Privacy Policy EN

 

Privacy Policy – Rider
Who is the data controller?

The data controller, i.e. the body that defines the purposes and means of the processing specified in this privacy policy is Volo DS XXXVI 9 GmbH
Mayergasse 14/1+2, 1020, Vienna, Austria, [email protected] (hereinafter referred to as “Mjam” “we”, “our”, “controller”). We also use the terms “rider” or “employee” for your salutation.

Our data protection officer can be contacted by all employees at any time via the following email address: [email protected]
Why and which personal data do we process?

Below you can see which of your data we need for which purposes and under which circumstances we share your data with others.

Personal data is information from which we can directly or indirectly relate to your person, such as first and last name, address, phone number, date of birth, location data or email address.

Which personal data do we process?

In order to provide our delivery service to our customers, we use various tools and systems that are absolutely necessary for the delivery of orders. We also use external and internal tools and systems to process your personal data for personnel management and business operations.

We collect, process and store the following categories of personal data within the scope of using the tools and systems:

Data categories Explanation
Identification data Name, Surname, Address
Contact data Email Address, Phone number,
Account data Date of birth, Place of birth, nationality, gender, bank account details
Performance data Usage time of applications, order details
Geolocation data GPS data
Technical data Device data
Contract details Contract type, work permit
For what purposes do we process personal data?

We only collect your personal data if this is necessary and the purpose is legal and the processing is proportionate. Below we would like to give you more information for the purposes and legal basis:

What the purpose is Why do we process data for this purpose?
Recruiting  

As part of the application process, we collect, process and store your personal data on the basis of the data you have made available to us. The purpose of the processing is to make a decision regarding the hiring or refusal of an applicant.

Categories of personal data:

  • Identification data
  • Contact data
  • Account data

Legal basis:

  • Contract initiation, Art. 6 para. 1 b) GDPR

Retention period:

6 months in case of rejection of the applicant with notification

__________________________________________________________________________________________________________________________

Contract Conclusion of an employment contract

Categories of personal data:

  • Identification data
  • Account data

Legal basis:

  • Performance of contract, Art. 6 para. 1 b) GDPR

Retention period:

7 years after termination of employment

__________________________________________________________________________________________________________________________

Onboarding Preparation of the first working day, training of new employees

Categories of personal data:

  • Identification data
  • Account data

Legal basis:

  • Performance of contract, Art. 6 para. 1 b) GDPR

Retention period:

7 years after termination of employment

__________________________________________________________________________________________________________________________

Accounts Creation of required accounts for the applications used

Categories of personal data:

  • Identification data
  • Account data

Legal basis:

  • Performance of contract, Art. 6 para. 1 b) GDPR

Retention period:

6 months after termination of contract

__________________________________________________________________________________________________________________________

Presence monitoring Assessment of the reliability of drivers in fulfilling their contractual obligations. Use of location data in case of irregularities during the shift. Monitoring of compliance with rest times.

Categories of personal data:

  • Identification data
  • Account data
  • Working hours
  • Rest times

Legal basis:

  • Performance of contract, Art. 6 para. 1 b) GDPR

Retention period:

7 years after termination of employment

__________________________________________________________________________________________________________________________

 

Customer communication

Communication with customers about the status of the order or delivery

Categories of personal data:

  • Identification data
  • Contact details
  • Location data
  • Content of communication

Legal basis:

  • Legitimate Interest, Art. 6 para. 1 f) GDPR

Retention period:

6 years after collection

__________________________________________________________________________________________________________________________

Photos and videos Taking and publishing photos and videos of employees

Categories of personal data:

  • Identification data

Legal basis:

  • Consent, Art. 6 para 1 a) GDPR

Retention period:

7 years after termination of employment

__________________________________________________________________________________________________________________________

Work permit Review of existing employee contracts with regard to the validity of work permits

Categories of personal data:

  • Identification data
  • Contact details
  • Contract details

Legal basis:

  • Legal obligation, Art. 6 para 1 a

c) GDPR

Retention period:

Until withdrawal of consent

__________________________________________________________________________________________________________________________

Personnel administration We collect, process and store your personal data for the processing and creation of legally required documents and proofs as well as for the remuneration of our employees.

Categories of personal data:

  • Identification data
  • Contact data
  • Account data

Legal basis:

  • Performance of contract, Art. 6 para. 1 b) GDPR
  • Legal obligation, Art. 6 para. 1 c) GDPR

Retention period:

7 years after termination of employment

__________________________________________________________________________________________________________________________

Internal communication Different tools are used for communication between the employer us and the employees (in this case Rider). The purpose of the processing is the communication of necessary information.

Categories of personal data:

  • Identification data
  • Contact data

Legal basis:

  • Performance of contract, Art. 6 para. 1 b) GDPR
  • Legitimate interest, Art. 6 para. 1 f) GDPR

Retention period:

3 years after termination of employment

__________________________________________________________________________________________________________________________

Vacation file Processing, granting and rejection of vacation requests submitted by employees; documentation

Kategorien personenbezogener Daten:

  • Identifikationsdaten
  • Kontaktdaten
  • Contract details

Rechtsgrundlage:

  • Vertragserfüllung, Art. 6 Abs. 1 b) DSGVO

Retention period:

7 years after termination of employment

__________________________________________________________________________________________________________________________

Delivery To ensure a prompt delivery of the products ordered by our customers, the coordination data of our riders is collected and the order is assigned to those riders who are in an optimal region.

Categories of personal data:

  • Identification data
  • Contact data
  • Geolocation data
  • Technical data

Legal basis:

  • Performance of contract, Art. 6 para. 1 b) GDPR
  • Legitimate interest, Art. 6 para. 1 f) GDPR

Retention period:

6 months after collection

__________________________________________________________________________________________________________________________

Rider equipment Our employees receive rider equipment from us. This serves the uniform appearance of our riders as well as the protection of our employees. We manage and monitor the equipment provided to ensure that the necessary equipment is always available.

Categories of personal data:

  • Identification data
  • Contact data

Legal basis:

  • Performance of contract, Art. 6 para. 1 b) GDPR
  • Legal obligation, Art. 6 para. 1 c) GDPR
  • Legitimate interest, Art. 6 para. 1 f) GDPR

Retention period:

3 years after termination of employment

__________________________________________________________________________________________________________________________

Shift planning and time recording We collect, process and store personal data of our riders for the planning of deployments and the actual exercise of deliveries. The purpose of the processing is to collect and monitor the hours worked and to create the necessary work records.

Categories of personal data:

  • Identification data
  • Contact data
  • Account data
  • Performance data
  • Geolocation data

Legal basis:

  • Performance of contract, Art. 6 para. 1 b) GDPR
  • Legal obligation, Art. 6 para. 1 c) GDPR
  • Legitimate interest, Art. 6 para. 1 f) GDPR

Retention period:

7 years after termination of employment

__________________________________________________________________________________________________________________________

Performance evaluation For the continuous improvement of our own services, including the performance of our riders, we collect, evaluate and store performance data of our riders. The purpose of this processing is the performance-related remuneration of our riders as well as the execution of feedback discussions in order to identify possible areas of development and to support them with suitable measures to improve them.

Categories of personal data:

  • Identification data
  • Contact data
  • Performance data
  • Geolocation data
  • Technical data

Legal basis:

  • Performance of contract, Art. 6 para. 1 b) GDPR
  • Legal obligation, Art. 6 para. 1 c) GDPR
  • Legitimate interest, Art. 6 para. 1 f) GDPR

Retention period:

7 years after termination of employment

__________________________________________________________________________________________________________________________

How long do we store personal data?

We generally delete your data after the purpose has been fulfilled. The exact deletion rules are defined in our regional deletion concepts. Different deletion rules apply depending on the purpose of the processing. Within our deletion concepts we have defined various data classes and assigned rule deletion periods to them. When the retention period is met, the stored data will be deleted accordingly.

Under certain circumstances, any requests for deletion may be opposed by legal retention periods, which prevent us from deleting the stored data for a fixed minimum period of time. In order to comply with these legal requirements, we block the relevant data after the purpose has been fulfilled and thereby guarantee data completeness and data integrity.

With which data processors and why do we share personal data?

We never give your data to unauthorized third parties. However, as part of our work we obtain the services of selected service providers and give them limited and strictly monitored access to some of our data. However, before we forwarding personal data to these partner companies for processing on our behalf, each individual company undergoes an audit. All data recipients must meet the legal data protection requirements and prove their data protection level with appropriate proofs.

In the following we would like to inform you in a transparent and understandable way about all our data recipients with the respective reasons:

Data recipient Reason
External service provider They support our business activities by providing us with IT solutions and infrastructure or by ensuring the security of our business operations, for example by identifying and rectifying faults. Furthermore, personal data may also be disclosed to external tax consultants, lawyers or auditors if they provide services for which they have been commissioned.
Members of the Delivery Hero AG Group Within a group it is sometimes necessary to use resources effectively. In this context, we support each other within our Group in optimizing our processes. In addition, we provide joint content and services. This includes, for example, the technical support of systems.

This is a joint responsibility within the meaning of Art. 26 DSGVO. The employer is fully responsible for fulfilling the data protection requirements together with Delivery Hero SE. Within the framework of joint regulations, both the employer and Delivery Hero SE have agreed that both will guarantee their rights equally. You can therefore address any requests both to the employer and to Delivery Hero SE, Oranienburger Straße 70, 10117 Berlin.

You can reach the data protection officer at [email protected] .

Prosecuting authorities and legal proceedings Unfortunately, it can happen that a few of our rider and service providers do not behave fairly and want to harm us. In these cases we are not only obliged to hand over personal data due to legal obligations, it is of course also in our interest to prevent damage and to enforce our claims and to reject unjustified claims.
To which third countries do we transfer personal data?

We process your data mainly within the European Union (EU) and the European Economic Area (EEA). However, some of our service providers mentioned above are based outside the EU and the EEA.

The GDPR has high requirements for the transfer of personal data to third countries. All our data receivers have to measure up to these requirements. Before we transfer your data to a service provider in third countries, every service provider is first assessed with regard to its data protection level. Only if they can demonstrate an adequate level of data protection will they be shortlisted for service providers.

Regardless of whether our service providers are located within the EU/EEA or in third countries, each service provider must sign a data processing agreement with us. Service providers outside the EU/EEA must meet additional requirements. According to Art. 44 ff. GDPR personal data may be transferred to service providers that meet at least one of the following requirements:

  1. Commission has decided that the third country ensures an adequate level of protection (e.g. Israel and Canada)
  1. Standard data protection clauses adopted:

These are contractual clauses which cannot be modified by the contracting parties and in which they undertake to ensure an adequate level of data protection.

  1. Approved certification mechanism:

Under international agreements, companies can be certified according to defined criteria. One of these certifications is the EU-US Privacy Shield Agreement.

On the following link you can see certified companies: https://www.privacyshield.gov/welcome

We will only transfer your data to service providers who meet at least one of these requirements.

What are rights of data subjects and how can they be asserted?

You have the right to receive explicit information from us about the personal data we have stored about you, free of charge.

In addition, you have the following rights:

  • Right of access – The right to know what data was collected and how it is processed
  • Right to rectification – The right to request the modification of personal data if it is not up to date
  • Right to erasure – The right to request the deletion of personal data
  • Right to restriction of processing – The right to limit processing of personal data
  • Right to data portability – The right to transfer personal data in a machine-readable format
  • Right to object – The right to withdraw from given consent or object to the processing of personal data
  • Right to lodge a complaint to the supervisory authority – The right to submit a complaint against us at a supervisory authority, which can be either the responsible authority as named below or any other supervisory authority within the EU.

The responsible supervisory authority for us is:

Die für uns zuständige Behörde ist:

Österreichische Datenschutzbehörde

Barichgasse 40-42  

1030 Wien
Telefon: +43 1 52 152-0

E-Mail: [email protected]