Privacy Policy

 

Privacy Policy – Rider
Who is the data controller?

The data controller, i.e. the body that defines the purposes and means of the processing specified in this privacy policy is Rocket Food Limited, 21/F, Guangdong Investment Tower, 148 Connaught Road Central, Sheung Wan, Hong Kong, hereinafter referred to as “foodpanda”  “we”, “our”, “controller”). We also use the terms “rider” or “employee” to address you below. 

Please note that you might have been hired as a rider by a third-party logistics company which is not part of our group of companies. In this case, this company generally processes your personal data as a separate data controller, acting as a joint controller with our company only with respect to the IT applications we provide. You are free to assert your legal rights in this context either against us or against the third party whom you have contracted with and acting as a joint controller. However, the legal joint controller relationship relates only to the processing of personal data on our online platforms. We have no influence on, and are not responsible for, the processing of personal data by such party in other contexts.

Why and which personal data do we process?

Below you can see which of your data we need for which purposes and under which circumstances we share your data with others. 

Personal data is information from which we can directly or indirectly relate to your person, such as first and last name, address, phone number, date of birth, location data or email address.

Which personal data do we process? 

In order to provide our delivery service to our customers, we use various tools and systems that are absolutely necessary for the delivery of orders. We also use external and internal tools and systems to process your personal data for personnel management and our general business operations.

We collect, process and store the following categories of personal data within the scope of using the tools and systems:

Data categories Explanation
Identification data Name, Surname, Address
Contact data Email Address, Phone number,
Account data Date of birth, Place of birth, nationality, gender, bank account details, social security number
Performance data Usage time of applications, order details
Geolocation data GPS data
Technical data Device data
Contract details Contract type, work permit
For what purposes do we process personal data?

We only collect your personal data if this is necessary and the purpose is legal and the processing is proportionate. Below we would like to give you more information for the purposes and legal basis:

Purpose Why do we process data for this purpose?
Recruiting As part of the application process, we collect, process and store your personal data on the basis of the data you have made available to us. The purpose of the processing is to make a decision regarding the hiring or refusal of an applicant.

Categories of personal data: 

  • Identification data
  • Contact data
  • Account data

Legal basis:

  • Initiation of contract, Art. 6 para. 1 b) GDPR
Advertising and marketing Online marketing

Our hiring process is based to a large extent on finding potential riders. In order to reach the right candidates, we run marketing campaigns.  Therefore, we would like to present to you our processes as transparently as possible. The following online marketing processing activities we pursue include targeting and retargeting:

  • Targeting

In principle, targeting means the switching and fading in of advertising banners on websites that are tailored to specific target groups. The aim is to display the most attractive banners as individually as possible for the user and potential riders. Firstly, we define a target group and secondly,  we commission our service providers to show our advertising to the defined target group. We do not process any personal data, as these are initially made anonymous. We segment different target groups and place different ads on different portals for optimized targeting. 

  • Retargeting

As soon as you have visited our website for obtaining further information on our rider program, we store the information about your website visit in cookies. If you continue to surf other websites, our advertising partners will remind you on our behalf that you have not yet submitted an application. We don’t want you to miss out on our amazing rider program. 

You can disable retargeting by installing appropriate add-ons for your browser. Furthermore, you can and should also regularly delete the cookies stored in the browser you are using. 

Categories of personal data:

  • Website visitor data

Legal basis:

Art. 6 para. 1 (f) GDPR, legitimate interest. 

Our legitimate interest is the purpose described above.

Candidate reactivation If a candidate does not continue the application process, SMS, emails or Whatsapp will be sent to remind the candidate of the steps that need to be taken to complete the application process.

Categories of personal data: 

  • Identification data
  • Contact data

Legal basis:

  • Contract initiation, Art. 6 para. 1 b) GDPR
  • Legitimate interest, Art. 6 para. 1 f) GDPR; our legitimate interest is to ensure a smooth application process and better experience. 
Contract Conclusion of an employment contract

Categories of personal data: 

  • Identification data
  • Account data

Legal basis:

  • Performance of contract, Art. 6 para. 1 b) GDPR
Onboarding Preparation of the first working day, training of new employees

Categories of personal data: 

  • Identification data
  • Account data

Legal basis:

  • Performance of contract, Art. 6 para. 1 b) GDPR
Rider accounts Creation of required accounts for the applications used

Categories of personal data: 

  • Identification data
  • Account data

Legal basis:

  • Performance of contract, Art. 6 para. 1 b) GDPR
Working time recording Recording of work performed by the employee

Categories of personal data: 

  • Identification data
  • Start and end date of shift, breaks, legitimate absence

Legal basis:

  • Performance of contract, Art. 6 para. 1 b) GDPR
Presence/shift monitoring Assessment of the reliability of drivers in fulfilling their contractual obligations. Use of location data in case of irregularities during the shift. Monitoring of compliance with rest times. 

Categories of personal data: 

  • Identification data
  • Account data
  • Working hours
  • Rest times

Legal basis:

  • Performance of contract, Art. 6 para. 1 b) GDPR
Customer communication Communication with customers about the status of the order or delivery

Categories of personal data: 

  • Identification data
  • Contact details
  • Location data
  • Content of communication
  • Picture (if available)

Legal basis:

  • Legitimate Interest, Art. 6 para. 1 f) GDPR
  • Consent, Art. 6 para. 1 a) GDPR for picture
Photos and videos Taking and publishing photos and videos of employees

Categories of personal data: 

  • Identification data
  • Picture/Video

Legal basis: 

  • Consent, Art. 6 para 1 a) GDPR
Work permit Review of existing employee contracts with regard to the validity of work permits

Categories of personal data: 

  • Identification data
  • Contact details
  • Contract details

Legal basis: 

  • Legal obligation, Art. 6 para 1 a c) GDPR
Personnel administration We collect, process and store your personal data for the processing and creation of legally required documents and proofs as well as for the remuneration of our employees.

Categories of personal data: 

  • Identification data
  • Contact data
  • Account data

Legal basis:

  • Performance of contract, Art. 6 para. 1 b) GDPR
  • Legal obligation, Art. 6 para. 1 c) GDPR
Sick leave Processing of incoming sick notes; communication with health insurance companies.

Categories of personal data: 

  • Identification data
  • Contact details
  • Sick leave note

Legal basis: 

  • Performance of contract, Art. 6 para. 1 b) GDPR
  • Legal obligation, Art. 6 para 1 a c) GDPR
Internal communication Different tools are used for communication between us and the employees (in this case Rider). The purpose of the processing is the communication of necessary information.

Categories of personal data: 

  • Identification data
  • Contact data

Legal basis:

  • Performance of contract, Art. 6 para. 1 b) GDPR
  • Legitimate interest, Art. 6 para. 1 f) GDPR for newsletter 
Vacation file Processing, granting and rejection of vacation requests submitted by employees; documentation 

Categories of personal data: 

  • Identification data
  • Contact data
  • Contract details

Legal basis:

  • Performance of contract, Art. 6 para. 1 b) GDPR
Delivery To ensure a prompt delivery of the products ordered by our customers, the coordination data of our riders is collected and the order is assigned to those riders who are in an optimal region.

Categories of personal data: 

  • Identification data
  • Contact data
  • Geolocation data
  • Technical data

Legal basis:

  • Performance of contract, Art. 6 para. 1 b) GDPR
  • Legitimate interest, Art. 6 para. 1 f) GDPR
Delivery Estimation In order to be able to inform customers of the expected delivery time, average speed data is processed in anonymous form.  

Categories of personal data: 

  • Geolocation data (anonymized)

Legal basis:

  • Legitimate interest, Art. 6 para. 1 f) GDPR
Work disciplinary measures  Issuing a warning notice with breach of contract 

Categories of personal data: 

  • Identification data
  • Personnel file 

Legal basis:

  • Performance of contract, Art. 6 para. 1 b) GDPR
Wage and salary payments Preparation of wage and salary statements; payment of gross amounts; payment of social security contributions (if applicable)

Categories of personal data: 

  • Identification data
  • Contact data
  • Bank account information

Legal basis:

  • Performance of contract, Art. 6 para. 1 b) GDPR
Rider equipment Our employees receive rider equipment from us. This serves the uniform appearance of our riders as well as the protection of our employees. We manage and monitor the equipment provided to ensure that the necessary equipment is always available. 

Categories of personal data: 

  • Identification data
  • Contact data

Legal basis:

  • Performance of contract, Art. 6 para. 1 b) GDPR
  • Legal obligation, Art. 6 para. 1 c) GDPR
Shift planning and time recording We collect, process and store personal data of our riders for the planning of deployments and the actual exercise of deliveries. The purpose of the processing is to collect and monitor the hours worked and to create the necessary work records.

Categories of personal data: 

  • Identification data
  • Contact data
  • Account data
  • Performance data
  • Geolocation data

Legal basis:

  • Performance of contract, Art. 6 para. 1 b) GDPR
  • Legitimate interest, Art. 6 para. 1 f) GDPR
Performance evaluation Evaluation of driver performance based on the quality (restaurant and customer complaints), quantity of orders delivered. It also includes reliability before, during and after the shift. This also includes, but is not limited to, the punctual start of the shift, proper login and acceptance of orders during the shift until the end of the shift. Also the proper execution of the order.

Categories of personal data: 

  • Identification data
  • Contact data
  • Performance data
  • Geolocation data
  • Technical data

Legal basis:

  • Performance of contract, Art. 6 para. 1 b) GDPR
Termination Ordinary and extraordinary terminations of contracts with employees

Categories of personal data: 

  • Identification data
  • Contact data

Legal basis:

  • Performance/termination of contract, Art. 6 para. 1 b) GDPR, Sect 26 BDSG
Off-boarding Deactivation of existing accounts; return of received clothing and equipment.

Categories of personal data: 

  • Identification data
  • Contact data

Legal basis:

  • Performance of contract, Art. 6 para. 1 b) GDPR
Archiving Archiving of documents subject to retention for tax purposes.

Categories of personal data: 

  • Identification data
  • Contact data
  • Date of birth
  • Tax information
  • Working times

Legal basis:

  • Legal obligation, Art. 6 para. 1 c) GDPR
How long do we store personal data?We generally delete your data after the purpose has been fulfilled. The exact deletion rules are defined in our regional deletion concepts. Different deletion rules apply depending on the purpose of the processing. Within our deletion concepts we have defined various data classes and assigned rule deletion periods to them. When the retention period is met, the stored data will be deleted accordingly.

Under certain circumstances, any requests for deletion may be opposed by legal retention periods, which prevent us from deleting the stored data for a fixed minimum period of time. In order to comply with these legal requirements, we block the relevant data after the purpose has been fulfilled and thereby guarantee data completeness and data integrity.

With which data processors and why do we share personal data?

We never give your data to unauthorized third parties. However, as part of our work we obtain the services of selected service providers and give them limited and strictly monitored access to some of our data. However, before we forward personal data to these data processors for processing on our behalf, each individual company undergoes an audit. All data recipients must meet the legal data protection requirements and prove their data protection level with appropriate proofs. 

In the following we would like to inform you in a transparent and understandable way about all our data recipients with the respective reasons:

Data recipient Reason
External service provider They support our business activities by providing us with IT solutions and infrastructure or by ensuring the security of our business operations, for example by identifying and rectifying faults. Furthermore, personal data may also be disclosed to external tax consultants, lawyers or auditors if they provide services for which they have been commissioned. 
Members of the Delivery Hero SE Group Within a group it is sometimes necessary to use resources effectively. In this context, we support each other within our Group in optimizing our processes. In addition, we provide joint content and services. This includes, for example, the technical support of systems.

This is a joint controllership within the meaning of Art. 26 GDPR. The employer is fully responsible for fulfilling the data protection requirements together with Delivery Hero SE. Within the framework of joint regulations, both the employer and Delivery Hero SE have agreed that both will guarantee their rights equally. You can therefore address any requests both to the local entity that has engaged you as a rider, and to Delivery Hero SE, Oranienburger Straße 70, 10117 Berlin. 

You can reach the data protection officer at [email protected] 

Prosecuting authorities and legal proceedings Unfortunately, it can happen that a few of our rider and service providers do not behave fairly and want to harm us. In these cases we are not only obliged to hand over personal data due to legal obligations, it is of course also in our interest to prevent damage and to enforce our claims and to reject unjustified claims.
Data processing outside the EU and EEA

We process your data mainly within the European Union (EU) and the European Economic Area (EEA). However, some of our service providers mentioned above are based outside the EU and the EEA. The GDPR has high requirements for the transfer of personal data to third countries. All our data receivers have to measure up to these requirements. Before we transfer your data to a service provider in third countries, every service provider is first assessed with regard to its data protection level. Only if they can demonstrate an adequate level of data protection will they be shortlisted for service providers.

Regardless of whether our service providers are located within the EU/EEA or in third countries, each service provider must sign a data processing agreement with us. Service providers outside the EU/EEA must meet additional requirements. According to Art. 44 ff. GDPR personal data may be transferred to service providers that meet at least one of the following requirements:

a.   The EU Commission has decided that the third country ensures an adequate level of protection (e.g. Israel and Canada).

b.   Standard data protection clauses have been accepted. Contractual clauses which cannot be modified by the contracting parties and in which they undertake to ensure an adequate level of data protection are recognized by the GDPR as a suitable transfer mechanism.

c.   Further appropriate safeguards pursuant to Art. 46 GDPR have been implemented.

The GDPR also permits data transfers in other situations, e.g. where a recipient has accepted the terms of binding corporate rules or approved certification mechanisms, or where a data subject has granted their consent. We will only transfer your data to service providers who meet at least one of these requirements. If we transfer data to third countries, these are mainly companies based in the USA or Israel.

Cookies: 

In order to make the visit of our website attractive and to enable the use of certain functions, we use so-called cookies on various pages. These are small text files that are stored on your device. Some of the cookies we use are deleted after the end of the browser session, i.e. after closing your browser (so-called session cookies). Other cookies remain on your device and allow us or our affiliate to recognize your browser on your next visit (persistent cookies). You can set your browser so that you are informed about the setting of cookies and individually decide on their acceptance or exclude the acceptance of cookies for specific cases or in general. Failure to accept cookies may limit the functionality of our website/app.

You can install additional add-ons in your browser that block unnecessary cookies. By doing so, you will not see any interest-based advertisements.

Categories of personal data:

Limited device information such as IP address, device ID, MAC address, operating system, device type, Apple Advertiser ID (IDFA) or Android Ad ID (AAID) 

Legal basis:

If processing takes place with your consent, the legal basis is Art. 6 Para. 1 (a) GDPR, namely your consent. Otherwise, the processing is based on our legitimate interest pursuant to Art. 6 para. 1 (f) GDPR. Our legitimate interest lies in the aforementioned purpose. 

You can find our cookie policy with all the cookies we use in our Cookies and Web-Tracking Policy.

What are your rights as  data subjects and how can they be asserted?

You have the right to receive explicit information from us about the personal data we have stored about you, free of charge. 

In addition, you have the following rights:

Right to access You have the right to be informed which data we store about you and how we process this data.
Right to rectification If you notice that processed data is incorrect, you can always ask us to correct it.
Right to erasure You can ask us at any time to delete the data we have stored about you.
Right to restriction of processing If you do not wish to delete your data, but do not want us to process it further, you can ask us to restrict the processing of your personal data. In this case, we will archive your data and only reintegrate it into our operative systems if you so wish. However, during this time you will not be able to use our services, otherwise we will process your data again. 
Right to data portability You can ask us to transmit the data stored about you in a machine-readable format to you or to another responsible person. In this context, we will make the data available to you in JSON format.
Right to withdraw consent and object to the processing of your data You can revoke your consent at any time or object to the further processing of your data. This also includes objecting to our processing, which we process without your consent but based on our legitimate interest. This applies, for example, to direct marketing. You can object to receiving further newsletters at any time. 

If you do not agree with one of our processing purposes based on our legitimate interest or wish to object to it, you may object to the processing at any time on grounds relating to his or her particular situation. Please write an email to [email protected]  In this case we will review the processing activity again and either stop processing your data for this purpose or explain to you our reasons worth protecting and why we will continue with the processing. 

Automated decision making We also process your personal data in the context of algorithms in order to simplify our processes. Of course, you have the right not to be subject to decisions based solely on automated processing. If you believe that we have denied your access in an unjustified way, you can always contact us at [email protected] In this case, we will examine the case separately and decide on a case-by-case basis.
Right of complaint If you believe that we have done something wrong with your personal data or your rights, you can complain to the appropriate supervisory authority at any time. 

The supervisory authority responsible for us is:

Name of the supervisory authority

Address

Postcode City

Email Address

 

To exercise your rights, you can contact [email protected] at any time.

If you believe that we have done something wrong with your personal data or your rights, you can complain to the appropriate supervisory authority at any time. The supervisory authority responsible for us is:

Name of authority      

Address

Email address