We are pleased that you are interested in data protection. We would like to give you an easily understandable overview of the data processing practices and our privacy compliance measures in relation to our delivery websites, applications and related services (we’ll call all of these together simply the “platform” below). Our goal is to provide you with an amazing experience while keeping your personal data secure. Trust, transparency and honesty are our leading principles. Your trust in our product is the reason why we can provide you with an amazing experience.
We are Delivery Hero Innovations Hub GmbH, but usually we just use the name foodpanda. You can always contact us via the following methods:
Oranienburger Straße 70
10117 Berlin, Germany
E-mail address: [email protected]
As regards the processing activities conducted on our platform, foodpanda will be the data controller responsible for what happens with your personal data. “Data controller” is a legal term and simply means that we are the party determining how your personal data is processed, for what purposes this is done and by what means. While we are required by law to provide you with all of the following information, we do so also out of the belief that a partnership should always be honest.
If you have any questions about data protection at foodpanda, you can also contact our data protection officer at any time by sending an email to [email protected].
We are also a member of the large and fascinating family of the international Delivery Hero Group. As a family, we make certain decisions together. Both our parent company, Delivery Hero SE, Oranienburger Straße 70, 10117 Berlin and foodpanda, to some extent, jointly decide which means we will use to process your personal data and which purposes we consider to be appropriate. Legally, this means that foodpanda and Delivery Hero SE are also jointly responsible for these joint data processing activities and you are free to assert your rights against both parties in relation to the processing activities listed in this Privacy Policy.
Basically, you can take the following steps to control and manage how much personal data you share with us:
Cookies & web-tracking: You can set your device or web browser to decline cookies and other web-tracking technologies (which is also possible through our consent manager). If you deactivate web-tracking, you will no longer see any personalized contents, offers or ads.
Under the EU General Data Protection Regulation (GDPR) and other data protection laws, you can assert the following legal rights against us:
| Right to access
|
You have the right to be informed which data we store about you and how we process this data. This also includes receiving a copy of your data. |
| Right to rectification
|
If you notice that processed data is incorrect, you can always ask us to correct it. |
| Right to erasure
|
You can ask us at any time to delete the data we have stored about you. |
| Right to restriction of processing
|
If you do not wish to delete your data, but do not want us to process it further, you can ask us to restrict the processing of your personal data. |
| Right to withdraw consent
|
You can withdraw your given consent at any time, with future effect. |
| Automated decision-making | On the platform, we do not subject you to any decisions based solely on automated processing, including profiling, producing a legal effect for you or similarly significantly affecting you. One notable exception to this are our fraud detection and prevention systems; these will determine in an automated way, based on your behaviour on our platform, whether you might be a fraudulent actor.
We also provide you with a personalized user experience on our platform so you will see contents based on your previous orders or meal preferences.You are free to request us to provide you with a non-customized experience instead of tailoring the platform to your needs. In any case, you always have the right to contact us and challenge a decision made by our automated systems. To do this, just get in touch with us. |
| Right of complaint | If you believe that we have done something wrong with your personal data or your rights, you can complain to a supervisory authority at any time. You can raise a complaint about our processing of your personal data with the data protection authority in the EU Member State of your habitual residence, at our seat of business, your place of work or the place where you think a violation of the GDPR has occurred. You can also lodge a complaint with our international lead supervisory authority in Berlin, Germany. |
We never give your data to unauthorized third parties. However, to run our business efficiently, we obtain the services of selected service providers and give them limited and strictly monitored access to some of our data. However, before we forward personal data to these partner companies for processing on our behalf, each individual company undergoes an audit. All data recipients must meet the legal data protection requirements and prove their data protection level with appropriate documentation.
As we already let you know at the beginning of this Privacy Policy we are part of an international group of companies with legal entities in many parts of the world. This also includes our group’s headquarters operated by Delivery Hero SE in Berlin, Germany. To use our resources efficiently and ensure that our business processes are functioning properly, we will share personal data with our joint controller Delivery Hero SE on a regular basis. In certain situations, we might also share limited data with other group companies, for example, to assist with customer support requests, conduct legal assessments or implement IT and platform security measures.
All Delivery Hero Group Companies are bound by strict intra-group data transfer agreements ascertaining compliance with the GDPR’s data processing principles whenever sharing personal data with affiliated companies.
We use different service providers for our daily processing activities. Most of these providers process your personal data as so-called “data processors” in accordance with the requirements of Art. 28 GDPR. This means they are permitted to process any personal data only according to our instructions and have no claims whatsoever to process your personal data for their own, independent purposes. We also monitor our processors and include only those who meet our high data protection standards.
You have already learned about some of the parties we use as service providers above and can also find information on data recipients in our Cookies, SDKs and Web-Tracking Policy. Our user platforms and databases run on cloud resources provided by the EU subsidiaries of Google and Amazon Web Services (AWS). Because we use different data processors and change them from time to time, it is not possible for us to identify all individual recipients of personal data in this Privacy Policy. However, if you are interested, we will be happy to disclose the name of the processor(s) in use at that time upon request.
In addition to data processors, we also work with third parties, to whom we also transmit your personal data, but who are not bound by our instructions. These are, for example, our consultants, lawyers or tax consultants who receive your data from us on the basis of a contract and process your personal data for legal reasons or to protect our own interests. We do not sell or rent your personal data to third parties under any circumstances. This will never take place without your explicit, informed consent.
Unfortunately, it can happen that a few of our customers and service providers do not behave fairly and want to harm us. In these cases, we are not only obliged to hand over personal data to public authorities due to legal obligations, it is also in our interest to prevent damage and to enforce our claims and to reject unjustified claims.
We process your data mainly within the European Union (EU) and the European Economic Area (EEA). However, some of our service providers or affiliated companies mentioned above are based outside the EEA in so-called “third countries”. The GDPR has high requirements for the transfer of personal data to such third countries. All our data recipients have to measure up to these requirements.
Before we transfer your data to a recipient in a third country, this recipient is first assessed with regard to their data protection level. They will only be chosen if they can demonstrate an adequate level of data protection even outside the territory of the EEA. According to Art. 44 ff. GDPR personal data may be transferred to service providers meeting at least one of the following requirements:
– The European Commission has decided that the third country ensures an adequate level of protection (e.g. Israel and Canada).
– Standard contractual clauses (also called “standard data protection clauses”) have been incorporated into our contract with the data recipient (including any supplementary measures, if required to guarantee an adequate level of protection for personal data).
– Further appropriate safeguards in accordance with Art. 46 GDPR have been provided (for example Binding Corporate Rules).
We generally delete your personal data after the purpose of their processing has been fulfilled. The exact deletion rules are defined in our global policies and supporting local retention schedules. Different deletion rules apply depending on the purpose of the processing. Within our deletion concepts we have defined various data classes and assigned regular maximum retention and deletion periods to them. When the retention period has expired, the stored data will be deleted accordingly.
Furthermore, we will continue to store your data if we have a right to do so in accordance with Art. 17 (3) GDPR. This applies in particular if we need your personal data for the establishment, exercise or defence of legal claims.
We reserve the right to change this data protection declaration in compliance with the statutory provisions. We will inform you of any significant changes, such as changes of purpose or new purposes of processing.
Date: Apr 8, 2022