External Privacy Notice

Version 2023:1

Last updated: 2023-06-12

1. Introduction

This privacy notice (”Privacy Notice”) explains how Gordon Services AB and all its subsidiaries within the GORDON Group (hereafter referred to as ”GORDON”, ”we”, ”our” or ”us”) Process Personal Data belonging to the categories of Data Subjects stated in section 1.1 below.

This Privacy Notice refers to ”GORDON”, ”we”, ”our” or ”us”. However, only an individual company within the GORDON Group can be, and is, the Controller for each individual Processing of Personal Data. For details regarding each company within the GORDON Group, please see section 14 (Contact details) below.

We are the Controller regarding all Processing of Personal Data performed by us or on our behalf when we determine the means and purpose of the Processing (in accordance with the principle of accountability). Unless otherwise stated in this Privacy Notice, we are the Controller for the Processing described.

1.1 Categories of Data Subjects

The Processing covered in this Privacy Notice pertains to the following categories of individuals whose Personal Data we Process (referred to as ”Data Subject” or “You”):

Category 1) – Customers, End-Customers and their representatives who receive deliveries from us

Customers.
End-Customers.
Persons representing a private or corporate Customer or End Customer (e.g. recipients, c/o address holders, or designated contact individuals).

Category 2) – Individuals who contact or interact with us

Individuals who use our application/websites/digital channels.
Individuals who encounter us through alternative means (such as interacting with our customer service or who contact us by, for example, phone, chat, social media or email.

Category 3) – The Client’s personnel

Individuals who are in contact with us in some way because they are representing or working on behalf of a Client, for example, but not limited to, a Client’s signatory, contact person or other staff members of the Client.

Category 4) – The Supplier’s personnel

Individuals who are in contact with us in some way because they are representing or working on behalf of a Supplier, for example, but not limited to, a Supplier’s signatory, contact person or other staff members of the Supplier.

2. Definitions

In addition to any terms defined in the running text of this Privacy Notice, the definitions below shall have the following meaning when expressed in capital letters as initial letters, whether used in plural or singular, in the definite or indefinite form:

”Candidates” refer to individuals who actively engage in the process of seeking employment opportunities by submitting their applications, resumes, or other relevant documents to be considered for potential positions within GORDON. It may also encompass individuals whom GORDON proactively approaches and offers employment opportunities to.

“Controller” refers to the person or entity who determines the purpose of a particular Processing of Personal Data and how the Processing is to be carried out. Individuals, legal persons, authorities, institutions, or other bodies may be Controllers.

“Customer” refers to individuals or entities who have purchased a service directly from GORDON.

“Client” refers to GORDON’s contracting party purchasing Delivery Services from GORDON for deliveries to the End-Customer.

“End-Customer” refers to the Client’s customer, i.e. the customer with whom the Client has an agreement regarding purchasing Goods.

“Data Subject” refers to the natural person who can be identified through the Personal Data.

“Delivery Services” refers to the delivery services conducted by GORDON and may include transport services.

“Distribution Center”, also called “DC”, refers to GORDON’s distribution terminals where Goods are sorted out on routes for delivery to the Customer or End-Customer.

“Driver” refers to the person driving the vehicle and performing the delivery assignment on behalf of GORDON.

“Driver App” refers to a mobile application provided by GORDON, that provides information to the Driver about the delivery assignment, such as how the delivery shall be conducted (e.g. if the parcels can be left outside the door), contact details of the End-Customer etc.

“GDPR” refers to regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons concerning the Processing of Personal Data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation). Where the Controller is Gordon Delivery UK Ltd, references herein to the “GDPR” shall refer to “The Data Protection Act 2018”, which is the UK’s implementation of the General Data Protection Regulation (GDPR).

“GORDON Last Mile Platform”, also called “LM”, refers to GORDON’s technical platform that enables a digitised flow for the Client’s deliveries.

“Goods” refers to the goods and products the Client engages GORDON to deliver to the End-Customer.

“Personal Data” refers to all data that, directly or indirectly, alone or together with other data, can be linked to an identified or identifiable physical living person.

“Processing” refers to everything made with Personal Data, regardless of whether it is being performed automated or not. Processing can occur through an individual measure or a combination of different measures. Common examples of Processing Personal Data are storage, erasure, sharing, usage, registration, copying, collection, organisation, use, adjustment, destruction, etc.

“Processor” refers to the one who Processes Personal Data on behalf of a Controller, according to the Controller’s instructions.

“SCC” refers to Commission implementing decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries according to Regulation (EU) 2016/679 of the European Parliament and of the Council, or later updated version.

“Services” includes the services that GORDON provides, including but not limited to Delivery Services, education programs, technical platforms, tools, websites, applications, and other digital channels.

“Supplier” refers to the contractors and subcontractors whom GORDON has engaged to assist in providing our Services or in connection with GORDON’s business operations, including but not limited to logistics companies or other parties.

“Payment Service Provider” refers to a service provider that, among other things, Processes payments on behalf of GORDON.
Any other GDPR-related terms not defined herein shall have the same meaning in this Privacy Notice as outlined in Article 4 of the GDPR.

3. How do we access the Personal Data that we Process?

We may access and collect Personal Data for example when:

We enter into an agreement with a Client, Customer or Supplier.
We conduct our Delivery Services, including delivery of parcels to an End-Customer, Customer or Client.
An individual contacts us in any way.

4. What information do we Process?

We only Process Personal Data that is adequate, necessary, and relevant to fulfil the purposes for which it was collected (in accordance with the principle of data minimisation).

We mainly Process the following categories of Personal Data:

Identity: First name, last name, personal identity number, government-issued ID or other relevant information requested for identity verification.
Contact: Email address, telephone number, delivery address.
Transactional: Purchase history, order details, transaction records, such as but not limited to details of Services and/or products accessed or utilised by Clients, Customers, and/or End-Customers.
Financial: Credit card information, payment history.
Employment: Job title, employer name, work address.
Demographic: Date of birth, nationality, language preference, and demographic data from public sources, including gender, age, and family situation.
Location: Physical address, GPS coordinates, delivery preferences.
Biometric: Voice recordings.
Online identifiers: Usernames, IP addresses, and device information.
Social media: Social media profiles, interactions, posts, likes, and comments.
Consent and preferences: Marketing preferences, communication preferences, communication consent, and cookie preferences.
Other Personal Data: Any additional Personal Data provided to us by the Data Subject or another third party.

5. Legal basis and purpose of our Processing of Personal Data

We only Process Personal Data for particular, explicitly stated, and justified purposes (in accordance with the principle of purpose limitation).

We mainly Process Personal Data to:

Provide, perform, and/or improve our Services and offerings, programs, tools, websites, applications and other digital channels.
Offer delivery, transportation and any additional Services.
Follow up on performed delivery, transportation and any additional Services.
Ensure reliable, safe, smooth, and transparent delivery of our Services.
Carry out our delivery, transport and additional Services at the right time.
Deliver our Services with a low carbon footprint in an optimised, predictable, and efficient way.
Follow up, analyse and improve our Services and offerings, programs, tools, website, applications and other digital channels delivered to Clients, Customers and End-Customers, and develop the quality of Services offered, including the interaction with us and the user experience.
Maintain, analyse, improve and develop our offerings and Services.

We Process Personal Data primarily on one of the following legal bases:

Consent: The Data Subject has consented to our Processing of their Personal Data for one or more specific purposes (Article 6(1)(a) GDPR).
Contract: The Processing is necessary to perform a contract to which the Data Subject is a party or take steps at the Data Subject’s request before entering into a contract (Article 6(1)(b) GDPR).
Legal obligation: The Processing is necessary for compliance with a legal obligation to which the Controller is subject (Article 6(1)(c) GDPR).
Legitimate interest: The Processing is necessary for the legitimate interests pursued by the Controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject, which require protection of Personal Data (Article 6(1)(f) GDPR).

You may have to provide Your Personal Data to enter into an agreement with us, get the Services or Goods You have ordered or comply with legal or contractual obligations.

In some cases, it is optional for You to provide Your Personal Data. However, if You do not provide Your Personal Data, we may be unable to provide the requested Services or support. Unless otherwise stated, You will not suffer any negative legal repercussions if You do not provide Your Personal Data.

When we Process Your Personal Data based on Your consent, You can withdraw it at any time without affecting the lawfulness of Processing based on consent before its withdrawal.

When we conduct a Processing of Personal Data in our capacity of Controller, based on the legal basis of Legitimate interest, we assess that the Processing does not constitute an infringement of Your right to privacy and integrity. After carefully weighing the impact of the Processing on Your interests and right to privacy against our or a third party’s legitimate interest in the matter, we have arrived at this conclusion. However, we never Process any Personal sensitive data based on legitimate interest as the legal basis.

Below You can read more about the legal basis we rely on for a particular Processing activity and the purpose of our Processing of Your Personal Data that we conduct in our capacity as the Controller. Where appropriate, we have also identified what the legitimate interests are.

6. Our Specific Processing Activities

6.1 When You use or visit our application, websites or digital channels

When You use or visit our application, websites or digital channels, we may collect the following categories of Personal Data:

Your choices, clicks, and engagement with pages and offers on our application, websites or digital channels.
Information You may provide when using our application, websites or digital channels, including feedback and comments.

Collecting the Personal Data mentioned above is to:

Provide You with relevant content.
Assess and enhance our Services.
Analyse the use of our Services.

We collect Personal Data that You provide us when You use our application, such as Your:

Name, address, and telephone number.
Location data.
Delivery preferences and history.
Payment information.

We use the Personal Data provided when You use our application to:

Provide and improve our Delivery Services to You.
Communicate with You about the status of our Delivery Services to You.
Respond to Your inquiries and requests.
Comply with legal obligations.

We do not sell or rent Your Personal Data to third parties for marketing purposes.

We also use cookies on our Websites. The use of non-necessary cookies takes place only if You consent to it. In our Cookie Notice, which is published on our Website, You can read more information about how we use cookies and how You can manage the storage of cookies.

We have a legitimate and justifiable interest in evaluating and improving our Services and providing relevant content. Legal basis for the Processing: Legitimate interest.

6.1.1 Third party website links

Our websites, applications and digital channels may contain links to external websites, plug-ins, or applications operated by third parties. It is important to note that clicking on these links or enabling such connections may result in the collection or sharing of Your Personal Data by these third parties. We want to make it clear that we have no control over these third party websites, plug-ins, or applications and we are not responsible for their privacy policies or statements.

We encourage You to exercise caution and to read the privacy policies of any website, application or service You visit or interact with. We are not liable for any actions, omissions, or practices of any third party, including their handling of Your Personal Data.

If You have any questions or concerns regarding the privacy practices of third party websites, plug-ins, or applications linked to from our websites, application or other digital channels, please reach out to the respective third party directly for clarification.

6.2 When You enter an agreement with us

When You enter into an agreement with us regarding our Services, we get access to the Personal Data You provided us. We register the Personal Data in the systems we use within our business operations, which may be developed by us or provided to us by a service provider.

Suppose You are a consumer who purchases our Services directly from us. In that case, in connection with entering into the service agreement with us, You may, for example, need to provide us with:

First name, last name and personal identity number.
Email address, delivery address, postal address and telephone number.
Billing information.

Suppose You are an individual who represents a company that purchases our Services directly from us. In that case, You need to provide the following Personal Data and information about entering into the service agreement:

The company name and registration number.
VAT number and other billing information.
The signatory and contact person’s name, email address and telephone number.

Providing the information mentioned above is necessary for us to Process to a) enter into the service agreement in question, b) perform and provide the agreed Services, and c) charge for the performed Services. The possible consequence of such information not being provided is that we cannot enter or fulfil the service agreement. Legal basis for the Processing of Personal Data: Contract.

6.3 When we conduct our Delivery Services

When we conduct our Delivery Services, we mainly Process the following categories of Personal Data and other information:

The Customer’s or End-Customer’s name and contact details, including telephone number, email address and physical address, information from previous deliveries conducted by us and any access codes or floor numbers required to make a successful delivery.
Information about the Customer or End-Customer that might be required for identification purposes, such as a personal identity number, government-issued ID card, signature, or electronic signature using Bank ID.
The Customer’s or End-Customer’s preferences for desired delivery date and time.
The amount of parcels we receive from the Client.
The amount of parcels to be delivered to the Customer or End-Customer.
Any supplementary information that could help us locate the delivery destination, such as a detailed description of the property or building.
Information about any additional Services selected by the Client, Customer and/or End-Customer.
If provided to us, we may also collect information about the parcel’s contents, including whether it contains dangerous or extra sensitive content or has a high value, among other relevant details.
Documentation confirming the delivery or attempted delivery, such as a photo of the parcel outside the receiver’s door or home.
Any other information provided to us by, or on behalf of, the Client, Customer or End-Customer.

The Personal Data we Process can be provided to us by someone else, other than the Data Subject the Personal Data belongs to, for example by a Client, Customer, Supplier or End-Customer. The information we receive from such third parties depends on the Data Subject and our respective relationships with the third party in question and, if applicable, their policies. For example, we receive information about the End-Customer’s name, telephone number, email address, order number, and delivery address (and, if applicable, c/o address holder) from the Client to be able to conduct the delivery of Goods to the End-Customer.

We register the Personal Data in the systems we use within our business operations, which may be developed by us or provided to us by a service provider.

An order for a delivery, including Personal Data contained in the order, will be displayed in the Driver App in order for the Driver to conduct the Delivery Service.

The Processing is conducted for the following purposes:

Offer personalised and exceptional experiences to all who use our Services, customised according to their preferences.
Suggest delivery options and review or increase the information provided by Clients and Customers or persons acting on their behalf.
Verify the parcel’s recipient’s identity, their legal age (if required), and ensure that the correct person receives the parcel.
Provide a Delivery Service that is safe, accurate, efficient, smooth, optimised, environmentally friendly and reliable, utilising the latest technology available.
Record the fulfilment or attempted fulfilment of parcel deliveries or returns to ensure that the parcels are delivered to the accurate address.
Maintain clear and consistent communication with Clients, Customers, End-Customers and/or persons acting on their behalf, and other parties involved in the transportation and/or delivery of the parcels, providing updates on the available order status and delivery options. We may document the interactions between the Client, Customer and/or End-Customer, and ourselves and/or the Driver responsible for delivering the parcel in accordance with our internal routines.
Suggest extra Services and functionalities, such as, but not limited to, purchasing specific delivery time slots. Moreover, we assist in modifications to the delivery method or time, including the switch from home delivery to delivery to a GORDON locker.

The legal basis for our Processing Your Personal Data depends on whether You: a) directly ordered a Service from us, b) ordered Goods through a Client which will be delivered to You by us, or c) You are representing our Client or Customer.

The following applies when You are a Customer of ours: In certain instances, Personal Data Processing may be necessary to perform a contractual agreement established between Yourself and us or to carry out actions that You requested before entering into such an agreement. Legal basis for the Processing of Personal Data: Contract.

The following applies when You have ordered Goods from a Client to be delivered to You by us or if You are representing our Client or Customer: Our legitimate and compelling interest in processing Your Personal Data lies in performing the Delivery Services and ensuring that they are carried out in an efficient, precise, and customised manner, in line with our Client’s or Customer’s preferences, including planning and scheduling of Delivery Services, as well as documenting the completion of these services. We may also Process Personal Data that is optional for determining the delivery address but is still justified for our Delivery Service’s efficient and customised performance. Legal basis for the Processing of Personal Data: Legitimate Interest.

6.4 When You purchase Services from us

We Process Personal Data in connection with Your purchase of our Services to provide You with the requested Service and charge You accordingly. Examples of such Services include delivery within a specified time slot, changes to the delivery method or day, or the entire transport and/or delivery service directly from us.

We Process the following categories of Personal Data in connection with Your purchase of our Services:

Name and contact information, including email address and telephone number.
Details of the Service You have purchased, including but not limited to the date and time of the purchase, type of Service and its corresponding price.
Your preferences related to the Service, such as the delivery method, preferred day or time slots (if applicable).
Information regarding Your payment.

Our Processing of Your Personal Data is essential to carry out our contractual obligations to You, such as delivering the Service You have ordered and charging You accordingly. Legal basis for the Processing of Personal Data: Contract.

6.5 When we register and/or update the Client, Customer and End-Customer profiles

We register and/or update each Client’s, Customer’s and End-Customer’s profiles in the systems used within our business operations. If You use any of our applications, Your profile will be securely stored for the duration of Your account with us. The Processing of the information serves two primary purposes:

To facilitate a more streamlined and convenient Delivery Service, eliminating the need for the Client or End-Customer to provide the same information for future deliveries repeatedly.
To suggest additional Services that may interest the Client, Customer or End-Customer.

We Process the following categories of Personal Data when we register and/or update a Client, Customer or End-Customer profile:

Personal Data that is relevant and necessary for us to carry out our contractual obligations, including information related to relevant contact details and delivery preferences.
Information that helps us locate the delivery address, which the Customer or End-Customer has previously provided, either by choosing us as the delivery method through a Client or by placing a direct order with us.
Any additional information that we may receive from Drivers, such as corrections to incorrect addresses, access codes to buildings, floor numbers, and other relevant details that may be required for the delivery to be made.
Details of any previous deliveries conducted by us, including the Customer’s or End-Customer’s delivery history and other relevant information that may be required for us to Process to perform the Services.

We collect the categories of Personal Data stated above to facilitate our Services. Our legitimate and compelling interest in Processing the Customer’s and End-Customer’s Personal Data lies in performing the ordered Services and ensuring they are carried out efficiently, precisely, and in a customised manner with the Customer’s or End-Customer’s preferences, including planning and scheduling of Delivery Services, as well as documenting the completion of these Services. Additionally, we may also Process data that is optional for determining the delivery address but is still justified for our Delivery Service’s efficient and customised performance. Legal basis for the Processing of Personal Data: Legitimate Interest.

If You use any of our applications, the Processing of Personal Data is essential for fulfilling our obligations outlined in terms of service governing the use of the application, which You agree to during the registration process. Legal basis for the Processing of Personal Data: Contract.

6.6 When we manage our relationship with a Customer, Client or Supplier

We may investigate complaints related to our Services. The following data types are Processed: name and email address of the person making the complaint, order number and the information provided regarding the complaint. The Processing is based on our legitimate interest in providing high-quality customer service and implementing preventive actions. Legal basis for the Processing of Personal Data: Legitimate Interest.

We may ask the Client, Customer or End-Customer to take a survey or leave a review regarding our Services, and, in such cases, the following types of data are Processed: name and email (if provided), time, date, answers to the survey and/or the written review. The Processing is based on our legitimate interest in growing and developing our business. Legal basis for the Processing of Personal Data: Consent.

Suppose we are obliged by the applicable law to notify the Data Subject about changes to our Privacy Notice or terms. In that case, the concerned Data Subject data types may be Processed: first name, last name, email address and telephone number. The Processing is necessary to comply with a legal obligation. Legal basis for the Processing of Personal Data: Legal obligation.

We Process the name and contact information, including employer information, of individuals serving as contact persons for Clients, Suppliers and other third parties collaborating with us in executing our Delivery Services. The purpose of the Processing is to perform the Services and/or manage our contractual relationship. We have a legitimate and justifiable interest in Processing the data for the purposes mentioned above. The legal basis for the Processing of Personal Data: Legitimate interest.

6.7 When You contact us

We Process Your Personal Data that we get access to when You contact us or reach out to us through our chat or contact forms available from on our Websites or by email, telephone or social media (such as Facebook, Instagram, etc.).

The following are the categories of Your Personal Data that we collect when You contact us or engage with us and/or our Services:

Your name and contact details, such as Your delivery address, telephone number, email address, and username for Your social media (if applicable). These categories of Personal Data are necessary for us to Process to handle Your inquiry and respond to You effectively.
Information related to Your matter or inquiry, order number and any other information that You provide us or that we may have collected from a previous interaction with You.
Recorded conversations between You and us, which may be used for quality assurance purposes or to help us address any issues arising during our communication.
Any other Personal Data included in telephone calls or message content (chat or email).

Providing first name, last name, and email address is mandatory in the contact forms on our Websites for the message to be sent to us. However, providing Your Personal Data through a contact form on our Website is not a statutory or contractual requirement, nor a requirement to enter a contract with us. You are thus not obliged to provide the Personal Data. However, the possible consequence of not providing such information is that the message will not be sent to us.

These are the purposes for which we Process Your Personal Data when You contact us or engage with us and/or our Services:

Know whom we are talking to and stay connected.
Communicate with You and manage Your inquiry, whether it is through our customer service, email forms, chat, telephone or social media accounts.
Analyse calls and chat interactions with You to enhance and improve our communication and better serve Your needs.

The following are the legal bases on which we Process Your Personal Data for the above purposes.

Contract: We process Your Personal Data to fulfil our obligations under the contract we have entered with You and otherwise to administer the obligations arising from the agreement.

Legitimate interest: Our legitimate interest in Processing Your Personal Data is to a) enable effective communication with You, which may include responding to Your inquiries or providing You with important information; b) provide You with relevant and useful information about our Services and/or c) analyse calls and other communications to improve our customer service.

6.8 When You receive newsletters from us or other marketing materials

You can choose to receive newsletters from us by actively consenting to the processing of your email address for the purpose of receiving newsletters. Providing Your email address to us for this purpose is voluntary, meaning it is not a legal or contractual requirement to enter into a contract with us.

To deliver relevant advertisements and content to You via email (newsletters), on the legal basis of Your consent, we Process the following types of data: Your first name, last name and email address. Legal basis for the Processing of Personal Data: Consent.

You can cancel Your newsletter subscription anytime by clicking on the unsubscribe link in the newsletter and withdrawing Your consent. If You withdraw Your consent, we will not continue sending You newsletters.

We may also send newsletters to Your email address which You have previously provided to us in connection with Your purchase of our Services. Processing Your email address then takes place for marketing purposes to send You information about our business and Services which may interest You.

We have a legitimate interest in the Personal Data being Processed for the marketing purpose described above. Processing is necessary for a purpose, a legitimate interest, and Your interest in protecting Your Personal Data does not outweigh our legitimate interest. We assess that the Processing in question does not infringe on Your fundamental rights and freedoms. Legal basis for the Processing of Personal Data: Legitimate Interest.

6.8.1 Unsubscribe from newsletters

If You unsubscribe from our newsletters, You will be removed from the email list of recipients of the newsletters, but Your email address will remain in the database with a block for receiving newsletters. This aims to ensure You do not receive any more newsletters from us. In our assessment, You and we have a legitimate interest in the Personal Data being Processed for this purpose. Processing is necessary for a purpose related to a legitimate interest, and Your interest in the protection of Your Personal Data is not outweighed. We assess that the Processing in question does not infringe on Your fundamental rights and freedoms. Legal basis for the Processing of Personal Data: Legitimate Interest.

If You want Your email address to be deleted from the block list, You can contact our support by email and request this. You are now informed that if Your email address is deleted from the block list, You can receive newsletters from us again if You or someone else register Your email address to receive newsletters again.

6.9 When we have a legal obligation to the Processing

If a law, court, or authority decision obliges us to Process specific Personal Data, the Processing takes place based on a legal obligation as a legal basis. In such cases, the Processing takes place only to the extent that we must fulfil our legal obligations. Then we only Process the necessary Personal Data for as long as the law requires it (in accordance with the principle of storage limitation). The Processing is made due to statutory provisions.

For example, we store invoices, receipts, and other accounting documents that we are obliged to Process by current legislation, such as the applicable accounting legislation and the tax agency’s requirements in the country of operations. Accounting documents, invoices, and vouchers may sometimes contain Personal Data, such as name, address, order information and any other contact information regarding the Customer and/or the Customer’s signatory, contact person etc. Such Personal Data is stored for as long as the law requires it. Legal basis for the Personal Data Processing: Legal obligation.

6.10 When individuals appear in our social media and digital platforms

When individuals appear in our social media and digital platforms, for example, through their participation in photos and/or texts that we publish, we may collect their Personal Data.

If we are aware of the names of the individuals involved, we will note their names in our register in order to establish a record of their participation. These details may be used for internal purposes, such as preserving historical content, administering and organising our material, and maintaining any communication with the individuals involved.

Our processing of the Data Subjects Personal Data is based on our legitimate interests of documenting and registering participation in photos, videos, or textual content on our social media and digital platforms, as permitted by applicable data protection laws. Legal basis for the Personal Data Processing: Legitimate interest.

We will retain the Personal Data for as long as necessary for the purposes of Processing or as required by applicable laws. We will take reasonable measures to ensure that Personal Data that is no longer needed is securely deleted or anonymized.

6.11 Other purposes for our Processing of Personal Data

Based on our legitimate interest, we also Process Personal Data for the following purposes:

Protection of our rights and property: to enforce our applicable terms and guidelines and prevent fraud or other illegal activities.
Data analytics: to improve our marketing, Services/products, Client and Customer relationships and experiences. This includes analysing data to understand user preferences, interests, and behaviour and to measure and optimise the effectiveness of our marketing campaigns.
Service development and maintenance: to develop our business and Services. This includes troubleshooting, identifying and prioritising improvement areas, and conducting research and testing to develop new features and functionality.
Quality Assurance: to broadly guarantee, test and enhance our Services’ quality, including educational objectives.
Feedback and incident management: to address issues and improve our Services by collecting, managing, and investigating comments, feedback, and incident reports submitted.
Statistical analysis: to compile statistics, reports, and other investigations regarding the performance and use of our Services, which helps us understand trends and insights.
Service evaluation and improvement: to enhance, develop and improve our Services and offerings through data analysis and assessment, including examining historical progress and performance and assessing changes in behaviour and demand associated with our Services and offerings.
Data aggregation: in our organisation, data aggregation plays a vital role in our data management strategy. By systematically collecting and merging diverse datasets from various sources, we can create a cohesive and comprehensive overview of information. This process empowers us to extract valuable insights, identify trends, discover patterns, and analyse key metrics. The aggregated data we derive offers us a broader perspective, enabling us to make informed decisions, streamline operations, and enhance the quality of our services.

Below is a summary of the data we may Process for the performance of the purposes mentioned above:

Recorded calls between Customers/Clients/End-Customers and representatives of GORDON (such as Drivers or traffic management).
Information provided by Customers, Clients or End-Customers in comments, feedback, and incident reports.
Contact information, such as name, email, telephone number and address.
Information on popular merchants and/or product and Service categories.
Demographic data from public sources, including gender, age, and family situation.
Data on the frequency and use of our Delivery Services and other Services, such as websites, apps, and emails.

We have concluded that we possess a legitimate and justifiable interest in Processing Personal Data for the purposes stated above for us to run our business, develop/improve/analyse our products/Services, provide administration and support etc. and that our legitimate interest does not constitute an infringement of the Data Subject’s right to privacy and integrity. Legal basis for the Personal Data Processing: Legitimate interest.

Suppose the Processing is made to comply with legal and/or regulatory obligations. In that case, Processing is necessary to comply with a legal obligation, and the legal basis for Processing Personal Data is: Legal obligation.

7. Where do we Process the Personal Data?

We always strive to Process Your data within the European Union (EU) or the European Economic Area (EEA). However, in certain situations, the information may be transferred to and Processed in countries outside the EU/EEA. As we are committed to always protecting Personal Data, we will take all reasonable legal, technical, and organisational measures to ensure that the Personal Data is handled securely and with an adequate level of protection comparable to and at the same level as the protection offered within the EU/EEA.

When such transfers occur, we take appropriate measures to ensure that the Personal Data receives a level of protection that is consistent with the requirements of EU data protection laws. These measures may include obtaining the Data Subject’s explicit consent, implementing contractual agreements with the receiving party that include standard contractual clauses (SCC) approved by the European Commission, or verifying that the recipient country has adequate data protection laws.

We will always strive to maintain the security and confidentiality of Your Personal Data, regardless of where it is Processed, and we will ensure that any transfers comply with applicable data protection laws.

8. How long do we store the Personal Data?

We will only retain the Personal Data for as long as necessary to fulfil the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements, in accordance with the principle of storage limitation. The exact duration of the retention period will depend on the type of Personal Data and the purpose for which it was collected.

When we store the Personal Data for purposes other than our contractual obligations, e.g., to meet anti-money laundering, accounting, and regulatory capital requirements, we only store the data for as long as necessary and/or statutory for each purpose.

We may also delete the Personal Data upon the Data Subject’s request unless we need to Process the Personal Data in question to fulfil contractual or legal obligations.

When the Personal Data no longer needs to be retained, it is either erased, de-identified or anonymized.
In the event of a claim against GORDON, we may retain the Personal Data until the expiration of the statutory limitation period. Similarly, in the case of an ongoing dispute, relevant Personal Data will be stored until the resolution of the dispute. We ensure compliance with applicable laws and regulations regarding the retention of Personal Data in these circumstances.

9. Who may we share Your Personal Data with?

We prioritise the protection of Your Personal Data and uphold strict confidentiality. However, it is important to note that to operate and conduct our business effectively, we may need to share Your Personal Data with selected companies that possess expertise in their respective fields or if it is necessary for us to comply with applicable laws (including social, labour, or tax law). In such cases, we will ensure that these companies act as our trusted partners and adhere to strict confidentiality and data protection standards.

Rest assured that any sharing of Personal Data is conducted per applicable privacy laws and regulations, focusing on safeguarding Your rights and privacy.

We may also share aggregated data, which consists of non-identifiable data, with our Clients, other third parties or the public. This aggregated data is derived from information collected through our technical and/or digital platforms or in connection to the performance of our Delivery Services. It should be noted that the aggregated data does not include any information that can be used to identify individuals and therefore does not constitute Personal Data.

We may disclose Personal Data to the recipients stated below to achieve the purposes set out in sections 5 (Legal basis and purpose of our Processing of Personal Data) and section 6 (Our Specific Processing Activities) above and as described below.

9.1 Subsidiaries and employees within the GORDON Group

In certain cases, it may be necessary to share Personal Data among our subsidiaries and employees within the GORDON Group for business purposes. This data sharing enables us to provide You with a seamless and integrated experience across our products and Services. We may share Personal Data for various reasons, including, but not limited to:

Facilitate the delivery of Goods or Services.
Handle any matters related to our Services (e.g., providing customer service or support to Clients, Customers or End-Customers of any company within GORDON Group).
Assist the Drivers in matters related to the Delivery Services.
Perform analysis and research.
Improve our products and Services.
Comply with legal or regulatory requirements.

However, we will only share Personal Data when permitted by applicable laws and regulations and when necessary to fulfil a legitimate business purpose. In all cases, we will only share the Personal Data necessary for the specific purpose, and we will ensure that the sharing of Personal Data complies with applicable data protection laws.

When we share or otherwise Process Personal Data within GORDON Group, we ensure that appropriate safeguards are in place to protect the data. These measures are designed to prevent unauthorised access, disclosure, alteration, or destruction of Your Personal Data. This means we have internal policies, procedures, and controls to safeguard Personal Data and ensure that it is Processed in compliance with applicable data protection laws.

It is important to note that when Personal Data is shared within GORDON Group, the receiving company is subject to the same privacy obligations and standards as the disclosing company. They are required to handle Your Personal Data in accordance with applicable data protection laws and regulations and are responsible for maintaining the privacy and security of Your information.

9.2 Clients

In some cases, we may share certain Personal Data of the Driver and/or End-Customer with the Client, if the Client has a legitimate interest in Processing such Personal Data. It is important to note that in such cases, the Client is considered an independent Controller with respect to the Processing of the shared Personal Data in question, and the Client is responsible for complying with all relevant data protection legislation regarding their Processing of Personal Data, including informing the Data Subject about their Processing activities.

Before we disclose any Personal Data to a Client, we enter into a data sharing agreement (DSA) with them in accordance with the provisions of the GDPR (and SCC if the Personal Data will be Processed outside the EU/EEA) to ensure a secure and correct Processing of Personal Data.

Clients have access to their End-Customer’s Data in LM, which contains the registered Personal Data including the tracking ID, to support the End-Customers with their delivery. Furthermore, Drivers may capture photographs of the parcel and the building, including the front door or any other preferred location where the parcel was delivered, to verify the completed delivery. These data are uploaded in the Driver App and made accessible to the Client through LM.

9.3 Authorities

We may provide the necessary information to authorities such as any law enforcement, police, tax authorities, or other authorities if we are legally obligated to disclose or share Your Personal Data to comply with any legal obligations. An example of a legal obligation to provide information is for anti-money laundering and terrorist financing measures.

Personal Data may also be disclosed to legal authorities in response to lawful inquiries or when necessary to prevent, detect, or investigate criminal activities. This disclosure is carried out to safeguard the property, interests, and safety of GORDON and other relevant parties.

9.4 Suppliers

We may share Personal Data with our contractors and subcontractors acting as our Processors or sub-processors, strictly following our instructions and implementing appropriate security measures to:

Safeguard our legal interests.
Fulfil our contractual and legal obligations.
Detect and prevent technical, operational or safety problems.
Provide, improve, and maintain our platforms/applications/websites (software maintenance).

We have carefully selected each service provider based on their expertise in delivering the specific services required and their capability to handle Your personal information. These providers have demonstrated sufficient guarantees to implement the necessary technical and organisational measures in line with the requirements of GDPR and our data protection standards.

We collaborate with various types of categories of Processors, including:

Server and web hosting companies responsible for the infrastructure supporting our Services (including our websites, apps and other digital channels).
Cloud services to efficiently manage our business operations, enhance productivity, streamline workflows, and ensure secure access to business resources from various locations.
Email reference companies who are facilitating email communications.
Analytical service companies providing data analysis and insights.
Other companies supplying our Services and supporting our business activities, such as Delivery Partners and other Suppliers.

The Processors have been chosen based on their ability to meet the necessary data protection standards and requirements, ensuring the security and confidentiality of Your personal information.

Before we disclose any Personal Data to such service providers, we enter into a data processing agreement (DPA) with them in accordance with the provisions of the GDPR (and SCC if the Personal Data will be Processed outside the EU/EEA) to ensure a secure and correct Processing of Personal Data.

9.5 Other third parties

We may disclose Personal Data to legal advisors, insurance companies, bankers, consultants, and partners, in accordance with applicable privacy laws if it is made for us to comply with legal obligations, contractual obligations, or to fulfil our legitimate interests.

In connection with or during negotiations of a transfer of company assets, merger, sale, financing or acquisition of all or part of our business, Personal Data data may be disclosed to the prospective buyer or seller involved in such transactions, including their personnel/contractors. This Processing will thus be conducted based on Legitimate interests (Art. 6 (1) f GDPR) as the legal basis.

10. Data Subject’s rights according to the GDPR

As a Data Subject under the GDPR, You have certain privacy rights. These rights include:

10.1 Right to information

You have the right to be informed about the collection and use of Your Personal Data. This includes details about the purposes of Processing, the categories of Personal Data involved, and any third parties with whom Your Personal Data may be shared. In addition, there are certain situations where specific information should be provided to You, such as in the event of a data breach or similar incident (a personal data breach) occurring at our end as the Controller, and there is a risk of identity theft or fraud, for example.

10.2 Right of access

You have the right to access Your Personal Data held by us. You can request information about the Processing of Your Personal Data, obtain a copy of the Personal Data in a machine-readable format (provided that there is no applicable exception to the right of access), and be informed about the safeguards for cross-border transfers. The compilation will be designed to allow You to verify the accuracy and lawfulness of the information. However, this does not mean You have the right to obtain the documents containing the Processed Personal Data.

10.3 Right to rectification

You can request the correction of inaccurate or incomplete Personal Data about You that we Process. If we Process Personal Data about You that are inaccurate or incomplete, we will, at Your request or on our initiative, complete, rectify or delete the Personal Data in question. If data is corrected at the request of the Data Subject, we will inform those to whom the data has been disclosed that the information has been corrected. However, this does not apply if it proves impossible or involves a disproportionate effort. You also have the right to request information about to whom the data has been disclosed.

10.4 Right to erasure

In certain circumstances, You have the right to have Your Personal Data erased. This applies, for example, if the data is no longer necessary for the purpose it was collected or if You withdraw Your consent and there is no other legal basis for the Processing. However, legal obligations may prevent us from immediately deleting parts of the Personal Data. These obligations may come from, for example, but are not limited to, accounting and tax legislation, banking and money laundering legislation, and consumer law. If data is erased at the request of the Data Subject, we will also inform those to whom the data has been disclosed about the erasure. However, this does not apply if it proves impossible or involves a disproportionate effort.

10.5 Right to restriction

You have the right to request the restriction of Processing of Your Personal data in certain cases. Restriction means that the data is marked so that it can only be Processed for specific limited purposes in the future. The right to restriction applies, among other things, when You believe the information is inaccurate and request rectification. In such cases, You can also request that the Processing of the data be restricted while the accuracy of the information is being investigated. When the restriction is lifted, we will inform You about this.

10.6 Right to data portability

You can receive and transfer Your Personal Data to another Controller where technically feasible. Another prerequisite is that the Processing of the Personal Data is based on Your consent or for fulfilling a contract. This right also only applies to Personal data that You have provided yourself.

10.7 Right to object

You have the right to object to our Processing of Your Personal Data. The right to object applies when Personal Data is Processed based on a legitimate interest. If You object to the Processing, we may only continue Processing the data if we can demonstrate compelling legitimate grounds for the Processing that override Your interests, rights, and freedoms or if the Processing is necessary to establish, exercise, or defend legal claims. However, You always have the right to object to using Your Personal Data for direct marketing. Such objections can be made at any time. If an objection is raised against direct marketing, the Personal Data may no longer be Processed for such purposes, and we will inform You when we have deleted the Personal Data if You request it.

10.8 Right not to be subject to automated decision-making

You have the right not to be subjected to decisions based solely on automated processing, including profiling, if these decisions significantly affect You. Exceptions apply in cases where the decision is necessary for the performance of a contract or is authorised by law. If an automated decision has been made, with or without profiling, You can request that it be reviewed or contested. We do not conduct any automated decisions, either with or without profiling.

11. How to exercise the rights

If You want to invoke any of the above rights as a Data Subject regarding Your Personal Data that we Process as Controller, You are welcome to contact us through the contact information listed below. However, it’s important to note that the rights mentioned above are subject to certain limitations and conditions under the GDPR.

Exercising the rights is free of charge, provided that Your requests are not exaggerated, repeated or unfounded. In such cases, we have the right to charge a reasonable fee to process Your request or refuse the execution of Your request.

Before we process or respond to Your request, we may request additional information from You if necessary to enable us to verify Your identity.

We will inform You of our processing of Your request without delay and no later than one (1) month after we receive the request. If the request is complex or if, for example, we have received many requests, this period can be extended by another two (2) months. In such cases, we will notify You of the extension within the first month after we receive Your request.

Suppose we cannot comply with Your request due to applicable law or other exceptions. In that case, we will inform You why we cannot comply with Your request with the limitations imposed by law.

12. Changes to this Privacy Notice

We review the contents of this Privacy Notice at least once a year to ensure that the information is accurate and up to date. The contents of this Privacy Notice may be updated if necessary, with or without prior notice. For example, if we need to provide clarification due to changes, new legislation, or any modifications in our Processing of Personal Data.

You are responsible for reading the contents of the at any time applicable Privacy Notice and keeping up to date on any changes. We will notify You if we make material changes provided that such notification is mandatory according to applicable law.

The applicable version of this Privacy Notice is always available on our Website.

13. Questions or complaints

If You have any questions about this Privacy Notice, our Processing of Personal Data, or are dissatisfied with our Processing of Your Personal Data, You can contact us by email: privacy@gordondelivery.com.

You also have the right to file a complaint with the relevant supervisory authority, if You are dissatisfied with how we Process Your Personal Data. Each company within the GORDON Group has a supervisory authority, as stated in the table in section 14 (Contact details) below.

Depending on Your country of residence, You may contact different supervisory authorities regarding concerns or complaints about our Processing of Your Personal Data. You can find the different EU Member States’ Supervisory Authorities through the following link:

https://edpb.europa.eu/about-edpb/about-edpb/members_en

14. Contact details

Please see the table below for contact details of the companies within the GORDON Group and the Supervisory Authority of each Controller.

Country	Sweden	Denmark	Finland	Norway	United Kingdom
Company name	Gordon Services AB	Gordon Delivery Denmark Aps	Gordon Delivery Finland Oy	Gordon Delivery Norway AS	Gordon Delivery UK Ltd
Reg. number	559016-9750	41720107	32360393	927759608	13851442
Postal address (invoicing)	Kabyssgatan 4D, BV 120 30 Stockholm	Gammel Køge Landevej 55, 4 2500 Valby	Porttipuistontie 9 01200 Vantaa	c/o Interfrukt SA Håndverksveien 311405 Langhus	Kemp House 160 City Road, London, EC1V 2NX
Supervisory Authority	Integritetsskydds- myndigheten (IMY) www.imy.se	Datatilsynet www.datatilsynet.dk	Tietosuojavaltuutetun toimisto / Dataombudsmannens byrå www.tietosuoja.fi/en	Datatilsynet www.datatilsynet.no/en/	Information Commissioner’s Office (ICO) www.ico.org.uk

If You are uncertain about which specific company that is acting as the Controller regarding Your Personal Data, please contact Gordon Services AB for further guidance and assistance: privacy@gordondelivery.com.

Cookie	Varaktighet	Beskrivning
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
JSESSIONID	session	The JSESSIONID cookie is used by New Relic to store a session identifier so that New Relic can monitor session counts for an application.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Varaktighet	Beskrivning
_ga	1 year 1 month 4 days	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_gtag_UA_*	1 minute	Google Analytics sets this cookie to store a unique user ID.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
_hjAbsoluteSessionInProgress	30 minutes	Hotjar sets this cookie to detect the first pageview session of a user. This is a True/False flag set by the cookie.
_hjFirstSeen	30 minutes	Hotjar sets this cookie to identify a new user’s first session. It stores a true/false value, indicating whether it was the first time Hotjar saw this user.
_hjIncludedInPageviewSample	2 minutes	Hotjar sets this cookie to know whether a user is included in the data sampling defined by the site's pageview limit.
_hjIncludedInSessionSample_2683038	2 minutes	Set to determine if a user is included in the data sampling defined by your site's daily session limit.
_hjRecordingEnabled	never	Hotjar sets this cookie when a Recording starts and is read when the recording module is initialized, to see if the user is already in a recording in a particular session.
_hjRecordingLastActivity	never	Hotjar sets this cookie when a user recording starts and when data is sent through the WebSocket.
_hjSession_2683038	30 minutes	A cookie that holds the current session data. This ensures that subsequent requests within the session window will be attributed to the same Hotjar session.
_hjSessionUser_2683038	1 year	Hotjar cookie that is set when a user first lands on a page with the Hotjar script. It is used to persist the Hotjar User ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID.