Italy’s data protection authority Garante on Monday fined food delivery company Foodinho €2.6 million (U.S. $3.1 million) because the app at the core of its business model allegedly discriminated against employees.

Garante found the app’s algorithmic rating system—which relies on a mathematical formula that can penalize or prioritize riders depending on how many jobs they accept, fulfill, complete on time, or reject—was biased and violated the EU’s General Data Protection Regulation (GDPR) principles around transparency and lawfulness of processing.

Garante said Foodinho failed to adequately inform its employees on the functioning of the system and had not implemented suitable safeguards to ensure accuracy and fairness of the algorithmic results. Further, the app did not allow riders to contest the decisions being made.

Under Article 22 of the GDPR, data subjects have the right not to be subject to any decision based solely on automated processing—including profiling—which might produce any legal or other significant effect against him/her, such as (in this case) determining how much work an employee may get over another.

Garante has ordered Foodinho to lay down measures to protect riders’ rights and freedoms regarding automated decisions, as well as check the accuracy, relevance, and amount of data used by the system that could exclude some riders from certain jobs.

Indeed, lawyers say the types of data collected were “excessive”: chats, emails, phone calls, map routes, customer feedback, and estimated and actual delivery times. The app also fetched geolocation data at 15-second intervals, as well as device battery levels.

Foodinho has 60 days to start implementing Garante’s recommendations, with an additional 90 days to change its algorithms.

The company was criticized for “poor cooperation” in determining the fine. Foodinho’s actions also infringed Italian law on employer-employee relations and recently- enacted legislation to protect workers using digital platforms. Up to 19,000 riders were affected.

Separately, the Spanish data protection authority, which worked in collaboration with Garante, is conducting proceedings against Foodinho’s parent company, GlovoApp23.

Oliver Vistisen, applications director at GRC software vendor SureCloud, says the case highlights regulators’ concerns about how employers’ use of automated algorithms can directly impact employees, particularly in the gig economy where workers’ rights are often secondary. He expects future cases will “become more common as regulators get more familiar with automated data handling.”

Danielle Amor, commercial lawyer at Pannone Corporate, says the case should be a wake-up call for employers monitoring workers.

“Companies have the right to monitor employee performance, but if such monitoring is constant and intrusive—or if some parts rely solely on automated decision-making—employers are going to face regulatory and legal action,” she says.