Car Park Privacy Policy
Hines Ireland M.S.O Limited, Third Floor, Central Quay, Riverside IV, Sir John Rogerson’s Quay, Dublin 2 (“Hines“, “we“, “us” or “our“) is the controller of the personal data which is processed about you to the extent that your personal data is processed in the context of the operation of the car park at Liffey Valley Shopping Centre, Fonthill Road, Clondalkin, Dublin 22.
We treat your data privacy very seriously and understand that you will wish to know how we will use your personal data. This Data Protection Notice (“Notice“) tells you about how we, as controller, collect and process your personal data when you visit our car park, how that information is used, our lawful bases for such use, who it is shared with and why, where it is transferred, your rights in relation to it and how you can exercise your data protection rights.
Please note that Hines is part of the Hines Group group of entities (“Hines Group“), which may also be provided with personal data about you.
This Notice relates to our car parking services only. It does not relate to other services which we may provide to you. If you are using any of our other services, please consider our website (www.liffeyvalley.ie) for other applicable privacy notices/policies.
1. The personal data we may collect and process
“Personal data” means any information about an individual from which that individual can be identified. “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
2. How and why we process the personal data we collect
We will use your personal data for the purposes and according to the legal bases set out below.
Point of collection | Categories of personal data collected | Purpose(s) for Processing | Legal Basis |
When you enter / exit the car park | Vehicle data· vehicle registration number (collected by automatic number plate recognition cameras aka ANPR);CCTV data· video recording (without sound) (collected by CCTV used in the car park); and/orPayment data· payments and payment methods for the use of the car park. | · to provide car parking services to you;· to calculate and process your car parking charge using our ticketless payment system;· for management reporting, accounting, other internal business (including joint ventures and business sales) and sales management; and/or· enforcement of our terms and conditions. | · in pursuit of our legitimate interests in communicating with you, making our car parking services available, and protecting the security and integrity of our services and systems (except where your interests or fundamental rights override these). · to fulfil the contract we have with you for provision of car parking services. If you do not provide this data, then we may not be able to contract with you and provide you with a car parking space or services. |
When you interact with us or our agents | Contact data· name;· email address; and/or· phone number. | · customer relationship management – dealing with any queries or correspondence from you (including your opinions or suggestions on our services); and/or· when raising an enquiry with us about your use of our car park services (such as the location of your vehicle). | · our lawful basis is that it is necessary for the purposes of our (or a third party’s) legitimate interests (e.g. to manage our business responsibly and efficiently, and to consider and protect our own legal rights), which are not overridden by your interests, fundamental rights and freedoms. |
When you are non-compliant with our car park contract / terms and conditions | Contact data· name;· email address; and/or· phone number.Payment data· payments and payment methods for the use of the car park.Vehicle data· Vehicle registration number (collected by ANPR); andCCTV data· video recording (without sound) (collected by CCTV used in the car park). | · to record where there has been a non-payment or other breach of contract by you in relation to your use of the car park; and/or· to take such actions as we may deem appropriate in light of your non-compliance of our terms and conditions, including moving your vehicle, and to contact you in relation to same; and/or· to prevent your vehicle (or a vehicle that we have associated with you) to enter the car park based on previous behaviour (e.g. non-payment, breach of contract, (alleged) criminal behaviour, banning orders, etc.). | · to perform and enforce the terms of our contract with you for the provision of car parking services.· it is in our legitimate interests (or those of a third party, such as other users of our car park) which are not overridden by your interests, fundamental rights and freedoms. Such interests include ensuring that vehicles entering the car park do not present us with security or breach of contract risk, enforcing previous contracts, protecting others’ property rights and ensuring the security of our car park.· we also process such personal data on the legal basis (provided for in the Data Protection Act 2018) of preventing injury or other damage to you or other individuals or loss in respect of, or damage to, property or otherwise to protect your vital interests or the vital interests of another person, and as necessary for the establishment, exercise or defence of legal claims. |
When you/your vehicle is involved in an alleged crime in the car park | Vehicle data· vehicle registration number (collected by ANPR); andCCTV data· video recording (without sound) (collected by CCTV used in the car park) | · to record/evidence if your vehicle has been involved in alleged crime (to the extent it is caught on our car park CCTV), or in relation to facilitating the exit from the shopping centre following the commission of an alleged crime (to the extent it is caught on our car park CCTV);· to prevent crime and protect buildings and assets from damage, disruption, vandalism and other malicious acts;· for the personal safety of staff, visitors and other members of the public and to act as a deterrent against crime including fraud;· to support law enforcement bodies in the prevention, detection and prosecution of crime; and· to assist in ensuring the health and safety of staff and others. | · in pursuit of our legitimate interests in protecting the security and integrity of our services and systems, to ensure the safety of the car park, and to consider and protect our own legal rights (except where your interests or fundamental rights override these). · where processing is necessary for compliance with a legal obligation to which we are subject.· we also process such personal data on the legal basis (provided for in the Data Protection Act 2018) of preventing injury or other damage to you or other individuals or loss in respect of, or damage to, property or otherwise to protect your vital interests or the vital interests of another person, and as necessary for the establishment, exercise or defence of legal claims. |
When you sign up or are eligible for “additional services” such as our online ParkEasy service or other benefits | Contact data· name;· contact details (business or personal);Vehicle data· vehicle registration number (collected by ANPR); and/orPayment data· bank account details (for the purposes of processing payments).Eligibility data· place of employment;· competition winner status;· loyalty scheme membership;· use of promotional offer or service. | · to enable you to sign up and use Park Easy;· to administer loyalty schemes; and/or· if you are eligible for automatic entry/exit to the car park (e.g. if you are a competition winner for free parking or recipient of a loyalty or promotional offer). | · To fulfil the contract we have with you for the provision of car parking services. If you do not provide this data, then we may not be able to contract with you and provide you with car parking services.· In pursuit of our legitimate interests and those of Hines Group companies, Liffey Valley Shopping Centre and its retailers, in providing free parking and other benefits where it is appropriate and/or practical to do so (except where your interests or fundamental rights override these). |
When we need to contact you in relation to your Park Easy account | Contact data· contact data· name;· email address; and/or· phone number. | · from time to time, we may contact you with updates on your Park Easy account, for example scheduled maintenance or necessary updates to your account. | · in pursuit of our legitimate interests in providing the Park Easy service to you. |
When you are eligible for sweepstakes or “spot prizes” | Contact data· name;· contact details (business or personal) | · from time to time, we may select a random winner from our list of registered Park Easy and loyalty scheme users to win a spot prize (e.g. a €500 Liffey Valley Gift Card).· these promotions are run without payment or consideration and determined upon chance. Please see https://www.liffeyvalley.ie/ for details. | · where we have collected your consent to receive marketing and other account-related communications from us. |
When you agree to receive marketing material from us | Contact data· contact data· name;· email address; and/or· phone number. | · to send you promotional material and updates on the activities of the car park at Liffey Valley.· to register your interest in taking part in the Liffey Valley campaigns. | · where we have collected your consent to receive marketing communications from us. |
Please note:· we may also need to use your personal data for the purpose of obtaining legal advice or for the purposes of, or in connection with, legal claims, prospective legal claims, legal proceedings or prospective legal proceedings, or otherwise necessary for the purposes of establishing, exercising or defending legal rights.· where your personal data is processed on the basis of legitimate interests, you may object to such processing by contacting us using the contact details set out below. |
3. Disclosure of your personal data to third party recipients
We may disclose your personal data to the following third party recipients:
- providers of certain business function services, such as IT support, processing of payment card/details, website and data hosting providers and administrators. These parties will process the personal data on our behalf (as our data processors). We will disclose your personal data to them so that they can perform those functions. Examples of these providers include our outsourced IT systems software and maintenance, payment processing and back up and server hosting providers; and
- our car park services service provider (for watching CCTV, responding to barrier/ticket questions and generally managing and operating the car park on our behalf). This service provider will process the personal data on our behalf (as our data processor) and we will disclose your personal data to it so it they can provide us with these services. Our carpark service provider is APCOA Parking Ireland Limited (APCOA). APCOA may also collect personal data from you on our behalf. APCOA may in turn share your personal data with other recipients, such as in particular Bidvest Noonan (who provide security services) and Liffey Valley Shopping Centre Management Limited, in furtherance of these purposes.
Your personal data may also be made available:
- to An Garda Síochána, where we are required to disclose it in connection with efforts to investigate, detect, prevent, or take action regarding illegal activity, suspected fraud, or other wrongdoing, or to otherwise comply with applicable law or co-operate with An Garda Síochána; to protect and defend the rights, property or safety of Hines, its customers, staff, suppliers or others; or to enforce the car park terms and conditions or other agreements (including, for example, where a vehicle has been abandoned in our car park). Our lawful bases for this processing under the GDPR and (where relevant) the Data Protection Act 2018 are set out above in this Notice;
- to our advisors (such as consultants, legal advisors, auditors and other professional advisors), in order that we can receive advice and services from them. Our lawful basis under the GDPR for this processing is that it is necessary for the purposes of our (or a third party’s) legitimate interests (e.g. for us to be able to obtain professional or legal advice), which are not overridden by your interests, fundamental rights and freedoms. To the extent that the personal data disclosed constitutes criminal (including alleged) offences data, this will be limited to disclosures in relation to legal claims and our lawful basis under the Data Protection Act 2018 is that the processing is necessary for the establishment, exercise or defence of legal claims;
- in response to a court order, or a request for cooperation from law enforcement (such as An Garda Síochána) or other government agency; to establish or exercise our legal rights; to defend legal claims; or as otherwise required or permitted by applicable laws and/or regulations; and/or
- to prospective or actual buyers in the event that Hines sells or buys any of its business or assets. Our lawful basis under the GDPR for this processing is that it is necessary for the purposes of our (or a third party’s) legitimate interests (e.g. for a purchaser of any of our business to have details of individuals using the services provided by that part of the business), which are not overridden by your interests, fundamental rights and freedoms.
4. Profiling and automated decisions (and our corresponding lawful basis under GDPR for this)
In some limited cases, we may carry out profiling, which involves the processing of your personal data to analyse your use of our car park. The profiling we carry out is focused on your vehicle registration number, or any vehicle registration number that you have associated with your account (as our service allows you to add multiple vehicle registrations to your account). As we may be able to identify you from this vehicle registration number in conjunction with other personal data held about you (as described above in this Notice) this analysis constitutes profiling based on your personal data. We create a profile for your vehicle registration number, including setting out whether (or not, to the extent relevant) your vehicle is permitted to enter the car park based on previous behaviour (e.g. non-payment, breach of contract, criminal behaviour, banning orders, as explained above in this Notice), frequency of visits and whether you are eligible for automatic entry/exit to the car park (e.g. if you are a contract parker, competition winner for free parking or recipient of a loyalty or promotional offer). This enables us to determine whether to permit you to enter the car park, to enter into and enforce our contracts, and to potentially offer discounts (e.g. loyalty offers).
Where our profiling does not have legal or similarly significant effect on you, or where we (i.e. a person within Hines or the Hines Group) has made a decision which is being implemented via our car park gates, such as determining that the vehicle registration number of the vehicle you are driving matches the details of a vehicle registration number we have previously determined should be permitted or not to access the car park, our lawful bases under the GDPR are that it is necessary for the purposes of our (or a third party’s) legitimate interests (e.g. to ensure that vehicles entering the car park do not present us with security or breach of contract risk, to enforce previous contracts, to protect other’s property rights and for the security of our car park) which are not overridden by your interests, fundamental rights and freedoms, and that it is necessary for performance of our contract with you (e.g. as to automatic entry/exit).
However, where we perform profiling and/or make automated decisions about you which produce legal or similarly significant effects on you, we do so on the legal basis that it is necessary for entering into (or performing) a contract between us and you. We implement suitable measures to safeguard your rights, including providing you with the right to obtain human intervention, to express your point of view and to contest the decision. To obtain human intervention (i.e. for a human to review the automated decision which has been taken), express your point of view and/or contest the decision, please contact us via the means set out in the ‘Contact Us’ section below.
5. Transfers of personal data outside of the European Economic Area
The personal data we process in accordance with this Notice may be transferred to recipients who are located within the European Economic Area (“EEA”). It will not be transferred to or otherwise processed by recipients located outside of the EEA.
6. Your rights
You have the following rights under applicable law, subject to certain exceptions, with respect to your personal data:
- Right of Access. You may request a copy of the personal data that we process about you.
- Right to Rectification. You may ask us to correct any inaccurate or incomplete personal data.
- Right to Erasure. You may request that we delete the personal data that we have about you in certain circumstances, for example where it is no longer necessary for us to process it.
- Right to Restriction of Processing. You have the right to request that we restrict processing your personal data under certain circumstances.
- Right to Object. You have the right to object to your personal data being processed on the basis of our legitimate interests (or those of a third party). We will cease processing your personal data, unless the processing is based on compelling legitimate grounds or is needed for the exercise or defence of legal claims. Where we use your personal data for direct marketing purposes, you can always object and opt out of future marketing messages using the unsubscribe link in such communications.
- Right to Withdraw Consent. In the event that we request, and receive, your consent to process your personal data for a specific purpose, you have the right to withdraw your consent at any time. Your withdrawal of consent will not affect the lawfulness of our processing based on consent before its withdrawal.
You can exercise any of these rights by submitting a request to us. Please see the “Contact Us” section below.
You also have the right to lodge a complaint with the Office of the Data Protection Commission (“DPC”) at any time. Contact details of the DPC are available here.
When handling requests to exercise your privacy rights, we check the identity of the requesting party to ensure that he or she is the person legally entitled to make such a request. While we maintain a policy to respond to these requests free of charge, should your request be repetitive or unduly onerous, we reserve the right to charge you a reasonable fee for compliance with your request.
7. Data retention
In general, we expect to keep your personal data only for as long as is necessary for the purpose for which it is collected and for a reasonable period thereafter. Once we have determined that we no longer need to retain your personal data, we will delete it from our systems.
For example, your vehicle registration number will be retained for as long as is necessary for Hines to complete business and financial reporting on the car park services, and for such further periods as may be necessary for the purposes of legal claims or dealing with any queries from you. Vehicle registration numbers will typically be retained for 3 months.
CCTV images from the car park will be retained for 30 days, unless required to be kept for longer due to investigations into alleged crimes in the car park, for compliance with legal or regulatory obligations or in relation to legal claims. Please note that CCTV images from the shopping centre may be retained for a different period – you should consult the relevant fair processing notice/policy issued by the shopping centre for details.
8. Security
Although we will do our best to protect your personal data, we cannot guarantee the security of your personal data. We use appropriate security measures to seek to prevent unauthorised access or disclosure of your personal data. We will continue to revise policies and implement additional security features as new technologies become available.
9. Changes to this Notice
We reserve the right to change this Notice from time to time at our sole discretion. If we make any changes, we will post those changes here and update the “Last Updated” date at the bottom of this Notice. Please review this Notice periodically for updates.
10. Contact Us
You are encouraged to contact [email protected] with any queries or concerns relating to this Notice, or to exercise your rights in relation to your personal data. Your initial query, concern or rights request may be forwarded on to our Data Protection Officer, but equally you are able to escalate your query, concern or request directly or raise other queries about our compliance with the GDPR in relation to your personal data to our Data Protection Officer who can be contacted at [email protected].
Last Updated: September 2022