PRIVACY POLICY-RIDER | foodpanda

Who is the data controller?

This privacy policy sets out the basis which Delivery Hero Logistics (Thailand) Co., Ltd. (“foodpanda”, “we”, “us” or “our”) and our Affiliates (as the case may be) collect, use, disclose or otherwise process your (“rider” or “independent contractor”) personal data in accordance with all applicable laws (including the Personal Data Protection Act B.E. 2562 (“PDPA”)), regulations, guidance, advisories, notification and codes of practice, relating to the Processing of your personal data in the applicable jurisdiction and issued by the relevant regulatory authority governing the Processing (“Data Privacy Laws”).

Why and which personal data do we process?

Below you can see which of your data we need for which purposes and under which circumstances we share your data with others.
Personal data means data, whether true or not, about an individual who can be identified — (a) from that data; or (b) from that data and other information to which the organisation has or is likely to have access.This includes your first and last name, address, phone number, date of birth, location data or email address.

Which personal data do we process?

In order to provide our delivery service to our customers, we use various tools and systems that are absolutely necessary for the delivery of orders. We also use external and internal tools and systems to process your personal data for personnel management and business operations.
We collect, process and store the following categories of personal data within the scope of using the tools and systems:

Data categoriesExplanation
Identification dataName, Surname, Address, Picture/Photograph
Contact dataEmail Address, Phone number
Account dataDate of birth, Place of birth, nationality, gender, bank account details, identification number
Performance dataUsage time of applications, order details
Geolocation dataGPS data
Technical dataDevice data
For what purposes (“Purposes”) do we process personal data?

We only process your personal data for required and lawful Purposes as set out below:

PurposeWhy do we process data for this purpose?
RecruitingAs part of the application process, we collect, process and store your personal data on the basis of the data you have made available to us. The purpose of the processing is to make a decision regarding the acceptance or refusal of an applicant.

Categories of personal data: 
– Identification data
– Contact data
– Account data

Identity Verification
In order to protect your application profile from possible fraudulent attacks, we need to verify your identity and make sure that the profile owner is who they claim to be. To this end, we use identity verification measures to ensure that suspicious behavior patterns are detected at an early stage. We will ask you to upload a “selfie” picture/photograph to our systems that will be verified and reviewed by us. The image will be deleted as soon as the identity has been verified and we no longer need this data.

Categories of personal data: 
– Identification data
Applicant reactivationIf an applicant does not continue the application process, SMS or emails will be sent to remind the applicant of the steps that need to be taken to complete the application process.

Categories of personal data: 
– Identification data
– Contact data
ContractConclusion of an independent contractor agreement

Categories of personal data: 
– Identification data
– Account data
OnboardingPreparation of the first day of service, training of new riders

Categories of personal data: 
– Identification data
– Account data
Presence monitoringAssessment of the reliability of riders with regard to the fulfilment of their contractual obligations 

Categories of personal data: 
– Identification data
– Account data
– Contact details
AccountsCreation of required accounts for the applications used

Categories of personal data: 
– Identification data
– Account data
Working time recordingRecording of work performed by the rider

Categories of personal data: 
– Identification data
– Start and end date of shift
Customer communicationCommunication with customers about the status of the order or delivery

Categories of personal data: 
– Identification data
– Contact details
– Location data
– Content of communication
– Picture (if available)
Photos and videosTaking and publishing photos and videos of riders

Categories of personal data: 
– Identification data
– Picture/Video
Rider administrationWe collect, process and store your personal data for the processing and creation of legally required documents and proofs as well as for the remuneration of our riders.

Categories of personal data: 
– Identification data
– Contact data
– Account data
CommunicationDifferent tools are used for communication between us and the riders. The purpose of the processing is the communication of necessary information.

Categories of personal data: 
– Identification data
– Contact data
DeliveryTo ensure a prompt delivery of the products ordered by our customers, the coordination data of our riders is collected and the order is assigned to those riders who are in an optimal region.

Categories of personal data: 
– Identification data
– Contact data
– Geolocation data
– Technical data
Delivery EstimationIn order to be able to inform customers of the expected delivery time, average speed data is processed in anonymous form.  

Categories of personal data: 
– Geolocation data (anonymized)
PaymentsPreparation of statements; payment of service fees

Categories of personal data: 
– Identification data
– Contact data
– Bank account information
Rider equipmentRiders receive rider equipment from us. This serves the uniform appearance of our riders as well as the protection of our riders. We manage and monitor the equipment provided to ensure that the necessary equipment is always available. 

Categories of personal data: 
– Identification data
– Contact data
Time recordingWe collect, process and store personal data of our riders for the actual exercise of deliveries. The purpose of the processing is to collect the hours worked and to create the necessary records.

Categories of personal data: 
– Identification data
– Contact data
– Account data
– Performance data
– Geolocation data
Performance evaluationEvaluation of driver performance based on the quality (restaurant and customer complaints), quantity of orders delivered. It also includes but is not limited to, reliability, proper login and acceptance of orders during the shift until the end of the shift. Also the proper execution of the order.

Categories of personal data: 
– Identification data
– Contact data
– Performance data
– Geolocation data
– Technical data
TerminationOrdinary and extraordinary terminations of contracts with riders

Categories of personal data: 
– Identification data
– Contact data
Off-boardingDeactivation of existing accounts; return of received clothing and equipment.

Categories of personal data: 
– Identification data
– Contact data
ArchivingArchiving of documents subject to retention for tax purposes, the prevention of fraud, and the fulfilment of any other legal or regulatory obligations applicable to us.

Categories of personal data: 
– Identification data
– Contact data
– Date of birth
– Tax information
– Working times
– Identification number (partial) (e.g. SXXXX123A)
Advertising and marketingOnline marketing
Our hiring process is based to a large extent on finding potential riders. In order to reach the right candidates, we run marketing campaigns.  Therefore, we would like to present to you our processes as transparently as possible. The following online marketing processing activities we pursue include targeting and retargeting:

1)    TargetingIn principle, targeting means the switching and fading in of advertising banners on websites that are tailored to specific target groups. The aim is to display the most attractive banners as individually as possible for the user and potential riders. Firstly, we define a target group and secondly, we commission our service providers to show our advertising to the defined target group. We do not process any personal data, as these are initially made anonymous. We segment different target groups and place different ads on different portals for optimized targeting.

2)    RetargetingAs soon as you have visited our website for obtaining further information on our rider program, we store this information in cookies. If you continue to surf other websites, our advertising partners will remind you on our behalf that you have not yet submitted an application. We don’t want you to miss out on our amazing rider program.You can disable retargeting by installing appropriate add-ons for your browser. Furthermore, you can and should also regularly delete the cookies stored in the browser you are using.

Categories of personal data:
– Contact data
– Website visitor data
Operational safety and fraud preventionOne of our main priorities is to ensure a secure platform and safe delivery experience for everyone participating in our platform. To achieve this objective, proactive measures to prevent fraudulent activity and to ensure operational safety are implemented. 

We employ various processes to detect and prevent fraudulent activities, including those involving shift and location manipulation. We also leverage facial recognition, ID verification and liveness detection technologies to ensure that only legitimate account holders access rider accounts. For this purpose, we utilize ARKit and TrueDepth technologies for Apple devices and MLKit for Google devices that serves us to confirm the image of your face belongs to you. We assure that your data processed during this process is not used for any other purposes and not disclosed to any other unauthorized third parties. Additionally, analysis of device data helps to identify potentially unsafe riders and improve driving standards. Rest assured, your images are deleted immediately after the purpose is fulfilled with respect to applicable statutory retention periods. 

Some of these processes may be done automatically by taking into account all relevant factors mentioned above. If you have any inquiries regarding this process, you can always contact support agents and request human review.

Categories of personal data: 
– Identification data (including government issues IDs, work permit)
– Image of your face
How long do we store personal data?

We generally delete your data after the purpose has been fulfilled. The exact deletion rules are defined in our regional deletion concepts. Different deletion rules apply depending on the purpose of the processing. Within our deletion concepts we have defined various data classes and assigned rule deletion periods to them. When the retention period is met, the stored data will be deleted accordingly.
Under certain circumstances, any requests for deletion may be opposed by legal retention periods, which prevent us from deleting the stored data for a fixed minimum period of time. In order to comply with these legal requirements, we block the relevant data after the purpose has been fulfilled and thereby guarantee data completeness and data integrity.

With which data processors and why do we share personal data?

We never give your data to unauthorized third parties. However, as part of our work we obtain the services of selected service providers and give them limited and strictly monitored access to some of our data. However, before we forward personal data to these data processors for processing on our behalf, each individual company undergoes an audit. All data recipients must meet the legal data protection requirements and prove their data protection level with appropriate proofs.

In the following we would like to inform you in a transparent and understandable way about all our data recipients with the respective reasons:

Data recipientReason
External service providerThey support our business activities by providing us with IT solutions and infrastructure or by ensuring the security of our business operations, for example by identifying and rectifying faults. Furthermore, personal data may also be disclosed to external tax consultants, lawyers or auditors if they provide services for which they have been commissioned. 
Members of the Delivery Hero SE GroupWithin a group it is sometimes necessary to use resources effectively. In this context, we support each other within our Group in optimizing our processes. In addition, we provide joint content and services. This includes, for example, the technical support of systems.We are fully responsible for fulfilling the data protection requirements together with Delivery Hero SE. Within the framework of joint regulations, we and Delivery Hero SE have agreed that both will guarantee their rights equally. You can therefore address any requests both to us and to Delivery Hero SE, Oranienburger Straße 70, 10117 Berlin. You can reach the data protection officer at [email protected] (Delivery Hero SE). 
Prosecuting authorities and legal proceedingsWe may also share your personal data with law enforcement agencies, government and regulatory bodies to meet applicable legal or regulatory obligations, including requests .
To which third countries do we transfer personal data?

We process your data mainly within the Asia-Pacific (APAC). However, some of our service providers mentioned above are based outside of APAC.
All our data receivers have to measure up to certain requirements for the transfer of personal data to third countries. Before we transfer your data to a service provider in third countries, every service provider is first assessed with regard to its data protection level. Only if they can demonstrate an adequate level of data protection will they be shortlisted for service providers.

Regardless of whether our service providers are located within APAC or in third countries, each service provider must sign a contract with us, which shall contain the provisions as required by the PDPA. We shall ensure that any personal data transferred out of Thailand is protected to a comparable standard as that required under the PDPA.

Cookies

In order to make the visit of our website attractive and to enable the use of certain functions, we use so-called cookies on various pages. These are small text files that are stored on your device. Some of the cookies we use are deleted after the end of the browser session, i.e. after closing your browser (so-called session cookies). Other cookies remain on your device and allow us or our affiliate to recognize your browser on your next visit (persistent cookies). You can set your browser so that you are informed about the setting of cookies and individually decide on their acceptance or exclude the acceptance of cookies for specific cases or in general. Failure to accept cookies may limit the functionality of our website/app.

You can install additional add-ons in your browser that block unnecessary cookies. By doing so, you will not see any interest-based advertisements.

Categories of personal data:

Limited device information such as IP address, device ID, MAC address, operating system, device type, Apple Advertiser ID (IDFA) or Android Ad ID (AAID) 

You can find our cookie policy with all the cookies we use in our Cookies and Web-Tracking Policy.

What are your rights as data subjects and how can they be asserted?

You have the right to receive explicit information from us about the personal data we have stored about you.

In addition, you have the following rights:

Right to accessYou have the right to be informed which data we store about you and how we process this data.
We will respond to your access request as soon as practicable, in any case within thirty (30) days upon receiving your access request. We will also inform you within the timeframe if we are unable to adhere to your request (with reasons) or require additional time to effect the request.
Right to rectificationIf you notice that stored data is incorrect, you can always ask us to correct it.
We will respond to your correction request as soon as practicable, in any case within thirty (30) days upon receiving your correction request. We will also inform you within the timeframe if we are unable to adhere to your request (with reasons) or require additional time to effect the request.
Right to withdraw your consent

You can withdraw your consent to our collection, use and disclosure of your personal data at any time for any or all of the Purposes. Upon receiving your withdrawal request, we may require reasonable time (depending on the complexity of the request and its impact on our relationship with you) for your request to be processed and for us to notify you of the consequences of us acceding to the same, including any legal consequences which may affect your rights and liabilities to us. 
We will endeavour to process your request within ten (10) business days upon receipt, and will notify you accordingly if we require additional time.
Data Protection Officer

You may contact our Data Protection Officer (DPO) to exercise your data subject rights or find out more about our data protection processes and how we process your personal data by emailing [email protected]

Supervisory Authority

The supervisory authority responsible for us is:
Name: Personal Data Protection Commission Thailand
Address: Chaeng Watthana Rd, Thung Song Hong, Lak Si, Bangkok 10210
Contact details: [email protected]

Last updated: 13 May 2024