The activities of home delivery through online booking platform had already been under the lens of the Italian Data Protection Authority in 2019, culminating in the decisions against Deliveroo (of July 22, 2021, web doc No. 9685994) and Foodinho.
In the Foodinho case, Decision No. 234 of June 10, 2021 (web doc no. 9675440) provided for the imposition of a fine of 2,600,000 euros and at the same time the Authority enjoined the company to:
- Properly fulfill obligations for privacy notice, record of processing activities, and impact assessment
- Identify retention periods for processed data
- Take appropriate measures to protect the rights, freedoms and legitimate interests of data subjects, including the right to obtain human intervention, express their opinion and challenge automated decisions
- Periodically verify the correctness and accuracy of the results of algorithmic systems to minimize the risk of errors and comply with the prohibition of discrimination
- Introduce tools to avoid improper and discriminatory uses of feedback-based reputational mechanisms
- Apply the principles of minimization and privacy by design and by default
- Comply with the provisions of Article 4 of the Workers’ Statute.
The decision was subsequently appealed before the Court of Milan, which nullified it on the grounds that the fine imposed was excessive. Against the ruling, the Italian Data Protection Authority filed an appeal for cassation that was upheld in 2023 by the Court of legitimacy, which set aside the court’s ruling and referred the case back to the same court. Finally, we learn from the decision under review that due to the Company’s failure to resume the case before the referring court, the Authority’s 2021 decision became unenforceable.
