Italy’s data protection authority Garante fined U.K.-based food delivery company Deliveroo €2.5 million (U.S. $3 million) for violating the privacy rights of its Italian drivers.

The fine, issued July 22 and further explained in English by Garante in a newsletter Monday, is the second announced by the regulator against a food delivery company in less than a month regarding breaches of the EU’s General Data Protection Regulation (GDPR). Foodinho in June (announced in July) was penalized €2.6 million (U.S. $3.1 million) because the app at the core of its business model allegedly discriminated against employees.

The Deliveroo fine is the fourth largest issued by the Italian DPA this year, according to the GDPR Enforcement Tracker.

In explaining its decision, Garante noted a shift booking system utilized by Deliveroo discriminated against drivers regarding the assignment of orders and work hours. The regulator cited a “lack of transparency” in the algorithms of the system, which Deliveroo stopped using by the end of 2020.

The company was further reprimanded for extensive surveillance of drivers “far beyond what is necessary.” This included geolocation data and the storage of personal data collected during the execution of orders.

In all, Garente alleged the privacy rights of about 8,000 drivers in Italy were violated.

Deliveroo has 60 days to correct the alleged violations and must verify completion within the following 90 days. The company in an emailed statement said it is confident the issues raised by the Italian DPA are “no longer of concern.”

“We have worked closely with the Garante during the investigation, and we do not believe the findings represent how Deliveroo works with riders today,” the company stated. “This [case] is based on an historical model to book sessions that was dismissed in 2020. We are currently evaluating next steps and assessing all available options, including an appeal. We are committed to maintaining the highest standard on privacy: today we have strong processes in place to ensure that our processes are fair and that all personal data is safe and secure.”