Introduction

This document sets out the Privacy Policy of the Q-Park Group (‘Q-Park’). This Privacy Policy document (‘the Privacy Policy’) specifies how Q-Park handles personal data.

The purpose of the Privacy Policy is to provide principles and guidelines on how to manage and protect personal data. The Privacy Policy is also intended to clearly define tasks and responsibilities involved in the protection of Personal Data (also known as privacy governance). The policy is formulated more specifically in operational documents, work procedures and work agreements for each department.

Privacy as an aspect of the mission statement

Q-Park’s mission statement reads as follows: Q-Park improves the quality of life by providing clean and safe parking facilities that are operated according to the pillars of convenience, reliability and hospitality. Privacy comes under the reliability pillar. Ensuring that Q-Park takes a responsible approach to how it handles the personal data of its customers, employees and suppliers not only enhances the company’s trustworthiness, but also ties in with the company’s ultimate goal: Quality in parking.

The use of Personal Data

Q-Park collects and uses the personal data of its customers, employees, contacts, suppliers and other business relations. Personal data is defined as data relating to an identified or identifiable natural person.

Q-Park has drawn up this Privacy Policy so that people working for Q-Park can take note of it. Q-Park requires them to comply with the provisions of this Privacy Policy. Q-Park’s aim is to ensure that each person acts as carefully as possible in conformity with national data protection law, and other national and European legislation governing privacy, including the General Data Protection Regulation (‘GDPR’).

Q-Park informs its customers and business relations about how it handles Personal Data in its Privacy Statement. The Privacy Statement is published on Q-Park’s website.

Q-Park has appointed Privacy Officers (‘PO’). The PO is the internal and external contact for all privacy-related matters and ensures that Q-Park processes the Personal Data in accordance with the relevant legislation. The PO prepares an annual report on his or her activities and maintains contact with the national privacy regulator, the Data Protection Authority.

Definitions

The following terms are defined in keeping with and in addition to national law:

  • Controller: the natural person, legal entity or any other party or administrative body that determines the purpose and means of processing Personal Data, acting alone or with others.
  • Data Protection Authority: The national regulatory authority that oversees the implementation of and compliance with the various privacy laws and regulations.
  • Data Subject: The Data Subject is the person whose Personal Data is processed by an organisation. This is the person to whom the Personal Data is related.
  • File: a structured set of Personal Data, regardless of whether this data set is centralised or functionally or geographically distributed, which can be accessed according to certain criteria and relates to various people.
  • Personal data: all data relating to an identified or identifiable natural person.
  • Employees: people employed by or working for the Controller.
  • Privacy Officer: the person who internally supervises the processing of Personal Data.
  • Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • Processor: the person who processes Personal Data for the Controller, without being subject to the Controller’s direct authority.
  • The Act: national data protection law / General Data Protection Regulation (GDPR).

Scope

This Privacy Policy covers all fully or partially automated processing of the Personal Data of Data Subjects (customers, suppliers, employees) and the underlying documents that Q-Park keeps in a file and data for which Q-Park is responsible. This policy also covers the non-automated processing of Personal Data that is kept in a file or is intended to be kept in a file.

Document structure

The structure of the Privacy Policy is based on the General Data Protection Regulation (GDPR) and the guidelines and policy rules of the Data Protection Authority.

Concluding remarks

Q-Park reserves the right to amend the Privacy Policy in the future. The latest version of the Privacy Policy is held by the PO and available upon request. That latest version is the binding version.

This Privacy Policy is published on the corporate website.

Term of validity

The Privacy Policy is approved by the Executive Board under the articles of association. This document is also assessed at least once a year and reviewed by the internal owner of the compliance area if necessary and approved by the national director. The policy may also be reviewed on an interim basis if there is a reason to do so (major reorganisation, legislative amendment, results of risk analyses, etc.).

1. What Personal Data does Q-Park process?

Q-Park processes the data of its customers and employees. It determines the purpose and means of processing the Personal Data, which makes Q-Park the Controller within the meaning of the GDPR.

Q-Park may process the following Personal Data (not necessarily in every country):

  • Contact details (name and address, telephone number, e-mail address)
  • Bank account number (IBAN)
  • Credit card details
  • Vehicle registration number
  • Photos (for general parking facility bans)
  • Details concerning unlawful or objectionable behaviour in relation to a ban resulting from that behaviour
  • Date and place of birth of persons causing nuisance
  • Criminal data
  • Location details (Q-Park App, Track & Trace system for company cars)
  • Video recordings
  • Voice recordings
  • Certificate of good conduct
  • Human Resources data (performance interviews, salaries, administration, sickness absence, etc.)

Sensitive Personal Data

Q-Park collects and processes sensitive Personal Data including: Social Security Number and personal data concerning race, health, religious beliefs and sexual orientation by processing CCTV images. The GDPR also defines other data as sensitive Personal Data. However, this data is not processed by Q-Park and is therefore not mentioned here.

2. Reasons for processing Personal Data

Q-Park processes Personal Data only for one or more of the following reasons:

  • The Data Subject has granted unambiguous consent for the data to be processed.
    • Personal data may be processed if the Data Subject has given explicit consent (preferably in writing, such as by e-mail) for this to be done. Consent must be granted for the specific processing for which consent is required. If the data is being processed for several purposes, separate consent is required for each type of processing. The consent must be kept as evidence.
    • This relates to matters such as:
      • Direct marketing
      • Newsletters
      • The use of cookies on the Q-Park websites
      • Q-Park App
    • Data Subjects can refuse or withdraw their consent at all times. If a Data Subject refuses or withdraws consent, the processing of that person’s Personal Data must stop immediately.
  • The data needs to be processed to perform an agreement to which the Data Subject is a party or to take pre-contractual measures in response to a request made by the Data Subject and which are necessary to conclude an agreement.
    • This is the reason why Q-Park processes data in most cases. This includes processing Personal Data for:
      • Parking in one of the Q-Park parking facilities.
      • Effecting a season ticket.
      • Executing an employment contract.
  • The data needs to be processed to be compliant with a legal obligation affecting Q-Park.
    • This could include issuing Personal Data under a warrant issued by the judicial authorities or the Tax and Customs Administration.
  • The Personal Data needs to be processed to protect a vital interest of the Data Subject.
    • This could relate to a vital medical interest of the Data Subject being at stake; a situation that will not generally arise at Q-Park.
  • The Personal Data needs to be processed to protect a legitimate interest of Q-Park or a third party to which data has been issued.
    • The following additional criteria must be met before this legal ground for processing is applicable:
      • Q-Park or the third party will be unable to pursue its activities correctly if it does not process the Personal Data;
      • Q-Park or the third party has no other or less drastic ways of achieving its legitimate interest;
      • The infringement of the rights of the Data Subject (right to the protection of privacy) does not outweigh the interest of Q-Park or the third party.
    • This could include:
      • Customer surveys;
      • Preventing and investigating actual or suspected legal violations;
      • The rights, freedoms, health or safety of Q-Park employees.

The PO should be consulted upfront if there are doubts about whether there is a valid legitimate ground to process Personal Data.

3. Purposes of processing Personal Data

Q-Park processes Personal Data solely for the purpose for which it was obtained. The purpose must be clearly defined and the Data Subject must be informed of it in advance.

Q-Park processes the collected data for the following purposes:

  • Processing customer data in order to perform an agreement with the customer (for example number plate registration and season tickets);
  • Prevention of nuisance, registering alleged crime and denying access to the parking facilities: registering the Personal Data of Data Subjects for the prevention of nuisance and crime and to make it available to participating car park organisations to ascertain whether a person can be denied access to the parking facilities or has previously been issued with a warning;
  • Denying access to the parking facilities: the general parking facility ban is the method used by the participants to jointly deter burglars and people causing nuisance from their business premises in order to stop the increasing nuisance in and around parking facilities;
  • Improving safety/security in and around parking facilities;
  • Combating/preventing car break-ins and nuisance;
  • ‘Projecting’ prevention;
  • Discouraging people from causing nuisance at parking facilities;
  • Improving the business climate;
  • Raising the organisational level of entrepreneurs;
  • General parking facility bans.

Personal data may be processed for a purpose other than that for which it was collected, provided the PO has given his or her prior written permission. However, it is important to ensure that the two purposes are related and that there are no adverse effects on the Data Subject or on the guarantees given in this regard, e.g. through:

  • Limiting access to the Personal Data;
  • Additional confidentiality obligations;
  • Additional security measures;
  • Informing the Data Subject about the processing of his Personal Data for other purposes;
  • Offering an opt-out against processing Personal Data for other purposes;
  • Obtaining prior permission (opt-in) from the Data Subject.

Always consult the PO to check whether additional measures should be taken and, if so, which measures. In cases where Personal Data is used for another purpose, this must always be documented and extra guarantees must be put in place.

4. Quality of the processing of Personal Data

Personal data may only be processed in a way that is necessary to meet the purpose of collecting it. This implies that:

a. No details may be processed if this is not necessary to meet the intended purpose (no excessive data processing);

b. All data needed for the purpose must be processed (not processing insufficient data);

c. No data is processed if it is not required for the purpose. Only the data necessary to achieve the purpose may be processed.

The Personal Data must be correct, accurate and complete and must be kept up to date where necessary for the purpose. Q-Park periodically takes action to ensure that the quality of the processing of Personal Data is maintained at the required level.

5. Retention period and destruction of Personal Data

The retention periods applicable to the data processing are laid down in a separate ‘retention period’ document.

Q-Park retains Personal Data exclusively:

a. Where necessary in view of the relevant purposes;

b. Where doing so can reasonably be considered necessary to comply with current statutory obligations;

c. Where doing so is advisable in view of a current time limit;

d. Where doing so is advisable in view of disputes (or dispute settlement).

The Personal Data is no longer used after the retention period/destruction period. At the end of the retention/destruction period, the Personal Data must be carefully and protectively destroyed or anonymised in such a way that it can no longer be traced back to a person. This will be monitored by means of random checks.

Q-Park ensures that Personal Data of the Data Subjects (also if third parties are involved) is destroyed if:

a. The Personal Data is no longer needed for the purpose for which it was processed;

b. The Data Subject has withdrawn permission for the data to be processed and there is no other legitimate ground for processing it;

c. The permissible retention period has expired and there is no other legitimate ground for processing the data;

d. The processing does not meet the legislative requirements.

This will be monitored by means of random checks coordinated by the PO.

6. Information sources

Q-Park only processes Personal Data that originates from the following sources:

a. Data obtained from the Data Subject;

b. Data obtained from employees;

c. Data obtained from the police.

The PO’s explicit permission is required to process Personal Data that originates from other sources.

7. Direct marketing

Q-Park will not use the Personal Data for direct marketing purposes without the explicit consent (opt-in) of the Data Subject. Direct marketing is defined as: contacting a Data Subject by means of e-mail, letter, SMS, MMS, telephone, social media or paying visits or other forms of contact for commercial purposes. The fact that commercial information is involved will be clearly communicated to the Data Subject. In the case of direct marketing, Q-Park will clearly inform the Data Subject about their right to opt out (free of charge) and how they can exercise it.

The consent outlined above is not required if:

a. Q-Park has obtained the necessary Personal Data directly from the Data Subject; and

b. it was obtained no longer than one year prior to the direct marketing for the sale of an identical or similar product or service.

It should be noted that Q-Park entities are able to make use of this exception only for direct marketing to its own customers, such as users of a Q-Park season ticket.

Q-Park keeps a database of which Data Subjects have made use of their opt-out or opt-in or have registered with Do Not Call Registers or Post Registers. Q-Park will clean up the files of Data Subjects who have been selected for direct marketing using Postfilter (linked to National Registers of Death and Post Registers). Q-Park will only contact Data Subjects who are listed in Do Not Call Registers by telephone if they have granted their consent for this.

In the case of direct marketing or other commercial communications, the name, address and contact details of the relevant entity of Q-Park will always be made recognisable to the Data Subject.

Q-Park is responsible for the direct marketing carried out by a third party engaged by Q-Park and will make agreements with that third party and lay them down in a processor’s agreement on complying with the relevant laws and regulations and complying with Q-Park’s instructions. Q-Park will not sell Personal Data to third parties without the Data Subject’s consent.

8. Right to inspect, amend, delete and object

The PO must be informed if a Data Subject wishes to exercise their rights. These are the Data Subject’s rights to inspect, amend, delete and object to Personal Data. A Data Subject’s request to exercise one of these rights will always be processed in line with the instructions of the PO.

Access request

All Data Subjects have the right to apply to Q-Park for a summary of their Personal Data processed for or on behalf of Q-Park. This request must be met in writing within four weeks. Where reasonably possible, this summary must include:

a. A complete summary of which data of the Data Subject is processed by Q-Park;

b. A description of the purpose or purposes of processing the data;

c. The categories of processed data;

d. The names of third parties that have received the Personal Data;

e. If available, information about the origin of the Personal Data.

Q-Park is also obliged on request to provide information about the system used to automatically process the data.

Q-Park must ascertain that the person requesting the information is also the person about whom information is being requested. If the Data Subject is under the age of 16 or has been placed under guardianship, an access request can also be made by the legal representative.

Request to correct/supplement/delete Personal Data

If the Personal Data is incorrect or incomplete or not compliant with the current laws and regulations, the Data Subject has the right to have it corrected, supplemented, protected or deleted. If data is corrected, Q-Park must inform third parties who have been issued with the Data Subject’s incorrect data of the amendments.

Objection by the Data Subject

The Data Subject also has the right to object to the processing of their Personal Data on the basis of compelling personal grounds unless the Personal Data needs to be processed for one of the reasons provided for in Article 2 of this document.

Refusal of a request

Q-Park can refuse a Data Subject’s request if:

a. The request is not sufficiently specific;

b. It is not possible to establish the Data Subject’s identity with reasonable certainty;

c. The data processing is permitted in the context of a fraud investigation, a statutory obligation or a legal procedure;

d. The request follows a previous request within an unreasonable interval or the request constitutes an abuse of the Data Subject’s rights. An interval of six months or less will generally be regarded as unreasonable.

The Data Subject will be informed that a request has been turned down in accordance with the PO’s instructions.

9. Security

Personal Data security

Q-Park has put appropriate technical and organisational measures in place to protect the Personal Data against abuse and unlawful or unauthorised destruction, loss, amendment, disclosure, acquisition or access.

Access to Personal Data

Q-Park has a management system based on roles and rights to ensure that only authorised users have access to a defined set of data, including Personal Data, which they need for the performance of their duties. The management system is tested annually during the routine audit cycle. Employees with access to Personal Data are subject to a non-disclosure agreement. Also, all employees need to work in accordance with the Code of Conduct.

Data breach/security breach

All data breaches involving Personal Data must be reported internally and documented by the PO. Any employee or Processor can report a data breach. The matter can also be reported by somebody from outside of the company to a Q-Park employee. The report must be made directly by telephone to the PO and confirmed in writing. The PO aligns with the internal owner of the GDPR compliance area and establishes. The owner of the GDPR compliance area decides on the measures to be taken to resolve the breach and its implications in consultation with the Executive Board under the articles of association and the Legal department. For the complete procedure, see ‘Data Breach Procedure’.

10. Transfer of Personal Data to third parties

Q-Park is permitted to transfer Personal Data to third parties or to grant third parties access to Personal Data held in Q-Park’s systems provided that the following requirements are met:

a. The third party processes the Personal Data on behalf of Q-Park and the Personal Data is obtained and processed by Q-Park in accordance with this Privacy Policy;

b. Q-Park has concluded an appropriate processor’s agreement with the third party, which has been approved by Q-Park’s Legal department;

c. Before transferring the Personal Data to the third party, Q-Park has verified that the third party has taken sufficient technical and organisational measures to protect the Personal Data against loss or any form of unlawful processing (including unnecessary collection or further processing);

d. Q-Park performs risk-based monitoring on the main Processors;

e. Q-Park remains responsible for the Personal Data processed by a third party within the meaning of national legislation and the GDPR.

11. Data Privacy Impact Assessments (DPIA)

Q-Park performs Data Privacy Impact Assessments (‘DPIA’) to document the infrastructure and performance of the ICT systems it uses to process Personal Data.

By performing a DPIA, Q-Park tests, assesses and identifies the risks involved in processing Personal Data. Q-Park also performs DPIAs to establish whether previous or potential measures are or will be effective. High-risk processing operations include:

a. Processing sensitive Personal Data;

b. Processing large amounts of Personal Data;

c. Automated decisions made by systems regarding Data Subjects;

d. Processing the Personal Data of children and genetic or biometric Personal Data;

e. Behavioural targeting (registering the digital viewing behaviour of website visitors to obtain information about their interests and behaviour) and profiling;

f. Other processing operations requiring the prior approval of the regulator or PO.

The PO indicates whether a DPIA is to be performed and helps the designated DPIA manager to perform it. The Privacy Officer designates the manager responsible for performing the DPIA. The PO assesses the content of the DPIA and asks additional questions or proposes measures if necessary.

Privacy by default

Q-Park plans to set up new infrastructure that only processes essential Personal Data that is needed for a certain purpose and period of time. When setting up the new infrastructure, attention will also be paid to the accessibility of Personal Data: only employees who need access for the performance of their duties and who have signed a non-disclosure agreement will have access to Personal Data.

12. Privacy Officer (PO)

Q-Park has appointed Privacy Officers (‘PO’) to oversee compliance with this Privacy Policy. The PO is in all cases responsible for:

a. Overseeing compliance with Q-Park’s Privacy Policy;

b. Keeping records of the systems used to process Personal Data at Q-Park and managing these records;

c. Answering internal and external questions regarding the processing of Personal Data as described in this Privacy Policy;

d. Handling inspection requests from Data Subjects;

e. Handling complaints from Data Subjects;

f. Granting permission to process Personal Data for purposes other than those for which they were collected and, if necessary, deciding on additional guarantees in this regard;

g. Granting permission to process special Personal Data under a national or international obligation;

h. Acting as the first point of contact at Q-Park for the national regulator, the Data Protection Authority;

i. Commissioning external audits on compliance with this policy in consultation with the Head of Compliance and the internal owner of the GDPR compliance area;

j. Organising and giving training on the Privacy Policy and current developments;

k. Supervising the documenting and reporting of data breaches;

l. Conducting and monitoring of DPIAs;

m. Drawing up and managing annual reports on the Privacy Policy and its pursuance for the Executive Board.

13. Privacy management

Privacy is embedded in the Q-Park organisation in the sense that the final responsibility is placed with Q-Park’s Executive Board under the articles of association. The Executive Board has appointed an internal owner of the GDPR compliance area to draw up, monitor and rectify the Privacy Policy (possibly together with others) and POs for local implementation supported by a project team. Each Q-Park Region / country also provides one or more employees to draw attention to, support and implement the privacy project.

The PO informs and instructs the organisation on the importance of privacy and creates awareness of the Privacy Policy and its legal framework. Employees are informed by means of workshops, meetings and newsletters.

Processes

The privacy risks of all new business processes are recorded by testing the project plans against a DPIA Quickscan. A full DPIA is carried out if a DPIA Quickscan scores 5 or more (out of 10). All existing business processes involving Personal Data processing are also periodically assessed and any necessary measures are taken to raise the privacy level.

A DPIA Quickscan is added to the project plan for all new projects. A DPIA Quickscan is carried out to determine on the basis of ten simple questions whether it is useful, desirable or necessary to carry out a full DPIA.

A full DPIA is carried out if the DPIA Quickscan has a high score (5 or more questions answered with ‘yes’). A DPIA is used to assess the privacy risks of a new application, service or product. How the risks are to be mitigated is determined for each project on the basis of the identified risks.

Continuous monitoring

Q-Park sets out to meet its privacy compliance objectives by mapping out its current business processes more clearly and assessing the privacy aspects of new projects. This forms the basis of a transparent monitoring system in which processes are evaluated at predetermined times and the privacy aspects of projects are evaluated on commencement.

14. Complaint procedure

Data Subjects have the right to use Q-Park’s complaints procedure to file complaints about compliance with the laws and regulations governing the protection of Personal Data. The Customer Service department registers complaints about privacy and settles them in accordance with the complaints procedure. The Customer Service department informs the PO about the complaints it has received on a weekly basis.

Compliance with the Privacy Policy

The PO promotes compliance with this Privacy Policy by providing training for Q-Park employees who have access to Personal Data. The first-line management bears initial responsibility for the measures to be taken to protect Personal Data. If necessary, the Privacy Officer can advise the department in question on the measures to be taken to ensure compliance with this Privacy Policy. The PO also ensures that the department puts these measures in place.

Q-Park employees who act contrary to this policy may face disciplinary measures.

15. Privacy & Cookie statement

The Privacy Statement is published on Q-Park’s website. The Privacy Statement, like the General Terms and Conditions, is issued for all legal acts with natural persons. Accordingly, the correct links to the statement are given on all Q-Park websites. All Q-Park websites are required to provide a link to the statement on the main website. The PO manages and makes any necessary amendments to the Privacy Statement. The Privacy Statement makes reference to the Privacy Officer. Each country will include their national Q-Park privacy e-mail address in their national Privacy Statement. The PO is the person to contact for questions, comments and complaints.

The same applies to the Cookie Statement as to the Privacy Statement, in that its content is also managed by the PO.

16. Camera surveillance, access passes and visitors

Camera surveillance

Q-Park uses cameras at its premises and parking facilities. Q-Park does not keep recordings for any longer than required. There is a separate procedure for viewing and sharing these recordings with third parties. For more information, see the Camera Policy.

Access passes

Q-Park employees can be issued with an access pass that they use to open doors of Q-Park Offices. The passes are registered by name and the use of the passes is logged in the system. There is a separate procedure for obtaining these details and log files.

Visitors

Visitors of Q-Park Offices must always sign in before being admitted to a Q-Park Office. Visitor records must be deleted within three months of the visit.
