General Data Protection Regulation (GDPR) Policy

General Data Protection Regulation (GDPR) Policy

 

This Policy governs the processing of personal data collected from visitors and/or users through the www.parkpay.world website and/or the ParkPay online application (hereinafter referred to as the Platform or ParkPay), but also through our social media accounts (Facebook, LinkedIn etc).

The data controller is ParkPay SRL, based in 169A Calea Floreasca, Building A, 4th Floor, Sector 1, Bucharest, Romania, registered at the Trade Register with no. J40/12909/2012, CUI (tax identification code): 30869952 (hereinafter referred to as the controller, ParkPay, we or our).

The person responsible for the protection of personal data can be contacted at the following contact details: email: gdpr@parkpay.world.

The processing of personal data for natural persons is mainly regulated in the EU Regulation no. 679/2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (GDPR) - the official text can be consulted on https://eur-lex.europa.eu/.

The terms used in this Policy have the meaning defined in the GDPR.

I. CATEGORIES OF PERSONAL DATA CONCERNED. THEIR SOURCE OF ORIGIN. OBLIGATION TO PROVIDE DATA (if applicable)

According to the Terms and Conditions, you must be at least 18 years old to be able to use the Platform. Therefore, we do not want to collect or process data of persons who are under the age of 18. Moreover, we do not collect and process sensitive data, as provided by the GDPR, and please do not send us such data, either through the contact form, email, messages or in any other way.

Types of processed data:

  • profile data, such as: name, first name, email, password; optional: telephone, photo (when logged via Facebook), gender, country.

We receive these data from the user when they create the account by choosing the New Account option or when they modify or insert additional profile data. The password is encrypted, we do not have access to it.

The user must provide us with these data (except the optional ones) in order to create the account and use the services offered by ParkPay. Without providing such data, the user shall not be able to use the services offered by the Platform.

The optional data enhance the user experience; they are not mandatory.

These data can be changed at any time from the account settings.

If the user chooses to create the account using the data from their Facebook account, by activating the Continue with Facebook button, it should be kept in mind that:

Facebook is a social network, having as data controller Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, www.facebook.com.

If you choose this option, you shall be redirected to a Facebook page, where this controller may request various permissions. If and after you grant permissions, depending on your own options, your Facebook profile shall connect to the ParkPay Platform. Thereby, you shall be able to login to our Platform using the data already registered in your Facebook account, without having to enter other data.

Signing in by using your existing Facebook account shall allow us to view the data you have entered in your Facebook profile (including, for example, public profile, profile picture). From these data we shall use, for identification purposes, only the first and last name, the email address and the profile picture. These data (with the exception of the profile picture) are required to create the user account and to use the ParkPay Platform. In the absence of these necessary data, you cannot use our Platform (you can opt for Create a new account).

Please keep in mind that when connecting with Facebook, the device type, its operating system, language, time zone, resolution, application version, location of your time zone (depending on the country) will automatically be transmitted to Facebook.

We recommend that you carefully read the Facebook Privacy Policy (https://www.facebook.com/privacy/explanation) before continuing to authenticate via Facebook.

Please access the Continue with Facebook button only if you agree with the above.

If you do not agree, you can create your account by accessing the Create New Account field.

  • account data, such as: vehicle license plate, billing data, subscription data (if applicable), account opening/account changes date, the options expressed by the user.

We receive some of these data from the user when the account is created or when the data in the account is modified or supplemented. The rest of the data is generated by the Platform based on the use of the services provided.

The car license plate is required to be able to access the parking spaces using the ParkPay Platform. Without it, you can partially use the Platform, for example, only to find out information about a specific parking lot or to navigate to a parking lot (if you have the device location option enabled).

The billing data is required in order to generate the invoice for the services or products purchased through the Platform. In their absence, the invoice is issued on the user’s behalf. The invoice is delivered to the email address registered in the user account.

The subscription data is required if you want to make a subscription in a parking space through the ParkPay Platform. If you do not provide this data, you shall not be able to purchase the desired subscription.

  • bank card data: we process these data to a limited extent in the following way:

The user registes the bank card data directly in the independent, secure platform, offered by the payment service processor we collaborate with, namely by PayU S.A. with the registered office in Poznań, 60-166 Poznań, at ul. Grunwaldzka 186, Poland.

It holds the PCI DSS certification (Payment Card Industry - Data Security Standard - mandatory standards for storing and viewing sensitive card information).

The data required by the payment processor with which we collaborate include, as a rule: card number and holder, card expiration date and CVC/CVV2 code.

The payment service provider independently processes the data you have entered in the secure platform. Details on how the secure platform processes these data can be found at https://corporate.payu.com/payu-privacy-policy.

In order to be able to verify the payments, we receive from the payment processor: the last four digits of the bank card number, its expiration date, the card status data (stolen, expired etc.) and the name of the card issuing processing company (e.g. Visa/Mastercard).

These data are automatically filled in the user account within the Platform.

  • data about the device used: location data of the device on which the Platform is used, the unique type and number of identification of the device (IP), the operating system used, the preferred language on the device.

The location data are collected when you have the ParkPay Platform open and you have activated the geolocation service on the device used for this purpose. These data are required to be able to use the navigation service for the desired parking space. If you do not allow us access to the location data, you shall still be able to use the Platform, for example to access a parking space (if you have an open account and completed car and payment data), but you shall not benefit from the navigation service to it.

The other data are collected each time you access or use the Platform. You can always change your preferred language data in your account settings, depending on your choice.

  • services use data: parking history (license plate, parking location, duration and time intervals when the car was in the parking lot), the cost associated with the services used through ParkPay, related invoices, information about promotions or special situations for the user ( such as subscriptions or gratuity situations).

The data related to the parking history are collected from the surveillance cameras from the entrance to/exit from the parking spaces that you access by using the Platform. The platform shall generate the organization of these data.

The data regarding the cost of the services used, including the related invoices, are generated by the Platform based on the rates established by each parking space and on the parking times.

The data regarding promotions or special situations for the users are either received from the administrators of the Parking spaces or generated by the Platform.

  • payment data, such as: payments made, (possibly) data on non-availability on the bank card associated with the account, payment status data, card status data (stolen, expired etc).

These data are collected from the secure platform of the payment processor.

  • data from communications, such as: site contact form, chat, Facebook/LinkedIn messaging, notifications/complaints, support demands, various requests, communications transmitted by users, ratings, recommendations received from users. Such communications may contain various personal data, such as: name, address, email, telephone, message data.

We receive these data when we are sent messages through the contact form or the chat on the www.parkpay.world website, through Facebook or LinkedIn messaging or when we are sent various requests or other communications, in writing or by telephone at any of our contact details (including call center).

Transmission of identification data (name) and contact information (address, email, telephone) is necessary in order to register the request, to make the necessary checks, to respond to communications (as appropriate), and in some cases, to make the person identification. Without it, we may not be able to respond properly to the request. In the contact form, the transmission of the telephone number is optional.

When you contact us via Facebook/LinkedIn messaging, we can view the data that is public on your profile from the corresponding social network (for example, name, contact details, profile picture etc.). From these data we can use, as appropriate, the first and last name, the contact details, in order to respond to the submitted request.

Please keep in mind that these social networks process in turn the content of the messages transmitted by these means. Please read carefully the Policy for the use of data specific to these networks, namely Facebook (https://www.facebook.com/privacy/explanation) and LinkedIn (https://www.linkedin.com/legal/privacy-policy), before contacting us through the dedicated messaging of these social networks.

Moreover, depending on the type of communication, it is possible that the provision of certain data by you shall be precisely a legal obligation.

  • data on the use and operation of the Platform, such as: cases where the Platform or other systems (e.g. Internet) are not working properly, date and duration of your access to the Platform, the type of browser used and related information (such as browser settings), the pages viewed on the Platform and the view duration, third-party sites or services you have used before interacting with our services.

We collect these data when you use the Platform, including through cookies or other similar means.

  • cookies and similar technologies: we can store and collect information through cookies and similar technologies on the website.

Details about these technologies, how we use this information and how you can block or delete cookies can be found in the Cookie Policy.

  • Third-party personal data

If the data provided (for example, a license plate, bank card) belong to or are used by persons other than the user (for example, when the car has a different owner than the user), before submitting this data, make sure that you legally own those data, that you have the right to send them to us and that you have correctly and completely informed the person concerned that you have transmitted their data to us and for what purpose. For example, it is your responsibility, before submitting the data,  to inform the person whose data you send to us about the fact that you are further transmitting those data, about the content of this Data Processing Policy and to obtain prior and informed consent of the person concerned in this regard. 

In order to fully and correctly ensure the protection of your personal data, please keep in mind that WHEN YOU DO NOT USE DIRECTLY (even if only temporarily) a car registered in your account, YOU MUST inform the actual user of the car completely, correctly and in advance about the fact that, as long as the account to which the car is associated is active, the parking history is registered and can be viewed only by you, as an account holder. YOU MUST make sure that the (temporary) user of the car is aware of, understands and agrees with these aspects and the ParkPay Terms and Conditions BEFORE accessing a parking lot using the services provided by the ParkPay Platform. BY REGISTERING AN ACCOUNT ON THE PARKPAY PLATFORM, YOU THEREBY DECLARE THAT YOU FULLY AND CONTINUALLY COMPLY WITH THESE REQUIREMENTS.

When we collect third-party data that you provide us with, we expect you to fully meet the above requirements. Moreover, we expect you to provide us with accurate, complete and precise information, but also limited to the intended purpose.

Given these premises, but also the fact that we do not have a direct relationship with such persons, we shall not inform them separately. We base this conduct on the provisions of art. 14 paragraph 5 lit. a of the GDPR which exempts the controller from the obligation to inform the individual, in case the person concerned already has the necessary information.

Since it is very important for us to comply with the data protection requirements, please do not provide us with third-party data for which you have not fulfilled the obligations and requirements mentioned above.

Data Update

It is very important that the data we process about you are accurate and correct. Please check your account data periodically and change such data if you notice errors or if they have changed. We shall send you periodic notifications to remind you to update your data.  

II. PURPOSE AND LEGAL GROUNDS FOR THE PROCESSING

Your personal data shall be used for the following purposes:

2.1 Offering and providing to the user the services offered by the Platform

We use the data collected to be able to offer and, subsequently, provide the services we make available to you through the Platform, in compliance with the contractual conditions. Therefore, we use the data for purposes such as:

  • creating, updating and managing the user account
  • identity verification
  • ensuring the navigation service to the desired parking
  • facilitating access, namely access to/out of the desired parking
  • calculating the parking time, parking fees billing
  • subscription purchase, subscription billing
  • transmission of invoices and collection of fees
  • payment of the parking costs to the administrators of the parking spaces
  • transmission of various information about the services used through the Platform and the status of the payment, by email or telephone  
  • blocking the use of services in case of unpaid services
  • solving any problems related to the use of the Platform, such as about the services used, related payments, the operating mode of the Platform etc.
  • closing the user account
  • providing support services, including giving answers to requests or questions regarding the services provided through the Platform
  • conducting internal technical operations necessary to provide the services, such as monitoring and analyzing the operation and use of the Platform, operational tests, interventions and service in case of operational problems
  • for the purpose of registering payments, calculating, reporting, paying related duties and taxes, for archiving related documents and for various other fiscal matters.

The processing of data for the purposes mentioned above is, in most cases, necessary for the conclusion and execution of the contract between you and ParkPay. In addition, certain processing subsumed for these purposes are required by the obligations under the law, including tax, accounting and archiving legislation.

We rely the processing of location data and optional data (such as telephone, gender, photo) on your prior consent. Sending notifications over the phone is also based on your prior consent. You do not have to give us this consent! You can use the services provided by the Platform, even if you do not agree to have these data processed. Details on how you can express or withdraw your consent and on the consequences of such  withdrawal can be found in Section V below.

The lack of consent may either affect the operation of the services (you shall no longer be able to navigate with us to the desired parking space) or the user experience shall be less enjoyable (for example, you shall no longer receive telephone notifications about the services used).

2.2 Customer Support

We use personal data received through the contact form, via chat, Facebook/LinkedIn messaging, collected by telephone (including call center), received at the contact email addresses or by any other forms of communications/notifications/petitions, in order to assist you regarding the issues for which you contact us, assistance which may include, as appropriate:

  • analyzing and solving the formulated issues
  • transmission and investigation of the issues reported to/by the responsible persons
  • sending a response to the contact details provided  
  • monitoring and analyzing the customer support activity in order to improve the services offered.

We rely these processes either on the need to take the necessary steps at the request of the data subject to sign a contract, or on our legitimate interest to carry out our activity under the best cirsumstances, providing support to our users, and to develop the commercial activity, ensuring that all the measures we take guarantee a balance between our interests and your fundamental rights and freedoms.

Depending on the specific situation, certain processing may be imposed by the obligations which we have under the law, such as the obligation to respond to requests regarding personal data.

2.3 Marketing Activities

We would like to send you periodically marketing communications about the new services we offer through the Platform, but also about promotions or other offers that might interest you. Therefore, we could send you various messages, via email or SMS, including in the form of a newsletter, containing information about services similar or complementary to the ones you have used, completely new services compared to those used, offers or promotions and other commercial communications aimed at our commercial activity, such as market research and opinion surveys.

We rely the transmission of marketing communications on your prior consent. You do not have to give us this consent!

You can use the services provided by the Platform even if you do not agree to have any marketing communications sent to. Details on how you can express or withdraw your consent and on the consequences of such withdrawal can be found in Section V below. 

2.4 Safety and Security

We use some of the data collected to ensure and maintain the security and integrity of the Platform and your user data. Therefore, we use the data collected on, for example, the device used, profile data or other information in order to:

  • prevent and detect fraud, theft/loss/data deletion, unauthorized access and/or use, inappropriate behavior and such on the Platform, devices, systems and computer networks, software programs, databases, servers, emails and in general on the assets and means used by ParkPay to provide the services through the Platform
  • limit or eliminate their effects
  • analyze, synthesize and, where appropriate, report such incidents to the competent authorities.

In some cases, such incidents may result in the use of the Platform being blocked.

We rely such processing mainly on our legitimate interest to conduct our business under the best circumstances and to protect our business and commercial interests, including those carried out through the Platform, ensuring that all the measures we take guarantee a balance between our interests and your fundamental rights and freedoms.

Depending on the specific situation, we may rely our data processing for this purpose, to the extent necessary, including on the legitimate interest of other people, when frauds may affect the data of users or of other parties (for example, service providers), or on various legal obligations such as the obligation to report to the authorities theft, fraud or security incidents or to take other measures to prevent or detect fraud.

2.5 Analysis and Improvement of Services Offered

We want to offer you the best experience of using the Platform and the services offered through it. For this purpose, we may collect and use certain information, especially in relation to how users use the Platform, in order to analyze the functioning of the Platform, its improvement and the services provided, with the purpose of developing new functionalities.

We rely these activities on our legitimate interest to conduct and develop our commercial activities, always making sure that your fundamental rights and freedoms shall not be affected.

In the case of cookies and similar means used on our website, we rely our processing on your prior consent (except for cookies that are strictly necessary for the operation of the website). Details on how you can express your consent, block or delete cookies can be found in the Cookie Policy

The lack of consent may either affect the operation of the services (you shall no longer be able to navigate with us to the desired parking space), or it may cause  a less enjoyable user experience.

2.6 Fulfillment of Our Legal Obligations 

We process the collected data, to the extent necessary, including to comply with various legal requirements that are applicable to us, obligations that may include, as appropriate:

  • issuing, registering and archiving of invoices;
  • calculating, reporting, paying related duties and taxes and for various other fiscal matters;
  • archiving related documents;
  • keeping the records required by law;
  • registering and archiving user agreements;
  • providing data to the Romanian authorities upon request or when required by law;
  • providing data to users, upon request or in cases established by law etc.

We rely these processes on the need to comply with the legal obligations that apply to us.

2.7 Conduct of Legal Procedures

We can also process a series of data, depending on the specific situation, in order to:

  • analyze and resolve requests, notifications, complaints, disputes regarding our activity or the functioning of the Platform;
  • defend, preserve or exercise our rights, in all procedural phases: pre-litigation, litigation (mediation, courts, arbitration), forced execution.

We rely these processes mainly on our legitimate interest to protect our business and commercial interests, ensuring that all the measures we take guarantee a balance between our interests and your fundamental rights and freedoms. Depending on the specific situation, we may rely our data processing for this purpose to a limited extent and as far as it is relevant, including on the legitimate interest of other people or on the public interest.

Furthermore, in certain cases we rely our processing on legal obligations, such as the obligation to make available to the judicial authorities the data that they might request.

III. AUTOMATED DATA PROCESSING. PROFILING

Please keep in mind that if you have accessed a parking space through ParkPay and its payment shall not be collected immediately after leaving the space (for example, you have insufficient funds, the card is blocked etc.), the use of the services offered by ParkPay shall be automatically restricted (namely access to other parking spaces through ParkPay, subscription purchase or other services from the Platform) until the payment of such services is carried out. This processing is necessary in order to continue providing our services.

For this purpose, you shall be notified immediately at the email address registered in your account and, if you have given your consent, by a notification on your telephone.

If you would like further information or object to the restriction, please contact us at any of the contact details in the final part of this Policy (see Section XIHow to exercise your rights). You can also add another card to your account for the disbursement at any time.

It is also possible to create profiles to monitor, prevent, detect and report fraud, in the cases provided by law. Such incidents can lead to inactivation of the user account or to blocking the use of the Platform.

IV. RIGHT TO OBJECT TO PROCESSING

Please note that for the data we process based on LEGAL INTEREST (as detailed above) you have the RIGHT TO OBJECT to such processing for reasons related to your particular situation.

Please also bear in mind that you have the right to object when we process your personal data for DIRECT MARKETING purposes. Therefore, you shall have the right to object at any time to processing of personal data, including profiling, to the extent that it is related to such direct marketing. If you object to processing for direct marketing purposes, the personal data shall no longer be processed for such purpose.

More information about the right to object can be found in Section X below, as well as in art. 21 of the GDPR.

V. RIGHT TO WITHDRAW CONSENT

We process the following types of data based on your prior consent:

  • location data of the device used, for navigation purposes to the desired parking;
  • optional account data (telephone, gender, photo), which either facilitate the use of the services offered or improve the user experience; 
  • telephone notifications about access to and out of the parking lot (we process the telephone number, location data and time);
  • telephone or email notifications about marketing communications such as offers, promotions, newsletters or the like (we process your telephone number and/or email).

Please keep in mind that you do not have to consent to any of these processing. You may use the services provided by the Platform even if you do not agree to process any of those data. The choice is yours alone!

You may express or withdraw your consent at any time as follows:

  • for location data, you can set your preferences as follows:

- before installing the app (for iOS devices) or when you first use the app (for Android devices), you shall be asked if you allow access to the device location;

- if the device location is disabled or if you did not give permission in the above step, you shall also be asked if you allow access to the location every time after having logged in;

- alternatively, you can log into your user account, then Account Settings and then Privacy Settings. You can set your preferences through the dedicated field: Access to the device location;

  • for optional account data (telephone, gender, photo): you can choose to fill in the data when creating the account or you can fill/change these data by logging into your user account, then Account Settings and then my Account. There you can also change the Country or Language Preferences.
  • for telephone notifications about the access to and out of the parking lot: you can set your preferences by logging into your user account, then Account Settings and then Privacy Settings. There you can enable or disable the I want to receive information about the use of services field.
  • for marketing communications:

- you can choose to receive such information when you create your account or

- you can accept or discard such information at any time thereafter, by logging into your user account, then Account Settings, followed by Privacy Settings. You can set your preferences through the dedicated field: I want to receive marketing communications or

- you can subscribe to the marketing communications, in the Subscribe to our newsletter section in the final part of our website www.parkpay.world;

- you can also withdraw your consent by accessing the unsubscribe link displayed at the end of the emails we send you for marketing communications (this can be called unsubscribe) and by following the steps described in the link that will be open thereof.

However, please keep in mind that, due to the technical processing times, sometimes between the moment you have expressed your new option and the moment when that is fully implemented at the Platform level, a certain time interval can pass. Therefore, we cannot completely exclude that, within a short time after you have withdrawn your consent (which, in principle, should not exceed several hours), the processing continues and you still receive, for example, telephone notifications or marketing communications. We assure you that we are making every effort to prevent that from happening.

In the unlikely situation where you continue to receive telephone notifications or marketing communications after having followed any of the steps above, please contact us at gdpr@parkpay.world to ensure that your request is implemented.

Keep in mind that the withdrawal of the consent means that we shall not be able to process that data later, using as ground your consent. Nevertheless, it is possible that, depending on the circumstances, we might continue to process, for limited purposes, those data based on other grounds, for example, in order to preserve, exercise or defend rights in court, to fulfill certain legal obligations or in other similar cases that are closely related to the initial processing.

In any case, please note that the withdrawal of the consent does not affect the legality of the processing previously carried out based on the expressed consent, nor the processing of data that is not carried out based on the consent. 

VI. DATA STORAGE PERIOD

6.1 Platform Account Data

We store your personal data, as a rule, throughout the entire period of your ParkPay account, but also subsequently, as described below.

Please note that the location data we process for navigation purposes shall only be stored for as long as you are navigating through ParkPay (so that once you have reached your destination, we shall no longer process and keep such data). However, keep in mind that, separately, we also process the location of the parkings accessed through ParkPay by the cars registered in the account, as well as the duration and time intervals during which the car was in the parking lot. These data are, as a rule, included in the Parking History of your account and are kept at least for as long as you have a ParkPay account.

You can request to close your account at any time, provided that none of the cars registered in your account is in a parking space accessed by us and that you have paid for all the used parking until the account is closed. To close the account, log into your user account, then Account Settings, then Privacy Settings. In the final part, you shall find the Close Account field. Please bear in mind that after closing your account, you shall lose your account details. It is therefore advisable to request a Report with your data from the Platform prior to closing it (also through Privacy Settings).

When closing the account, some of the data associated with the account (such as photo, telephone, country) shall be deleted or, as appropriate, anonymised on the Platform.

Please note, however, that after closing your account, we may continue to process some of your user account data, either because the law requires us to keep certain data for certain periods or to make available to the authorities certain data, either for identifcation purposes, fraud prevention and security, either to preserve, exercise or defend our rights or interests, for example in the case of disputes, investigations, frauds, as follows:

invoice data (name, first name, address, email), parking history (license plate, accessed parkings, entrances, exits, payment status), but also the required accounting records, as well as any other supporting documents underlying the accounting records, or which are indicated by law – shall be kept for a period established by law;

agreements and options expressed by the user, emails and notifications sent to/received from the user, correspondence with the user, as well as any other data that may be relevant in case of control/investigations by the competent authorities or in case of disputes/requests/complaints/etc. – shall be kept at least for the general limitation period (or any other applicable limitation period) and subsequently, if applicable, for the entire duration of the control, investigation or litigation (until all the procedural stages are completed);

in general, we shall continue to process the data to the extent required by law, for the duration provided by law.

In order to limit the data we process after the closure of the account to what is strictly necessary, we shall periodically check the need to continue processing after the closure of the account. 

At the end of the processing period, your personal data shall be securely deleted, destroyed or anonymised, within a reasonable period of time for the implementation of such measures.

Data Collected or Used through Cookies or Other Similar Means

These data are kept in accordance with the Cookie Policy which we kindly ask you to read for this purpose.

Other Data

The data in the contact form, chat, messages, requests, demands or any other communications that you send to us shall be kept until the issues described therein are solved and, subsequently, for the applicable general limitation period (as a rule 3 years), and if applicable for the entire duration necessary to settle any related disputes or controls.

If the received messages have no content, the data are, as a rule, deleted within 3 months of receiving them, unless it is needed for other purposes (for example, to defend our rights or to respond to other requests related to them). 

VII. RECIPIENTS OF PERSONAL DATA

The personal data mentioned in this Policy may be, to a limited extent, transmitted to/accessed by affiliated entities, service providers, employees of the Company or other independent legal entities, but also to public authorities or institutions, such as:

owners and/or administrators of the parking spaces accessed through ParkPay, generally limited to the data that any such entity collects from the parking users (such as license plate, entrance - exit data, cost, payment status) and limited to the users of that parking space;

collaborators, service providers or other entities with which the Company has signed various service provision contracts or other types of contracts, aimed at the proper functioning and/or development of our activity (e.g. IT service providers, email and server services, marketing, analysis, web optimization and security, logistics, technical assistance, parking space brokers, accounting and auditing services, banks/payment service processors, market research service providers, insurers, couriers etc.). Where appropriate, they may act as controller or authorized persons on our behalf. In general, the access of these entities to personal data is restricted or limited to the minimum required for the provision of the services in question;

lawyers, judicial executors and/or other external professional consultants. They generally have the legal obligation to keep the data confidential;

public authorities, persons invested with public power, public institutions, relevant courts etc., from Romania or abroad, in case of control, at their request or at our initiative, when we are required or to protect our legitimate rights and interests, in accordance with the applicable law. In this case too, we consider a limitation of the personal data that are transmitted to the data strictly necessary for that purpose;

potential buyers or investors in the case of analyzing, planning, negotiating, signing or implementing various types of transactions/operations for sale merger, division, reorganization, etc. of ParkPay. In general, the data provided are either statistical or anonymised, and where the transfer of personal data is required, they shall be limited to the minimum necessary for such purpose;

other third parties, in the cases provided for or permitted by law;

in other cases, with your prior notification.

Keep in mind that, depending on the specificity and the way of carrying out the services/activities provided and the related legal requirements, it is possible that any of these entities/people shall send the data thus obtained to public authorities, accountants, lawyers, courts, other entities/people etc. (for example, each might have their own IT provider that may have limited access to data). 

Moreover, keep in mind that our website uses cookies and similar technologies. To learn about where the data collected thereby are transmitted, please read the Cookie Policy.

VIII. TRANSFER OF DATA TO RECIPIENTS FROM THIRD COUNTRIES OR INTERNATIONAL ORGANIZATIONS

For the safe and optimal functioning of the Platform and of the services provided through it, we use a number of services provided by international companies that have their main business premises in the United States of America.

These services may have access to certain user information (for example, when checking the security of the website or when using the chat service etc.)

In August 2016, the Commission Implementing Decision (EU) 2016/1250 of 12th of July 2016 was published in the EU’s Official Journal, pursuant to Directive 95/46/EC of the European Parliament and of the Council, on the adequacy of the protection provided by the EU-U.S. Privacy Shield. Under this decision, the United States guarantees an adequate level of protection of personal data transferred from the European Union to organizations in the United States under the EU-U.S. Privacy Shield, provided that such entities process personal data in accordance with a powerful set of principles and guarantees for the protection of privacy and personal data that are equivalent to those of the European Union.

The text of the Commission Decision can be consulted on:

https://eur-lex.europa.eu/legal-content/RO/TXT/PDF/?uri=CELEX:32016D1250&from=EN

The U.S. Department of Commerce website (https://www.privacyshield.gov/welcome) includes a list of companies that fall under the EU-U.S. and Swiss-U.S. Privacy Shield.

All companies based in the United States from which we use services are included in this List, thus being subject to the EU-U.S. Privacy Shield.

Therefore, we use:

the server service is provided by Microsoft Azure, developed and owned by Microsoft Corporation, based in the United States, One Microsoft Way, RedmondWA, 98052.

The data are stored on the server in a data center in Germany.

According to Microsoft’s licensing terms (which can be downloaded from https://www.microsoft.com/en-us/licensing/product-licensing/products#OST), Microsoft may transfer, store and process data in the United States of America or any other country where Microsoft or its subcontractors operate.

Under these contractual terms, Microsoft states that: it will comply with the legal requirements on the protection of personal data in the European Economic Area and Switzerland regarding the collection, use, transfer, storage and other processing of personal data in the European Economic Area and Switzerland. Transfers of personal data to a third country or an international organization shall comply with the appropriate safeguards provided for in Article 46 of the GDPR and such transfers and safeguards shall be documented in accordance with Article 30 paragraph (2) of the GDPR.

In addition, Microsoft is certified in accordance with the EU-U.S. and Swiss-U.S. Privacy Shield Framework Agreements and their commitments. Microsoft agrees to notify the Customer if it determines that the latter can no longer meet its obligation to provide the same level of protection as required by the Privacy Shield Principles.’

At the same time, data transfers outside the European Union, the European Economic Area and Switzerland are regulated by Annex 3 to these contractual terms.

Microsoft is included in the EU-U.S. Privacy Shield List along with 27 affiliated entities.

The web optimization and security service is provided by Cloudflare, owned by Cloudflare Inc., with headquarters in the United States of America 101 Townsend St., San Francisco, CA 94107. It has designated CloudflareGermanyGmbH. as legal representative in the European Union, with headquarters in Rosental 7,  80331 Munich, Germany.

According to Cloudflare’s Privacy Policy (https://www.cloudflare.com/privacypolicy/), it can transfer or access information anywhere in the world, in order to facilitate its global operation. According to Cloudflare, when transferring personal information from the European Economic Area or from Switzerland, outside this area, it complies with the standard EU contractual terms or the Privacy Shield Framework.

the chat service is provided by tawk.to, service owned by Tawk.to Inc., a company based in the United States of America, 187 EastWarmSprings Rd, SB298, Las Vegas, Nevada, 89119. For people located in the European Economic Area, processing of personal data is done through the UK affiliate of this company, namely Tawk.to Ltd.

According to Tawk.to’s Privacy Policy (https://www.tawk.to/privacy-policy/), it may periodically transfer personal information to countries outside the United States of America.

According to Tawk.to, it has operations in the United States, Europe and Asia-Pacific and a number of remote international contractors. Personal information may be processed in any country where an employee or contractor accesses the tawk.to system. According to its Privacy Policy, Tawk.to complies with the EU-U.S. and the Swiss–U.S. Privacy Shield Frameworks, regarding the collection, use and retention of personal information transferred from the European Union and Switzerland to the United States.

the web analysis service is provided by Google Analytics, which is owned by Google LLC. For users in the European Economic Area, Google services are provided by Google Ireland Limited, a company incorporated and operating under the laws of Ireland (registered number: 368047) and located at Gordon House, Barrow Street, Dublin 4, Ireland. According to Google, it has servers worldwide; it is possible that the information collected is processed through servers located in a country other than the one in which you live. According to Google, regardless of where the processing is done, it offers the same level of protection as described in its Privacy Policy and it complies with the EU-U.S. Privacy Shield.

At the date of this Policy, except for the above, we do not transfer and do not intend to transfer your personal data to entities or people outside the European Union or to international organizations. The collaborators, partners and, in general, the people and entities that we directly contract and to which we promptly send personal data are, as a rule, Romanian people/entities or from the European Union. In every case, their access to data is, in general, extremely limited (only to what is necessary for the provision of the service in question).

However, we cannot exclude that they send or process, in certain situations, your data in/from other states, which may be members or non-members of the European Union (for example, if they have servers located, in their turn, at Microsoft). In the contractual clauses that we shall sign with them, we shall make sure these entities/people take the adequate security measures and safeguards designed to ensure the approppriate confidentiality and protection of your personal data.

If the Company transfers personal data to entities/people outside the European Union, we shall ensure that adequate measures are taken to protect the personal data, or we shall ask for your consent to make such transfers, with your prior information about potential risks. In exceptional situations where it shall be necessary to transfer data outside the European Union, and the aforementioned conditions are not met, we shall ensure that the transfer is done exclusively in cases where the law allows express derogations (e.g. art. 49 of the GDPR).

IX. DATA SECURITY

We have a constant and elevated concern to ensure the security of your data.

First of all, your card data is processed through the secure payment processor platform, which has implemented specific security measures.

We have also taken appropriate technical and organizational measures to ensure data security and to limit the risks that may be generated by the destruction, loss, modification, unauthorized disclosure or unauthorized access to personal data transmitted, stored or processed in a different way.

ParkPay uses advanced security methods and technologies, has implemented internal policies and working procedures to protect the processing of personal data and constantly analyzes the compliance and protection of the data security and systems used.

Please keep in mind that, due to the way personal data is transmitted and processed electronically, there may be a risk of interception, loss, copying, blocking of data and information. We cannot guarantee the absolute security of the data during transmission or storage in our systems. We have taken steps to identify any attempt to gain unauthorized access to our database. We cannot be held responsible for the vulnerabilities of the systems that are not under our control, nor for the errors that occur due to the users’ negligence regarding the security and confidentiality of the email, account and password used, or of the devices and networks used for data transmission.

In case of breach of security, we shall report these incidents to the competent authorities, and, if necessary, we shall inform you directly (by email, in-app notifications, or by other available means).

X. RIGHTS, IN RELATION TO THE CONTROLLER, CONCERNING DATA PROCESSING

You have the following main rights, which you can exercise, under the terms established by law (these rights are set out in articles 12-22 of the GPDR):

right of access (art. 15 of the GDPR): you shall have the right to obtain our confirmation whether personal data regarding you is being processed or not and, if so, get access to the data in question and to the following information:

the purposes of processing;

the categories of personal data concerned;

the recipients or categories of recipients to whom the personal data have been or shall be disclosed, in particular recipients in third countries or international organizations;

where possible, the envisaged period for which the personal data shall to be stored or, if not possible, the criteria used to determine that period;

the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or the right to object to such processing;

the right to lodge a complaint with a supervisory authority;

if the personal data are not collected from the data subject, any available information as to their source;

the existence of automated decision-making, including profiling (referred to in Article 22 (1) and (4) of the GDPR) and, at least in those cases, relevant information about the logic involved , as well as the significance and the envisaged consequences of such processing for the data subject. In this case, if the processing is carried out by automatic means you have the right not to be subject to an individual decision.

if personal data are transferred to a third country or to an international organization, you shall have the right to be informed about the appropriate safeguards relating to the transfer (pursuant to Article 46 of the GDPR).

Without prejudice to the rights and freedoms of others, you shall have the right to receive a copy of your personal data that are the subject of the processing.

You can easily get a copy of your personal data processed within the Platform by logging into your user account, then Account Settings and then Privacy Settings. In the final part, click the field: Request personal data and follow the instructions. In a very short time, you shall receive, by email, a Report with the personal data processed within the Platform. The Report shall not include the data that have been deleted or modified.

Before submitting this request to us, please keep in mind that the Report shall contain your personal data which must be protected. Carefully check the security of the networks, devices and services you use to store or transmit those data. For added security, after completing the actions regarding your data, it is advisable to delete or otherwise secure the email received and the downloaded files containing your personal data from your device.

Please note that, in addition to the information resulting in this Report, we may process other data about you (for example, if we have exchanged emails separately). If you would like to learn more about the data we process, please see section How to exercise your rights.

right to rectification (art. 16 of the GDPR): you shall have the right to rectify, without undue delay, inaccurate data concerning you; depending on the purposes for which your data are processed, you shall have the right to obtain the completion of personal data which are incomplete, including by providing an additional statement.

We must notify each recipient to whom we have disclosed your personal data of any  personal data rectification, unless this proves impossible or involves disproportionate effort. If you request it, we shall inform you about those recipients.

right to erasure (right to be forgotten’) (art. 17 of the GDPR): you shall have the right to delete your personal data and we have the obligation to remove such data without undue delay, if one of the following reasons applies:

personal data are no longer necessary for the purposes for which they were collected or otherwise processed;

you withdraw your consent to the data processing and there is no other legal ground for the processing;

you object to the processing pursuant to art. 21 paragraph (1) of the GDPR - namely, for reasons related to your particular situation when, for example, the processing is done based on legitimate interest (details below) and there are no legitimate overriding reasons to continue with the processing;

you object to the processing pursuant to art. 21 paragraph (2) of the GDPR – namely, when the processing of personal data has direct marketing purposes (details below);

personal data has been processed unlawfully;

personal data must be deleted to fulfill a legal obligation under Union law or national law to which the data controller is subject;

personal data were collected in connection with the provision of information society services directly to a child (referred to in Article 8 paragraph (1) of the GDPR), which in our case should not happen.

If we have made your personal data available and are obliged to delete them, we must, taking into account the available technology and the cost of implementation, take reasonable measures, including technical measures, to inform the controllers that are processing the personal data that you have requested the erasure of any links to, or copies or reproductions of, that personal data.

Please note that in certain cases expressly allowed by law (in art. 17 paragraph (3) of the GDPR), we may not delete the data (for example, if we have to keep it in order to comply with a legal obligation, such as the data from invoices that we must keep for the period established by law).

We must also notify any recipient, to whom the personal data have been disclosed, of any data deletion, unless this proves impossible or involves disproportionate effort. If you request it, we shall inform you about those recipients.

right to restriction of processing (art. 18 of the GDPR): you shall have the right to obtain from us restriction of data processing where one of the following applies:

if you contest the accuracy of the personal data, for a period enabling us to verify the accuracy of the personal data;

the processing is unlawful and you object to the erasure of the personal data, requesting the restriction of their use instead;

we no longer need the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims; or

you have objected to processing pursuant to art. 21 paragraph (1) of the GDPR (namely, for reasons related to the particular situation you are in, when, for example, the processing is done based on a legitimate interest) pending the verification whether our legitimate grounds override your own.

We shall communicate any restriction of processing carried out to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. If you request it, we shall inform you about those recipients.

right to data portability (art. 20 of the GDPR): you shall have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller, without hindrance on our part, where:

the processing is based on consent or on a contract and

the processing is carried out by automated means.

You shall also have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

You can exercise your right to data portability by logging into your user account, then Account Settings and then Privacy Settings. In the final part, click the field: Request personal data and follow the instructions. In a very short time, you shall receive, by email, a Report with the personal data processed within the Platform. The Report shall not include the data that have been deleted or modified.

Before submitting this request to us, please keep in mind that the Report shall contain your personal data, which must be protected. Carefully check the security of the networks, devices and services you use to store or transmit those data. For added security, after completing the actions regarding your data, it is advisable to delete or otherwise secure the email received and the downloaded files containing your personal data from your device.  

right to object to processing (art. 21 of the GDPR): you shall have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you, pursuant to art. 6 paragraph (1) lit. (e) of the GDPR (namely, when the processing is carried out for the fulfillment of a task that serves a public interest or which results from the exercise of the public authority with which the controller is invested) or lit. (f) (namely, when the processing is carried out for the legitimate interests pursued by the controller or a third party), including profiling based on those provisions.

In such case, we shall no longer process your personal data, unless we can demonstrate that we have legitimate and compelling reasons that justify the processing and that override your interests, rights and freedoms, or that the purpose is to establish, exercise or defend legal claims.

You shall also have the right to object, at any time, to processing of personal data concerning you for direct marketing purposes, which includes profiling, to the extent that it is related to such direct marketing. In this case, the personal data shall no longer be processed for such purposes.

Please note that in the emails we send you for marketing communications, you shall find the unsubscribe link at the end (this can be called unsubscribe). If you do not wish to receive such emails, access that link and follow the steps described therein.

XI. HOW TO EXERCISE YOUR GDPR RIGHTS

To exercise your rights, please see Section X above, where we have explained in detail how you can exercise certain rights directly from your account.

You can also ask us any questions, requests or concerns about any of these rights, at the following contact information:

Address: 169A Calea Floreasca, Building A, 4th floor, Sector 1, 014472 Bucharest, Romania

Email:            gdpr@parkpay.world

Please keep in mind that submitting such requests shall require further processing of your data.

In order to respond to the requests submitted, we may request the provision of additional information necessary to confirm your identity.

We believe that you shall not exercise these rights in an unreasonable, excessive or abusive form.

XII. RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY

If you consider that we do not comply with the data protection legislation, you shall have the right to lodge a complaint with the data protection authority.

In Romania this is:

The National Supervisory Authority For Personal Data Processing (ANSPDCP).

On the date hereof, ANSPDCP has the following contact details:

Headquarters: 28-30 Bd. Gheorghe Magheru, Bucharest, Sector 1, postal code 010336, Romania

Email: anspdcp@dataprotection.ro

Fax:    +40.318.059.602

Website: www.dataprotection.ro