UK's Just Eat faces probe after woman tweets chat-up texts from 'delivery guy' A customer of takeaway delivery firm Just Eat has alleged a driver from an eatery used her phone number to ask her for a date. Michelle Midwinter claimed that, after using Just Eat to order a takeaway, she had received an uninvited WhatsApp message from someone she didn’t know. According to screenshots shared on Twitter, the …
Just Eat pass all of your details, including address and phone number, to the restaurant you order from (and they tell you that they do this) so that in the event of query on either order or delivery the restaurant can ring you for clarification.
Whilst I agree that JE response to the complaint falls way short of what it should have been, they are right in that the complaint really needs to be made to the restaurant rather than themselves.
Surely, JE are the 'data controller' in this instance. It is therefore their legal duty to ensure the data they have received from you (your phone number in this case) is used only for the purpose you have consented to, and deleted afterwards. That this may be a difficult task once it has been passed onto the restaurant is their problem, not the consumer's.
Things will only get worse for them once GDPR comes into force. They will have to report, on request, exactly who has that data, for what purpose, and for how long it will be retained, and also delete all of it on request.
What this does highlight is that JE clearly have no procedures in place to control that information once it has been passed onto the restaurant. They should at the very least, be able to ensure that the restaurant deletes it once they have finished with it (i.e. once the delivery has been made), this includes use, and retention, by employees of the restaurant, such as the delivery driver.
@ Loyal Commenter
"What this does highlight is that JE clearly have no procedures in place to control that information once it has been passed onto the restaurant. They should at the very least, be able to ensure that the restaurant deletes it once they have finished with it (i.e. once the delivery has been made), this includes use, and retention, by employees of the restaurant, such as the delivery driver."
This is surely an impossibility unless JE literally handles all the SMS stuff themselves and bans the restaurant from direct contact with the customer except the delivery itself. This ridiculous interference is a bad idea. When did people stop thinking for themselves? Contact the restaurant and if you dont like their response then dont use them again. If you have an issue with JE dont use it. If enough people dont like the service then JE will vanish, otherwise it can go on serving many happy people and those who dont like it can contact restaurants themselves.
The delivery guy is at fault. The course of action is up to the restaurant. JE has no authority over the restaurant so at most can remove them from its offerings.
"This is surely an impossibility unless JE literally handles all the SMS stuff themselves and bans the restaurant from direct contact with the customer except the delivery itself. "
Far from impossible, but clearly JE want the money but not the work involved.
They just need to look at how Amazon let traders communicate with you by email, but without giving up your email address. A proxy system. No reason why JE could not do the same with your phone number, so that it was never revealed to the restaurant, and JE could audit texts etc.
@ pleb
"They just need to look at how Amazon let traders communicate with you by email, but without giving up your email address."
Only your actual address which gets passed even further onto a delivery company. But we accept this because we want items to arrive at our premises and if we have an issue with that we get off our backside and go to a shop. The takeaway system is similar but shorter range (within delivery range) which means the restaurant by its very nature of its work has to directly deal with the customer via personal information even if JE somehow handle routing of calls/sms to the client. Adjusting orders and delivery instructions by email is not only impractical, it puts the restaurant at further risk as your food is sitting there until someone checks their junk folder.
We use hungry house and JE and when (not if) there is an issue, either with the order or with delivery we want communication right away and we want it from the restaurant. If I have a problem with the order or any issues I contact the restaurant. The only time we have contacted JE/HH was when a delivery was 2 hrs late and we wanted to let them know the level of service we received, but we didnt blame JE/HH,
They are a facilitator. They make it easier for takeaways to get business and be visible.
unless JE literally handles all the SMS stuff themselves and bans the restaurant from direct contact with the customer except the delivery itself.
That's what it should do. Ebay, Amazon, Booking.com all do that and THIS is what they charge for.
If Just Eat is not doing it, I do not quite see how they are going to sustain their business. It is a can of worms which once opened cannot be closed - DPA, GDPR, spammers, stalkers, restaurants bypassing you, etc.
The funny thing is, this woman is running her own business. The Companies Act 1995 states that it is an offence to withhold or hide contact information of a business. She has a public facing website linked from her Twitter account that has no contact information available other than a "contact us" form. Legally she must advertise her name and address so that "documents can be served" as per the Act. If she uses her mobile for business, then that too is considered public information. By not having this information available on her website she can be investigated by trading standards who can force her to comply. All it needs is someone to make a formal complaint.
At the same time, the Inland Revenue are very interested in people who are clearly running a business, but try to hide their identity. A business that hides it's location and owner is usually a business that is avoiding it's tax liabilities. Again all it takes is a formal complaint to the Inland Revenue and they will investigate very thoroughly.
The companies act 1995 also states that it is a criminal offence if you do not provide such details when requested. So, all it needs is someone to formally ask for her business details on her twitter account, and if she refuses, then it's time to report her criminal activity. In fact even if she responded in private, there is nothing to stop that information being made public by the recipient.
Also, a business that has been trading for over 3 months has to register itself with HMRC for the purposes of taxation. If that registration does not occur, then whoops, another offence has been comitted.
TLDR a woman who is complaining loudly about lack of privacy appears to be withholding information that should be public, which is probably the same info.
Rather ironically, if you want privacy, it's probably best not to take a picture of your house, and send it to the papers, along with it's location which is really easy to google.
http://www.dailymail.co.uk/news/article-2806125/Proud-homeowner-takes-photo-new-house-notice-GHOST-staring-window.html
JE has no authority over the restaurant
Except that they do. There must have been a terms of service agreement between the two (and I suspect that, if the guys at my curry takeaway are right, that JustEat are fairly aggressive about putting it in place) and I would be very surprised if those ToS don't include data security provisions.
@ Loyal Commenter
Each business that stores any personal data should have has its own data controller, even ones as small as takeaways. JE clearly state that they will pass your details, including name and contact number, to the third-party for the purpose described: "the Restaurant may use your information to provide you with status updates or other information regarding your Order by e-mail, telephone, mobile or mobile messaging (e.g. SMS, MMS etc.). "
Once the data is passed from JE to the restaurant the care of that data becomes the restaurant's problem, not JEs. This does not change with GPDR.
@Vinyl-Junkie
You seem to have some mixed up facts about 'GPDR'. You don't have your own data controller. You are either a data controller or a data processor - as in the organisation. You may appoint or even be required to appoint a Data Protection Officer under GDPR (depending on the amount of data you control/process).
If someone utilises the services of Just Eat then Just Eat is the data controller and responsible for adequately safeguarding their data. The restaurant is the data processor carrying out activities which require the potential processing of that data. Just Eat would be required to ensure the safety and adequate processing of data by its data processors, including ensuring staff are trained and that the data is held in a secure way, retained for the minimum amount of time and is minimal in scope. If data has been breached at a data processor then the data controller is still responsible and would need to utilise the indemnity clauses in their contract to make a claim against their data processor for damages.
The ICO may also fine the Data Controller if it is felt that there were not adequate safeguards in place. This is similar to paying someone £20 to disposed of some old furniture for you. They dump it in a layby, you get done for not ensuring they were a licensed disposer of waste.
So Just Eat could ensure training and safeguards are in place to stop the data being misused and if that is not possible they could set a up a relay system where you call or contact a customer using a Just Eat telephone number followed by an order number which connects them through (the same way that ebay uses for e-mails between buyer & seller), for instance.
TL,DR; You can't pass all your responsibilities and liabilities as a data controller to your data processor under GDPR.
@AC, very well put, and saved me the bother of writing all that detail!
As it happens, like many in the software industry, I am currently involved in producing software to deal with GDPR when it comes into force. A lot of organisations will be woefully unprepared for it, especially those (like Google, allegedly) who think that they can slurp your data with impunity. The regulations in the EU (and UK after the brexaster if we ever want to deal with EU data in any way) are already a far cry from the vary laissez-faire attitude in the US, and GDPR tightens them up considerably.
@Vinyl-Junkie
Surely JE are the data controller and the restaurant are the data processor or at a push joint controller.
As you are giving JE the consent to hold/process your data, they cannot simply wash their hands of any issues. Don't they have a responsibility (even more so when GDPR is enforced) to make sure data is being handled and processed as per the original consent?
"As you are giving JE the consent to hold/process your data, they cannot simply wash their hands of any issues. Don't they have a responsibility (even more so when GDPR is enforced) to make sure data is being handled and processed as per the original consent?"
There is such a thing as legitimate interest and intent. You can't order food from a drive delivery and not have an expectation of your contact details not being used to deliver the food. This includes the ability to phone in case of problems. And to forestall the 'but....', yes you could have a technological fix to isolate the two but it isn't sensible. You order food, your details in relation to that particular service has to be used.
Fine.
But you can't stop rogue staff taking details. The same would be true if someone was taking your payment details over the phone, and they happen to write down your details and use that to fraudulantly make purchases. The rogue staff is the problem here.
Just Eat, though, just look like the dicks they are because they foolishly didn't train their staff regarding these mysterious 'policies' they have in place.
@Loyal Commenter wrote:
Surely, JE are the 'data controller' in this instance. It is therefore their legal duty to ensure the data they have received from you (your phone number in this case) is used only for the purpose you have consented to, and deleted afterwards.
You are forgetting:
"Once you have their data, never give it back".
- Google's First Law of Acquisition
Just Eat's service could definitely be improved to reduce the chances of this occurring.. but at the end of the of the day, all they offer is a market place and presence for independent takeaways.
Fault of this this lays with a slimy moped rider, who thought because some innocent woman ordered a take away, it meant she way "game".. he should have behaviour corrective therapy... delivered by a cattle prod!
Whilst I think she'll regret the fallout and continued press from this, she should be applauded for shining a light on this.
The only way that they could reduce this happening is to create an app that would SMS/call the client without divulging the number to the driver and instead of passing the phone number with the order to the restaurant give a PIN to enter into the application. If the person responds back then they give away their phone number. Of course there'd be no way to hide the name and address though they could just pass along the first name and only show the full name in the app if the driver can't find the place. Once it's delivered, by having the customer sign or tap a button on the app then the details can't be shown to the delivery person.
But you are creating a system in which every delivery person would have to sign up for the app or be registered by the restaurant. It's an extra step and wouldn't always stop this problem, just reduce it.
Hungry House do this too but you still don't expect to be harassed by the restaurant staff and have Just Eat ignore it (especially since they gave your details to the restaurant anyway)..
Appropirate reasons to contact the customer: 1: The driver can't find the address. 2: The chef dropped the pizza so the order will be late.
Inappropriate reasons to contact the customer: 1: "I really like you. When are you ordering again?" 2: "Do you have a boyfriend/girlfriend?"
Just Eats biggest issue is this:
“This lacked empathy and does not reflect our policies or the way Just Eat would expect something like this to be dealt with,”
The way that 'Trixie' handled the subsequent well merited complaint was appalling and actually proves that Just Eat had not policies or at least didn't tell their staff about said policies
Whereas you could say how this data could be seperated, if Midwinter had contacted the eatery in question direct, she still would have had to provide her details to get the delivery, and chances are if she had then this would still have happened. What is unacceptable is the delivery guy thinking this is ok.
There are two issues here. Just Eat and their approach to this, and the Resturant and the failure of them to ensure their staff follow proper guidelines. They are not the same thing.
£10 voucher indeed. They deserve all the bad publicity they should rightly get. And the restuarant should be named, too.
Id have to agree with you, on both points the complaint should have been taken up with the restaurant and the evidence past on to the police for sexual harassment.
You cant blame Just Eat for what the driver did, because this could have happened via any food ordering app, or even if the lady had placed the order with the restaurant directly. However what I think made the whole situation worse and is the most disgusting bit, was the response from Just Eat, which was a very much we don't care, here have some money, now go away.
Now as for the data protection bit, if Just Eat didn't pass on your contact details to the restaurant, how do expect the person delivering your order to get a hold of you? If the order is running late, they cant find you or something has happened? You cant have it both ways! They either can pass your contact details on so they can contact you if needed, or they don't you could be left wondering why the order hasn't arrived yet.
One text conversation does not a harassment charge make. If from this he continues to attempt to contact this woman IRL or otherwise then that pattern of behaviour MAY constitute harassment.
Even here in Scotland which has tighter harassment laws than England it would not IMO constitute harassment.
It's JE's job to make sure that people who receive personal information, like phone numbers, are properly trained and aware of what they can and can't do with it. Simple as that, really.
if the driver breached those rules, then they need to accept responsibility for that breach. That includes both disciplining and/or retraining the driver, and making appropriate reparation to the customer. And, of course, recording it as a procedural failure and identifying ways to stop it from happening again.
What surprises me somewhat is that this is news - outside of JE's management, anyway. I'd be very surprised if it's the first, or last, time this has happened.
Having run this past a barrister friend of mine she is of the opinion that JE is not the data controller in this instance, either under the existing or forthcoming data protection acts. The key here is (according to her) that in order to be a data processor an organisation has to be processing the data on behalf of the data controller, not for their own ends. Once JE has handed the data over to the restaurant the restaurant is processing the data for its own ends (the supply and delivery of food) rather than for JE's benefit. Indeed she said that a good lawyer could probably prove the case that JE is the data processor for multiple organisations who are the data controllers, because of one key sentence: "legal contract for the supply and purchase of Products is between you and the Restaurant that you place your Order with".
At best there are two data controllers (the restaurant and JE) in this relationship, not a controller and a processor.
Except Just Eat do have ends when the restaurant starts processing the data.
1. They extract a fee for the service and the establishments on their books pay to be presented there.
2. JE have an expectation of further business.
together these give JE a data dog in the fight which has to be taken into account. I think your barrister friend has failed to take these facts into account. An opinion which does not take all the facts into account is on dodgy legal ground.
"Having run this past a barrister friend of mine she is of the opinion that ..."
Well sorry to say it but either your barrister friend is:
a) not a barrister (are you sure they aren't a barista?)
b) not qualified in data protection law
c) not very good at their job
Anyone who has been heavily involved in data protection and the upcoming GDPR would realise that Just Eat is the data controller and responsible for the customer data.
Further to add. Just ask the questions:
Who decides what data about the subject is collected? [Just Eat]
Who decides what that data will be used for? [Just Eat]
Who decides what subjects will have their data collected [Just Eat]
Who decides what data to pass on the processor? [Just Eat]
Who decides whether to pass the data on to a third party or not? [Just Eat]
Another simple question: Who would be able to make a request that data is deleted or changed?
e.g. Just Eat can ask a restaurant to delete a Just Eat's customer data or change it. A restaurant cannot request Just Eat to delete or change customer data on their systems.
Who decides if and how they will contact you regarding the order? [The restaurant]
Who decides if they will retain your data for future orders? [The restaurant]
So the relationship is, as my friend thinks, that of data controller to data controller. JE have made it clear that your data will be passed to a third-party, who will be responsible for that COPY of your data (which in fact probably isn't retained for longer than necessary to process the order but in theory it could be). Just Eat continue to be responsible for their copy of your data (which includes many additional details not supplied to the restaurant such as stored payment details) because they need it to process further orders from you, quite possibly from other restaurants. The key item is that you have made a legal contract with the restaurant and not with JE, and that JE tell you that the restaurant can choose how to use the personal data they are supplied with.
Just Eat can ask a restaurant to delete a Just Eat's customer data or change it.. Only an individual can request changes to, or deletion, of their data (all or in part) and then only if it is inaccurate. This will change under GPDR, and under GPDR JE will have to make it clearer about who is responsible for the data. However as the law stands I can ask JE to delete my inaccurate data. However if they are not directly responsible for the maintenance of data by the third-party, and everything on their website suggests they think they are not (and that was presumably written by lawyers with a very good understanding of data protection) then I think they would be telling me that I need to contact the restaurant directly rather than JE asking them to change the data.
My friend thinks that the balance here is a fine one, and thinks that it would take a test case to establish a precedent (which probably won't happen as GPDR closes up a lot of the ambiguities that have plagued the DPA); however her opinion is that there is sufficient wiggle room in the relationship for JE to be able to successfully argue that they are not the data controller for the restricted copy of the data supplied to the restaurant under the act as it stands.
On the subject as a whole, she thinks that JE will not be brought to book in any case, as even if it were proven that they were the data controller, the Terms and Conditions imposed on restaurants that sign up with JE contain sufficient strictures on compliance with the handling of personal data that they would be judged to have shown due diligence. Again this may well change under GPDR; I merely asked her how she thought the position stands at the moment.
Just Eat get your data, and are responsible for protecting it. Sure the problem may have occurred by an employee of one of their suppliers/partners (who *also* have a responsibility for protecting your data) but this doesn't mean Just Eat don't have a responsibility.
Every company needs to think about how to protect themselves from rouge employees, and this fits into that space. The obvious answer is don't give phone numbers to restaurants. Contact can be made via Just Eat (or and app or whatever). This could have the added 'brand value' that calls come from Just Eat, not the resultant or someone mobile.
The same can go for addresses, the restaurant doesn't need your name/address in their records, on paperwork all over the shop, only the delivery driver needs your address, so give them an app where it can be provided to them as they need it.
Sure this isn't how deliveries currently work, and would involve work setting up the infrastructure, but setting up infrastructure and writing apps is Just Eats core business.
When i use just eat or any of the many alternatives, I expect the details i have provided such as my address and telephone number to be provided to the takeaway, especially if i chose to have my food delivered.
If my details had not been passed on I fail to see how I could expect to receive my order, I suppose the just eat terminal could relay message from the takeaway to the customer if there was a problem with the order removing the need to pass on your phone number but honestly, i'd prefer a direct call...
I'd be more concerned that the takeaway was hiring drivers like this but then, a takeaway doesn't have the cash that Just Eat does...
The delivery driver should not have had access to the buyers phone number. If the delivery was going to be late he should have contacted the restaurant and then they should have contacted the customer. This should have been part of the agreement between just eat and the restaurant / seller.
Saying that the delvery driver of my washing machine did, as he got lost in my road
Why? The delivery driver works for the restaurant he should be no less trusted than any other member of the take-away. Considering how busy most take-aways are I'd much rather the driver had my number to directly call me then than to spend 20 mins trying to get through to the restaurant to ask which house is mind, for them to call me, then call the driver back and give a garbled message. If you don't trust the driver then you probably shouldn't trust any of the restaurant staff and not give them your number at all.
The delivery driver is employed by the restaurant directly. Any data breach has been done by the restaurant (well actually the driver)
Seems like people are confusing JustEat with Deliveroo/UberEats.
Obviously JustEat should consider dropping restaurants who don't live up to their standards, but they're hardly the first port of call. Any more than it's Yellow Pages' fault if you use it to look up a dodgy plumber.
IMHO, the whole chain of people are responsible for the breach:
The driver, for using the number for an unauthorised purpose, and retaining it for longer than required to make the delivery.
The restaurant, for failing to have an effective policy in place to prevent this.
Just Eat, for failing to have a policy in place to ensure data protection compliance by the restaurant.
I've not used Just Eat myself so not sure on the service but if JE are the frontend to all these restaurants and you pay JE, then how can they not be your first port of call.
Does the customer not deal directly with JE and pay them directly?
If so then that is completely different to using the yellow pages.
The delivery driver should not have had access to the buyers phone number
Indeed. There's no absolute requirement that Just Eat had to pass the phone details to the restaurant, and no absolute requirement for the restaurant to pass it on to the delivery guy. The service is fulfilling food delivery to an address and that doesn't require having a phone number.
If there is a problem with the delivery the delivery guy can phone the restaurant and they can phone Just Eat who have kept the phone details safe within their system.
And, yes, I know that's a potential PITA, but that's what it takes to keep data from being abused.
Just Eat passed the number on knowing it could be abused, the restaurant passed it on knowing it could be abused, the delivery guy did abuse it. So I'm also with the 'everyone is to blame' crowd.
Now that we have technology, we can demand that Just Eat provide temporary means of communications between restaurants, their delivery people and customers! The delivery person can carry a smartphone with a secure app sending properly authenticated messages to a web interface provided by Just Eat, who will then relay the messages securely to the customer. The delivery person never gets the contact information of the customer, and All Is Well.
Except that well, you know, the delivery person necessarily needs to receive the name and address of the customer. In order to deliver. Let's invent a complex system which ensures safe deliveries, protecting the anonymity of the customer through a complex system of go-betweens which shall have appropriate levels of authorizations separated by double-blind communication channels!
Or maybe we shouldn't be so anal about private data. Delivery people have had the name, address and phone number of customers for many years, and the privacy issues can mostly be solved by a simple rule that if you call the customers for anything unrelated to work you get fired. I am not convinced that this system is broken or needs fixing.
would that cost more than £0.00? Now you know why it wasn't done.
And here is the entire point of data protection legislation. It changes the equation from, "will it cost any money to secure the customer's data," to "will it cost more than the potential fine and lost reputation from failing to secure the customer's data."
Companies like Just Eat make money by acting as a broker, I would imagine it is typically a small percentage of the order total, but scales to be very profitable with volume. It certainly is more than enough to pay for flashy TV advertising. They can certainly afford some technical solutions to help protect customer data, even if it the rather low-tech response of putting things right after they have gone wrong (which they failed to do in this instance). If their business model cannot sustain the cost of protecting their customers, then they do not have a viable business model. The fact that they appear to have a cash tap from their current business model suggests that this is not the case.
"...I would imagine it is typically a small percentage of the order total..."
Looks like it's £699+VAT just to sign up with JE and 14% commission thereafter (https://restaurants.just-eat.co.uk/Benefits). A takeaway owner recently told me of one of the big 'brokers' charging a 25% commission. Makes PayPal fees look generous!
Our (absolutely brilliant) local Caribbean takeaway is always getting asked to go on just eat.
He tells them all the same thing "they want 800 quid and a lot of my markup, I can't." he also mentioned a monthly fee, but that could have been incorrect.
He gets almost no custom from those of a-level to uni age. They will only order things off an app. They won't pick up a phone and order form a menu. He says he sees them once, they inquire about just eat/hungry house etc when collecting their order, or when it's dropped off,and he doesn't see them again.
"If there is a problem with the delivery the delivery guy can phone the restaurant and they can phone Just Eat who have kept the phone details safe within their system."
Maybe JustEat could create an app for the takeaways and drivers which asks for permission to make calls, then the app could make the call if the shop/driver presses a button and so never needs to see the number?
(Is that possible? I've never allowed an app to make calls so have no idea if the number would show in call history/logs.)
An app to provide feedback on the move is a daft idea, as it depends on mobile Internet coverage, and this is not necessarily a given. SMS isn't a reliable method either for the same reason.
A call forwarding service might work, but the only way to reliably provide customer contact is a phone call.
(For the smartarses that think JustEat only operates in urban areas with decent coverage, half a mile from me there's fibre broadband available, and full mobile coverage, but data frequently drops down to GPRS)
"The delivery driver should not have had access to the buyers phone number."
Agree...
But your solution falls short.
As the delivery driver for a JustEat using provider he should therefore log into the JustEat app (either on a personal device or one provided by the provider) as a driver and log that there is a delay, that will then be sent via SMS or email to the buyer without the driver ever needing to see it.
He knows where she lives! Instead he'll show up at her door, or leave a note on her car (if it is a house with a driveway or a space marked by apartment number it would be easy to tell) which would leave her feeling even more violated.
Creepers are gonna creep, the only solution is to fire them immediately when this sort of thing happens.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
