Processing of Personal Data in Gardermoen Parkering AS (hereafter referred to as GP)
GP will process personal data in connection with our business operations.
Our processing of personal data as the data controller is based on the nature and purpose of our business activities. Information about the personal data we process about you, the legal basis for processing, the purpose of the processing, how long we process the personal data, etc., is provided below.
If you have any questions or want to know more about our processing of personal data, you can contact us – see the contact details below.
- Responsible for the Processing of Personal Data
GP is the data controller, which means that we decide why and how personal data will be processed for the processing described below.
Contact Information for the Data Controller:
• Address: Museumsvegen 15, 2060 Gardermoen
• Email: mail@gardermoenparkering.no
• Phone: +47 63 94 95 96
• Organization number: 990456763
2. Why We Collect Personal Data and What Information We Collect
We collect and use personal data for different purposes, depending on who you are and how we come into contact with you.
All processing of personal data is carried out in accordance with the applicable privacy regulations at all times, including the Personal Data Act and the General Data Protection Regulation (GDPR).
“Personal data” refers to all information that can be linked to a physical person (referred to as the “data subject”).
“Processing” refers to everything done with personal data, such as collection, registration, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or any other form of making available, alignment or combination, restriction, deletion, or destruction.
3. Communication and Contact
We process personal data about those who contact us to respond to and document communication and to reach out to others. This applies to all forms of communication, physical and digital, written and oral.
In such cases, we process names, phone numbers, email addresses, and any personal data that may be included in the inquiry, including the history/log of the inquiry.
The processing of data is based on our legitimate interest in processing personal data related to the above (see GDPR Article 6 (1) f). We have assessed that our legitimate interest in communicating with the outside world is a part of our business, to document the activities we conduct, and to respond to those who contact us and register such contact. We have assessed that this is necessary for us to handle inquiries we receive and that the privacy of the data subjects does not outweigh these interests.
Providing us with personal data is voluntary, but it will be necessary to provide the information for us to respond to inquiries.
We process the information until we consider that there will be no further follow-up of the contact, normally within one year.
4. Retention and Deletion of Personal Data
We retain personal data as long as it is necessary for the purpose for which the personal data was collected and delete the data in accordance with regulatory requirements. The duration for which we process specific types of data is provided above where individual processes are described.
For example, personal data processed based on your consent will be deleted if you withdraw your consent. Personal data processed to fulfill an agreement with you will be deleted when the agreement is fulfilled and all obligations arising from the contractual relationship are met, such as legal obligations related to accounting, customer relationship follow-up related to complaints, etc. Personal data processed due to a legal obligation will be deleted as soon as we are no longer required to retain the data.
5. Disclosure of Personal Data to Others
We do not share your personal data with others unless there is a legal basis for this. Examples of such legal basis typically include an agreement with you or a legal obligation that requires us to disclose the information.
We use data processors to collect, store, or otherwise process personal data on our behalf. In such cases, we have entered into agreements to ensure data security at all stages of the processing. Currently, we use the following data processors:
Giant Leap (Autopark), Nettmaker, Riverty, and Skidata
For logistics and operational purposes of parking areas fields A, B, C, and D
Name, email, phone, and license plate number.
6. Security of Processing
All processing of personal data is secured with the required technical and organizational measures.
We handle information so that it is accurate, available, and managed according to the level of sensitivity of the data. We also use various security technologies and information security procedures to protect personal data from unauthorized access, use, or disclosure. Risk assessments are conducted for the processing of personal data.
We have entered into data processing agreements with all our suppliers who process personal data, where they undertake the same level of security as we have for our processing of personal data.
We limit access to personal data to the personnel or third parties who will process the data on our behalf. These parties are subject to a duty of confidentiality.
Procedures for handling breaches of information security and routines (data breaches) are established, and if there is a breach that poses a risk to the privacy of the data subjects, we will report the incident to the Norwegian Data Protection Authority as soon as possible and no later than 72 hours after the breach was discovered. If the breach poses a high risk to the privacy of the data subjects, we will also notify them.
7. Your Rights When We Process Personal Data About You
Below are your rights regarding the processing of personal data. To exercise your rights, you must contact us via our website at https://www.gardermoenparkering.no/kontakt-oss/generelt. We will respond to your inquiry as soon as possible, and no later than one month. If it takes longer than one month, you will be informed.
We will ask you to confirm your identity or provide additional information before allowing you to exercise your rights with us. We do this to ensure that we only grant access to your personal data to you – and not to someone pretending to be you.
Information
You have the right to receive information about the personal data we process about you. Through this statement, we inform you about our processing of personal data. You can also contact us if you want more information.
Access
You have the right to request access to the personal data processed about you. Contact us if you wish to gain access.
Modification and Deletion
You can also ask us to correct incorrect information we have about you or ask us to delete personal data. We will accommodate a request to delete personal data as far as possible, but we may not be able to do so if we still need the data.
Processing Based on Consent
If we process personal data based on your consent, you can withdraw your consent at any time. The easiest way to do this is to use the method provided when you gave consent or contact us.
Right to Restrict or Object to Processing
You have the right to have the processing restricted in certain cases, see GDPR Article 21, such as:
• You dispute the accuracy of the personal data – the processing is stopped for a period that allows us to verify the accuracy of the personal data.
• The processing is unlawful, and you oppose the deletion of personal data and instead request that the use of the personal data be restricted.
• We no longer need the personal data for the purpose of the processing, but you need it to establish, exercise, or defend legal claims.
You may also object to processing under GDPR Article 21, paragraph 1, pending verification of whether our legitimate interests override your privacy rights.
Right to Data Portability
For data you have provided to us and is necessary to fulfill an agreement with us, and which is processed automatically (i.e., not manually by us), you may request to have the personal data about you delivered or transferred to another provider in a structured, commonly used, and machine-readable format (data portability).
Automated Processing, Including Profiling
There will be no automated processing, including profiling, based on your personal data that has legal effects or significantly affects those to whom the personal data pertains. See GDPR Article 22, paragraphs 1 and 4.
You have the right to refuse automated processing or profiling that affects you by contacting us.
8. Complaints
If you believe that our processing of personal data does not comply with what we have described here or that we otherwise violate data protection laws, you can file a complaint with the Norwegian Data Protection Authority.
You can find information about your rights and how to contact the Norwegian Data Protection Authority on their website: www.datatilsynet.no.
9. Changes
If there are changes to our services or changes in regulations on the processing of personal data, this may lead to changes in the information provided here. If we have your contact details, we will notify you of these changes. Otherwise, updated information will always be readily available on our website.