This privacy statement under Articles 13 and 14 of the General Data Protection Regulation (679/2016/EU) describes how Ruutuluotsi processes personal data connected to its parking control operations.
Ruutuluotsi
Address: P.O. Box 15, FI-33210 Tampere
Business ID: 3219976-3
Email: info@ruutuluotsi.fi
Ruutuluotsi is an auxiliary business name of Finnpark Pysäköinti Oy.
Ruutuluotsi controls compliance with parking terms in private parking areas. In this operation, Ruutuluotsi processes the personal data of parking area users as well as the holders and owners of parked vehicles. Personal data is processed for the purposes of parking control, to ensure the validity of parking rights, to issue and administer parking control fees, to process fees and for bookkeeping, to process complaints, to manage and develop customer service, and to compile statistics and maintain information security.
Anonymised information generated from the data contained in the register is also processed for machine learning purposes.
The processing of personal data is necessary for the performance of the contract (Article 6(b) of the EU General Data Protection Regulation, GDPR) and for the legitimate interest of the controller based on customer relationships or other factual connections (Article 6(f) of the EU General Data Protection Regulation, GDPR).
Processed personal data include photographs of vehicles, vehicle registration numbers and other vehicle data, location of parking, area and period of validity of parking rights, grounds for and amount of control fees, free-form reports on incorrect parking, information on measures taken in the matter and information received/collected from authorities.
In addition, personal data processed in case of a complaint include the name, identification and contact details of the person filing the complaint and of any other driver of the vehicle, as well as the processing details of the complaint and the content of customer service messages in customer service events. Processed personal data also include the names and e-mail addresses of the users logging in to the controller’s online service.
The personal data contained in the register is obtained from parking controllers carrying out parking control, who photograph parked vehicles for the purpose of checking parking rights. Vehicles can also be photographed using automatic camera surveillance at parking areas. Vehicle registration numbers are used to check parking rights in the parking control or payment services used in the area. The check is carried out through a programmed enquiry, where the validity of the parking right is checked against the registration number sent to each service in the enquiry.
The image files concerning incorrectly parked vehicles and any free-form report on incorrect parking are stored in the controller’s information system.
If the vehicle does not have a valid parking right or the vehicle has been parked incorrectly in some other way, the parking controller will issue the parking control fee. The control fee printout is left on the windscreen of the vehicle, and the vehicle user can use the printed code to log in to the controller’s website, where it is possible to check the stored information concerning the incorrect parking of the vehicle.
The control fee printout and the controller’s website contain instructions for any complaints and for contacting customer service. In connection with complaints and other customer service contacts, personal data may be collected from the data subjects themselves.
If the control fee is not paid by the due date, the controller transfers the information on the control fee to a collection agency for recovery measures. In this context, the collection agency retrieves the personal data of the owner or holder of the vehicle from Traficom based on the registration number of the vehicle in order to investigate contact details and breaches of contract.
Personal data is disclosed to parking control and payment service providers for the purpose of checking parking rights. Personal data may also be disclosed to the owner or holder of the parking area in order to check parking rights and investigate possible abuse, to system suppliers of the controller for system delivery and to payment intermediaries for the processing of payments. In addition, after two collection letters sent as commission collection, information on outstanding control fees is disclosed to the collection agency, which then purchases the control fees as its own receivables.
Personal data may also be disclosed to authorities in order to fulfil statutory obligations.
Statistical usage data may be disclosed to third parties in a format that does not allow for the identification of individual personal data.
Personal data may be transferred to the controller’s partners who process personal data on behalf of the controller in accordance with the controller’s instructions.
The personal data processed by the controller is stored on a server located within the area of the European Union. If personal data is transferred outside the European Union/European Economic Area (EU/EEA), for example, when the service provider is located outside the EU/EEA, the data is transferred within the framework of applicable data protection provisions, such as decisions on adequate levels of information security adopted by the EU Commission.
The customer’s personal data is stored only for the time required for the purpose of the processing or for as long as required of the controller by law.
However, if suspected misconduct occurs during the data storage period, or the data is needed for court proceedings, personal data will be stored for as long as is required for the investigation of the suspicion or until the court case is legally resolved and the claims are collected.
Anonymised data may be stored until further notice.
The protection and processing of the data contained in the register complies with the provisions and principles of the General Data Protection Regulation and other data protection provisions as well as the regulations of authorities and good data processing practices. In addition, the controller has an information security policy in place for the processing of personal data. The information security policy defines the principles by which data is processed and protected.
The register is maintained as a technical recording by the controller or a party authorised by the controller within the EU/EEA. The electronic material contained in the register is stored in databases that are protected against abuse and intrusion by firewalls, passwords and other technical and application solutions of different levels that are normally used in business operations.
The electronic register data is located in locked and supervised facilities protected by access control. Access to the register is controlled with user IDs and passwords. Access to the register is limited to individuals whose job description requires access to the register. The controller’s personnel are under an obligation of confidentiality.
A data subject has the right to access their register data free of charge once a year. For more frequent exercise of the right of access, the controller may charge a reasonable compensation covering any direct expenses to the controller. A written request for access must be submitted to the controller including the contact details mentioned above. Before disclosing the data, the identity of the data subject is checked to ensure that the data are not disclosed to a party that is not the data subject.
If the data subject finds that the personal data in the register is inaccurate, incomplete, or has been processed in violation of the purpose of the register or applicable legislation, the data subject may use the e-mail address mentioned above to request the controller to rectify, block, restrict, or erase the personal data in question.
If the data subject finds that their rights under the EU General Data Protection Regulation have been violated, they have the right to lodge a complaint with the supervisory authority. The Finnish national supervisory authority is the Office of the Data Protection Ombudsman, whose contact details are:
Office of the Data Protection Ombudsman
P.O. Box 800, Lintulahdenkuja 4, FI-00531 Helsinki
Tel. +358 29 566 6700
tietosuoja@om.fi
www.tietosuoja.fi
The controller continuously develops its operations and therefore reserves the right to update this privacy statement. Updates may also be based on changes in legislation. In order to obtain up-to-date information on the processing of personal data, the controller recommends that the content of the privacy statement is reviewed at regular intervals.