The privacy policy

In order to provide our services, APCOA may share personal data with third parties such as consultants, suppliers or other members of the APCOA group. We will not share your personal data unless authorised to do so by law.

Our service providers provide, among others, the following services: information services, telephony services, support services and IT services, such as support, operation, improvement, development, mailing and invoice management services, reminder, collection and payment services.

These service providers may only process your personal data according to APCOA's explicit instructions and may not use your data for their own purposes. They are also legally and contractually obliged to protect your personal data.

For the development of customer management systems and the manual correction of registration numbers, APCOA uses service providers located in third countries. In this regard, APCOA has ensured adequate protection of the privacy and fundamental rights and freedoms of individuals in relation to access to APCOA customer data through the EU Commission Decision on standard contractual clauses between controllers and processors pursuant to Article 28(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council and Article 29(7) of Regulation (EU) 2018/1725 of the European Parliament and of the Council. You have the right to obtain, upon request, information about the countries outside the EU/EEA to which your personal data is transferred and a copy of the safeguards that APCOA has put in place to protect your personal data.

Our suppliers may transfer personal data to countries outside the EU/EEA if the country has a so-called adequate level of protection, or if the supplier has put in place sufficient safeguards to ensure that your rights are respected and your privacy is protected.

For billing and collection purposes, we may share your personal data with our suppliers to fulfil our right to claim payment. We may also share the data with the vehicle owner who is also jointly and severally liable for inspection fees.

In case of unpaid fees and inspection fees, we or our suppliers may process your personal data or obtain additional information from public sources to fulfil our right to claim payment. This right is based partly on the Contracts Act and partly on the Act on Control Fees for Illegal Parking.

APCOA may also, in exceptional cases, share personal data with property owners/building societies in order to fulfil our part of our contracts. In these cases, we have based sharing on a balance of interests.

We will also send data to government institutions and authorities that are entitled to access this information within the framework of our statutory duty of disclosure or if we are obliged to disclose this data through them. The processing is necessary for the fulfilment of legal obligations.

In the context of a legal dispute, we may transfer data to other parties. The processing is necessary for the purposes of our legitimate interest in establishing, exercising and defending legal claims.

We may share personal data with law enforcement authorities, such as the police, if we are required by law to disclose your data or to assist in an ongoing criminal investigation. The processing is necessary to comply with legal obligations or to fulfil our legitimate interest in contributing to an ongoing criminal investigation upon request.

We may share information with potential buyers and sellers if we were to sell all or part of the business or in the event of a merger. The processing is necessary to fulfil our legitimate interest in carrying out the sale or merger.

We may also share information internally within the Group. The processing is necessary to fulfil our legitimate interest to administer and manage APCOA Sweden in an efficient way or to use certain products and services provided internally.

We may share personal data with consultants. These consultants act in their capacity as employees and may not process personal data outside of their work. They are also bound by professional secrecy even after the consultancy service has ended.

We take data protection within our company very seriously. Our staff and contracted service providers are bound by a duty of confidentiality and comply with legal provisions on data protection.
For more information on how we handle personal data in individual cases, see below or contact us.

Personal data is provided and collected before and in connection with the initiation of a customer relationship, the conclusion of a contract and/or the submission of an assignment, or otherwise in connection with a customer relationship. The data is processed by APCOA Sverige AB for incoming and outgoing administration and fulfilment of agreements entered into, and for APCOA Sverige AB to be able to fulfil its obligations under the law.

When initiating a customer relationship and for certain payments, APCOA Sverige AB may check personal data in accordance with the law and/or official decisions in order to be able to apply and ensure that the customer relationship can be initiated and payment can be made. The personal data may also form the basis for APCOA Sverige AB's market and customer analyses, business and method development, as well as statistics and risk management.

APCOA needs to fulfil a legal requirement to collect and process personal data. The legal basis for APCOA Parkering Sverige AB to have the right to collect personal data is regulated in the GDPR Regulation (EU) 2016/679, Article 6, paragraph 1 a-f and varies depending on the situation. Below you can find more info.

Article 6 GDPR, paragraph 1 a-f

a) The data subject has given consent to the processing of his/her personal data for one or more specific purposes.
b) The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
c) The processing is necessary for compliance with a legal obligation to which the controller is subject.
d) The processing is necessary to protect the vital interests of the data subject or of another natural person.
e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
f) Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

See below on the processing of personal data in specific cases.

Account management

Purposes	APCOA processes your personal data when you register an account with us via pay.apcoa.se, APCOA FLOW or via other services that use account management.
Information to be processed	Identity data e.g. name, customer number, social security number, telephone number. Contact data e.g. address, e-mail address, telephone number. Financial data: Invoices, receipts, accounting, last four digits from bank cards.
Legal basis	b) The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. You enter into a contract with us when you register an account with us. We need your personal data to identify you or your vehicle, to provide our services and to receive payments.
Recipients of personal data	Controller: Apcoa Sverige AB Org nr: 556439-7478 (EU) Processors: Apcoa Holding Org nr: HRB 726108 (EU) (APCOA FLOW) Norandum Org nr: 559128-9011 (EU) (Development) Trust IT Org nr: 556538-4699 (EU) (IT Operations) Microsoft Sweden 1172 AB AB Org nr: 556952-8150 (EU) (IT and Cloud Services)
How long will personal data be stored	Active accounts are deleted no longer than 8 years after the last activity. Accounts can be deleted before that if the data subject deletes their account themselves.

Newsletters, data collection and cookies

Purposes	APCOA may process your personal data to communicate with you about our newsletter. You have the right to unsubscribe from mailings at any time by notifying us. APCOA Parking ensures that your data will not be passed on to third parties. We use "Cookies" to improve our website. Data relating to the use of our website may be sent to the USA but this is anonymised or pseudonymised by our suppliers. See more information below in "Cookies and website use"
Personal data	Identity data such as IP address. Contact details e.g. email address. Data about your use of our website e.g. which pages you visited, how long you stayed on our website.
Legal basis	a) The data subject has given his/her consent to the processing of his/her personal data for one or more specific purposes. This is done when you consent to our cookies. (Only non-essential Cookies). f) Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. (Applies to necessary cookies) The processing of personal data is necessary to fulfil APCOA's legitimate interest to conduct research and improve, among other things, our website.
Recipients of personal data	Data controller: Apcoa Sverige AB Org nr: 556439-7478 (EU) Data processors: Apcoa Holding Org nr: HRB 726108 (EU) (apcoa.se) Apcoa Norge Org nr: 929292065 (EU) (betala.apcoa.se) Google Sweden AB Org nr: 556656-6880 (EU) (Google analytics) LinkedIn Sweden AB Org.nr: 556846-4969 (EU) (Cookies) Facebook Sweden AB Org.nr: 556762-6782 (EU) (Cookies)
How long will the personal data be stored	Depending on the task, up to 26 months.

Providing services - Short-term parking

Purposes	We may process your personal data to provide short-term parking services. When you park with us, you are entering into a contract and this means that we need to process your personal data in order to identify your vehicle and check whether the parking fee is paid or not.
Personal data	Identity data e.g. name, customer number, registration number, location data. Contact details e.g. address, e-mail address, telephone number. Financial data: invoices, receipts, last four digits of payment cards. Parking data e.g. time and place of parking.
Legal basis	a) The data subject has given his/her consent to the processing of his/her personal data for one or more specific purposes. Localisation via the FLOW app is not necessary, you consent to this by activating location services for the application, you can withdraw your consent at any time by deactivating the function in your mobile phone. b) The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into such a contract. Contract means the contract between the Customer and APCOA when you choose to park with us. f) Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. Applies when the customer and the vehicle owner are not the same person.
Recipients of personal data	Data controller: Apcoa Sverige AB Org nr: 556439-7478 (EU) Data processors: Apcoa Holding Org nr: HRB 726108 (EU) (When paying or using the FLOW app) Flowbird Sverige AB Org nr: 556554-8293 (EU) (When paying via flowbird or cale payment machine) Svea Inkasso AB Org nr: 556214-1423 (EU) (Control of digital permits and handling of control fees and related matters) EasyPark AB Org nr: 556626-7893 (EU) (When paying via EasyPark) Parkster AB Org nr: 556862-5841 (EU) (When paying via Parkster) TypoConsult A/S Org nr: 28505337 (EU) (When paying via ScanPay) Nets Sweden AB Org nr: 556761-4960 (EU) (When paying by card)
How long will the personal data be stored	Data on paid transactions is deleted after 8 years in accordance with the Accounting Act. We save your receipts 6 months after the transaction in order to handle your questions regarding your parking.

Providing services - Long-term parking/contract parking/subscription parking

Purpose of processing	APCOA processes your personal data to provide the Services. You enter into a contract with us when you rent a parking space or car park. We process your personal data in order to fulfil our obligations or enforce our rights under the contract. In cases where APCOA administers contract parking as the property owner's agent or supplier, we process personal data in order to fulfil our contract with the property owner or other party authorised to rent out parking spaces. We may share statistics or other data with the Property Owner and/or the client for the purpose of informing the party about the use of the parking space, administering contracts owned by the Property Owner or where the Property Owner is a party, where we assign the contract to another supplier or in other cases where the Property Owner has the right under the Data Protection Regulation to receive and process such data.
The data	Identity data e.g. name, customer number, social security number, telephone number, registration number. Contact data e.g. address, e-mail address, telephone number. Financial data: Invoices, receipts, accounting records. Contract parking data e.g. rental period, price, parking space details, extra services or other contract specifications. Contract history data including changes to the contract such as customer requests, reasons for termination including customer behaviour towards our employees or others, customer failure to fulfil their obligations or instructions from the Property Owner.
Lawful basis	b) The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into such a contract. Contract means the contract between the Customer and APCOA Sverige AB when the Customer chooses to park with us or the parking contract between the Customer and the Property Owner. f) Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. Applies when the customer and the vehicle owner are not the same person. Balancing of interests: We have balanced our interests and the health and safety of our employees and our financial interests outweigh those of the data subject when the data subject misbehaves and we note that we do not wish to enter into future contractual relationships with the data subject.
Recipients of personal data	Controller: Apcoa Sverige AB Org nr: 556439-7478 (EU) Norandum Org nr: 559128-9011 (EU) (Development) Trust IT Org nr: 556538-4699 (EU) (IT operations) Microsoft Sweden 1172 AB AB Org nr: 556952-8150 (EU) (IT and cloud services)
How long will the personal data be stored	Depending on the task, up to 8 years.

Providing services - Urban Hubs

Purpose	APCOA's Urban Hubs concept aims to offer various services and products at our car parks, such as parcel lockers, electric car charging or vehicle washing. APCOA is only the data controller in some cases, while our suppliers are responsible for the processing of personal data in other cases. We process your personal data when you use our Services in connection with Urban Hubs, such as payment via APCOA FLOW.
Personal data	Identity data e.g. name, customer number, social security number, telephone number, registration number. Contact data e.g. address, e-mail address, telephone number. Financial data: Invoices, receipts, accounting, last four digits from bank cards. Information about the specific service: Time and place, price, number of KW/hour for electric car charging, etc.
Legal basis	b) The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. Contract means the contract between the Customer and APCOA Parking when the Customer uses our Urban Hub services that require the processing of personal data. f) Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. Applies when we produce statistics on which services are used or to what extent.
Recipients of personal data	Data controller: Apcoa Sverige AB Org nr: 556439-7478 (EU) Data processors: Apcoa Holding Org nr: HRB 726108 (EU) (APCOA FLOW) Eways AB Org nr: 556167-9720 (EU) (Electric vehicle charging) Charge Node Europé AB Org nr: 559188-1130 (EU) (Electric vehicle charging) Greenflux Assets B.V. Org nr: 502095-9838 (EU) (Electric vehicle charging)
How long will personal data be stored	Data on paid transactions will be deleted after 8 years in accordance with the Accounting Act.

Providing services - Other services

Purpose	APCOA may modify the range or scope of services or change providers. In such cases, we will update our privacy policy to inform you who may have access to your personal data.
Personal data	Identity data e.g. name, customer number, social security number, telephone number, registration number. Contact data e.g. address, e-mail address, telephone number. Financial data: Invoices, receipts, accounting. Parking data e.g. time and place of parking. Other data specific to other services such as customer number, garage number, key number, IP address, device number etc.
Legal basis	a) The data subject has given consent to the processing of his/her personal data for one or more specific purposes. b) The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. f) The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Recipients of personal data	Controller: Apcoa Sverige AB Org nr: 556439-7478 (EU) Processors: Norandum Org nr: 559128-9011 (EU) (Development) Trust IT Org nr: 556538-4699 (EU) (IT Operations) Microsoft Sweden 1172 AB AB Org nr: 556952-8150 (EU) (IT and Cloud Services) Apcoa Holding Org nr: HRB 726108 (EU) (Development and certain web services) Parakey AB Org nr: 556975-7296 (EU) (Digital key) Accessy AB Orn nr: 559175-7082 (EU) (Digital key) Brobizz A/S Org nr: 31854822 (EU) (Broklubben) Öresundsbro konsortiet Org nr: 946001-3387 (EU) (Broklubben)
How long will the personal data be stored	Depending on the task, up to 8 years.

*Parakey or Accessy can be used instead of physical keys when you rent a garage or car park.

** Broklubben is a new collaboration with Öresundsbron that means lower costs for those who often use some of our parking facilities and travel through the Öresund Bridge. If you choose to become a member of Broklubben, you agree to enter into an agreement with Apcoa Parking. In order to fulfil our part of the agreement, we need to process your personal data such as registration number and information about the time and place of parking. More info can be found below in "Park & Go"

Providing services - Customer service

Purpose of processing	APCOA processes your personal data when you contact us or our customer service, the processing is necessary to answer your questions and provide relevant information.
Types of data	Identity data e.g. name, customer number, social security number, telephone number, registration number. Contact data e.g. address, e-mail address, telephone number. Financial data: Invoices, receipts, accounting. Parking data e.g. time and place of parking.
Legal basis	b) Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. b) Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. (c) processing is necessary for compliance with a legal obligation to which the controller is subject. (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. Applicable when you are not a customer and have questions or concerns.
Recipients of personal data	Data controller: Apcoa Sverige AB Org nr: 556439-7478 (EU) Data processors: Norandum Org nr: 559128-9011 (EU) (Development) Trust IT Org nr: 556538-4699 (EU) (IT operations) Microsoft Sweden 1172 AB AB Org nr: 556952-8150 (EU) (IT, email and cloud services) Apcoa Holding Org nr: HRB 726108 (EU) (Development, APCOA FLOW and some web services) Zendesk Sweden AB Org.No: 559369-0356 (Zendesk Org. USA) (Contact via email, chat, phone or web form. Please note that web chat can be handled by AI agents. Zendesk AI agents have integration with ChatGPT, but the information processed is not stored and is not used to train ChatGPT. Zendesk has robust privacy features that ensure the customer's right to privacy and limited handling of personal data).
How long will the personal data be stored	Customer contact data will be deleted at the latest one year after the last contact with the customer. Customer service cases will be deleted after one year in normal cases and after two years in contract car park rental cases.

Fulfilling legal obligations

Purposes	APCOA Parking will process your personal data in order to fulfil legal obligations that apply to APCOA Parking, e.g. bookkeeping and accounting requirements.
Types of data	Identity data e.g. name, customer number, social security number, telephone number, registration number. Contact data e.g. address, e-mail address, telephone number. Financial data: invoices, receipts, accounting.
Legal basis	c) Processing is necessary for compliance with a legal obligation to which the controller is subject.
Recipients of personal data	Controller: Apcoa Sverige AB Org nr: 556439-7478 (EU) Processors: Navipro AB Org nr: 556553-8898 (EU) (Development) Trust IT Org nr: 556538-4699 (EU) (IT operations) Microsoft Sweden 1172 AB AB Org nr: 556952-8150 (EU) (IT, email and cloud services) Authorities with the power to require documents from us e.g.: Police, Tax authorities, etc.e.g.: Police, Swedish Tax Agency.
How long will the personal data be stored	Personal data is stored for the time necessary for the respective legal obligation.

Establish, exercise and defend legal claims

Purposes	APCOA processes your personal data for the purpose of establishing, exercising and defending legal claims, e.g. in connection with a dispute or legal proceedings. APCOA or our agents may retrieve your personal data from public sources such as vehicle registers for the purpose of exercising our rights.
Personal data	Identity data e.g. name, customer number, social security number, telephone number, registration number. Contact data e.g. address, e-mail address, telephone number. Other data related to the individual case e.g. contract data, inspection fee data, parking offence data. Possible collection of evidence.
Legal basis	c) Processing is necessary for compliance with a legal obligation to which the controller is subject. f) Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. The processing is necessary for the purposes of the legitimate interest pursued by APCOA in the establishment, exercise or defence of legal claims.
Recipients of personal data	Controller: Apcoa Sverige AB Org nr: 556439-7478 (EU) Processors: Svea Inkasso AB Org nr: 556214-1423 (EU) (Handling of control fees and related disputes and cases)
How long will the personal data be stored	Personal data is stored for the time necessary to establish, enforce and defend the legal claim.

Payment and debiting

Purpose	APCOA Parking does not process payment data, transactions are made via banks and payment providers. APCOA may process identification data for the purpose of charging the correct driver, issuing receipts and handling customer service matters. APCOA may also request credit information about the customer in accordance with the Credit Information Act (SFS 1973:1173)
Information	Identity data e.g. name, customer number, social security number, telephone number, registration number. Contact data e.g. address, e-mail address, telephone number. Financial data: Invoices, receipts, accounts, last four digits from bank cards.
Legal basis	b) The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. Contract means the contract between the Customer and APCOA when the Customer chooses to park with us. c) Processing is necessary for compliance with a legal obligation to which the controller is subject. f) Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Recipients of personal data	Controller: Apcoa Sverige AB Org nr: 556439-7478 (EU) Processors: Svea Inkasso AB Org nr: 556214-1423 (EU) (Handling of control fees and related disputes and cases) Svea Bank AB Org nr: 556158-7634 (EU) (Handling of certain payments) *Banks are usually separate controllers.
How long will the personal data be stored	Data on paid transactions will be deleted after 8 years in accordance with the Accounting Act.

Camera surveillance

More info can be found below in "Camera surveillance"

Camera parking

More info below in "Park & Go"

Static

We may use personal data to produce statistics. We transform the data so that it can no longer be linked to you or be considered personal data. We will never share the statistics with unauthorised parties.

Erasure of data

We will delete your personal data in accordance with the information set out above. We may also delete your personal data before when you contact us and use your right to be forgotten. Please note that the request does not mean that all your personal data will be deleted, but that a case-by-case analysis will be made.

Customer records

APCOA may retain information about past customers or past interactions with customers for the purpose of ensuring that APCOA's associates and employees have access to a respectful work environment. Such records may include information about harassment, threats, verbal or physical attacks, and any other interactions that contribute to an inappropriate work environment. APCOA may also retain information about payment history, fraud attempts or rogue behaviour to ensure respectful and professional delivery of our services.

APCOA has balanced its interests and our right to choose reputable customers outweighs the customers' right to rent parking.

Customers are given access to customer records when an extract from the register is requested or if we receive a request for disclosure of records from the customer.

APCOA keeps customer records for a maximum of 8 years for serious offences or offences related to rental agreements, and a maximum of 2 years for less serious offences.

When we or you delete your personal data, including your account in hyra.apcoa.se or APCOA FLOW, it may take up to 72 hours before the data disappears from our systems. After 72 hours, it is no longer possible to recover the data.

Camera parking - Park & Go.

Camera parking Park & Go means that you can park with us and pay in our app, on the website or on site without having to enter your registration number or parking time yourself.
We have chosen to give all our customers a payment deadline of 72 hours. This means that you don't have to worry about parking when you visit a popular tourist destination over the weekend, for example. You can pay at your leisure when you get home.

GDPR assessment

Based on the above measures, Apcoa has applied appropriate technical and organisational measures to ensure that the processing is secure and has a level of security appropriate to the risk represented by the processing. The measures are in accordance with ISO27001 and have been implemented in consultation with Apcoa's Data Protection Officer

Park & Go aims to facilitate our customers by offering a simplified payment solution (read more about Park & Go in https://www.apcoa.se/fastighetsaegare/vaara-tjaenster/park-go/Data on vehicles that have outstanding payments 72 hours after leaving APCOA's car park is sent to Svea Ekonomi AB, which handles all invoicing.

In cases where the camera cannot read the licence plate number, images are sent to countries outside EU/EEA areas for manual correction. We have taken appropriate security measures to ensure your privacy through standard contractual clauses (EU) 2021/914. You have the right to receive, upon request, information about the countries outside the EU/EEA area to which your personal data is transferred and a copy of the safeguards that APCOA has taken to protect your personal data.

Legal basis

Purposes	We may process your personal data for the purpose of identifying our customers who park in our facilities equipped with ANPR technology. We may obtain additional information from vehicle records in the event of unpaid parking charges in order to enforce our right to demand payment. We may use the images as evidence in the event of a dispute to prove that the customer parked with us. In certain circumstances, we may disclose the images to the police or other authorities to assist in investigations or if required by law. We may use and transform the data to produce statistics. This includes using the postcode where the vehicle is registered. Such statistics do not include any personal data.
The data	Images of vehicles entering our car parks. Registration number. Parking details: time, location, tariff, parking period.
Legal basis	b) Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. c) Processing is necessary for compliance with a legal obligation to which the controller is subject. f) Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. Applies when the customer and the vehicle owner are not the same person.
Recipients of personal data	Controller: Apcoa Sverige AB Org nr: 556439-7478 (EU) Processors: Apcoa Holding Org nr: HRB 726108 (EU) (APCOA FLOW) Flowbird Sverige AB Org nr: 556554-8293 (EU) (When paying via flowbird or cale payment machine) TypoConsult A/S Org nr: 28505337 (EU) (When paying via PnD in the Sky) Svea Inkasso AB Org nr: 556214-1423 (EU) (Handling of control fees and related disputes and cases) Riverty Sweden AB. Org nr: 556495-1704 (EU) (Payment by invoice) Trust IT Org nr: 556538-4699 (EU) (IT operations) Norandum Org nr: 559128-9011 (EU) (Development) Apcoa Norge. Org nr: 929292065 (EU) (ANPR technology and operations) Sakhsam Services. Org nr: GSTIN-09ARMPK6916C1ZN (third country) (Manual correction of reg.nr.)
How long will the personal data be stored	Data on paid transactions will be deleted after 8 years in accordance with the Accounting Act. Camera parking images will be deleted 3 months after the transaction has been paid. Registration number will be masked 12 months after the parking has been paid.

Registration

Description of the processing	Identifying vehicles and vehicle registration numbers (VRM) of cars parked at using camera technology. Registration takes place when the customer drives their vehicle in one of our car parks. The registration point is signposted so that the customer is informed in advance that the vehicle will be photographed.
Purpose of the processing	The purpose is to conduct commercial and cost-effective parking enforcement with an increased focus on driver service and parking experience. Through the use of camera technology, it becomes unnecessary for the driver to manually enter their licence plate number or make payments on the spot.
Categories of personal data	The categories of personal data processed are: Cars, licence plate numbers, pictures of people. Parking transaction data (time, place, price, vehicle), as well as registration numbers of stored vehicles.
Recipients of personal data	Controller: Apcoa Sverige AB Org nr: 556439-7478 (EU) Processors: Apcoa Holding Org nr: HRB 726108 (EU) Apcoa Norge Org nr: 929292065 (EU) Hojab Org nr: 556439-7478 (EU) Norandum Org nr: 559128-9011 (EU) Svea Ekonomi Org nr: 556489-2924 (EU) Trust IT Org nr: 556538-4699 (EU) Sakhsam Services Org nr: GSTIN-09ARMPK6916C1ZN (3rd country) Arvato Finance AB Org nr: 556495-1704 (EU)
How long will the personal data be stored	Images of paid transactions are stored for up to 3 months to help manage complaints. Data for a transaction that has been completed is stored for 8 years to fulfil accounting needs. Licence plates are masked after 12 months / expiry of the complaint deadline (whichever comes first). In cases where there are still outstanding claims, e.g. in the event of disputed claims, images and transaction data will be kept unmasked until the case is closed.

Payment via pay.apcoa.se

Description of the processing	The customer can use pay.apcoa.se to retrieve their car registration number up to 72 hours after the car park has ended and pay without any additional fees. If the customer does not pay, we will send an invoice with the invoice fee indicated on the signage.
Purpose of the processing	To enable the customer to pay for their parking after leaving the car park and up to 72 hours after the parking has ended*.
Categories of personal data	Name, telephone number, e-mail address, payment card reference, payment history, including transaction data of the parking (time, place, price, vehicle), as well as registration number of stored vehicles. It is also possible to pay anonymously without creating a user profile. In these cases, only masked payment card information is stored.
Recipients of personal data	Data controller: Apcoa Sverige AB Org nr: 556439-7478 (EU) Data processors: Apcoa Holding Org nr: HRB 726108 (EU) (APCOA FLOW) Apcoa Norge Org nr: 929292065 (EU) Trust IT Org nr: 556538-4699 (EU) (IT operations) Norandum Org nr: 559128-9011 (EU) (Development)
How long will personal data be stored	Images of paid transactions are stored for up to 3 months to help manage complaints. Data of a transaction that has been completed is stored for 8 years to fulfil accounting needs. Licence plates are masked after 12 months / expiry of the complaint deadline (whichever comes first). In cases where there are still outstanding claims, e.g. in the case of disputed claims, images and transaction data will be kept unmasked until the case is closed. Web: Customer history is stored as long as the customer is active. Information on inactive customers is deleted after 10 years, or immediately if the customer actively deletes their own profile via the logged-in interface. *Apcoa does not offer the possibility to search information in all our car parks at the same time, but you as a customer have to choose the car park you have visited. Receipts are only available for the car parks that you have paid for yourself, regardless of whether you have chosen to pay via pay.apcoa.se or in one of our apps. Your parking is only available until you have paid for it and for a maximum of 72 hours. If you pay on site at a machine before leaving the car park, no one can find your parking online. Apcoa has additional measures to strengthen your privacy, such as preventing anyone from bulk searching one or more registration numbers from the same device, a division of the garages that makes it difficult to find a vehicle without knowledge of the vehicle's parking, notification of activation of registration numbers and signage information to the user about our privacy policy before entering the car park. Regular parking with surveillance. This means that you pay on the spot in a machine or one of our apps and no other user can see your parking as they are never available online.

Payment via the bridge club

Description of the processing	We may share personal data with Öresundsbron if you are a member of Broklubben and choose to pay for your parking in connection with your journey via Öresundsbron.
The purpose of the processing	To enable the customer to pay for their parking in connection with payment of the Öresund Bridge. To offer favourable prices and thus constitute marketing.
Categories of personal data	Identification data: Name, customer number, registration number, membership number. Parking data: Time, location, rate, period.
Recipients of personal data	Data controller: Apcoa Sverige AB Org nr: 556439-7478 (EU) Data processors: Brobizz A/S Org nr: 31854822 (EU) Öresundsbro konsortiet Org nr: 946001-3387 (EU) Brobizz and Öresundsbron are only processors under certain conditions, in all other cases they are separate data controllers with their own legal basis in the processing.
How long will the personal data be stored	Data on parking transactions will be deleted after 8 years according to the Accounting Act. Registration number will be deleted 12 months after the parking fee has been paid.

Hotel and reception services and advance booking

Description of the processing	In some of our car parks, it is possible to enter your registration number via kiosk terminals or reception and thus obtain free parking with the Park & Go technology in our facilities. With the same technology, it is also possible to enter your registration number in advance and later ensure that you will find a free parking space when visiting our facilities.
Purpose of the processing	The purpose is to offer different services to certain customers through a registration instead of classic payment.
Categories of personal data	Registration number. Time, price and location of parking.
Recipients of personal data	Controller: Apcoa Sverige AB Org nr: 556439-7478 (EU) Processors: Apcoa Holding Org nr: HRB 726108 (EU) Apcoa Norge Org nr: 929292065 (EU) Trust IT Org nr: 556538-4699 (EU) Norandum Org nr: 559128-9011 (EU)
How long will the personal data be stored	Data for a transaction that has been completed will be retained for 8 years to meet accounting needs. Licence plates will be masked after 12 months/expiry of the complaint deadline (whichever comes first).

Automatic image correction

Description of the processing	We may use machine learning to improve the reading of your licence plate number when you drive into one of our ANPR facilities. We may also use images of your licence plate to improve our automatic correction tool.
Purpose of the processing	The purpose is to minimise the number of misreadings and misdeclarations and to be able to charge the correct driver for their parking.
Categories of personal data	Licence plate number, images of the licence plate or the vehicle.
Recipients of personal data	Recipients of personal data Controller: Apcoa Sverige AB Org nr: 556439-7478 (EU) Processors: Apcoa Holding Org nr: HRB 726108 (EU) Apcoa Norge Org nr: 929292065 (EU) DiDa Datenschmiede GmbH Org nr: HRB 194301 B
How long will the personal data be stored	Images from ANPR will be deleted no later than 3 months after the transaction was paid.

Our Park & Go facilities

Our car parks with ANPR technology include:

Stockholm Central
Stockholm - Kista One
Stockholm - Millenium
Stockholm - Torsplan 1
Gothenburg Central
Gothenburg - Frölunda Torg
Gothenburg - Kallebäcks Terrasser
Gothenburg - P-hus City
Gothenburg - Platinan
Gothenburg - Citygate
Malmö Central
Malmö - Triangeln
Malmö - Turning Torso
Malmö - Emporia
Mölnlycke - Mölnlycke Fabriker
Karlstad - Centralsjukhuset
Karlstad - Mitt i City
Karlstad - Pinassen
Kristianstad - Boulevard
Kolmårdens Zoo
Norrköping - Ankaret
Norrköping - Lyckan
Norrköping - Spiralen
Norrköping - Spiran
Skånes zoo
Skara Summerland
Örebro - Eyra garget
Tosselilla Summerland - Tomelilla
Uddevalla - Gyldenlöwe car park
Järfälla - Väpnaren
Partille - Allum

Partille - Allum slotskullen

Cookies are used

We use so-called "cookies" to enhance the usability of our website and make its use more convenient for you. "Cookies" mean that data may be stored on your computer when you visit our website. You have the option to prevent cookies from being stored on your computer by changing your browser settings, but this will limit your use of our website.

You can read our Cookie Policy and how to change your settings here

Data collection using Google Analytics

Our website uses Google Analytics 4, a web analytics service. Both Google and Google Analytics use so-called "cookies". Google Analytics collects information about your operating system, browser, the previously visited website (referring URL) and the date and time you visited our website. Google analytics 4 decided to no longer save IP address. Information about your use of our website is saved and stored in the EU. Google uses this information to analyse your use of our website, to compile reports on website activity for website operators and to provide other services relating to website activity and internet usage. Google will transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. This use is anonymous or uses pseudonyms. You can find more information about this at Google:www.google.com/intl/se/privacypolicy.html

Data protection regulations for the implementation and use of Google AdSense

The controller has integrated Google AdSense on this website. Google AdSense is an online service that enables the placement of adverts on third-party websites. Google AdSense is based on an algorithm that selects adverts displayed on third-party websites that match the content of the respective third-party website. Google AdSense enables interest-based targeted marketing of internet users, which is carried out by generating individual user profiles.

The operating company of Google AdSense is Alphabet Inc, 1600 Amphitheater Pkwy, Mountain View, CA 94043-1351, USA.

The purpose of the Google AdSense component is to integrate adverts on our website. Google AdSense places a cookie on the information and communication technology system of the person concerned. What cookies are has already been explained above. Setting the cookie enables Alphabet Inc. to analyse the use of our website. Each time one of the individual pages of this website, which is operated by the data controller and on which a Google AdSense component has been integrated, is called up, the Internet browser of the information and communication technology system of the person concerned is automatically activated by the respective Google AdSense component to transmit data to Alphabet Inc. for the purpose of carrying out online marketing and calculating commissions.

The person concerned may at any time, as already described above, prevent the setting of cookies by our website by making a corresponding setting in the Internet browser used and thus permanently object to the setting of cookies. Such a setting of the internet browser used would also prevent Alphabet Inc. from setting a cookie on the information and communication technology system of the person concerned. In addition, a cookie that has already been set by Alphabet Inc. can be deleted at any time via the internet browser or other software programs.

Google AdSense also uses so-called tracking pixels. A tracking pixel is a miniature graphic that is embedded on websites to enable log file recording and log file analysis, which allows a statistical evaluation. Based on the embedded tracking pixel, Alphabet Inc. can see if and when a website was accessed by a data subject and which links were clicked by data subjects. Tracking pixels are used, among other things, to evaluate the flow of visitors to a website.

Personal data and information, including the IP address, necessary for the collection and billing of the advertisements displayed, are transmitted to Alphabet Inc. in the USA via Google AdSense. This personal data is stored and processed in the USA. Alphabet Inc. may pass on this personal data collected via the technical process to third parties. Google AdSense is explained in more detail at the following link www.google.se/intl/sv/adsense/start/.

Data protection regulations for the implementation and use of Google Analytics (with anonymisation function)

The controller has integrated the Google Analytics component (with anonymisation function) on this website. Google Analytics is a web analytics service. Web analytics is the collection, collation and evaluation of data about the behaviour of visitors to websites. A web analytics service collects, among other things, data about the website from which a person came to a website (so-called referrer), which subpages of the website were visited or how often and for how long a subpage was viewed. Web analytics is mainly used to optimise a website and for cost-benefit analysis of internet advertising.

The operator of the Google Analytics component is Google Inc, 1600 Amphitheater Pkwy, Mountain View, CA 94043-1351, USA.

The controller uses the extension "_gat._anonymizeIp" for the web analysis via Google Analytics. With this extension, the IP address of the internet connection of the person concerned is shortened and anonymised by Google if our website is visited from a member state of the European Union or from another state party to the European Economic Area.

The purpose of the Google Analytics component is to analyse visitor flows on our website. Google uses the data and information obtained to, among other things, evaluate the use of our website, compile online reports for us showing the activities on our website and provide other services related to the use of our website.

Google Analytics places a cookie on the information technology system of the person concerned. What cookies are has already been explained above. By setting the cookie, Google can analyse the use of our website. Each time one of the individual pages of this website, which is operated by the controller and on which a Google Analytics component has been integrated, is called up, the Internet browser on the information technology system of the person concerned is automatically activated by the respective Google Analytics component to transmit data to Google for online analysis. As part of this technical process, Google becomes aware of personal data, such as the IP address of the person concerned, which Google uses, among other things,

The cookie is used to store personal information, such as the access time, the location from which the access was made and the frequency of visits to our website by the person concerned. Each time you visit our website, this personal data, including the IP address of the internet connection used by the person concerned, is transmitted to Google in the USA. This personal data is stored by Google in the USA. Google may pass on this personal data collected through the technical process to third parties.

The data subject may at any time, by making a corresponding setting in the browser used, prevent our website from placing cookies and thus permanently oppose the setting of cookies, as already described above. Such a setting of the browser used would also prevent Google from placing a cookie on the information technology system of the data subject. Furthermore, a cookie already placed by Google Analytics can be deleted at any time via the browser or other software.

Furthermore, the data subject has the possibility to object to and prevent the collection of data generated by Google Analytics in connection with the use of this website and the processing of this data by Google. To do this, the data subject must download and install a browser add-on via the link tools.google.com/dlpage/gaoptoutdownload. This browser add-on informs Google Analytics via JavaScript that no data and information about website visits may be transmitted to Google Analytics. The installation of the browser extension is considered by Google as a contradiction. If the data subject's information technology system is subsequently deleted, formatted or reinstalled, the data subject must reinstall the browser add-on to disable Google Analytics. If the browser add-on is uninstalled or deactivated by the data subject or another person who can be attributed to their sphere of influence, the option to reinstall or activate the browser add-on is available.

Further information and Google's current data protection policy can be found at www.google.se/intl/sv/policies/privacy/ and at www.google.com/analytics/terms/se.html. Google Analytics is explained in more detail at this link www.google.se/intl/sv_se/analytics/.

Data protection regulations for the implementation and use of Google Remarketing

The controller has integrated Google Remarketing services on this website. Google Remarketing is a feature of Google AdWords that allows a company to show adverts to internet users who have previously visited its website. The integration of Google Remarketing allows a company to create ads that are tailored to the interests of the user and thereby show interest-based ads to the internet user.

The operator of the Google Remarketing services is Google Inc, 1600 Amphitheater Pkwy, Mountain View, CA 94043-1351, USA.

The purpose of Google Remarketing is to show interest-based advertising. Google Remarketing enables us to display adverts via the Google advertising network or have them displayed on other websites, tailored to the individual needs and interests of internet users.

Google Remarketing places a cookie on the information technology system of the data subject. What cookies are has already been explained above. By placing the cookie, Google can recognise the visitor to our website if he or she subsequently visits websites that are also members of the Google advertising network. Each time a website is visited on which the Google Remarketing service has been integrated, the internet browser of the data subject automatically recognises itself to Google. As part of this technical process, Google becomes aware of personal data, such as the IP address or the user's browsing behaviour, which Google uses, among other things, to display interest-based advertising.

The cookie is used to store personal information, such as the web pages visited by the data subject. Therefore, personal data, including the IP address of the data subject's internet connection, is transmitted to Google in the USA each time our website is visited. This personal data is stored by Google in the USA. Google may pass on this personal data collected via the technical process to third parties.

The data subject may at any time, by making a corresponding setting in the browser used, prevent our website from placing cookies and thus permanently oppose the setting of cookies, as already described above. Such a setting of the browser used would also prevent Google from placing a cookie on the information technology system of the data subject. Furthermore, a cookie already placed by Google Remarketing can be deleted at any time via the browser or other software.

Furthermore, the data subject has the possibility to object to interest-based advertising by Google. To do this, the data subject must open the link www.google.se/settings/adsfrom each of the browsers used and make the desired settings there.

Further information and the applicable Google data protection regulations can be found at www.google.se/intl/sv/policies/privacy/.

Data protection regulations for the implementation and use of Google AdWords

The controller has integrated Google AdWords on this website. Google AdWords is an internet advertising service that allows advertisers to place adverts both in Google search results and in the Google advertising network. Google AdWords allows an advertiser to predefine certain keywords that will be used to display an advert in Google search results only when the user uses the search engine to retrieve a search result related to the keyword. In the Google ad network, the adverts are distributed to websites relevant to the topic using an automatic algorithm and taking into account the previously defined keywords.

The operator of the Google AdWords services is Google Inc, 1600 Amphitheater Pkwy, Mountain View, CA 94043-1351, USA.

The purpose of Google AdWords is to promote our website by displaying interest-based advertising on the websites of third-party companies and in the search results of the Google search engine, as well as to display third-party adverts on our website.

If a person accesses our website via a Google advert, a so-called conversion cookie is stored on the IT system of the person concerned by Google. What cookies are has already been explained above. A conversion cookie expires after thirty days and is not used to identify the person concerned. If the cookie has not expired, the conversion cookie is used to determine whether certain underlying pages, such as the shopping basket of an online shopping system, were visited on our website. The conversion cookie enables both us and Google to understand whether a person who came to our website via an AdWords advert generated revenue, i.e. completed or cancelled a purchase. The data and information collected through the use of the conversion cookie is used by Google to create visitor statistics for our website. In turn, we use these visitor statistics to determine the total number of users who were referred to us via AdWords ads, i.e. to determine the success or failure of the AdWords ad in question and to optimise our AdWords ads in the future. Neither our company nor other Google AdWords advertisers receive information from Google that could be used to identify the person concerned.

The conversion cookie is used to store personal information, such as the website visited by the person concerned. Therefore, every time you visit our website, personal data, including the IP address of the internet connection used by the person concerned, is transmitted to Google in the USA. This personal data is stored by Google in the USA. Google may pass on this personal data collected via the technical process to third parties.

The person concerned may at any time prevent the setting of cookies by our website, as already described above, by making a corresponding setting in the browser used and thus permanently object to the setting of cookies. Such a setting of the browser used would also prevent Google from setting a conversion cookie on the IT system of the person concerned. In addition, a cookie already set by Google AdWords can be deleted at any time via the browser or other software.

In addition, the data subject has the possibility to object to interest-based advertising by Google. To do this, the person concerned must open the link www.google.se/settings/adsfrom each of the browsers used and make the desired settings there.

Further information and the applicable Google data protection regulations can be found at www.google.se/intl/se/policies/privacy/.

Data protection regulations for the implementation and application of Instagram

The controller has integrated components of the Instagram service on this website. Instagram is a service that qualifies as an audiovisual platform and enables users to share photos and videos as well as to forward such data to other social networks.

The operating company for the Instagram services is Instagram LLC, 1 Hacker Way, Building 14 First Floor, Menlo Park, CA, USA.

Each time one of the individual pages of this website, which is operated by the controller and on which an Instagram component (Insta button) has been integrated, is called up, the Internet browser of the information technology system of the person concerned is automatically activated by the respective Instagram component, causing a representation of the corresponding component to be downloaded from Instagram. As part of this technical process, Instagram is informed which specific sub-page of our website is visited by the person concerned.

If the person concerned is logged into Instagram at the same time, Instagram recognises which specific sub-page the person concerned visits each time the person concerned calls up our website and throughout the stay on our website. This information is collected by the Instagram component and assigned by Instagram to the respective Instagram account of the person concerned. If the data subject clicks on any of the Instagram buttons integrated on our website, the data and information thus transmitted are assigned to the personal Instagram user account of the data subject and stored and processed by Instagram.

Instagram always receives information via the Instagram component that the data subject has visited our website if the data subject is logged into Instagram at the same time as they access our website; this happens regardless of whether the data subject clicks on the Instagram component or not. If the data subject does not want this information to be transferred to Instagram, they can prevent the transfer by logging out of their Instagram account before accessing our website.

Further information and the applicable data protection regulations for Instagram can be found at help.instagram.com/155833707900388 and www.instagram.com/about/legal/privacy/.

Data protection regulations for the implementation and use of LinkedIn

The controller has integrated components from LinkedIn Corporation on this website. LinkedIn is an internet-based social network that enables users to connect with existing business contacts and create new business contacts. Over 400 million registered people use LinkedIn in over 200 countries. LinkedIn is currently the largest platform for business connections and one of the most visited websites in the world.LinkedIn is operated by LinkedIn Corporation, 2029 Stierlin Court Mountain View, CA 94043, USA.LinkedIn Ireland, Privacy Policy Issues, Wilton Plaza, Wilton Place, Dublin 2, Ireland, is responsible for data protection issues outside the United States. Each time our website, which is equipped with a LinkedIn component (LinkedIn plug-in), is called up, this component causes the browser used by the person concerned to download a corresponding representation of the LinkedIn component. More information about LinkedIn plug-ins can be found at developer.linkedin.com/plugins. As part of this technical process, LinkedIn is informed which specific subpage of our website is visited by the data subject.

If the data subject is logged in to LinkedIn at the same time, LinkedIn recognises which specific subpage of our website is visited by the data subject each time the data subject calls up our website and throughout the data subject's stay on our website. This information is collected by the LinkedIn component and assigned to the respective LinkedIn account of the person concerned by LinkedIn. If the data subject clicks on a LinkedIn button integrated on our website, LinkedIn assigns this information to the data subject's personal LinkedIn user account and saves this personal data.

LinkedIn always receives information via the LinkedIn component that the data subject has visited our website if the data subject is logged into LinkedIn at the same time as they access our website; this happens regardless of whether the data subject clicks on the LinkedIn component or not. If the data subject does not want this information to be transmitted to LinkedIn, they can prevent the transmission by logging out of their LinkedIn account before accessing our website.

LinkedIn offers at www.linkedin.com/psettings/guest-controls the possibility to unsubscribe from emails, SMS messages and targeted ads as well as manage ad preferences. LinkedIn also uses partners such as Quantcast, Google Analytics, BlueKai, DoubleClick, Nielsen, Comscore, Eloqua and Lotame who may set cookies. Such cookies can be rejected at www.linkedin.com/legal/cookie-policy. LinkedIn applicable data protection regulations are available at www.linkedin.com/legal/privacy-policy.LinkedIn Cookie Policy is available at. www.linkedin.com/legal/cookie-policy.

You as a data subject, i.e. the person whose personal data is being processed, have a number of rights under the GDPR. As data controllers, APCOA has a responsibility to have procedures in place to deal with requests to exercise these rights when someone requests it.

Right to information

You have the right to be informed when your personal data is being processed. Information about the processing of personal data shall be provided by us as data controllers both when the data is collected and when you otherwise request it.

In addition, there are certain occasions when specific information must be provided to you, for example if there is a data breach or similar (a personal data incident) with us as data controllers and there is a risk of, for example, identity theft or fraud.

The information must be provided to you free of charge, in an easily accessible written form (which may be in electronic form) and in clear and plain language.

Among other things, you have the right to know

the purposes for which personal data will be processed

the legal basis for the processing

how long personal data will be stored

who will have access to the personal data

data subjects' rights under the GDPR

whether personal data will be transferred to a so-called third country (country outside the EU/EEA)

that you can lodge a complaint with IMY

that you can withdraw consent, if you have given it

the contact details of us and of our Data Protection Officer.

Right of access

You have the right to contact us as data controllers to find out whether or not your personal data is being processed. If your personal data is being processed, we must provide you with a copy of the data and provide information on, among other things

the categories of personal data being processed

what the personal data is used for

how long the data will be kept

who the personal data has been shared with

where the data comes from.

The right to receive a copy of your personal data does not mean that we always have to disclose the document containing the personal data. Often it may be sufficient to provide you with an intelligible summary of all the personal data contained in the document or otherwise being processed. The summary should be designed to enable you to check the accuracy and lawfulness of the data.

There may be circumstances in which information should not be disclosed, for example because of the provisions of other legislation or because disclosure of the information would be detrimental to others.

In some cases, as data controllers, we may also refuse to provide a copy of the data, for example if you make so-called unfounded or unreasonable requests, such as requesting access several times in a short period of time.

Right to rectification

You have the right to contact us as data controllers and ask for incorrect data to be rectified. This also means that you have the right to supplement with missing personal data that is relevant to the purpose of the personal data processing. The fact that we, as data controllers, must also ensure that the data is accurate and up to date is already clear from the basic principles of the GDPR.

If data is rectified at your request, we as controllers must inform those to whom they have disclosed data of the rectification. However, this does not apply if it would prove impossible or involve excessive effort. You also have the right to request information on to whom data has been disclosed.

Right to erasure

You have the right to contact us as data controllers and ask for your data to be deleted.

The data must be deleted in the following cases

if the data is no longer needed for the purposes for which it was collected

if the processing is based on your consent and you withdraw that consent

if the processing is for direct marketing purposes and you object to the processing

if you object to personal data processing that is carried out in the exercise of official authority or following a balancing of interests and there are no legitimate grounds that override your interest

if the personal data has been processed unlawfully

erasure is necessary to comply with a legal obligation

if the personal data relates to a child and has been collected in the context of the child creating a profile on a social network.

If data is deleted at your request, we must also inform those to whom it has been disclosed of the deletion. However, this does not apply if it would prove impossible or involve excessive effort.

When personal data has been published or otherwise made public (in a social network, an internet forum or on a website), it is not always sufficient to delete it there. In these situations, the publisher must also take reasonable steps to inform other data processors of the data subject's request so that copies or links to the data are also removed.

There are exceptions to the right to erasure and the obligation to inform others if it is necessary to fulfil other important rights such as the right to freedom of expression and information, to comply with a legal obligation, to perform a task carried out in the public interest or in the exercise of official authority.

Right to restriction of processing

In certain cases, you have the right to request that the processing of your personal data be restricted. Restriction means that the data is marked so that it can only be processed for certain limited purposes in the future.

The right to restriction applies, among other things, when you consider the data to be inaccurate and have requested rectification. In such cases, you can also request that the processing of the data be restricted while the accuracy of the data is being investigated.

When the restriction ends, we as data controllers will inform you of this.

Right to object

You have the right to object to our processing of your personal data.

The right to object applies when personal data is processed for the performance of a task carried out in the public interest, in the exercise of official authority or following a balancing of interests.

If you object to the processing in such cases, we as data controllers may only continue to process the data if it can be demonstrated that there are compelling legitimate grounds for the processing which override your interests, rights and freedoms, or if the processing is carried out for the establishment, exercise or defence of legal claims.

You always have the right to object to the use of your personal data for direct marketing purposes. Such an objection can be made at any time. If you object to direct marketing, your personal data may no longer be processed for such purposes.

Specific rules apply to personal data processed for scientific and historical research purposes or statistical purposes.

Right to data portability

In certain cases, you have the right to obtain and use your personal data elsewhere. As data controllers, we are obliged to facilitate such a transfer of personal data. A prerequisite is that we as data controllers process the personal data on the basis of the data subject's consent or to fulfil a contract.

This only applies to personal data that you as a data subject have provided yourself.

Automated decisions

You have the right not to be subject to a decision based solely on any form of automated decision-making, including profiling, where that decision is likely to produce legal effects or similarly significantly affect you.

Automated decision-making can be, for example, an automated rejection of an online credit application or a rejection of an online recruitment without personal contact.

Automated decision-making may be allowed if it is necessary for the conclusion or performance of a contract between the data subject and the controller or if the data subject has given his or her explicit consent. It may also be authorised by specific legislation.

The controller must inform the data subjects that automated decision-making is used in accordance with the general information obligation of the Regulation.

Automated decisions can be taken with or without profiling. Conversely, profiling can be used without leading to an automated decision. Profiling means any form of automated processing of personal data whereby the data are used to evaluate certain personal aspects relating to an individual, in particular to analyse or predict that individual's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Profiling is a processing of personal data that must comply with all the provisions of the GDPR

Facilitating the data subject

As a data controller, we have an obligation to facilitate data subjects in exercising their rights under the GDPR. This can be done, for example, through clear information on our website and otherwise by providing user-friendly communication channels through which a data subject can make a request in an efficient manner. Identification

We need to be able to identify that it is actually you making the request to ensure compliance with security measures and to minimise the risk of unauthorised disclosure of personal data.

If there are reasonable grounds to doubt your identity when you submit a request to exercise a right, we may request additional information necessary to enable identification. However, we may not collect more information than is necessary.

Time limits

As data controllers, we will deal with a request as quickly as possible, but we must act on the request within one month of receiving it.

The deadline may be extended by two months if necessary. In this case, we as controllers must inform you of the extension and the reason for the delay within one month of receiving the request. This means that the information you have requested must be provided no later than three months from receipt of the request.

Events that may justify an extension are, for example, if the request is complex or if we, as controllers, have received many requests at the same time.

What does one month mean?

The time limit starts on the day we as controllers receive the request. The deadline ends on the same date the following month.

If the end date is a Saturday, Sunday or public holiday, the deadline is extended to the next working day.

If the end date does not exist because the next month has fewer days, the end date will be the last day of the next month.

Compensation for damages

An individual who has suffered damage because his or her personal data has been processed in breach of the GDPR may be entitled to compensation from the controller or controllers involved in the processing.

A processor may also be liable for damages if the processor has breached the provisions specifically aimed at processors or has processed data contrary to the controller's instructions.

As a data subject, you can claim damages from us as data controllers or our processors or bring an action for damages in court.

Anyone who has suffered damage is in principle entitled to receive compensation for the entire damage from either the controller or the processor. They may then in turn settle this between themselves. However, a controller or processor is not obliged to pay compensation if they can prove that they are not in any way responsible for the damage.

Can we claim by regular mail?

To make it easier for you to make a rights request, it is also important to consider how we can collect additional information. For example, if we already use digital channels where your identity can be verified, data subjects should be able to use the same channel to make a rights request. If in such a situation you are instead directed to more cumbersome means of making a request, for example by regular mail for rights requests but not for other customer matters, it is questionable whether we have fulfilled the requirement to facilitate the exercise of the data subject's rights. Such an exception could be, for example, that it is necessary for security reasons. However, the starting point should be that we should offer alternative ways to submit the data.

Description of the processing	Cameras are used for extra security against theft in and from cars.
The purpose of the processing	Increase the security of those in the car park, both customers and staff. Detect and secure evidence in the event of vandalism At the request of the police, assist with image material in their investigations into crimes.
Categories of personal data	The categories of personal data processed are: Cars, licence plate numbers, pictures of people.
Recipients of personal data	Data controller: Apcoa Sverige AB Org nr: 556439-7478 (EU) Data processors: Verified Security Nordic AB Org nr: 556837-9514 (EU)
How long will the personal data be stored	14 days

The privacy policy

We care about your privacy. Read how we collect and protect your personal data in our privacy policy

Privacy policy

Definitions

Collection of personal data

Recipients of user data

Processing of personal data

Park & Go

Camera surveillance

Cookies and website use

Processing of sensitive data.

Use of personal data for other purposes

Your rights

More about your rights

Provisions on confidentiality.

Contact details

Amendment to the APCOA Privacy Policy

A podcast says that Apcoa is in breach of GDPR, is this true?