2020 Data Lab processes and manages data on behalf of car park management companies. When collecting the data specified in this policy, we are the Data Processor. Our clients are the Data Controllers to whom we report.
2. Statement of intent
2020 Data Lab is required to keep and process certain information about both its employees and any other personal information accessible as part of its day to day business in accordance with its legal obligations under the General Data Protection Regulation (GDPR).
This policy outlines how the Company complies with the following core principles of the GDPR.
Organisational methods for keeping data secure are imperative, and 2020 Data Lab believes that it is good practice to keep clear practical policies, backed up by written procedures.
This policy has been produced in line with the General Data Protection Regulation 2016 and the Data Protection Act 2018. This policy was last updated on 31st January 2019.
3. Legal framework
This policy has due regard to legislation, including, but not limited to the following:
This policy will also have regard to the following guidance:
4. Applicable data
For the purpose of this policy, personal data refers to information that relates to an identifiable, living individual, including information such as an online identifier, such as an IP address or a Vehicle Registration Mark (VRM) which can be linked to an individual. The GDPR applies to both automated personal data and to manual filing systems, where personal data is accessible according to specific criteria, as well as to chronologically ordered data and pseudonymised data, e.g. key-coded or encrypted data. Sensitive personal data is referred to in the GDPR as ‘special categories of personal data’, which include the processing of genetic data, biometric data and data concerning health matters.
When you use a client car park, we collect and process data comprising of images of vehicles using the car park and/or the Vehicle Registration Mark (VRM). This information is shared securely with our client, the car park operator. If the contractual parking terms and conditions are breached, a Parking Charge Notice will be issued by our client. We do not collect or have access to vehicle keeper records.
In accordance with the requirements outlined in the GDPR, personal data will be:
The GDPR also requires that “the controller shall be responsible for, and able to demonstrate, compliance with the principles”.
For the avoidance of any doubt, the Company operates its day to day business as the Data Processor acting on behalf of the Car Park Operator (the Data Controller). However, the Company takes the processing of personal data very seriously and therefore acts under the principle that all data should be treated as if the Company were the Data Controller
Records of activities relating to higher risk processing will be maintained, such as the processing of special categories data or that in relation to criminal convictions and offences.
The Company will implement measures that meet the principles of data protection by design and data protection by default, such as:
Data protection impact assessments will be used, where appropriate.
7. Data protection officer (DPO)
A DPO will be appointed in order to:
An existing employee will be appointed to the role of DPO provided that their duties are compatible with the duties of the DPO and do not lead to a conflict of interests.
The individual appointed as DPO will have professional experience and knowledge of data protection law, particularly that in relation to camera surveillance.
The DPO will report to the highest level of management at the Company, which is the Board of Directors. The DPO will operate independently and will not be dismissed or penalised for performing their task. Sufficient resources will be provided to the DPO to enable them to meet their GDPR obligations.
The DPO appointee may change from time to time. If there is any doubt over how to communicate with the DPO, an email should be sent to firstname.lastname@example.org for further details.
8. Lawful processing
The legal bases for processing business data has been identified and documented within separate documention. Under the GDPR, business transaction data will be lawfully processed under the following conditions:
Under these lawful bases, 2020 Data Lab collects and processes data on behalf of the Car Park Operators (Data Controller) and then shares applicable infringement data with the Data Controller.
9. The right to be informed
The privacy notice supplied to individuals in regards to the processing of their personal data will be written in clear, plain language which is concise, transparent, easily accessible and free of charge.
As subcontractor to and Data Processor of the Car Park Operator (“the Data Controller”), the Company will fully cooperate with the Car Park Operator in any privacy notice request.
In relation to data obtained both directly from the data subject e.g. employee details and not obtained directly from the data subject e.g. VRMs, the following information will be supplied within the collection of data for the privacy notice:
Where data is obtained directly from the data subject, information regarding whether the provision of personal data is part of a statutory or contractual requirement and the details of the categories of personal data, as well as any possible consequences of failing to provide the personal data, will be provided.
Where data is not obtained directly from the data subject, information regarding the source the personal data originates from and whether it came from publicly accessible sources, will be provided.
For data obtained directly from the data subject, this information will be supplied at the time the data is obtained.
In relation to data that is not obtained directly from the data subject, this information will be supplied:
10. The right of access
Individuals have the right to obtain confirmation that their data is being processed.
Individuals have the right to submit a subject access request (SAR) to gain access to their personal data in order to verify the lawfulness of the processing.
Within the Company’s business activities, 2020 Data Lab acting as Data Processor will fully support the Data Controller for any SAR.
The Company will verify the identity of the person making the request before any information is supplied.
A copy of the information will be supplied to the individual free of charge; however, the Company may impose a ‘reasonable fee’ to comply with requests for further copies of the same information.
Where a SAR has been made electronically, the information will be provided in a commonly used electronic format.
Where a request is manifestly unfounded, excessive or repetitive, a reasonable fee will be charged. All fees will be based on the administrative cost of providing the information.
All requests will be responded to without delay and at the latest, within 30 days of receipt.
In the event of numerous or complex requests, the period of compliance will be extended by a further two months. The individual will be informed of this extension and will receive an explanation of why the extension is necessary, within one month of the receipt of the request.
Where a request is manifestly unfounded or excessive, the Company holds the right to refuse to respond to the request. The individual will be informed of this decision and the reasoning behind it, as well as their right to complain to the supervisory authority and to a judicial remedy, within one month of the refusal.
In the event that a large quantity of information is being processed about an individual, the Company will ask the individual to specify the precise information the request is in relation to.
11. The right to rectification
Individuals are entitled to have any inaccurate or incomplete personal data rectified.
Where the personal data in question has been disclosed to third parties, the Company will inform them of the rectification where possible.
Where appropriate, the Company will inform the individual about the third parties that the data has been disclosed to.
Requests for rectification will be responded to within one month; this will be extended by two months where the request for rectification is complex.
Where no action is being taken in response to a request for rectification, the Company will explain the reason for this to the individual and will inform them of their right to complain to the supervisory authority and to a judicial remedy.
12. The right to erasure
Individuals hold the right to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
Individuals have the right to erasure in the following circumstances:
The Company has the right to refuse a request for erasure where the personal data is being processed for the following reasons:
Where personal data has been disclosed to third parties, they will be informed about the erasure of the personal data, unless it is impossible or involves disproportionate effort to do so.
Where personal data has been made public within an online environment, the Company will inform other organisations who process the personal data to erase links to and copies of the personal data in question.
13. The right to object
The Company will inform individuals of their right to object at the first point of communication, and this information will be outlined in the privacy notice and explicitly brought to the attention of the data subject, ensuring that it is presented clearly and separately from any other information.
Individuals have the right to object to the following:
Where personal data is processed for the performance of a legal task or legitimate interests:
Where personal data is processed for direct marketing purposes:
Where personal data is processed for research purposes:
Where the processing activity is outlined above, but is carried out online, the Company will offer a method for individuals to object online.
14. Privacy by design and privacy impact assessments
The Company will act in accordance with the GDPR by adopting a privacy by design approach and implementing technical and organisational measures which demonstrate how the Company has considered and integrated data protection into processing activities.
Data protection impact assessments (DPIAs) will be used to identify the most effective method of complying with the Company’s data protection obligations and meeting individuals’ expectations of privacy.
DPIAs will allow the Company to identify and resolve problems at an early stage, thus reducing associated costs and preventing damage from being caused to the Company’s reputation which might otherwise occur.
A DPIA will be used when using new technologies or when the processing is likely to result in a high risk to the rights and freedoms of individuals.
A DPIA will be used for more than one project, where necessary. High risk processing includes, but is not limited to, the following:
The Company will ensure that all DPIAs include the following information:
Where a DPIA indicates high risk data processing, the Company will consult the ICO to seek its opinion as to whether the processing operation complies with the GDPR.
15. Data breaches
The term ‘personal data breach’ refers to a breach of security which has led to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
The Principal will ensure that all staff members are made aware of, and understand, what constitutes as a data breach as part of their continuous development training.
Where a breach is likely to result in a risk to the rights and freedoms of individuals, the relevant supervisory authority will be informed.
All notifiable breaches will be reported to the relevant supervisory authority within 72 hours of the Company becoming aware of it.
The risk of the breach having a detrimental effect on the individual, and the need to notify the relevant supervisory authority, will be assessed on a case-by-case basis.
In the event that a breach is likely to result in a high risk to the rights and freedoms of an individual, the Company will notify those concerned directly.
A ‘high risk’ breach means that the threshold for notifying the individual is higher than that for notifying the relevant supervisory authority.
In the event that a breach is sufficiently serious, the public will be notified without undue delay.
Effective and robust breach detection, investigation and internal reporting procedures are in place at the Company, which facilitate decision-making in relation to whether the relevant supervisory authority or the public need to be notified.
Within a breach notification, the following information will be outlined:
16. Data security
Confidential paper records will be kept in a locked filing cabinet, drawer or safe, with restricted access.
Confidential paper records will not be left unattended or in clear view anywhere with general access.
Digital data is coded, encrypted or password-protected, both on a local hard drive and on a network drive that is regularly backed up off-site or stored on cloud which has its own password protected security design.
Where data is saved on removable storage or a portable device, the device will be kept in a locked filing cabinet, drawer or safe when not in use.
Memory sticks will not be used to hold personal information unless they are password-protected and fully encrypted.
All electronic devices are password-protected to protect the information on the device in case of theft.
All necessary members of staff are provided with their own secure login and password, and every computer regularly prompts users to change their password.
Emails containing sensitive or confidential information are password-protected if there are unsecure servers between the sender and the recipient.
Where personal information that could be considered private or confidential is taken off the premises, either in electronic or paper format, employees will take extra care to follow the same procedures for security, e.g. keeping devices under lock and key. The person taking the information from the Company premises accepts full responsibility for the security of the data.
Before sharing data, all employees will ensure:
Under no circumstances are visitors allowed access to confidential or personal information. Visitors to areas of the Company containing sensitive information are supervised at all times.
The physical security of the Company’s buildings and storage systems, and access to them, is reviewed on a termly basis. If an increased risk in vandalism/burglary/theft is identified, extra measures to secure data storage will be put in place.
2020 Data Lab takes its duties under the GDPR seriously and any unauthorised disclosure may result in disciplinary action.
The Data Protection Officer is responsible for continuity and recovery measures are in place to ensure the security of protected data.
17. Data retention
Data will not be kept for longer than is strictly necessary. Unrequired data will be deleted as soon as practicable.
Paper documents will be shredded or pulped, and electronic memories scrubbed clean or destroyed, once the data should no longer be retained.
The Company maintains a separate Data Retention Policy