Privacy Policy for the Postbus Shuttle Driver App

This privacy policy describes how personal data is processed when the Driver App and its functionalities are used.

1. What is Personal Data?

Personal Data includes any information relating to an identified or identifiable natural person, for example your name, address, e-mail address or user behavior in relation to the Driver App.

2. Responsible Body

This Privacy Policy for the Postbus Shuttle Driver App applies to the contractual relationship between Österreichische Postbus Aktiengesellschaft, Am Hauptbahnhof 2, A-1100 Vienna, FN: 195030i (hereinafter "Postbus" or "we"), and you as a subcontractor (hereinafter "Subcontractor" or "you").

The subcontractor shall be obliged to perform trips for Postbus under the name "Postbus Shuttle". The service shall be provided using the Postbus Shuttle Driver App (hereinafter "Driver App"). The Driver App is connected to the Postbus Shuttle backend system of Postbus via a setup code.

The subcontractor is obligated to bring this data protection declaration to the attention of its drivers.

Österreichische Postbus Aktiengesellschaft (hereinafter referred to as "Postbus"), FN 195030i, Am Hauptbahnhof 2, 1100 Vienna, telephone +43 1 930000 is the data protection controller within the meaning of Article 4 number 7 GDPR for the implementation of the Postbus Shuttle operation.

Contact information:
Österreichische Postbus Aktiengesellschaft
1100 Vienna, Am Hautbahnhof 2
E-mail: datenschutz.postbus@pv.oebb.at  

3. What personal data is collected? How is the data collected from you used? On what legal principle is the use based?

a) Driver of the Postbus Shuttle Service

Postbus is entitled to process personal data based on the contract concluded with the subcontractor. The legal basis for this is Art. 6 para. 1 (b) (performance of the contract or steps prior to the conclusion of the contract).

An administrator at Postbus who is bound to confidentiality will create a driver account with your name, email address and phone number.

b) Installation of the App

When you install the Driver App and log in to your assigned service (e.g., Postbus Shuttle Service for a particular community), the following information is collected about the subcontractor:

Service setup code
Email address
Encrypted login credentials

This aforementioned information is processed for the purpose of registration and authentication as well as for verification of the user identity. The legal basis for this is Art. 6 para. 1 (b) GDPR (performance of a contract).

c) Use of the app

When using the app, the following personal data will be collected:

1. location-based data

The location and route of the vehicle will be tracked and displayed, live, to the operations control, and are therefore visible to the dispatcher. In addition, following a ride request or booking, the Rider can follow the location of the vehicle on the rider app. In addition, historic information relating to previous rides is stored by the operations control.

The purpose of this data collection is to carry out transportation requests, plan the route of the vehicle, monitor the quality of the service and optimize routes and rides between drivers in a service. The legal basis for this is Art. 6 para. 1 (b) GDPR (performance of a contract).

A recording of the official vehicle license plate in the driver app and in the associated operations control does not take place at Postbus Shuttle.

2. Device information

IP address, device type, operating system, manufacturer, model and version number and unique device identifiers such as the device ID (not IMEI) are automatically collected in order to diagnose problems and improve the service. The legal basis for this is Art. 6 para. 1 (b) GDPR (performance of a contract).

3. Mapbox

The Driver App uses the Mapbox Navigation SDK in the app. The Mapbox Navigation SDK provides maps and in app turn by turn navigation in the Driver App. This is a core feature of the Driver App and allows navigation to be provided in the app instead of relying on external navigation solutions. The Mapbox Navigation SDK collects anonymized device and location information to improve their service. (https://www.mapbox.com/legal/privacy/)

Mapbox automatically collects certain technical information, including IP address, device and browser information, operating system, the content of the request, the date and time of the request, limited usage data, and limited location data. IP addresses are deleted after 30 days. In addition, certain limited location and usage data is sent along with an ephemeral ID. This ephemeral ID changes hourly and we do not link it or the unprocessed mobile location data to personally identifiable information, including names, permanent IDs, email addresses, IP addresses or phone numbers. Mapbox also collects randomly generated IDs for the limited purpose of analyzing the use of the SDK, including the number of active users. Mapbox deletes the randomly generated IDs and the content of the requests to after 36 months.

4. Will the data and information about me be shared with others?

Your personal data will be disclosed to third parties only in the cases described in point 3 c).

If the transfer of personal data to an external service provider is necessary for the provision of a service or to respond to an inquiry, the responsible party or processor takes technical and organizational measures to ensure that the legal provisions on data protection under Art. 28 GDPR are complied with and shall also oblige the external service provider to comply with the relevant statutory data protection provisions, to treat the data confidentially and to delete the personal data immediately as soon as they are no longer needed.

5. Are data also transmitted to recipients outside the European Union or outside the European Economic Area (EEA)?

The data will only be transmitted to third parties in the cases described in point 3 c) 2nd and 3rd case.

Consent has been given for the use of Mapbox in accordance with Article 49 (1) lit. a GDPR. The data subject has been informed about the circumstance of the data transfer including the associated risks and has the right to revoke this consent at any time.

6 How long will my data be stored?

Personal data collected for this reason will be stored for a maximum period of 10 years and then deleted, unless there is a special reason for storage in an individual case (e.g. civil litigation still in progress) that justifies or requires a longer storage period.

For exceptions to the use of Mapbox, see point 3 c) 3rd sub-case.

7. What rights do I have?

As a data subject, you are entitled to assert the following data subject rights against Österreichische Postbus Aktiengesellschaft: (1) right to information (Article 15 GDPR), (2) right to rectification and erasure (Article 16 GDPR), (3) right to erasure (Article 17 GDPR), (4) right to restriction (Article 18 GDPR), (5) right to data portability (Article 20 GDPR), (6) right to object (Article 21 GDPR).

If you wish to assert a data subject right, contact us. The following contact options are available to you for this purpose:

Subject: Assertion of data subject rights
Österreichische Postbus Aktiengesellschaft
1100 Vienna, Am Hautbahnhof 2
E-mail: datenschutz.postbus@pv.oebb.at

You are also entitled to file a complaint with the data protection authority in accordance with §§ 24ff DSG and Article 77ff GDPR in the event of alleged violations of obligations under the GDPR.

Contact:
Austrian Data Protection Authority
1030 Vienna, Barichgasse 40-42
Phone: +43 1 52 152-0
E-mail: dsb@dsb.gv.at and www.dsb.gv.at  

You can contact our data protection officer as follows: Österreichische Postbus Aktiengesellschaft, Am Hautbahnhof 2, 1100 Vienna, e-mail: datenschutz.postbus@pv.oebb.at 

8. Contact

For information and suggestions regarding data protection, please contact datenschutz.postbus@pv.oebb.at.

Version from: March 22, 2021