Privacy Notice for the Processing of Personal Data
Articles 13–14 EU Regulation No. 679/2016 (GDPR)
APCOA FLOW MOBILE APP
Dear User,
EU Regulation No. 679/2016 (GDPR) and Legislative Decree 196/2003 (Italian Privacy Code) set out rules to protect individuals regarding the processing of their personal data.
In accordance with the above regulations, APCOA ITALIA S.p.A. aims to provide you with full information on how your personal data will be processed, adhering to principles of lawfulness, fairness, and transparency, as well as purpose limitation, data minimisation, accuracy, integrity, and confidentiality.
This notice complements the general privacy information available at: www.apcoa.it/privacy
Who processes my personal data?
Data Controller
APCOA ITALIA S.p.A.
Registered Office: Via Zanellini 15, 46100 Mantua (MN), Italy
VAT No.: 01578450205
Email: privacy@apcoa.it
Data Protection Officer (DPO)
The Data Controller has appointed a DPO to handle any requests regarding data subject rights.
Email: ext.dpo@apcoa.it
Why is my personal data being processed?
Personal data is processed solely to the extent necessary for the following purposes.
Data is processed primarily using IT systems. Appropriate security measures are in place to prevent data loss, unlawful or incorrect use, and unauthorised access.
User Registration
Processed Data:
First and last name
Email address
Login credentials (password)
Vehicle license plate number
Registration log records
Purpose of Processing:
To generate user credentials for access to the APCOA Flow mobile app.
When downloading the app, some data is transmitted to the App Store (e.g. username, email address, account number, time of download, payment details, device ID). APCOA has no control over this and is not responsible for such data collection. We only process data necessary to allow the app download.
Legal Basis:
Article 6(1)(b) GDPR – Processing is necessary for the performance of a contract (service provision and app usage terms).
Social login is based on consent. Users may also register without using their social media profiles.
Retention Period:
Personal data is stored until the account is deleted. Data related to user choices (e.g. consent logs) is retained thereafter for auditing purposes.
What happens if I refuse to provide my data?
Where processing is contract-based or legally required, failure to provide data prevents account creation.
App Use (Bookings, Payments, Location, Contact)
Processed Data:
Full name
Contact details
User ID
Vehicle license plate
Phone number (optional)
Billing/tax data
Parking location requested
Location data
Parking sessions and payment history
Purpose of Processing:
To enable use of the app for booking and payment of parking sessions, which may require location data access. Contact information is used for customer service purposes.
Legal Basis:
Article 6(1)(b) GDPR – Contract execution
Article 6(1)(a) GDPR – Consent (for location tracking, required for parking management)
Location access is authorised via system settings and can be revoked at any time in the app settings.
Note: Payment is handled via the secure protocol of Ingenico (independent data controller). APCOA does not receive or store sensitive payment data.
Retention Period:
Personal and payment data are retained for the duration required by law or the contract, even after uninstalling the app or deleting login credentials.
Location data is not stored; only tariff zone data is retained.
Payment method details are not retained.
What happens if I refuse to provide my data?
Where legally or contractually required, refusal prevents service provision. Location data is essential for booking a parking session.
To whom is my data disclosed?
Data may be shared with legal consultants (as independent controllers), and with Ingenico, the payment service provider, also as an independent controller.
Marketing Notifications
Processed Data:
Email address
Purpose:
With your consent, we may send promotional messages, discounts, and news via email.
Legal Basis:
Article 6(1)(a) GDPR – Consent
Retention Period:
Until consent is withdrawn.
What happens if I refuse to provide my data?
The app remains fully usable even without subscribing to marketing emails.
Are there any other purposes for collecting personal data?
We may conduct statistical analyses to improve services. These are based on aggregated, anonymised data, and no individual profiles are created.
When your account is deactivated, all personal data, credentials, and transaction records are deleted. Consent logs may be retained for compliance purposes.
Anonymous data may be retained for statistical analysis.
Push notifications (e.g. parking reminders) are controlled via app/system settings.
Who can access my personal data?
Data may be disclosed to internal or external parties when:
Required by law
Necessary for contract performance
Necessary for the purposes outlined above
Third-Party Recipients
Data may be shared, for technical and operational reasons, with:
Companies within the APCOA Group (e.g. APCOA Holdings GmbH), for legitimate internal administrative needs, including app operation support
Public authorities as required by law
Banks, financial institutions, insurance companies for business-related obligations
Public/private entities APCOA operates on behalf of, under contractual terms
App payment providers
IT service providers (e.g. email, cloud, software, helpdesk), acting as data processors under Art. 28 GDPR
More information about these processors can be requested by emailing: privacy@apcoa.it
Personal data will not be publicly disclosed.
Where is my personal data processed?
Data is primarily processed within the European Union.
Cloud infrastructure providers declare that their data centers are located within the EU.
If data is transferred outside the EU, it is protected by Standard Contractual Clauses.
What safeguards are in place for non-EU transfers?
When providers are outside the EU and no adequacy decision exists, Article 46 GDPR safeguards (e.g. SCCs) are used.
What are my rights?
According to Articles 15–22 GDPR, you have the right to:
Access your data and get detailed information
Rectify inaccurate or incomplete data
Erase your data (right to be forgotten), in applicable cases
Restrict processing, for example, to preserve data for legal claims
Data portability, where applicable (contract/consent-based and automated processing)
Object to processing, particularly when based on legitimate interest
Withdraw consent at any time, where processing is based on consent
How can I exercise my rights?
You may file a complaint with the Italian Data Protection Authority (Garante Privacy).
More info: https://bit.ly/2w1mcjS
You can request more information or exercise your rights by:
Emailing privacy@apcoa.it
Using the contact form on www.apcoa.it/privacy
_________________________________________
PLEASE NOTE that you must be the person registered as the keeper of the vehicle being entered, or be authorised by them to use and register that vehicle.