SKIP_NAV_LINK
Dundrum LOGO

Car Park Privacy Policy

Dundrum Town Centre Car Park Privacy Policy ("Policy")

Dundrum Car Park Limited Partnership, 6th Floor, 2 Grand Canal Square, Dublin 2 (“the Company”, “we”, “our” or “us”) has certain obligations under the General Data Protection Regulation (“GDPR”) to notify individuals (“you” or “your”) about how we will process any personal data we collect from or about them. We treat your data privacy very seriously and understand that you will wish to know how we will use your personal data. To contact us if you have any questions about this Policy or our processing of your personal data (including to exercise your rights under the GDPR), including details of our Data Protection Officer, please see our contact details included below in this Policy under ‘How to contact the Company?’ header.

We are part of the Hammerson group of companies (“the Hammerson Group”), which may also be provided with personal data about you. This Policy will inform you of what personal data we collect in relation to our car parking services only, how that information is used, our lawful basis for such use, who it is shared with and why, where it is transferred, your rights in relation to it and how you can exercise our data protection rights.

What personal data is collected? We collect various “personal data” about you in order to provide you with our car park services, as set out in our terms and conditions, including to ensure the security of our car park. This Policy relates only to your use of our car parking services, not other services which we may provide to you. If you are using any of our other services, please consider our website for other applicable privacy notices/policies (www.dundrum.ie). Under the GDPR, personal data is information from which you are indentified or are identifiable (directly or indirectly). We collect personal data in the following instances:

When you enter/exit the car park

The personal data which may be collected and used by us in our provision of the car park services include your:

  • vehicle registration number (collected by automatic number plate recognition cameras (“ANPR”);

  • video recording (without sound) (collected by CCTV used in the car park); and/or

  • payments and payment methods for the use of the car park.

In the majority of cases we do not (unless you are a customer for any additional car park services that we may provide, such as pre-booking services and loyalty schemes) seek to combine the above personal data with other information we may have about you.

When you interact with us

We may collect personal data such as name/contact details if you contact us and provide such additional information to enable us to identify you (or your vehicle). For example:

  • when raising an enquiry with us about your use of our car park services (such as the location of your vehicle); or

  • when signing up for other car park services which we may provide where applicable (including pre-booking services or to administer loyalty schemes); and

  • if you are eligible for automatic entry/exit to the car park (e.g. if you are a Company employee, Hammerson Group employee, a contract parker, pre-paid parker, competition winner for free parking or recipient of a loyalty or promotional offer).

In addition, should we need to carry out further enquiries, in accordance with our terms and conditions and/or to deal with an enquiry raised by you and/or to enable you to sign up for other services (where applicable) such as pre-booking services (season tickets and/or day-to-day) or to administer loyalty schemes, we may also collect your:

  • name;

  • contact details (business or personal);

  • opinions or suggestions on our services; and/or

  • bank account details (for the purposes processing payments).

If we offer and you have chosen to use an online portal or a mobile app to enable you to interact with us (including to use our car park services), your use of that online portal or app may lead to us processing additional types of personal data about you. This will be detailed in a separate privacy notice/policy which we will make available to online portal users and app users as relevant.

When you are non-compliant with our car park contract

We may process details of your unresolved, non-compliance (if any) with contracts between us (e.g. if there has been a non-payment or other breach of contract by you in relation to your use of the car park).

When you/your vehicle is involved in an alleged crime in the car park

We may process personal data if your vehicle has been involved in alleged crime (to the extent it is caught on our car park CCTV), or in relation to facilitating the exit from the shopping centre following the commission of an alleged crime (to the extent it is caught on our car park CCTV), or as otherwise reported to and subject to investigation by An Garda Síochána, or whether you are subject to a banning order from the shopping centre to which the car park is affiliated. In these circumstances, we may have determined not to permit your vehicle, or the vehicle we have connected to you, to enter the car park based on that previous behaviour.

Incidental Processing of your personal data

In addition, we may (unintentionally) also process "special category personal data” about you (as described in this paragraph), in particular when your image is captured by CCTV. Such processing is only incidental to our use of CCTV, and we do not use this data to deduce special category personal data about you or to make any decisions about you or otherwise act on it.

Anonymised data for statistical analysis

We may also convert the personal data into statistical, aggregated non-identifiable form. This anonymised data cannot be linked back to you. We may then use that anonymised data to conduct research and analysis, including to produce statistical research and reports. For example, to help us understand car-park usage. The anonymised data, research and reports may also be made available to and used for market research/analysis purposes within the Hammerson Group (who will not be able to identify you from the data made available to them).

For what purposes will your personal data be used and what is our corresponding lawful basis under GDPR?

We may process your personal data for the following purposes:

  • providing car park services (and, where applicable, pre-booking services (season tickets and/or day to day) and loyalty schemes) to you in accordance with our terms and conditions. Our lawful basis under the GDPR in relation to these purposes is that it is necessary for the performance of our contract with you (or in order to take steps at your request prior to entering into a contract with you);

  • legitimate business reasons - management reporting, accounting, other internal business (including joint ventures and business sales) and sales management, if any personal data is involved. Our lawful basis under the GDPR in relation to these purposes is that it is necessary for the purposes of our (or a third party’s) legitimate business interests (e.g. to manage our business responsibly and efficiently), which are not overridden by your interests, fundamental rights and freedoms;

  • customer relationship management - dealing with any queries or correspondence from you (including your opinions or suggestions on our services). Our lawful basis under the GDPR in relation to these purposes is as follows: (i) where the processing relates directly to responding to you, our lawful basis under the GDPR is that you have consented to us responding to you, by making a direct request to us which requires a response; and (ii) where the processing is not directly related to responding to you (e.g. obtaining professional or legal advice to allow us to consider our response, discussing your request in management meetings), our lawful basis is that it is necessary for the purposes of our (or a third party’s) legitimate business interests (e.g. to manage our business responsibly and efficiently, and to consider and protect our own legal rights), which are not overridden by your interests, fundamental rights and freedoms.

  • enforcement of our terms and conditions. Our lawful basis under the GDPR in relation to these purposes is that it is necessary for the performance of our contract with you (or in order to take steps at your request prior to entering into a contract with you);

  • compliance with legal obligations. Our lawful basis under the GDPR it is necessary for compliance with a legal obligation to which we are subject;

  • where we have determined not to permit your vehicle (or a vehicle that we have associated with you) to enter the car park based on previous behaviour (e.g. non-payment, breach of contract, (alleged) criminal behaviour, banning orders, as explained above), our lawful basis under the GDPR in relation to this purpose is that it is in our (or a third party’s, such as other users of our car park) legitimate business interests (e.g. to ensure that vehicles entering the car park do not present us with security or breach of contract risk, to enforce previous contracts, to protect others’ property rights or for the security of our car park), which are not overridden by your interests, fundamental rights and freedoms; and/or

  • where our processing of the personal data referred to above, or otherwise to the extent this is caught on car park CCTV, relates to criminal offences (or alleged) (including its disclosure to law enforcement authorities such as An Garda Síochána or otherwise in relation to legal claims or determining not to permit your vehicle to enter the cark park), our lawful bases for determining not to permit your vehicle to enter the car park or disclosure to law enforcement authorities (such as An Garda Síochána) under the GDPR is that the processing is necessary for the purposes of our (or a third party’s) legitimate business interests (e.g. to ensure the safety of the car park, and to consider and protect our own legal rights), which are not overridden by your interests, fundamental rights and freedoms and under the Data Protection Act 2018 our legal bases are to prevent injury or other damage to you or other individuals or loss in respect of, or damage to, property or otherwise to protect your vital interests or the vital interests of another person and in respect of legal claims is that it is necessary for the establishment, exercise or defence of such claims.

Profiling and automated decisions (and our corresponding lawful basis under GDPR for this)

In some limited cases, we may also carry out profiling which involves the processing of your personal data. The profiling we carry out is focused on your vehicle registration number (or in some instances another vehicle registration number which we have associated with you), although because we may be able to identify you from your vehicle registration number details (in conjunction with other personal data held about you, as described above in this Policy). This will constitute profiling based on your personal data. We create a profile of your vehicle registration number, including whether (or not, to the extent relevant) your vehicle is permitted to enter the car park based on previous behaviour (e.g. non-payment, breach of contract, criminal behaviour, banning orders, as explained above in this Policy), frequency of visits or whether you are eligible for automatic entry/exit to the car park (e.g. if you are a Company employee, Hammerson Group employee, a contract parker, pre-paid parker, competition winner for free parking or recipient of a loyalty or promotional offer). This enables us to determine whether to permit you to enter the car park, to enter into and enforce our contracts, or to potentially offer discounts (e.g. loyalty offers).

Where our profiling does not have legal or similarly significant effect on you, or where we (i.e. a person within the Company or Hammerson Group) has made a decision which is being implanted via our car park gates, such as to determine that the vehicle registration number of the vehicle you are driving matches the details of a vehicle registration number we have previously determined should be permitted or not to access the car park, our lawful basis under the GDPR is that is necessary for the purposes of our (or a third party’s) legitimate business interests (e.g. to ensure that vehicles entering the car park do not present us with security or breach of contract risk, to enforce previous contracts, to protect other’s property rights or for the security of our car park) in the case of vehicles which are not permitted to enter the car park), which are not overridden by your interests, fundamental rights and freedoms, or that it is necessary for performance of a contract with you (e.g. as to automatic entry/exit).

However, where we use the personal data (including profiling) to make automated decisions about you which produce legal effects on you or similarly significantly affects you, we do so where it is necessary for entering into (or performing) a contract between us and you, as set out below. We will implement suitable measures to safeguard your rights, including providing you with the right to obtain human intervention, to express your point of view and contest the decision.

Where we make these automated decisions, to obtain human intervention (i.e. a human will review the automated decision which has been taken), express your point of view and contest the decision, please contact us as set out under the ‘How can I contact the Company?’ header below.

Who will see my personal data?

Your personal data may be made available to third parties providing relevant services under contract to us, or the Hammerson Group for these purposes, such as:

  • providers of certain business function services, such as IT support, processing of payment card/details, website and data hosting providers and administrators. These parties will process the personal data on our behalf (as our data processor). We will disclose your personal data to them so that they can perform those functions. Examples of these providers include our outsourced IT systems software and maintenance, payment processing and back up and server hosting providers; and

  • security/parking team service provider (for watching CCTV and responding to barrier/ticket questions). This provider will process the personal data on our behalf (as our data processor) and will disclose your personal data to it so it they can provide us with these services.

Your personal data may also be made available:

  • when we are required to disclose it to An Garda Síochána in connection with efforts to investigate, detect, prevent, or take action regarding illegal activity, suspected fraud, or other wrongdoing or otherwise comply with applicable law or co-operate with An Garda Síochána; to protect and defend the rights, property or safety of the Company, its customers, staff, suppliers or others; or to enforce the cark park terms and conditions or other agreements (including, for example, where a vehicle has been abandoned in our car park). Our lawful bases under the GDPR and (where relevant) the Data Protection Act 2018, for this processing are set out above in this Policy;

  • to our advisors (such as consultants, legal advisors, auditors and other professional advisors), in order that we can receive advice and services from them. Our lawful basis under the GDPR for this processing is that it is necessary for the purposes of our (or a third party’s) legitimate business interests (e.g. for us to be able to obtain professional or legal advice), which are not overridden by your interests, fundamental rights and freedoms. To the extent that the personal data disclosed consitutes criminal offences (including alleged), this will be limited to disclosures in relation to legal claims and our lawful basis under the Data Protection Act 2018 is that the processing is necessary for the establishment, exercise or defence of legal claims;

  • in response to a court order, or a request for cooperation from a law enforcement (such as An Garda Síochána) or other government agency; to establish or exercise its legal rights; to defend legal claims; or as otherwise required or permitted by applicable laws and/or regulations. Our lawful bases for this processing is set out above in this Policy; and/or

  • to prospective or actual buyers in the event that the Company sells or buys any of its business or assets. Our lawful basis under the GDPR for this processing is that it is necessary for the purposes of our (or a third party’s) legitimate business interests (e.g. for a purchaser of any of our business to have details of individuals using the services provided by that part of the business), which are not overridden by your interests, fundamental rights and freedoms.

Will my personal data be transferred abroad?

Your personal data processed in accordance with this Policy may be transferred to recipients who are located within the European Economic Area (“EEA”). It will not be transferred to or otherwise processed by recipients located outside of the EEA.

Security

The Company takes precautions including administrative, technical and physical measures to protect your personal data against loss, theft and misuse, as well as against unauthorised access and disclosure.

How long do we retain your personal data?

We will only keep the personal data for a limited amount of time and no longer than is necessary for the purposes for which it is processed, as set out below:

  • your vehicle registration number will be retained for as long is necessary for the Company to complete business and financial reporting on the car park services including such other periods as are necessary for the purposes of legal claims and dealing with any queries from you; and

  • CCTV images will be retained by us for 28 days, unless required to be kept for longer due to investigations into alleged crimes in the car park, legal obligations or legal claims [(although note that the shopping centre within the Hammerson Group who controls the processing of personal data in CCTV images may retain this for a different period – you should consult the relevant fair processing notice/policy issued by the shopping centre for details).

What rights do I have in relation to my personal data and how to exercise them?

You have certain legal rights in relation to any personal data about you which we hold, as summarised below. They do not apply in all circumstances. If you wish to exercise any of them we will explain at that time if they are engaged or not:

  • the right to be informed about your processing of your personal data;

  • the right to have your personal data corrected if it is inaccurate and to have incomplete personal information completed;

  • the right to object to processing of your personal data (see further details below);

  • the right to restrict processing of your personal data;

  • the right to have your personal data erased (the “right to be forgotten”);

  • the right to request access to your personal data and to obtain information about how we process it;

  • the right to move, copy or transfer your personal data (“data portability”);

  • rights in relation to automated decision making which has a legal effect or otherwise significantly affects you – as described under the ‘Profiling and automated decisions’ header above.

Where our processing of your personal data is based on your consent (i.e. directly responding to any requests or enquiries that you make of us), you have the right to withdraw your consent at any time. If you do decide to withdraw your consent we will stop processing your personal data for that purpose, unless there is another lawful basis we can rely on – in which case, we will let you know. Your withdrawal of your consent won’t impact any of our processing up to that point.

Where our processing of your personal data is necessary for our legitimate interests, you can object to this processing at any time. If you do this, we will need to show either a compelling reason why our processing should continue, which overrides your interests, rights and freedoms or that the processing is necessary for us to establish, exercise or defend a legal claim.

If you wish to exercise any of your data protection rights please contact us as set out below under the ‘How can I contact the Company?’ header.

You also have the right to lodge a complaint with the Data Protection Commission, which is the Irish data protection regulator. More information can be found on making a complaint to the Data Protection Commission at https://www.dataprotection.ie/en/individuals/raising-concern-commission.

Updates to this Policy

We may update this Policy from time to time to reflect changes to the type of personal data that we process and/or the way in which it is processed. We will then publish the updated Policy on our website (www.dundrum.ie) and it will also be made available upon request at our customer service desks. We also encourage you to check this Policy on a regular basis so that you are aware of updates.

How can I contact the Company?

In first instance, you are encouraged to contact info@dundrum.ie with any queries or concerns relating to this Policy, or to exercise your rights in relation to your personal data. Your initial query, concern or rights request may be onward raised to our Data Protection Officer, but equally you are able to escalate your query, concern or request directly or raise other queries about our compliance with the GDPR in relation to your personal data to our Data Protection Officer who can be contacted at Kings Place, 90 York Way, London N1 9GE or Dataprotectionofficer@hammerson.com

Date last updated: January 2020.