Italian data protection authority Garante has imposed a €2.5m ($3.0m) financial penalty on food delivery company Deliveroo for disproportionate collection of workers’ data and lack of transparency in use of algorithms.

The case involved numerous, serious violations of European and national privacy legislation in how the digital-based company handled personal data of around 8,000 riders, according to Garante.

Offences included collecting too much data, such as checking riders’ location every 12 seconds, recording deviations from estimated delivery times, storing riders’ routes for six months, and their communications with customer care. 

There was also a lack of transparency in algorithms used for assignment of orders and booking riders for shifts.

Garante has ordered Deliveroo to provide riders with precise information on how the assignment system works.

The DPA has also given the company 60 days to correct the violations and a further 90 days to complete the interventions on algorithms.


PrivSec Global is back for another 2 information-packed days, featuring a series of brand new topics and themes. Register now and hear industry experts discuss Global Data Protection and Privacy Law Developments.