What the GDPR is
The GDPR is a new comprehensive data protection law in the EU that updates existing laws to strengthen the protection of personal data. It replaces the patchwork of national data protection laws currently in place with a single set of rules, directly enforceable in each EU member state. It is effective from May 25, 2018. EU residents will now have greater say over what, how, why, where, and when their personal data is used, processed, or disposed. This rule clarifies how the EU personal data laws apply even beyond the borders of the EU. Any organization that works with EU residents’ personal data in any manner, regardless of location, has obligations to protect the data. We fully understand this, so we collect as little personal data as possible and safeguard it as well as we can.
The Right of Access
Data subjects have the right to access all data a business holds about them at any time. This includes session and payment data.
What if a customer demands to see their data?
As a data processor, we’re under a legal obligation to assist the data controller to provide this information.
One thing to bear in mind is that there’s a big risk around Data Subject Right Requests: They can be used for fraud. We have to be careful to authenticate the customer before providing the information. We don’t want an identity thief to exploit your system in order to steal consumer information.
The Right to be Forgotten – what data you can (and can’t) delete
Another important Data Subject Right is the Right to be Forgotten. In a marketing context, this means deleting every record of the consumer and never contacting them again. This is straightforward. But it’s not so clear-cut when it comes to payment and bookkeeping data, and there are situations when certain data can’t be revoked.
There are situations when certain data can’t be revoked.
For example, in a product sales scenario, where there are statutory warranties in place, e.g. if your customer has an annual subscription, which hasn’t been canceled, you need to keep the data in order to continue billing or store data for bookkeeping.
Who the GDPR applies to
The GDPR applies to all organizations operating in the EU or processing “personal data” of EU and Switzerland residents.
What data the GDPR applies to
Under the GDPR, the concept of “personal data” is very broad and covers any information relating to an identified or identifiable individual (also called a “data subject”). Personal Data is anything that you could conceivably use to identify a person within a larger group. That includes name, address, email, IP address, cookies, location etc.
What personal data we collect and why
|Mobile number||Every account is unique due to the uniqueness of the mobile number, which is used to identify you as a user, log you in, notify you, connect to you.||User identification|
|Country (from ip info)||
Loading relevant settings for user
When used the service
|Type of service used (e.g. parking, pre-booking)||
Can be referred to as Session info
Bookkeeping, Statistics, customer support
|Timestamp, when used|
|Place, where used and price|
When added payment method
|Credit card type||Credit card info stored by Adyen.|
|Company VAT ID|
3rd parties with whom personal information may be shared
|InvoiceOcean||Name, email, vehicle registration plate number, used services||To create invoices automatically||Invoicing|
|Zoho||Name, email, vehicle registration plate number, used services||Bookkeeping related info|
|Messente||Mobile number||SMS authentication|
|IpInfo||IP address||Setting automatically users country/language and calling code. In order to detect the misuse of the system, combat abuse, and for logging purposes.|
|Clevertap||Email, phone, country, name, language, session info||Analytics, reminders, payment info for end users, push notifications.|
|Adyen||Credit card info, email||Payments|
Data is stored in a database hosted in DigitalOcean’s data center in Amsterdam, Netherlands and AWS server in Ireland.