Il Guarantees Privacywith provision no. 675 of 13 November 2024, sanctioned a company for numerous and serious ones violations of the GDPRwith particular reference touse of fully automated decision-making processes for the evaluation of work performanceand also for the illegitimate use of worker facial recognition systems (biometric data).
The use of fully automated decision-making processes
The Guarantor has ascertained that the Company has violated the artt. 5, para. 1, lett. a), 12 and 13 of the GDPR: while carrying out a plurality of treatments through decision-making processes fully automated, failed to provide interested parties with the information relating to the existence and specific mode of operation of the aforementioned systemsin violation of theArt. 1-bis del D. Lgs. 152/1997, before starting work (as required by art. 1, paragraph 2, of Legislative Decree no. 152 of 26 May 1997).
These systems were intended to provide relevant information for the purposes of assignment of the assignmentfrom the managementfrom the termination of the employment relationshipdell’assignment of tasksas well as indications of accidents on the supervision, evaluation, performance and fulfillment of contractual obligations of rider.
In base all’art. 12 del GDPR, le information on treatment must be provided to interested parties concise, transparent, intelligible and easily accessible formwith simple and clear language: only where the interested party requests it, information on the processing can be provided orally, but even in this case the data controller has the obligation to demonstrate that he has implemented conduct in compliance with the data protection regulations. data protection.
The company’s information on the matter was found not to contain some of the information required by paragraph 2 of the art. 1-bis:
- information about logic and functioning of decision-making systems o di monitoring fully automated (letter c)
- on data categories and on parameters main ones used to program or train fully automated decision-making or monitoring systems, including performance evaluation mechanisms (letter d)
- on control measures adopted for automated decisions, any correction processes and the person responsible for the quality management system (letter e)
- on the level of accuracy, robustness and cybersecurity (transparency regarding the number and type of Company operators who can access the processed data, protection from abusive or illicit access to data, communication of data to third parties) of decision-making systems or fully automated monitoring and the metrics used to measure these parameters, as well as the potentially discriminatory impacts of the metrics themselves (letter f).
The Guarantor noted that the attribution, in automated mode, of the so-called excellence score for the employeealways has a significant impact on the activity of the same, influencing the possibility of booking certain work shifts.
Through the two algorithmic systems, the Company therefore carries out processing consisting of decision-making based solely on automated processing, including the profilingrelative all’assignment of work shifts and delivery orderswhich significantly affect the interested party, through theincrease or reduction in work opportunitiesprecisely as a result of the decisions taken by the system.
The GDPR regulated the matter in art. 22 as well as, with reference to the notion of profiling, with art. 4, no. 4 and the cons. 71where in particular the profiling as a form of automated processing of personal data that evaluates personal aspects of a natural personin particular for the purpose of analyzing or predicting aspects regarding professional performancereliability or behaviour, location or movements where this produces legal effects or similarly significantly affects you.
This definition applies precisely to the treatments carried out using the parameters that make up the excellence score, aimed at analyze professional performance, reliability and behavior, also taking into account the location, with regards to the assignment of orders in the work shift: La profiling is therefore used to make entirely automated decisionsthrough the excellence system, with effects that significantly impact the interested party by significantly increasing or reducing the job opportunities offered through the platform.
It also emerged that even with regard to deactivation hypothesis (grievance) and di account blocking, the Company has carried out treatments through fully automated decision-making processes: in particular the Company has indicated some predetermined deactivation hypotheses in relation to which they do not emerge effective e significant margins of possible human intervention.
The Guarantor recalls in this regard the Guidelines on automated decision making relating to natural persons and on profiling for the purposes of Regulation 2016/679, adopted by Article 29 Working Group within the EDPBwhich clarify thearea of human involvement deemed significant in light of a plurality of concrete elements: “the data controller must ensure that any control of the decision is meaningful and does not constitute a simple symbolic gesture. The review should be carried out by a person who has the authority and competence to change the decision. In the context of the analysis, this person should take into account all relevant data. As part of the data protection impact assessment, the controller should identify and record the degree of human involvement in the decision-making process and the stage at which the latter takes place”.
Moreover, the same parameters that make up the excellence systemare preordained to reduce job opportunities for riders who do not accept the service offered: for the Guarantor, this also involves the violation of the provisions of the art. 47-quinquies, Legislative Decree no. 81/2015which has established specific protections, in the context of work via digital platforms, in particular the prohibition on ordering exclusion from the platform and the reduction of work opportunities attributable to non-acceptance of the service (this implies the loss of the condition of lawfulness of the processing required by art. 5, par. 1, letter a) GDPR).
Processing of workers’ biometric data
The Guarantor recalls that the processing of biometric data (normally prohibited pursuant to art. 9, par. 1 of the Regulation) is permitted exclusively if one of the conditions indicated by theart. 9, para. 2 GDPR and, with regard to the treatments carried out in working environmentonly when the treatment is necessary to fulfill the obligations and exercise the specific rights of the data controller or of the interested party in the matter of labor and social security law and social protection, to the extent that is authorized by Union or Member State law give one collective agreement in accordance with the law of the Member States, in the presence of appropriate guarantees for the fundamental rights and interests of the data subject (art. 9, par. 2, lett. b), GDPR).
The current legislation therefore it does not allow the processing of workers’ biometric data for identification purposes (carried out after the first recognition and subsequently randomly) in order to avoid replacements in the performance of the service: this processing does not find its basis in a regulatory provision that has the characteristics required by data protection regulations, also in terms of proportionality of the regulatory intervention with respect to the purposes that are intended to be pursued.
L’adoption of the biometric system by the Company Furthermore, it is not suitable for preventing phenomena of mistaken identityas recognized by the Company itself given that, even where the degree of reliability and accuracy of the chosen biometric system was sufficiently high, it would always be possible to deliver the device to a different person, after having carried out the recognition: therefore, the Company’s decision to reduce the retention terms of the biometric data collected does not change the assessment of the illegality of the processing of biometric datain the absence of a suitable legal basis, and therefore in violation of the articles. 5, par. 1, letter. a), and 9, par. 2, letter. b) GDPR.
