Information on the processing of personal data Art. 13-14 EU Reg. No. 679/2016 | APCOA FLOW MOBILE APP
Dear User, EU Regulation no. 679/2016 (GDPR) and Legislative Decree 196/2003 (Privacy Code) set out the rules for the protection of persons with regard to the processing of their personal data.
In compliance with the indicated legislation, APCOA ITALIA SPA intends to provide you with all the information on the processing of your personal data according to the principles of lawfulness, correctness and transparency, purpose limitation and storage, data minimisation, accuracy, integrity and confidentiality.
This notice supplements the general information on data processing given on www.apcoa.it/privacy.
1. Who processes my personal data?
1.1. Data controller
APCOA ITALIA SPA
Head office: Mantua (MN), Via Zanellini 15
P.IVA 01578450205
privacy@apcoa.it
1.2. Data Protection Officer
The Data Controller uses the DPO to respond to requests relating to the exercise of data subjects' rights. ext.dpo@apcoa.it
2. Why are my personal data processed?
Personal data are processed in a limited and proportionate manner for the following purposes.
The data is processed mainly by computer. Appropriate security measures are observed to prevent loss of data, illegal or incorrect use and unauthorised access.
2.1. User registration
2.1.1. What data are processed
- First name, surname
- Login credentials (password)
- Car number plate
- Registration operation log
2.1.2. Purpose of processing
Data is processed to create access credentials for the APCOA Flow mobile app.
When you download the mobile app, the required information is transferred to the App Store, in particular your user name, e-mail address and account number, download time, payment information and code number of your device. We have no influence on this data collection and are not responsible for it. We only process data if this is necessary to download the Mobile App to your mobile device.
2.1.3. Legal basis
Article 6(b) GDPR (contract execution) - the data is necessary to execute the service contract and the terms of use of the app.
The social login is based on consent and the user can create new credentials without using their social profiles.
2.1.4. Retention period
Personal data is retained until the request to delete the account is made. Data necessary for reporting user choices (authorisation and consent flag logs) will be retained thereafter.
2.1.5. What happens if I refuse to give my data?
When the processing is based on a contract or on a legal obligation, failure to provide data prevents the contract from being executed. It is not possible to generate access credentials without the required data.
2.2. APP use (bookings, payments, location, contacts)
2.2.1. What data is processed
First name, surname
Contact data
User ID
Car number plate
Telephone number (optional)
Fiscal data for invoicing
Parking place for which the request is sent
Location data
Payment history and parking sessions
2.2.2. Purpose of processing
Data is processed for the use of the mobile app, including parking bookings and payments that require the use of location authorisation. Contact data is collected for customer care and support needs.
2.2.3. Legal basis
Article 6(b) GDPR (execution of customer contract)
Article 6(a) GDPR (consent) - With the user's consent, we may collect location data to enable the management of parking at the car park. Authorisation for the collection of location data GPD is provided through the system and the user can change this at any time from the web app settings.
The payment phase does not involve the communication of confidential data of the means of payment to APCOA as the secure protocol of the provider Ingenico (autonomous data controller) ensures the encryption of the transmission of the same.
2.2.4. Retention period
Personal data and payment receipts will be retained for the period specified by law or for a period relating to the contractual relationship, even after any uninstallation of the app/cancellation of access credentials.
Position data shall not be stored, but only tariff zone data.
Payment method data are not stored.
2.2.5. What happens if I refuse to give my data?
When the processing is based on a contract or on a legal obligation, failure to give it prevents the assignment.
Location data are necessary for the booking of parking.
2.3. To whom will my data be disclosed?
The data may be disclosed to our legal advisors as autonomous data controllers.
The data will be disclosed to the payment service provider Ingenico as autonomous data controller.
2.3. Commercial notifications
2.3.1. Which data are processed
Email address
2.3.2. Purpose of processing
With your consent, we may send you messages via electronic mail (Email) for business proposals, discounts and news.
2.3.3. Legal basis
Article 6(a) GDPR (consent)
2.3.4. Retention period
Data will be retained until consent is revoked.
2.3.5. What happens if I refuse to give my data?
The user can use the mobile app without restriction even without giving consent to receive commercial messages.
2.4. For what other purposes can personal data be collected?
In order to improve our services we carry out statistical analyses. These analyses are carried out in order to extract reports of aggregated data, without creating profiles on individuals.
If you deactivate your account, all your personal data, login credentials and purchases made will be deleted. However, the data relating to the consent given for the processing of personal data will be retained.
After deactivation of accounts and deletion of personal data, we store data in anonymous form for statistical purposes.
Push notifications about parking and parking updates on your account are managed by system and app settings.
3. Who may process my personal data?
The personal data collected may be communicated to parties, internal or external to APCOA, to whom the communication is configured as the fulfilment of legal or contractual obligations or as necessary for the pursuit of the purposes specified above.
3.1. Third-party recipients of the data
The data may be communicated to third parties, exclusively for technical and operational needs strictly related to the purposes set out above and in particular to the following categories of subjects:
- The data may be communicated within the APCOA business group, e.g. to APCOA GmbH in order to pursue its own legitimate interest with reference to internal administrative purposes, including the provision of technological services necessary for the operation of the app.
- from/to Public Administrations for purposes related to the fulfilment of legal obligations.
- from/to parties to whom the right to access personal data is recognised by provision of law or secondary or EU regulations, as well as by specific contracts and agreements duly signed;
- from/to banks, financial institutions, insurances or other subjects to whom the communication of the data is necessary for the performance of the activity of our company in relation to the fulfilment by us of the contractual/commercial obligations towards the customers
- from/to parties to whom the communication of personal data is necessary or functional for the performance of existing contractual obligations.
- from/to public and private entities on whose behalf APCOA ITALIA SPA carries out its activities, for the purposes and within the limits provided for in the relevant contracts.
- to payment service providers for in-app payment transactions.
3.2. Data processors
For the pursuit of the purposes indicated above, APCOA may also disclose some personal data to third parties who provide a service to the Data Controller, for example, for the supply of technological services including, in particular, the e-mail service and cloud infrastructure, for the supply of management software or in any case in relation to the fulfilment of all the technical and operational requirements strictly connected to the exercise of contractual rights or to respond to user requests.
These entities process personal data as data controllers pursuant to and for the purposes of Article 28 of the GDPR.
More information on the data processors can be requested from the Controller at any time by writing to privacy@apcoa.it.
3.3. Dissemination of personal data
Personal data will not be disseminated.
4. Where are my personal data processed?
Personal data are mainly processed within the European Union.
The providers of the cloud infrastructure declare that the data centres used are located within the territory of the European Union. Where there are transfers of personal data, they are obliged to protect the data on the basis of the signed Standard Contractual Clauses.
4.1. What mechanism protects the transfer of my data outside the EU?
Service providers based outside the European Union will be appointed as data controllers and the transfer of your personal data to such entities, limited to the performance of specific processing activities, will be regulated in accordance with Chapter V of the GDPR.
In particular, where an adequacy decision pursuant to Article 45 GDPR is lacking, adequate safeguards pursuant to Article 46 GDPR will be used.
5. What are my rights?
Pursuant to Articles 15-22 GDPR the data subject has the right to ...
5.1. Right of access to data
The data subject may obtain confirmation that personal data concerning him or her is being processed, obtain more information about the processing and a copy of the personal data.
5.2. Right of rectification
You may rectify inaccurate data or supplement them.
5.3. Right of erasure
In legal cases, you may request that your data be forgotten and/or deleted.
5.4. Right to restriction of processing
The data subject may request that processing be restricted by objecting to the deletion insofar as it is necessary for the exercise or defence of a right in court or in other cases provided for by law.
5.5. Right to data portability
The data subject has the right to receive the personal data provided in a commonly used structured format when the data are processed by automated means on the basis of consent or a contract.
5.6. Right to object to processing
For particular reasons, you may object to processing based on legitimate interest or in other cases provided for by law.
5.7. When the processing is based on consent, you have the right to withdraw your consent at any time.
5.8. How can I protect my rights?
You may lodge a complaint with the Garante per la Protezione dei dati personali [Italian Data Protection Authority].
More information: https://bit.ly/2w1mcjS
You can ask for more information or exercise your rights by using the following contact form or by sending an email to: privacy@apcoa.it
