages, properly managing privacy policies and impact assessments, Limiting the retention of personal data and introducing tools to guarantee riders the right to human intervention in algorithmic decisions. In addition, the company has been prohibited from processing rider’s biometric data, requiring its deletion within 30 days.
Foodinho has communicated the intention not to contest the corrective measures requested and to pay the administrative penalty of five million euros in reduced form. The company has also expressed its willingness to work with the Guarantor to create a new industry standard for personal data protection.
However, due to the technical complexity of the required interventions, Foodinho requested a deadline’s extension to implement the necessary modifications. The Guarantor has assessed the request and granted an extension of 90 days to comply with the requirements set out in the order of 13 November 2024. In particular, the deadline for deletion of biometric data has been extended from 30 to 120 days and the deadline for compliance with the requirements has been increased from 60 to 150 days. The subsequent verification periods remain unchanged (90 and 120 days, depending on the planned measures).
Foodinho shall provide the Guarantor with a detailed account of the actions taken to comply with the requirements. If the company will not adopt adequate measures within 90 days of the new deadlines, further penalties may be triggered, as provided by the Guarantor.
The decision by the Guarantor has been published on its official website to ensure maximum transparency and inform all parties involved.