On 13 November 2024, the Italian Data Protection Authority (DPA) issued a 5 million euros fine against a food delivery company for unlawful processing of personal data of more than 35,000 riders via its digital platform. The investigation, prompted by media reports on the account deactivation of a rider who died in 2022, uncovered severe GDPR violations. Notably, the platform failed to inform riders of their right to contest account deactivations. Other violations included automated decision-making without adequate safeguards and the improper use of biometric data for identity verification. The DPA also found that the platform had been improperly geolocating riders, even when off-duty, and sharing this data with third parties without their consent. The DPA mandated corrective measures, including the reformulation of automated messages, greater transparency in geolocation tracking, and ensuring algorithmic decisions are subject to human oversight. This decision coincides with the recent publication of Directive (EU) 2024/2831, aimed at improving working conditions for platform workers.