August 10, 2021

Italian data protection authority imposes €2.5 million fine on food delivery company

On July 22, 2021, the Garante per la protezione dei dati personali, the Italian data protection authority, imposed a €2.5 million fine on Deliveroo Italy s.r.l., the Italian subsidiary of Roofoods LTD, a UK-based food delivery company operating through online orders in over a dozen countries. According to the Garante, Deliveroo’s handling of the personal data of approximately 8,000 riders employed by the company to deliver food orders violated European and Italian privacy law, including Article 5 of the General Data Protection Regulation. Among Deliveroo’s failings was a lack of transparency in the algorithms used in the management of its riders. The company used geolocation software to determine the riders’ location every 12 seconds, and stored the location information for six months. The company also tracked by the minute the riders’ movement from pickup to delivery, from delivery to next order, etc., thereby violating Italian labor law and the rules on distance monitoring, in addition to privacy laws and the rules of transparency and data minimisation. In June 2021, the Garante levied a fine against another online meal service, Foodinho s.r.l., for similar GDPR failures, including a lack of transparency in that company’s application of the algorithm used to manage its employees.

In addition to the €2.5 million fine, the Garante’s order requires that Deliveroo take steps to correct the GDPR violations. These measures include the provision of accurate information to the company’s employees, and greater transparency in terms of the algorithm used to assign jobs and rate employees. Deliveroo has 60 days to remedy the violations, and 90 days to correct its algorithms.

Garante Newsletter | Order