The General Data Protection Regulation (GDPR) And PayByPhone
PayByPhone is trusted by millions around the world to take the stress out of parking, and we want to make sure that our users know that PayByPhone takes data security very seriously and that we are taking all the necessary steps to comply with the new data protection law called the General Data Protection Regulation (GDPR) that comes into effect on May 25, 2018. The GDPR governs the collection, use and storage of personal data concerning data subjects in the European Union and therefore applies to companies around the world, including PayByPhone.
What is the “GDPR”?
The General Data Protection Regulation was adopted by the European Parliament in April of 2016, with the intent of harmonizing data protection laws across the European Union. The key principles of the GDPR require businesses to protect the personal data and privacy of European citizens (so even if a company is located outside of the European Union, the GDPR has ‘extra-territorial’ reach as long as the company is processing personal data of individuals who live in the European Union).
What has PayByPhone done to prepare for GDPR?
PayByPhone is already compliant with the fundamental principles of data processing under the GDPR in that we process data in a lawful, fair, limited and specific manner and ensure the security, integrity and confidentiality of the data.
PayByPhone performed a lengthy evaluation of our data collection, use and storage to ensure that we made any necessary changes to be compliant before the GDPR comes into force. This included updating our services as well as our legal documentation to ensure compliance with the GDPR. Specifically, we updated our Terms and Conditions, Privacy Policy, Cookies Policy, consent mechanism and user flow in order to be more transparent about how PayByPhone collects, uses and stores our users’ Personal Data.
Why is PayByPhone complying with the GDPR?
The goal of the GDPR is to redress the imbalance of power and contract that individuals like you face when you interact and share Personal Data with companies.
At PayByPhone we are committed to our users and want to be more transparent with them about what Personal Data is collected, how we use it and how we keep that Personal Data safe all while protecting their fundamental rights.
What is “Personal Data”?
Under the GDPR ‘Personal Data’ is any information relating to an identified or identifiable natural person or ‘Data Subject’. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to other Personal Data.
Examples of Personal Data processed by PayByPhone are: name, email address, location, IP address, cookies, other device identifiers, and customer support tickets having any of the same information.
Why does PayByPhone Collect Personal Data?
PayByPhone only collects the Personal Data that we need in order to offer our users parking payment services and to communicate with you in relation to those services.
What are “Controllers” and “Processors”?
A Controller is the entity that determines the purposes and means of processing Personal Data of the EU resident. A Processor is the entity that processes Personal Data on behalf of Controllers, according to their instructions. The GDPR applies to both Controllers and Processors.
PayByPhone is both a Controller in that we determine what Personal Data we require on Data Subjects in order to offer our parking payment services, as well as a Processor, in that we process data on behalf of our clients.
What are the Lawful Bases of Processing Data?
Under the GDPR, there are six lawful bases of processing data: consent, contractual obligation, legal obligation, best interest of the data subject, best interest of the public, or the best interest of the company.
Every piece of personal data that is processed by PayByPhone is processed under one of the lawful bases of processing, including a contractual relationship, a legal obligation, consent or a legitimate interest. PayByPhone is transparent with our users about this processing in our Terms and Conditions.
What is Consent under GDPR?
The GDPR changes the way companies can obtain consent from their users. The GDPR requires that consent be given freely, with a positive action, clearly distinguishable from other matters, in an intelligible and easily accessible form using plain language.
PayByPhone has changed the way that we obtain consent from our users by increasing the transparency and simplifying the language. Users can adjust their communication preferences at any time in their account or by calling the customer support centre.
What Additional Rights do users have under the GDPR?
GDPR significantly enhances people’s right to access their own Personal Data, to make sure that it is up to date, and to have their Personal Data deleted from a company’s database. Under the GDPR, people also have a right to restrict their Personal Data from being used for direct marketing purposes.
PayByPhone already offers our users the ability to access and update their Personal Data and will now allow users to request the erasure of their data, where possible. All users can also choose their communication preferences for direct marketing.
Does the GDPR require EU Personal Data to stay in the EU?
There are many who believe that the GDPR places a data residency requirement on Personal Data about EU Data Subjects, such that it is only allowed to be processed in the EU. The GDPR does not require EU personal data to stay in the EU. Under the GDPR, Personal Data is allowed to be transferred to other countries outside of the EU, as long as it is done in a compliant way: meaning that it is transferred to a country that is deemed ‘Adequate’ in terms of data protection and privacy, that it is transferred under Model or Contractual clauses, or that it is transferred under Binding Corporate Rules.
PayByPhone offers our services around the world and has offices in Europe and North America. Personal Data is transferred to Canada (which is deemed Adequate in terms of data protection and privacy), and only to entities with whom we have Model or Contractual clauses.
Data Security under GDPR - what is “Privacy by Design”?
The GDPR requires Controllers and Processors to apply a reasonable level of security to the data collected to protect against loss, unauthorized changes, or data breach. Privacy by design is a fundamental concept under the GDPR that requires companies to implement appropriate measures to mitigate privacy risks at the time of conception of any product or service offering, such that as soon as the company collects Personal Data it is only collecting Personal Data that is actually required to offer the service, and that the Personal Data is used only for the purposes for which it is collected and is stored in a secure manner.
Data privacy has always been a priority for PayByPhone since the inception of the company. One of the founding principles of PayByPhone is to offer an extremely convenient service while never sacrificing data protection. PayByPhone strives to only collect information that we require in order to offer the best possible service to our users, and to keep all that information safe and secure by using appropriate technical and organisational measures such as pseudonymisation, anonymisation and encryption of data.
Find out more
To learn more about your rights, please refer to PayByPhone’s Terms and Conditions, Privacy Policy and Cookies Policy.
If you have any questions about PayByPhone and the GDPR, please don’t hesitate to reach out to our Customer Support Team. We will continue to share further information in the coming weeks and months.
Customer Support Centres
USA and Canada
General: 604 642 4286
Sales: 1 866 783 7787
Email: https://paybyphone.ada.support/chat/
1290 Homer Street
Suite 600
Vancouver, BC
V6B 2Y5
Canada
Europe
Email: uksupport@paybyphone.com
Bishops Court
17A The Broadway
Old Hatfield
AL9 5HZ