In this article, we cover the topic of GDPR and how Urbantz handles it.
What is GDPR?
GDPR (General Data Protection Regulation) is a European regulation, in force since 25 May 2018, that aims to protect personal data within the European Union. In its commercial relations with its suppliers, Urbantz is classified as a data "processor" and is subject to GDPR as such.
As a general rule, our customers are classified as data "controllers" within the scope of this regulation.
What data does Urbantz collect?
Urbantz only collects data strictly needed to operate the solution efficiently.
The categories of data subjects are:
- The client's customers (recipients, consumers)
- The end users (dispatchers, customer services and delivery staff, etc.)
- The subcontractors, suppliers, and participants in the customer's delivery chain
The data consists of:
- The recipient's address and the time of the delivery
- Identification and contact data: surname, first name, email address, telephone number, language used, signature, and any other necessary data that the user/client may decide to insert in the solution (to complete a delivery)
- Economic data: all other necessary data that the user may decide to insert in the solution (to complete a delivery for example)
- Geolocation data: Global Positioning System (GPS) data (the recipient can see on a map the driver approaching, and the GPS position of the delivery person can be stored)
- Contact information for end users or users of the solution (name, email, telephone)
- Login data: IP address, login credentials, pages viewed, time spent, browser, operating system, calendar date, cookies, trackers, navigation data
- Other data: delivery and order data (destination, collection data, size, driver instructions, delivery date, number of packages, etc.).
Urbantz does not collect any data categorized as "special categories of personal data" within the meaning of GDPR (such as health-related data, political or religious opinions, etc.), nor other sensitive information. Our Customers will not disclose any special categories of data to Urbantz or any category of personal data that is not strictly necessary for the use of the Urbantz solution.
What is the retention period?
The duration of the processing will be the same as the duration of the contract (i.e. purposes of the processing) until the personal data is returned or destroyed by Urbantz at the client's request.
Urbantz will anonymize the personal data of the data subjects X months after the last activity related to this data subject. This period can be adapted on a customer basis in the signed contract and it varies between 1 and 36 months.
The logs (user actions) are available for 3 months (on an active basis), then they go into an archive database for a period of 12 months. Finally, logs older than 1 year are permanently deleted.
Where can I find additional information?
We provide information about our GDPR compliance in two more ways:
- In our general terms and conditions and privacy policy, available on our website.
- For customers who have signed an enterprise contract, in the Data Protection Agreement (DPA) linked to the contract.
How does the anonymization process work?
Anonymization is a technique that replaces personal data with modified values. This makes reverse engineering or detection impossible once anonymization is applied.
We categorize this data into two types:
- Task recipient details
- Urbantz user details
How can I perform an anonymization?
- For individual anonymization: This can be executed by a user with a Platform Manager role.
- For scheduled anonymization: This can be configured for a period of up to 3 years after data creation. This configuration requires formal agreement from the client and approval from our DPO.
The anonymization can be performed:
- Manually, by a user with a Platform Manager role by navigating to the task and choosing the Anonymize option (see below).
- Automatically, on a schedule defined by the time period specified in the client's contract.
Below is an overview of the anonymization options available for each type of data:
| Domain | Options available |
| --- | --- |
| Task/Delivery recipient details | 1. Automated anonymization: Data will be anonymized ‘X’ months after delivery. ‘X’ will be the duration that is determined by the controller (i.e. the Urbantz Customer). This period can vary from 1 to 36 months. 2. Manual anonymization: For specific task(s) for individual and punctual requests. This request should always come through the data controller (the Urbantz Customer). If Urbantz receives a request directly from the recipient, Urbantz will transfer the request to the Customer (once identified). |
| Urbantz user details | For the default data: Automated anonymization: Data will be anonymized after ‘N’ months of user inactivity. ‘N’ will be the duration determined by the controller (i.e. the Urbantz Customer). This period can vary from 1 to 36 months. For the relation between the round and the driver: Automated anonymization: Data will be anonymized ‘Z’ months after the round was done by the driver. ‘Z’ will be the duration that is determined by the controller (i.e. the Urbantz Customer). This period can vary from 1 to 36 months. |
Important note:
Once anonymization has been applied, there is no way to retrieve the original value. The original data is therefore lost. Please proceed with the anonymization of the data with the utmost care.
For additional information, please reach out to your designated CSM and please make sure to familiarize yourself with this article as well: GDPR - Which Data Gets Anonymized?