Car Park Privacy Policy
Bristol Alliance Limited Partnership, Cabot Circus Car Park, Newfoundland Rd, Bristol BS2 9AP (“the Company”, “we”, “our” or “us”) has certain obligations under the General Data Protection Regulation (“GDPR”) to notify individuals (“you” or “your”) about how it will process any personal data it collects from or about them. We treat your data privacy very seriously and understand that you will wish to know how we will use that personal data.

We maintain a registration as a data controller with the Information Commissioner’s Office (www.ico.org.uk) and have registration number Z1439711. To contact us if you have any questions about this Policy or our processing of your personal data (including to exercise your rights under GDPR), including details of our Data Protection Officer, please see our contact details included below in this Policy under the ‘How to contact the Company?’ header.

We are part of the Hammerson group of companies (“the Hammerson Group”), which may also be provided with personal data about you.

This Policy will inform you of what personal information we collect in relation to our car parking facilities only, how that information is used, our lawful basis for such use, who it is shared with and why, where it is transferred, your rights in relation to it and how you can exercise such rights.

What personal data is collected?

We collect various “personal data” about you in order to provide you with this car park service, as set out in our terms and conditions, including to ensure the security of our car park. This Policy relates only to your use of our car-parking services, not other services which we may provide to you. If you are using any of our other services, please consult our website for other applicable privacy notices/policies: www.cabotcircus.com/terms-conditions.

Under the GDPR, personal data is information from which you are identified or are identifiable (directly or indirectly).
The personal data which may be collected and used by us in our provision of the car park service include your:

• vehicle registration number (collected by automatic number plate recognition cameras (“ANPR”)), and other details relating to your car such as car make/model/car colour/fuel type/emissions;
• photograph (which may be collected as part of an ANPR image);
• video recording (without sound) (collected by CCTV used in the car park);
• time and date of use of our services (and, consequently, your location); and/or
• payments and payment methods for the use of the car park.

In the majority of cases we do not (unless you are a customer for any additional services we may provide such as pre-booking services and loyalty schemes) seek to combine the above information with other information we have about you, such as name/contact details, which makes it harder for us to identify you. Circumstances where we can and do identify you include: (i) when it is necessary to obtain vehicle-owner information from the DVLA (in the limited circumstances permitted by law); (ii) if you contact us and provide such additional information to enable us to identify you from the above data, for example (a) when raising an enquiry with us about your use of our services or (b) when signing up for other services which we may provide where applicable (including pre-booking services or to administer loyalty schemes); and (iii) if you are eligible for automatic entry/exit to the car park (e.g. if you are a Company employee, Hammerson Group employee, a contract parker, pre-paid parker, competition winner for free parking or recipient of a loyalty or promotional offer).
In addition, should we need to carry out further enquiries, in accordance with our terms and conditions and/or to deal with an enquiry raised by you and/or to enable you to sign up for other services (where applicable) such as pre-booking services (season tickets and/or day-to-day) or to administer loyalty schemes, we may also collect your:

• name;
• contact details (business or personal);
• opinions or suggestions on our services; and/or
• bank account details (for the purposes of processing payments).

If we offer and you have chosen to use an online portal or a mobile app to enable you to interact with us (including to use our car-parking services), your use of that online portal or app may lead to us processing additional types of personal data about you. This will be described in a separate privacy notice/policy which we will make available to online portal users and app users as relevant.

Furthermore, we may process details of your unresolved non-compliance (if any) with contracts between us (e.g. if there has been a non-payment or other breach of contract by you in relation to your use of the car park), whether your vehicle has been involved in crime in relation to the car park, or in relation to facilitating the exit from the shopping centre following the commission of a crime, or is otherwise known to the control authorities (police, intelligence services and local authorities), or whether you are subject to a banning order from the shopping centre the car park is affiliated with. In these circumstances, we may have determined not to permit your vehicle, or the vehicle we have connected to you, to enter the car park based on that previous behaviour.

In addition, we may (unintentionally) also process “special category personal data” about you (as described in this paragraph), in particular when your image is captured by CCTV or ANPR cameras.
For example, your race/ethnicity, health information (for example where this is apparent from images captured by CCTV images), sexual life, religious beliefs, political opinions, or trade union membership. Such processing is only incidental to our use of CCTV or ANPR cameras, and we do not use this special category personal data to make any decisions about you or otherwise act on it.

We may also process your personal data which relates to the commission, or alleged commission of offences to the extent this is caught on car park CCTV.

For what purposes will your personal data be used and what is our corresponding lawful basis under GDPR?

We may process your personal data for the following purposes:

• providing car park services (and, where applicable, pre-booking services (season tickets and/or day to day) and loyalty schemes) to you in accordance with our terms and conditions. Our lawful basis under GDPR in relation to these purposes is that it is necessary for the performance of our contract with you (or in order to take steps at your request prior to entering into a contract with you);
• legitimate business reasons - management reporting, accounting, other internal business (including joint ventures and business sales) and sales management, if any personal data is involved. Our lawful basis under GDPR in relation to these purposes is that it is necessary for the purposes of our (or a third party’s) legitimate business interests (e.g. to manage our business responsibly and efficiently), which are not overridden by your interests, fundamental rights and freedoms;
• customer relationship management - dealing with any queries or correspondence from you. Our lawful basis under GDPR in relation to these purposes is as follows: (i) where the processing relates directly to responding to you, our lawful basis is that you have consented to us responding to you, by making a request to us which requires a response; and (ii) where the processing is not directly related to responding to you (e.g. obtaining professional advice to allow us to consider our response, discussing your request in management meetings), our lawful basis is that it is necessary for the purposes of our (or a third party’s) legitimate business interests (e.g. to manage our business responsibly and efficiently, and to consider and protect our own legal rights), which are not overridden by your interests, fundamental rights and freedoms;
• enforcement of our terms and conditions. Our lawful basis under GDPR in relation to these purposes is that it is necessary for the performance of our contract with you (or in order to take steps at your request prior to entering into a contract with you);
• compliance with legal, regulatory and other good governance obligations, including to request additional information from third parties (e.g. the DVLA) to allow us to meet these obligations. Our lawful basis is that it is necessary for compliance with a legal obligation to which we are subject;
• where we have determined not to permit your vehicle (or a vehicle that we have associated with you) to enter the car park based on previous behaviour (e.g. non-payment, breach of contract, criminal behaviour, banning orders, as explained above), our lawful basis under GDPR in relation to this purpose is that it is in our (or a third party’s, such as other users of our car park) legitimate business interests (e.g. to ensure that vehicles entering the car park do not present us with security or breach of contract risk, to enforce previous contracts, to protect others’ property rights or for the security of our car park), which are not overridden by your interests, fundamental rights and freedoms; and/or
• where our processing of the personal data referred to above, or otherwise to the extent this is caught on car park CCTV, relates to criminal offences (or alleged) (including its disclosure to law enforcement authorities or otherwise in relation to legal claims or determining not to permit your vehicle to enter the car park), our lawful basis for determining not to permit your vehicle to enter the car park or disclosure to law enforcement authorities is that it is in the substantial public interest and necessary for prevention or detection of an unlawful act (and if we sought your consent for this it would prejudice these purposes), and in respect of legal claims is that it is necessary for the establishment, exercise or defence of such claims.

We may also convert the personal data into statistical, aggregated non-identifiable form. This anonymised data cannot be linked back to you. We may then use that anonymised data to conduct research and analysis, including to produce statistical research and reports. For example, to help us understand car-park usage. The anonymised data, research and reports may also be made available to and used for market research/analysis purposes within the Hammerson corporate group of companies (who will not be able to identify you from the data made available to them).

Profiling and automated decisions (and our corresponding lawful basis under GDPR for this)

In addition to the purposes outlined above, we may also carry out profiling which involves the processing of your personal data.
The profiling we carry out is focused on your vehicle (or in some instances a vehicle which we have associated with you), although because we are able to identify you from your vehicle details (in conjunction with other personal data held about you, as described above in this Policy) this will constitute profiling based on your personal data.

We create a profile of your vehicle, including whether (or not, to the extent relevant) your vehicle is permitted to enter the car park based on previous behaviour (e.g. non-payment, breach of contract, criminal behaviour, banning orders, as explained above in this Policy), frequency of visits, vehicle and fuel type, or whether you are eligible for automatic entry/exit to the car park (e.g. if you are a Company employee, Hammerson Group employee, a contract parker, pre-paid parker, competition winner for free parking or recipient of a loyalty or promotional offer). This enables us to determine whether to permit you to enter the car park, to enter into and enforce our contracts, or to potentially offer discounts (e.g. to low-emission vehicles, vehicles with certain characteristics, loyalty offers).

Where our profiling does not have legal or similarly significant effect on you, or where we (i.e. a person within Hammerson) have made a decision which is being implemented via our car park gates, such as to determine that the vehicle you are driving matches the details of a vehicle we have previously determined should be permitted or not to access the car park, our lawful basis under GDPR is that it is necessary for the purposes of our (or a third party’s) legitimate business interests (e.g. to ensure that vehicles entering the car park do not present us with security or breach of contract risk, to enforce previous contracts, to protect others’ property rights or for the security of our car park, in the case of vehicles which are not permitted to enter the car park), which are not overridden by your interests, fundamental rights and freedoms, or that it is necessary for performance of a contract with you (e.g. as to automatic entry/exit).

However, where we use the personal data (including profiling) to make automated decisions about you which produce legal effects on you or similarly significantly affect you, we do so where it is necessary for entering into (or performing) a contract between us and you, as set out below. We will implement suitable measures to safeguard your rights, including providing you with the right to obtain human intervention, to express your point of view and contest the decision.

We may make such automated decisions based on your personal data where this is necessary for performance of a contract between you and us in order to:

• issue parking charge notices; and
• determine the correct tariff for our services to you – for example to offer discounts to low-emission vehicles or discounts based on other certain features of a vehicle (such as colour or vehicle type).

Where we make these automated decisions, to obtain human intervention (i.e. a human will review the automated decision which has been taken), express your point of view and contest the decision, please contact us as set out under the ‘How can I contact the Company?’ header below.

Who will see my personal data?

Your personal data may be made available to third parties providing relevant services under contract to us, or the Hammerson Group for these purposes, such as:

• providers of certain business function services, such as IT support, processing of payment card/details, website and data hosting providers and administrators. These parties will process the personal data on our behalf (as our data processor). We will disclose your personal data to them so that they can perform those functions. Examples of these providers include our outsourced IT systems software and maintenance, payment processing and back up and server hosting providers; and
• security/parking team service provider (for watching CCTV and responding to barrier/ticket questions). This provider will process the personal data on our behalf (as our data processor) and we will disclose your personal data to it so it can provide us with these services.

Your personal data will also be made available:

• when we believe that disclosure is appropriate in connection with efforts to investigate, prevent, or take action regarding illegal activity, suspected fraud, or other wrongdoing; to protect and defend the rights, property or safety of the Company, its customers, staff, suppliers or others; to comply with applicable law or co-operate with law enforcement; or to enforce its terms or other agreements (including, for example, where a vehicle has been abandoned in our car park). Our lawful bases under GDPR, and (where relevant) the Data Protection Act 2018 (“DPA”), for this processing are set out above in this Policy;
• to our advisors (such as consultants, legal advisors, auditors and other professional advisors), in order that we can receive advice and services from them. Our lawful basis under GDPR for this processing is that it is necessary for the purposes of our (or a third party’s) legitimate business interests (e.g. for us to be able to obtain professional or legal advice), which are not overridden by your interests, fundamental rights and freedoms. To the extent that the personal data disclosed constitutes criminal offences (including alleged), this will be limited to disclosures in relation to legal claims and our lawful basis under the DPA is that the processing is necessary for the establishment, exercise or defence of legal claims;
• in response to a court order, or a request for cooperation from a law enforcement or other government agency; to establish or exercise its legal rights; to defend legal claims; or as otherwise required or permitted by applicable laws and/or regulations. Our lawful bases for this processing are set out above in this Policy; and/or
• to prospective or actual buyers in the event that the Company sells or buys any of its business or assets. Our lawful basis under GDPR for this processing is that it is necessary for the purposes of our (or a third party’s) legitimate business interests (e.g. for a purchaser of any of our business to have details of individuals using the services provided by that part of the business), which are not overridden by your interests, fundamental rights and freedoms.

Will my personal data be transferred abroad?

Your personal data processed in accordance with this Policy may be transferred to recipients who are located within the European Economic Area (“EEA”). It will not be transferred to or otherwise processed by recipients located outside of the EEA.

Security

The Company takes precautions including administrative, technical and physical measures to protect your personal data against loss, theft and misuse, as well as against unauthorised access and disclosure.

How long do we retain your personal data?

We will only keep the personal data for a limited amount of time and no longer than is necessary for the purposes for which it is processed, as set out below:

• Personal data related to your transaction (with the exception of CCTV images) will be retained for a period of up to 5 years from the date of the transaction, to the extent necessary for the purposes of legal claims and dealing with any queries from you; and
• CCTV images will be retained by us for 30 days, unless required to be kept for longer due to legal obligations or legal claims (although note that the shopping centre within the Hammerson corporate group of companies who control the processing of personal data in CCTV images may retain this for a different period – you should consult the relevant fair processing notice/policy issued by the shopping centre for details).

What rights do I have in relation to my personal data and how to exercise them?

You have certain legal rights in relation to any personal data about you which we hold, as summarized below. They do not apply in all circumstances.
If you wish to exercise any of them we will explain at that time if they are engaged or not:

• the right to be informed about our processing of your personal information;
• the right to have your personal information corrected if it is inaccurate and to have incomplete personal information completed;
• the right to object to processing of your personal information (see further details below);
• the right to restrict processing of your personal information;
• the right to have your personal information erased (the “right to be forgotten”);
• the right to request access to your personal information and to obtain information about how we process it;
• the right to move, copy or transfer your personal information (“data portability”);
• rights in relation to automated decision making which has a legal effect or otherwise significantly affects you – as described under the ‘Profiling and automated decisions’ header above.

Where our processing of your personal data is based on your consent (i.e. directly responding to any requests or enquiries that you make of us), you have the right to withdraw your consent at any time. If you do decide to withdraw your consent we will stop processing your personal data for that purpose, unless there is another lawful basis we can rely on – in which case, we will let you know. Your withdrawal of your consent won’t impact any of our processing up to that point.

Where our processing of your personal data is necessary for our legitimate interests, you can object to this processing at any time. If you do this, we will need to show either a compelling reason why our processing should continue, which overrides your interests, rights and freedoms or that the processing is necessary for us to establish, exercise or defend a legal claim.

If you wish to exercise any of your rights please contact us as set out below under the ‘How can I contact the Company?’ header.
You also have the right to lodge a complaint with the Information Commissioner’s Office, which is the UK data protection regulator. More information can be found on the Information Commissioner’s Office website at https://ico.org.uk/.

Updates to this Policy

We may update this Policy from time to time to reflect changes to the type of personal data that we process and/or the way in which it is processed. We will then publish the updated Policy on our website www.cabotcircus.com/terms-conditions. We also encourage you to check this Policy on a regular basis so that you are aware of updates.

How can I contact the Company?

In the first instance, you are encouraged to contact car.park@cabotcircus.com with any queries or concerns relating to this Policy, or to exercise your rights in relation to your personal data. Your initial query, concern or rights request may be raised onward to our Data Protection Officer, whose contact details are set out below, but equally you are able to escalate your query, concern or request directly or raise other queries about our compliance with the GDPR in relation to your personal data to our Data Protection Officer.

Our Data Protection Officer can be contacted at Kings Place, 90 York Way, London N1 9GE or Dataprotectionofficer@hammerson.com

Date last updated: 14/08/2020