Privacy statement for the personal data register concerning the use of Finnpark Pysäköinti Oy’s services
This privacy statement pursuant to Articles 13 and 14 of the General Data Protection Regulation (679/2016/EU) describes how the Controller processes personal data related to the use of its services.
1. Contact details of the Controller
Finnpark Pysäköinti Oy
Address: P.O. Box 15, FI-33211 Tampere
Business ID: 3375899-3
Email: asiakaspalvelu@finnpark.fi
2. Purpose of processing personal data
The Controller provides its contractual partners with services related to the operation of parking at various parking facilities. These parking facilities may use automatic number plate recognition (ANPR) systems, automatic camera surveillance systems, payment terminals, and control room and telephone services at payment terminals, doors and barriers. Personal data of persons using the parking facilities is processed in connection with the use of these systems and services.
The use of ANPR systems, camera surveillance, and control room and telephone services is indicated by signs at the parking facilities. Cameras are located at the entrances to the facilities, in common areas, along access routes and in yard areas, as well as in certain particularly vulnerable locations due to a specific need for monitoring.
The ANPR system is used, and the personal data processed in connection with its use is processed, for the automatic start and end of parking events, monitoring compliance with parking terms, verifying parking rights, investigating possible misuse, invoicing parking charges, carrying out debt collection measures, and handling customer service and complaint contacts.
Camera surveillance and control room and telephone services are used, and the personal data processed in connection with their use is processed, for access control and for verifying and implementing access rights, for customer service purposes, for maintaining safety and security, and for preventing and investigating security incidents and offences.
Personal data is also processed for the development of the services provided by the Controller. For this purpose, images obtained and stored through ANPR at parking facilities, and the vehicle registration number data generated from them, are also used to improve the functionality and accuracy of the ANPR system.
The purpose of processing personal data also includes the development of the Controller’s customer service and business operations, as well as customer communications and marketing.
3. Legal bases for processing personal data
The processing of personal data is necessary for the Controller to provide, on the basis of its contracts, services related to ANPR systems, camera surveillance systems, the use of payment terminals, and control room and telephone services. Personal data of persons using the parking facilities is processed in connection with the use of these services. In this respect, the Controller processes personal data on the basis of a contract (Article 6(1)(b) GDPR).
In addition, the Controller processes personal data on the basis of the Controller’s legitimate interest (Article 6(1)(f) GDPR) when the processing concerns access control, maintaining safety and security, preventing and investigating security incidents or offences, handling customer contacts, fulfilling statutory obligations, measures related to legal claims, and developing the Controller’s services, such as the ANPR system.
4. Personal data processed
Personal data processed on the basis of the use of the ANPR system includes the vehicle registration number, photographs of the vehicle and its number plate, the time and location of recognition (entry and exit), and the duration and price of parking.
Personal data processed on the basis of the use of payment terminals includes information concerning payment transactions, payment instruments and their holders.
Personal data processed on the basis of the use of camera surveillance includes images of vehicles and persons contained in recorded camera footage at camera-surveilled locations, as well as information concerning the place and time of recording.
Personal data processed on the basis of the use of the telephone service includes the person’s voice and information concerning the person’s location and the time of recording. Data collected in connection with customer service and complaints may also include the name, postal address, email address and telephone number of the person making contact and, where necessary, bank account details for the refund of a parking fee, the number of the parking event or the case number of the parking control fee concerned by the contact, background information or reasons for the complaint provided by the person making contact, which may include information such as details of the vehicle user or the purpose of parking, screenshots from a payment application or other similar documentation.
5. Regular sources of personal data
With regard to the ANPR system, the personal data processed is obtained automatically from cameras located at the entry and exit lanes of parking facilities using ANPR.
Where necessary, information on the owner and holder of the vehicle may be retrieved from official registers, such as Traficom, on the basis of the vehicle registration number identified by the ANPR system, in order to investigate breaches of contract.
With regard to camera surveillance, the data source consists of recording surveillance cameras located at camera-surveilled facilities.
With regard to telephone services and other customer service, the data sources are calls and customer service contacts recorded by telephone and customer service systems. The personal data processed in this context is obtained from surveillance material and from the person making contact.
6. Disclosure and transfer of personal data
Personal data contained in the register is disclosed to parking service providers and payment service providers that act as partners of the Controller in order to enable the use of the services provided by them, and to parties carrying out parking control tasks for the purpose of monitoring parking rights and the payment of parking charges.
Personal data may also be disclosed to Traficom in order to determine the details of the owner or holder of a vehicle and to allocate parking charges and any necessary contacts to the correct party. In addition, personal data may be disclosed to parties carrying out debt collection activities.
Data contained in the register may also be disclosed to authorities and other parties specified by law where required by legislation.
With the explicit consent of the data subject, personal data may be disclosed to third parties for direct marketing purposes, as well as for opinion polls, market research or other similar surveys.
Statistical usage data may be disclosed to third parties in a format that does not allow individual personal data to be identified.
Personal data may also be transferred to partners of the Controller who process personal data on behalf of the Controller in accordance with the Controller’s instructions. Such processors do not have the right to process personal data for their own purposes.
7. Transfer of data outside the EU or the EEA
Personal data processed by the Controller is stored on a server located within the European Union.
If personal data is transferred outside the European Union or the European Economic Area (EU/EEA), for example if a service provider is located outside the EU/EEA, the Controller ensures that the transfer takes place within the framework of applicable data protection provisions, such as adequacy decisions adopted by the European Commission.
8. Principles of register protection
The protection and processing of data contained in the register comply with the provisions and principles of the General Data Protection Regulation and other data protection legislation, as well as instructions issued by authorities and good data processing practices.
In addition, the Controller has an information security policy in place for the processing of personal data. The information security policy defines the principles according to which data is processed and protected.
The register is maintained as a technical record by the Controller or by a party authorised by the Controller within the EU/EEA. The electronic material contained in the register is stored in databases protected against misuse and intrusion by firewalls, passwords and other technical and application-level solutions of various levels commonly used in business operations.
The electronic register data is located in access-controlled, locked and monitored facilities. Access to the register is controlled by means of user-specific user IDs and passwords. Access to the register is limited to persons whose duties require such access. The Controller’s personnel are bound by confidentiality obligations.
9. Data retention period
Personal data is retained only for as long as necessary for the purpose of the processing or for as long as required by law. As a general rule, the following retention periods are observed:
Automatic camera data, such as image material and vehicle registration numbers that do not involve unpaid parking, a breach of rules or other suspected misuse, is automatically deleted from the system within one (1) year.
Data remaining in system backups is deleted within seven (7) days in accordance with the backup cycle.
Payment transactions and invoicing data are retained in accordance with the Accounting Act for six (6) years from the end of the financial year.
Recordings of telephone services and customer service contacts are retained for one (1) year.
Data collected during a complaint process, such as contact details, responses and attachments, is retained for three (3) years from the final resolution of the matter. The retention period is based on the limitation period for legal claims. If the matter proceeds to legal debt collection or court proceedings, the data is retained until the matter has been finally resolved and the receivables have been collected.
If, during the retention period, security incidents, damage to property or other offences occur, personal data is retained for as long as required for the investigation of such security incidents and offences.
Anonymised data may be retained until further notice.
10. Rights of the data subject
The data subject has the right to access their personal data contained in the register free of charge once per year. For more frequent exercise of the right of access, the Controller may charge reasonable compensation covering the direct costs incurred.
A written request for access must be submitted to the Controller using the contact details provided above. Before disclosing the data, the identity of the data subject is verified to ensure that the data is not disclosed to any party other than the data subject themselves.
In a request for access, the time of the camera recording or contact request concerned must be specified as precisely as possible. At the Controller’s discretion, information on the content of the recording may be presented to the person making the access request either at the Controller’s premises or, in the case of customer service contacts, as a transcript of the recording.
If the data subject notices that the personal data contained in the registers is inaccurate, incomplete or has been processed in violation of the purpose of the register or applicable legislation, they may request the Controller to rectify, block, restrict or erase the personal data in question by using the contact details provided above.
Where the processing of personal data is based on the data subject’s consent, the data subject may withdraw their consent at any time by notifying the Controller using the contact details of the Controller provided above.
If the data subject considers that their rights under the EU General Data Protection Regulation have been infringed, they have the right to lodge a complaint with a supervisory authority. The Finnish national supervisory authority is the Office of the Data Protection Ombudsman, whose contact details are:
Office of the Data Protection Ombudsman
P.O. Box 800, Lintulahdenkuja 4, FI-00531 Helsinki
Tel. +358 29 566 6700
tietosuoja@om.fi
www.tietosuoja.fi
11. Changes to the privacy statement
The Controller continuously develops its operations and therefore reserves the right to amend this privacy statement. Changes may also be based on changes in legislation.
In order to obtain up-to-date information on the processing of personal data, the Controller recommends reviewing the content of the privacy statement at regular intervals.selostetta. Muutokset voivat perustua myös lainsäädännön muuttumiseen. Henkilötietojen käsittelyä koskevien ajantasaisten tietojen saamiseksi rekisterinpitäjä suosittelee tutustumaan tietosuojaselosteen sisältöön säännöllisin väliajoin.


