Privacy Policy

 

 

Privacy Policy – Riders
Who is the data controller?

The data controller, i.e. the body that defines the purposes and means of the processing specified in this privacy policy is Delivery Hero Germany Logistics GmbH, Mauerstraße 79 C, 10117 Berlin, (hereinafter referred to as “Pandalogistics” “we”, “our”, “controller”). We also use the terms “rider” or “employee” for your salutation. You can reach us with questions or feedback about our data processing at any time by emailing to [email protected]

 

Please note that you might have been hired as a rider by a third-party logistics company which is not part of our group of companies. In this case, this company generally processes your personal data as a separate data controller, acting as a joint controller with our company only with respect to the IT applications we provide. You are free to assert your legal rights in this context either against us or against the third party whom you have contracted with and acting as a joint controller. However, the legal joint controller relationship relates only to the processing of personal data on our online platforms. We have no influence on, and are not responsible for, the processing of personal data by such party in other contexts.

Why and which personal data do we process?

Below you can see which of your data we need for which purposes and under which circumstances we share your data with others.

Personal data is information from which we can directly or indirectly identify you as a person, such as first and last name, address, phone number, date of birth, location data or email address. Please be aware, however, that anonymized data will not qualify as personal data.

 

Which personal data do we process?

In order to provide our delivery service to our customers, we use various tools and systems that are absolutely necessary for the delivery of orders. We also use external and internal tools and systems to process your personal data for personnel management and business operations.

 

Generally, we collect, process and store the following categories of personal data within the scope of making available our tools and systems:

 

Data categories Explanation
Identification data Name, Surname, Address
Contact data Email Address, Phone number,
Account data Date of birth, Place of birth, nationality, bank account details, social security number
Performance data Usage time of rider applications, shift times, order details
Geolocation data GPS data
Technical data Device data
Contract details Contract type, work permit

 

 

For what purposes do we process personal data?

We only collect your personal data if this is necessary to achieve the performance of the contract with you, the intended purpose is legal and the processing is proportionate. Below we would like to give you more information about our processing activities, their purposes and the applicable legal basis under the applicable EU General Data Protection Regulation (GDPR):

 
Processing Activity Why do we process data for this purpose?
Recruiting As part of the application process, we collect, process and store your personal data on the basis of the data you have made available to us. The purpose of the processing is to make a decision regarding the hiring or refusal of an applicant.
  Categories of personal data:

●      Identification data

●      Contact data

●      Account data

 

Legal basis:

●      Art. 88 GDPR, Section 26 (1) of the German Federal Data Protection Act (BDSG), Art. 6 (1) b) GDPR (initiation of an employment or other contract)

 

 

 

Advertising and marketing Online marketing

 

  Our hiring process is based to a large extent on finding potential riders. In order to reach the right candidates, we run marketing campaigns.  Therefore, we would like to present to you our processes as transparently as possible. We conduct the following online marketing processing:

 

1)    Targeting

In principle, targeting means the switching and fading in of advertising banners on websites that are tailored to our needs. The aim is to display the most attractive banners as individually as possible for the users and potential riders. Please rest assured that we will process device data in a pseudonymous manner only. At no point will we use these data to identify you as an individual person. We segment different groups and place different ads on different portals for optimized targeting but do not track any persons specifically.

 

2)    Retargeting

As soon as you have visited our website for obtaining further information on our rider program, we store this information in cookies. If you continue to surf other websites, our advertising partners will remind you on our behalf that you have not yet submitted an application. We don’t want you to miss out on our amazing rider program.

 

To learn more about how we use cookies on our website, please refer to our Cookies Policy.

 

Categories of personal data:

●     Device data

●     Website visitor data

 

Legal basis:

●      Consent, Art. 6 (1) a) GDPR

 

 

Candidate reactivation If a candidate does not continue the application process, SMS, emails or WhatsApp will be sent to remind the candidate of the steps that need to be taken to complete the application process.
  Categories of personal data:

●      Identification data

●      Contact data

 

Legal basis:

●      Initiation of an employment contract, Art. 88 GDPR, Section 26 (1) BDSG, Art. 6 (1) b) GDPR

●      Legitimate interest, Art. 6 (1) f) GDPR; our legitimate interest is to ensure a smooth application process and better experience.

 

 

Contracting The conclusion of an employment contract is required for you to start as a rider.
  Categories of personal data:

●      Identification data

●      Account data

 

Legal basis:

●      Conclusion of an employment contract, Art. 88 GDPR, Section 26 (1) BDSG, Art. 6 (1) b) GDPR

 

 

Onboarding Preparation of the first working day, training of new employees
  Categories of personal data:

●      Identification data

●      Account data

 

Legal basis:

●      Performance of an employment contract, Art. 88 GDPR, Section 26 (1) BDSG, Art. 6 (1) b) GDPR

 

 

Rider accounts Creation of required accounts for the applications used
  Categories of personal data:

●      Identification data

●      Account data

 

Legal basis:

●      Performance of an employment contract, Art. 88 GDPR, Section 26 (1) BDSG, Art. 6 (1) b) GDPR

 

 

Working time recording Recording of work performed by the employee
  Categories of personal data:

●      Identification data

●      Start and end date of shift, breaks, legitimate absence

 

Legal basis:

●      Performance of an employment contract, Art. 88 GDPR, Section 26 (1) BDSG, Art. 6 (1) b) GDPR

 

 

Presence/shift monitoring Assessment of the reliability of drivers in fulfilling their contractual obligations. Monitoring of compliance with rest times.
  Categories of personal data:

●      Identification data

●      Account data

●      Working hours

●      Rest times

 

Legal basis:

●      Performance of an employment contract, Art. 88 GDPR, Section 26 (1) BDSG, Art. 6 (1) b) GDPR

 

 

Customer communication Communication with customers about the status of the order or delivery
   

Categories of personal data:

●      Identification data

●      Contact details

●      Location data

●      Content of communication

 

Legal basis:

●      Legitimate Interest, Art. 6 (1) f) GDPR

 

 

Photos and videos Taking and publishing photos and videos of employees for internal purposes. Specific purposes will be disclosed beforehand.
  Categories of personal data:

●      Identification data

●      Picture/video images

 

Legal basis:

●     Consent, Art. 6 (1) a) GDPR

Work permit Review of existing employee contracts with regard to the validity of work permits.
  Categories of personal data:

●      Identification data

●      Contact details

●      Contract details

 

Legal basis:

●     Legal obligation, Art. 6 (1) c) GDPR

●     Performance of contract, Art. 88 GDPR, Section 26 (1) BDSG

 

 

Personnel administration We collect, process and store your personal data for the processing and creation of legally required documents and proofs as well as for the remuneration of our employees.
  Categories of personal data:

●      Identification data

●      Contact data

●      Account data

 

Legal basis:

●      Performance of an employment contract, Art. 88 GDPR, Section 26 (1) BDSG, Art. 6 (1) b) GDPR

●      Legal obligation, Art. 6 (1) c) GDPR

 

 

Sick leave Processing of incoming sick notes; communication with health insurance companies.
  Categories of personal data:

●      Identification data

●      Contact details

●      Sick leave note

 

Legal basis:

●      Performance of an employment contract, Art. 88 GDPR, Section 26 (1) BDSG, Art. 6 (1) b) GDPR

●      Legal obligation, Art. 6 (1) c) GDPR

 

 

Internal communication Different tools are used for communication between all employees. The purpose of the processing is the communication of necessary information/ troubleshooting in case support is needed.
  Categories of personal data:

●      Identification data

●      Contact data

 

Legal basis:

●      Performance of an employment contract, Art. 88 GDPR, Section 26 (1) BDSG, Art. 6 (1) b) GDPR

●      Legitimate interest, Art. 6 (1) f) GDPR for newsletter

 

 

Vacation file Processing, granting and rejection of vacation requests submitted by employees; documentation.
  Categories of personal data:

●      Identification data

●      Contact data

●      Contract details

 

Legal basis:

●      Performance of an employment contract, Art. 88 GDPR, Section 26 (1) BDSG, Art. 6 (1) b) GDPR

●      Legal obligation, Art. 6 (1) c) GDPR

 

 

Delivery To ensure a prompt delivery of the products ordered by our customers, the coordination data of our riders is collected, and the order is assigned to the rider who will be able to deliver the order with best possible timing.
  Categories of personal data:

●      Identification data

●      Contact data

●      Geolocation data

●      Technical data

 

Legal basis:

●      Performance of an employment contract, Art. 88 GDPR, Section 26 (1) BDSG, Art. 6 (1) b) GDPR

●      Legitimate interest, Art. 6 (1) f) GDPR

 

 

Delivery Estimation In order to be able to inform customers of the expected delivery time, average speed data per vehicle type is processed in an anonymous form.
  Categories of personal data:

●      Geolocation data (anonymized)

 

Legal basis:

●      Legitimate interest, Art. 6 (1) f) GDPR

 

 

Work disciplinary measures Issuing a warning notice for breach of contract and breach of code of conduct.
  Categories of personal data:

●      Identification data

●      Personnel file

 

Legal basis:

●      Performance of an employment contract, Art. 88 GDPR, Section 26 (1) BDSG

 

 

Wage and salary payments Preparation of wage and salary statements; payment of salary and wages; payment of social security contributions.
  Categories of personal data:

●      Identification data

●      Contact data

●      Bank account information

 

Legal basis:

●      Performance of an employment contract, Art. 88 GDPR, Section 26 (1) BDSG, Art. 6 (1) b) GDPR

 

 

Rider equipment Our employees receive rider equipment from us. This serves the uniform appearance of our riders as well as the protection of our employees. We manage and monitor the availability of the equipment provided to ensure that the necessary equipment is always available.
  Categories of personal data:

●      Identification data

●      Contact data

 

Legal basis:

●      Performance of an employment contract, Art. 88 GDPR, Section 26 (1) BDSG, Art. 6 (1) b) GDPR

 

 

Shift planning and time recording Assignment of shifts depending on the availability/unavailability of the rider including contract information.  Riders are able to pick additionally available shifts.
  The purpose of the processing is to collect and monitor the hours worked. Additionally, work records will be generated based on performed hours.

 

Categories of personal data:

●      Identification data

●      Contact data

●      Account data

●      Performance data

●      Geolocation data

 

Legal basis:

●      Performance of an employment contract, Art. 88 GDPR, Section 26 (1) BDSG, Art. 6 (1) b) GDPR

●      Legitimate interest, Art. 6 (1) f) GDPR

 

 

Performance evaluation Evaluation of rider performance includes reliability before, during and after the shift. This also includes, but is not limited to, the punctual start of the shift, proper login and acceptance of orders during the shift until the end of the shift as well as the proper execution of the order.
  Categories of personal data:

●      Identification data

●      Contact data

●      Performance data

●      Geolocation data

●      Technical data

 

Legal basis:

●      Performance of an employment contract, Art. 88 GDPR, Section 26 (1) BDSG, Art. 6 (1) b) GDPR

 

 

Termination Ordinary and extraordinary terminations of contracts with employees
  Categories of personal data:

●      Identification data

●      Contact data

 

Legal basis:

●      Termination of an employment contract, Art. 88 GDPR, Section 26 (1) BDSG, Art. 6 (1) b) GDPR

 

 

Off-boarding Deactivation of existing accounts; return of received clothing and equipment.
  Categories of personal data:

●      Identification data

●      Contact data

 

Legal basis:

●      Termination of an employment contract, Art. 88 GDPR, Section 26 (1) BDSG, Art. 6 (1) b) GDPR

 

 

Archiving Archiving of documents subject to retention for tax purposes.
  Categories of personal data:

●      Identification data

●      Contact data

●      Date of birth

●      Tax information

●      Working times

 

Legal basis:

●      Legal obligation, Art. 6 (1) c) GDPR

 

 

 

How long do we store personal data?

When processing your personal data we observe the principle of storage limitation. That means personal data is stored in a form that permits the identification of the data subjects only for as long as is strictly necessary for the purposes for which the data is for which they are collected. The storage periods are based on the applicable statutory provisions. After expiry of the retention periods, we delete your personal data. With regard to GPS data, a storage period of six months has been defined, whereby the GPS data is anonymized after one month of its collection and can no longer be assigned to a specific employee. This storage period is necessary for evaluation purposes (calculation of delivery times in anonymous form), billing and as evidence in cases of incidents relevant under criminal law. After expiration of the storage period, we delete or anonymize the personal data of the employees in a manner that complies with the requirements of the GDPR.

How do we share your personal data?

We never share your data with unauthorized third parties, nor do we sell your data. However, as part of our work we obtain the services of selected service providers and give them limited and strictly monitored access to some of our data. Before we forward personal data to these data processors for processing on our behalf, each individual company undergoes an audit. All data recipients must meet the legal data protection requirements and prove their data protection level with appropriate proofs.

 

In the following we would like to inform you in a transparent and understandable way about all our data recipients with the respective transfer purposes:

Data recipient Reason for sharing
External service provider They support our business activities by providing us with IT solutions and infrastructure or by ensuring the security of our business operations, for example by identifying and rectifying faults. Furthermore, personal data may also be disclosed to external tax consultants, lawyers or auditors if they provide services for which they have been commissioned.
Members of the Delivery Hero SE Group Within a group of companies it is sometimes necessary to use resources effectively. In this context, we support each other within our group in optimizing our processes. In addition, we provide joint content and services. This includes, for example, the technical support of systems or database hosting for our rider applications.

 

In legal terms, taking decisions on the purposes and means of processing is called “joint controllership” of data. Your employer is fully responsible for fulfilling the data protection requirements together with Delivery Hero SE. Within the framework of joint regulations, both the employer and Delivery Hero SE have agreed that both will guarantee your rights equally. You can therefore address any requests both to us who have engaged you as a rider, and to Delivery Hero SE, Oranienburger Straße 70, 10117 Berlin.

 

You can reach the data protection officer of Delivery Hero SE at [email protected]

Prosecuting authorities and legal proceedings Unfortunately, it can happen that a few of our riders or service providers do not behave fairly and want to harm us. In these cases we are not only obliged to hand over personal data due to legal obligations, it is of course also in our interest to prevent damage and to enforce our claims and to reject unjustified claims.

 

 

 

Data processing outside the EU and EEA

We process your data mainly within the European Union (EU) and the European Economic Area (EEA). However, it might be required to transfer your personal data to a country outside the territory of the EU or EEA (these countries are called “third countries” in the GDPR). This is, for example, the case with our database providers (Google and Amazon Web Services). While these parties have their seat of business in the EU, they are subsidiaries of organizations headquartered in the United States (US). Consequently, to provide their cloud services it might be required for certain personal data to be accessible from the US.

 

The GDPR has high requirements for the transfer of personal data to third countries. All our data receivers have to measure up to these requirements. Before we transfer your data to a service provider in third countries, every service provider is first assessed with regard to its data protection level. Only if they can demonstrate an adequate level of data protection will they be shortlisted for service providers.

 

Regardless of whether our service providers are located within the EU/EEA or in third countries, each service provider must sign a data processing agreement with us. Service providers outside the EU/EEA must meet additional requirements. Unless there is a legally binding decision confirming that a third country provides an adequate level of data protection, all transfers to third countries will be subject to appropriate safeguards such as binding corporate rules or approved standard contractual clauses. Where necessary, we have implemented supplementary security measures under the standard contractual clauses certified by the EU Commission to provide an adequate level of data protection for any transfers outside the EU. You can obtain a copy of the standard contractual clauses by contacting us.

 

Automated Decision-Making

We also process your personal data in the context of algorithms in order to simplify our processes. Of course, you have the right not to be subject to decisions based solely on automated processing. However, we do not conduct any fully automated decision-making with a final binding effect on you as a rider but will always keep the door open for human review by one of our employees. For example, if you disagree with the decisions made by our rider applications we do grant you the opportunity to have these reviewed and, if necessary, changed by a human being. 

 

If you believe that we have made an automated decision in an unjustified way, you can always contact us at [email protected] In this case, we will examine the case separately and decide on a case-by-case basis.

What are your legal rights as a data subject and how can you assert them?

 

In addition, you have the following rights:

 

Right to access You have the right to be informed which data we store about you and how we process this data. This also includes receiving a copy of your data.
Right to rectification If you notice that processed data is incorrect, you can always ask us to correct it.
Right to erasure You can ask us at any time to delete the data we have stored about you.
Right to restriction of processing If you do not wish to delete your data, but do not want us to process it further, you can ask us to restrict the processing of your personal data. In this case, we will archive your data and only reintegrate it into our operative systems if you so wish. However, during this time you will not be able to use our services, otherwise we will process your data again. We will also restrict the processing of your data if you have requested us to delete it but we are not able to comply with your request due to the applicability of statutory retention periods.
Right to data portability You can ask us to transmit the data stored about you in a machine-readable format to you or to another responsible person. In this context, we will make the data available to you in JSON or another customary format.
Right to withdraw consent and object to the processing of your data You can revoke your consent at any time or object to the further processing of your data. This also includes objecting to our processing, which we process without your consent but based on our legitimate interest. This applies, for example, to direct marketing. You can object to receiving further newsletters at any time.

 

You also have the right, for reasons arising from your particular situation, to object at any time to the processing of your personal data, which is processed on the basis of Art. 6 (1) f) GDPR (data processing on the basis of a balance of interests); this also applies to any profiling for the purposes of Art. 4 (4) GDPR based on this provision. If you object, we will no longer process your personal data in the future unless we can prove compelling grounds for the processing that outweigh your interests, rights and freedoms.

Right of complaint If you believe that we have done something wrong with your personal data or your rights, you can complain to the appropriate supervisory authority at any time. You can raise a complaint about our processing of your personal data with the data protection authority in the EU Member State of your habitual residence, place of work or place of where you think a violation of the GDPR has occurred. In the case of cross-border data processing, you can also lodge a complaint with our lead supervisory authority in Berlin, Germany.