VARS Technology Ltd

Privacy Notice

Last Updated: 5th July 2024

Contents

1. Introduction
2. What is personal data?
3. Personal data we collect as a data controller
4. Personal data we process on behalf of our clients
5. How your personal data is collected
6. Purposes for which we use your personal data and the lawful basis
7. Sharing your personal data
8. International transfers
9. How long we keep your personal data
10. Security of your personal data
11. Your rights
12. How to complain
13. How to contact us

1. Introduction

We are VARS Technology Ltd (“VARS Technology”, “we”, “our”), a car park and forecourt management company. We are committed to protecting the privacy and security of the personal data we collect about end customers and users of our services (“you/your”).

The purpose of this privacy notice is to explain what personal data we collect about you when you use our website or correspond with us. When we do this, we are the data controller.

PLEASE NOTE: Where VARS Technology processes personal data as a part of performing one of our services listed in section 4 below, we act as a data processor. Please refer to the applicable controller’s privacy notice for more information about how your personal data may be used.

Please read this privacy notice carefully as it provides important information about how we handle your personal information and your rights. If you have any questions about any aspect of this privacy notice you can contact us using the information provided below or by emailing us at complaints@varsanpr.co.uk.

2. What is personal data?

‘Personal data’ is any information from which you can be identified, either directly or indirectly. For example, your name or an online identifier.

‘Special category personal data’ is more sensitive personal data and includes information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purposes of uniquely identifying someone, data concerning physical or mental health or data concerning someone’s sex life or sexual orientation.

3. Personal data we collect as a data controller

We collect, use and are responsible for certain personal data about you. When we do so we are subject to the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

If you have contacted us via our “Request More Information” section, we will collect personal data including your full name, email address and any details you provide within your enquiry.

If you have submitted a commercial enquiry, we will collect personal data that may include your full name, company name, car park address, email address, phone number and any details provided within your enquiry.

Facial Recognition

When you enter a location where we operate facial recognition technology, we may collect personal data and special category data including:

• Images of your face
• A mathematical representation of your face which is used to compare against our database of Persons of Interest.
• Date and time you entered the location
• Date and time you left the location

If you are not a known person of interest, your personal data will be automatically deleted after 7 days.

If you are a known person of interest, your personal data will be retained for up to 12 months in order to prevent crime and protect the safety of the public, our customer's employees and their business. This data will be securely stored and only accessed by authorised personnel.

What is a Person of Interest?
A person of interest is someone who has been identified as a potential threat to the safety and security of the public, our customer's employees and/or their business. This may include individuals who have been banned from a location, individuals who have committed a crime or individuals who have been involved in anti-social behaviour.

Where is my personal and special category data stored?
All personal and special category data is stored within the UK and is not transferred outside of the UK. Our data is stored securely and is only accessible by authorised personnel.

Who is my personal and special category data shared with?
In order to provide our services, we may share your personal and special category data with the third parties listed in section 7, which include:

• Microsoft Azure
• AWS UK
• Our customers

What is special category data?
Special category data is more sensitive personal data and can include any of the following categories:

• Political opinions
• Race
• Ethnic origin
• Religious or philosophical beliefs
• Trade union membership
• Genetics
• Biometrics (including facial recognition)
• Health
• Sex life
• Sexual orientation

4. Personal data we process on behalf of our clients

Please see the relevant headings below for information specific to our different services. As mentioned above, where we process personal data as part of our services, we do so as a data processor on behalf of our clients. As such, the appropriate lawful basis is determined by our clients, please see their privacy notices for more information.

Parking

The personal data we process on behalf of our clients when you use a VARS-operated car park includes:

Photographs of the vehicles entering the car park (this may include the driver and other people within the vehicle), the corresponding vehicle’s Vehicle Registration Mark (VRM) and the time at which the vehicle has entered and left the car park. Individuals and/or their vehicles may also be captured by CCTV at the car park.

The personal data we process if you breach the contractual parking terms and conditions, and subsequently a Parking Charge Notice is issued, includes:

• Full name, address, images of the vehicle, VRM of the vehicle and the movements of the vehicle when using the car park.

The personal data we process on behalf of our clients if you submit an appeal in relation to a Parking Charge Notice, or correspond with us regarding a Parking Charge Notice, includes:

• Full name, address, contact details, the VRM of the vehicle, parking charge reference number, the capacity in which you are appealing (for example, keeper, driver, hirer, other) and any other information you may provide in this appeal or correspondence.

The personal data we process on behalf of our clients when you pay a parking charge includes:

• The VRM of the vehicle, a parking charge reference and email address. Additionally, your card details will be collected, including your card number, expiry date and security code.

Forecourt

The personal data we process on behalf of our clients when you use a VARS-operated forecourt includes:

• Photographs of the vehicles entering the forecourt (this may include the driver and other people within the vehicle), the corresponding vehicle’s Vehicle Registration Mark (VRM), and the time at which the vehicle has entered and left the forecourt. Individuals and/or their vehicles may also be captured by CCTV at the forecourt.

The personal data we process on behalf of our clients if you breach the contractual forecourt terms and conditions, and subsequently a Drive Off Notice is issued, includes

• Full name, address, images of the vehicle, VRM of the vehicle and the movements of the vehicle when using the forecourt.

The personal data we process on behalf of our clients if you raise a dispute in relation to a Drive Off Notice, or correspond with us regarding a Drive Off Notice, includes:

• Full name, address, contact details, the VRM of the vehicle, drive off reference number, the capacity in which you are appealing (for example, keeper, driver, hirer, other) and any other information you may provide in this dispute or correspondence.

The personal data we process on behalf of our clients when you pay a drive off notice includes:

• The VRM of the vehicle, a drive off reference number and email address. Additionally, your card details will be collected, including your card number, expiry date and security code.

5. How your personal data is collected

We collect most of this personal data directly from you via our website where you make an enquiry, provide us with your details at a trade show, pay a parking charge/drive off notice or appeal a parking charge/drive off notice. However, for our services we may also collect information from the following sources:

Parking

• Images of your vehicle and your VRM are collected from Automatic Number Plate Recognition cameras, Manual Number Plate Recognition cameras, CCTV cameras and/or attendants on-site.
• Where you are the registered keeper of the vehicle, your personal data has been provided by the Driver and Vehicle Licensing Agency or international equivalent. If you are not the registered keeper of the vehicle, your data has been collected from:
  • A third party who has confirmed that you were responsible for the vehicle, or driving the vehicle on that date, or
  • A third party who has confirmed the vehicle was on hire or leased to you on that date.

Forecourt

• Images of your vehicle and your VRM are collected from Automatic Number Plate Recognition cameras, Manual Number Plate Recognition cameras, CCTV cameras and/or attendants on-site.
• Where you are the registered keeper of the vehicle, your personal data has been provided by the Driver and Vehicle Licensing Agency or international equivalent. If you are not the registered keeper of the vehicle, your data has been collected from:
  • A third party who has confirmed that you were responsible for the vehicle, or driving the vehicle on that date, or
  • A third party who has confirmed the vehicle was on hire or leased to you on that date.

Facial Recognition

• Images of your face are captured by Facial Detection cameras upon entry to a premises which uses our facial recognition system. These images are then securely uploaded to our facial recognition platform where a facial recognition algorithm is used to compare your face against our database of known people of interest.
• If an incident is reported against you, further images and/or details about you may be provided to us by one of our customers.

6. Purposes for which we use your personal data and the lawful basis

When we process your personal data as a data controller, we are required to establish a valid lawful basis for doing so. As a data controller, we may use your it for the following purposes and on the following lawful basis:

• We process your personal data to review and respond to your enquiries, delivered either through our website, or in person at a trade show. It is in our legitimate interests to communicate with you in response to your message.
• Where your personal data has been collected for marketing purposes, we may send you brochures or emails from time to time informing you of products and services that are of interest to you. It is in our legitimate interests to provide you with information regarding products and services relevant to you.
• Where you provide your personal data in order to sign up to one of our services, we may need use this data in order to perform various obligations under our contract with you. When we do so, we rely on the basis of it being necessary for the performance of a contract.
• Where personal data is processed because it is necessary for the performance of a contract to which you are a party, we will be unable to provide our services without the required information.
• Where we process your personal data as part of our facial recognition technology, we do so on the basis of legitimate interests. We have a legitimate interest in processing your data in order to prevent crime and protect the safety of the public, our customer's employees and their business. In order to process your data, we have carried out a legitimate interests assessment (LIA).

7. Sharing your personal data

We may share your personal data with the below parties for the listed purposes:

External third parties:

• Payment provider - Cashflows Europe Limited
• The police or other security organisations for the safety and security of car park users
• The British Parking Association and the DVLA for audit purposes
• Vehicle hire and lease companies
• Any authorised sub-contractors, such as mail service providers, business process outsourcers, credit reference agencies, collection agents and IT service providers.

8. International Transfers

When we collect your personal data, it may be processed outside the UK. This is because the organisations we use to provide our services to you are located in other countries.

We have taken appropriate steps to ensure that where personal data processed outside the UK, it has an essentially equivalent level of protection as it has within the UK. We do this by ensuring that:

• Your personal data is only processed in a country which the Secretary of State has confirmed has an adequate level of protection (an adequacy regulation); or
• We enter into either International Data Transfers Agreements (IDTAs) or Standard Contractual Clauses (SCCs) (with the UK Addendum) with the receiving organisations and ensure that supplementary measures are also applied, where necessary.

9. How long we keep your personal data

We will retain your personal data for as long as is necessary to provide you with our services and for a reasonable period thereafter to enable us to meet our contractual and legal obligations and to deal with complaints and claims.

At the end of the retention period, your personal data will be securely deleted or anonymised.

10. Security of your personal data

We have implemented appropriate technical and organisational measures to safeguard your personal data and protect it from accidental or unlawful destruction, loss or alteration and from unauthorised disclosure or access.

In addition to the technical and organisational measures we have put in place, there are a number of simple things you can do to in order to further protect your personal information, such as;

• If you’re logged into any online service do not leave your computer unattended.
• Close down your internet browser once you’ve logged off.
• Never download software or let anyone log on to your computer or devices remotely, during or after a cold call.

Secure Online Services

You can easily identify secure websites by looking at the address in the top of your browser which will begin https:// rather than http://.

11. Your rights

You have certain rights in relation to the processing of your personal data, including to:

• Request access to your personal data (commonly known as a “Subject Access Request”). This enables you to receive a copy of the personal data we hold about you.
• Request rectification of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
• Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
• Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. If you object to us using your personal data for marketing purposes we will stop sending you marketing material.
• Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data, for example if you want us to establish its accuracy or the reason for processing it.
• Request the transfer of your personal data to another party (data portability).
• Automated decision-making. You have the right not to be subject to a decision based solely on automated processing which will significantly affect you. We do not use automated decision-making.

Right to withdraw consent

In the limited circumstances where you may have provided your consent to the processing of your personal data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we are permitted by law to do so.

How to exercise your rights

You will not usually need to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances. If you wish to exercise your rights, please contact us at complaints@varsanpr.co.uk.

12. How to complain

You have the right to lodge a complaint with the supervisory authority, if you believe we are infringing the UK data protection laws or you are concerned about the way in which we are handling your personal data. The supervisory authority in the UK is the Information Commissioner’s Office who can be contacted online at:

• Contact Us | ICO
• Or by telephone on 0303 123 1113

13. How to contact us

If you wish to contact us in relation to this privacy notice or if you wish to exercise any of your rights outlined above, then please address your correspondence to:

• PO Box 1405, Blackpool, FY1 9PP

Alternatively, you can email us at complaints@varsanpr.co.uk