Deliveroo fined 2.5 million EUR for not informing about automated processing Summary Our remarks An Italian food delivery company, Deliveroo, used • Using AI technology to score an individual based on AI technology to manage their couriers’ ability to personal data constitutes profiling. To ensure that choose shifts. Shifts between 19:00 and 21:00 on the profiling is compliant with the GDPR, you must Fridays, Saturdays, and Sundays (called ’super peak’ inform the data subject clearly and in language shifts) paid higher wages and were therefore more that is clear and easy to understand, and includes popular. The courier with the best score had priority in the following: booking shifts. A bidder’s score was based on previous participation in super peak shifts, how many times they ° That the profiling is taking place. had canceled a booked session, and how quickly they ° What data is used for profiling. delivered orders. A bidder could see its score but could not see how it was calculated. ° How the technology behind the profiling calculates the results. The decision of the Italian Data Protection ° That the data subject is allowed to object to the Authority outcome of the profiling. The Italian Data Protection Authority fined Deliveroo 2.5 million EUR for failing to ensure sufficient transparency ° That the AI technology is only fed with the data (GDPR, Article 5(1)(a)), and for not implementing necessary to achieve the desired output. appropriate measures to safeguard the data subject’s • When performing profiling via AI technology, a rights in relation to profiling (Article 22(3) of the GDPR). data impact assessment should always be carried out beforehand, testing the technology for bias to ensure that the profiling arrives at a correct result and is not discriminatory. Published: 22-07-2021, Journal number: 9685994 Tags: 01 Legal basis for processing and principles of processing 138