EuroPark Finland Oy stores and processes personal data in accordance with the General Data Protection Regulation of the EU (GDPR).
1. Data controller
EuroPark Finland Oy, 1544350-9 P.O. Box 336, 00101 Helsinki (hereinafter ‘EPF’)
*2Park Technologies AS, Martin Linges vei 25, 1364 Fornebu, Oslo, Norway (hereinafter ‘2Park’). 2Park acts as the data controller of personal data that a customer adds when registering as a user of the www.autopay.io parking system.
2. Contact person for matters relating to the register
3. Name of the register
4. Purpose and legal basis for the processing of personal data
The purpose of the processing of personal data is to manage and maintain the relationship between EuroPark Finland Oy and its customer. The personal data stored in the register can be used to investigate cases of misconduct related to the parking service provided by the data controller.
The processing of personal data can also be based on the long-term rental of a parking space, in which case the customer relationship is maintained for the duration of the contractual relationship. The legal basis for the processing of personal data is the contractual relationship between the data controller and the customer and/or our legitimate interest based on the customer relationship or other factual connection.
We also process personal data for camera surveillance purposes. The purpose of camera surveillance is to protect property, prevent vandalism and criminal offences, and help solve offences that have already occurred and investigate situations that pose a risk to property and security. In addition, the purpose of surveillance is to ensure the safety of persons moving around the area and the premises. The camera in the car park captures the number plate of each vehicle entering the car park. The legal basis for the processing of personal data is our legitimate interest. Signs/labels are in place in the vicinity of the camera surveillance equipment to inform people of the recording surveillance system. Camera surveillance footage is destroyed within four weeks.
5. Data content of the register
The register contains the registration number of the vehicle, photographs of the vehicle's front and rear plates as well as information about the car park and the date and time of parking. If the customer orders an SMS receipt when they pay for parking, we will also process the customer's phone number data for this purpose. The phone number will be deleted after 90 days.
In the case of short-term parking, the number plate camera takes a photo of the number plates of the vehicle upon entrance. The registration number links the customer's registration number to the parking system. The customer shall pay for parking on site or within 48 hours of exit at https://autopay.io.
If the customer does not pay for parking on site and is not registered as a customer, we will send them an invoice. The system retrieves the customer’s name and address for the invoice from the Finnish Transport and Communications Agency Traficom's vehicle register.
If the customer has registered as an Autopay customer, the system will also store the customer's payment card number in addition to their contact details (first name, last name, email address, telephone number, registration number). Parking is automatically charged to the payment card registered in the system. In these cases, the data controller is 2Park.
If the customer is a contract parking customer, the register contains the name, email address, telephone number, fax, business ID/social security number and billing address of the customer as well as information on the number of parking spaces contracted and the parking area. If the customer is a corporate customer, the contact details of the company's contact person are also stored in the register.
In addition, we process other necessary information concerning the customer and the contract, such as:
• information on past and current contracts and orders
• a user profile created based on the customership
• phone call recordings
• correspondence and other communications with the data subject
All personal data are retained for the minimum period necessary to provide and maintain the service.
6. Regular sources of data
7. Personal data recipients/categories of recipients
The registration number of the vehicle will be disclosed to the Finnish Transport and Communications Agency Traficom in order to discover the address details of the vehicle’s owner/holder. In addition, we may disclose information to a debt collection agency for the purpose of debt collection.
We use subcontractors in the processing of personal data. We have outsourced IT management (services related to information systems), accounting and legal services, and telephone customer service to an external service provider.
8. Transfer of personal data outside the EU and the EEA
Personal data will not be disclosed outside the EU or the EEA.
Personal data may be processed outside the EU/EEA by the processor (subcontractor). We have taken appropriate safety measures for such subcontractors in accordance with the General Data Protection Regulation. An appropriate personal data processing agreement has been drawn up with the processor and the processor is covered by the EU-U.S. Privacy Shield.
9. Retention of personal data and principles of protection
We retain personal data for as long as it is justified for the delivery of our products and/or services and/or in accordance with the legislation in force at the time. Personal data of contractual customers are stored in the register for the duration of the contract, after which the data are erased. In the case of short-term and contractual parking, footage concerning the vehicle's registration plates is retained for a maximum of two weeks. Personal data concerning the owner/holder of the vehicle collected from Traficom in connection with suspected misconduct are retained for the time necessary to settle the matter. In addition, we will take reasonable steps to ensure that no personal data are stored that are incompatible, outdated or inaccurate with the purposes of the processing.
Only employees authorised to process customer data for their work are entitled to use systems containing personal data. Each user has their own username and password for the system. Data is collected in databases that are protected by firewalls, passwords and other technical measures. The databases and their backups are located in locked rooms. The data can only be accessed by persons specifically authorised to process the data.
10. Rights of the data subject
The customer (data subject) has the right to inspect the personal data collected of them and stored in the personal data register and to demand the rectification or erasure of incorrect, outdated, unnecessary or illegal data. The customer also has the right to object or request restriction of processing and to lodge a complaint with the supervisory authority regarding the processing of their personal data.
For specific personal reasons, the customer has the right to object to the processing of their data when the processing of data is based on a legitimate interest. Your claim must specify the specific situation on the basis of which you object to the processing. We may only refuse to comply with a request for objection on the grounds laid down by law.
However, please note that personal data that are necessary for the purposes set out in this policy, or that are required by law to be retained, cannot be erased.