APCOA FLOW Privacy Policy

We are very pleased that you are visiting an application of APCOA Deutschland GmbH, Air Freight Centre 605/6, Level 6, 70629 Stuttgart (Airport), registered in the Commercial Register of Stuttgart Local Court under No. HRB 221831, and thank you for your interest in our company and services.

Data protection is of a particularly high priority for the management of the APCOA Deutschland GmbH. The processing of personal data, such as the name, address, e-mail address, licence plate number or telephone number of a data subject, is always carried out in accordance with the General Data Protection Regulation and in compliance with the country-specific data protection regulations applicable to APCOA. By means of this data protection declaration, we would like to inform the public and you in particular about the type, scope and purpose of the personal data collected, used and processed by us. Furthermore, you will be informed of the rights to which you are entitled by means of this privacy policy.

As the controller, APCOA has implemented numerous technical and organisational measures to ensure the most complete protection of personal data processed. The security measures are continuously improved in line with technological developments. Nevertheless, Internet-based data transmissions can generally have security gaps, meaning that absolute protection cannot be guaranteed.

Overview: A. General information

I.Definitions

1.personal data

2.data subjects

3.processing

4. restriction of processing

5.profiling

6. pseudonymisation

7. controller or controller responsible for the processing

8.processor

9.recipient

10.third party

11.consent

II.Name and address of the controller

III.collection of general data and information

IV.Obligation to provide / necessity of personal data for the conclusion of the contract

V. Existence of automated decision-making

B. Collection, processing and use of your personal data

I.General information on the purposes of data processing

II.Scope of data collection, data processing and data use

1.mobile app

2. registration for the APCOA FLOW user account

3. ordering and sending the APCOA FLOW access medium

4 APCOA FLOW car park service

5.payment and billing

6.managing credit card details

7. parking history

8. transmission of geodata

9. receive messages (push notifications)

10.contact option via the website and the mobile app

11.APCOA FLOW newsletter

12.use of Clevertap

III.passing on the data

1. selected developers and companies ("API partners")

2.production and dispatch of the APCOA FLOW RFID tag

3. payment service providers, debtor management service providers, debt collection

4.third countries

C.Routine deletion of personal data

D.Your rights

I.Right to confirmation

II.Right of access

III.right to rectification

IV.Right to erasure (right to be forgotten)

V.Right to restriction of processing

VI.right to data portability

VII.right to object

VIII.Automated decisions in individual cases including profiling

IX.Right to withdraw consent under data protection law

E.Cookies

F.Information on the use of offers from third-party providers

I.Data protection provisions about the application and use of Facebook

II.Google Maps Plugin

III Data protection provisions about the application and use of Google Analytics (with anonymisation function)

IV Data protection provisions about the application and use of Google Analytics for Firebase

V. Data protection provisions about the application and use of Google Remarketing

VI Data protection provisions about the application and use of Google AdWords

VII Data protection provisions about the application and use of DoubleClick

A. General information

I.Definitions

The data protection declaration of APCOA is based on the terms used by the European legislator for the adoption of the General Data Protection Regulation (GDPR). Our privacy policy should be easy to read and understand for the public as well as for our customers and business partners. To ensure this, we would like to first explain the terminology used.

We use the following terms, among others, in this privacy policy:

1.personal data

Personal data means any information relating to an identified or identifiable natural person (hereinafter "data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

2.data subjects

Data subject is any identified or identifiable natural person whose personal data is processed by the controller responsible for the processing.

3. processing

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

4. restriction of processing

Restriction of processing is the marking of stored personal data with the aim of limiting their future processing.

5.profiling

Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

6.pseudonymisation

Pseudonymisation is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

7. controller or controller responsible for the processing

Controller or controller responsible for the processing is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

8. processor

Processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

9. recipient

Recipient is a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular enquiry in accordance with Union or Member State law shall not be regarded as recipients.

10.third party

Third party is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

11.consent

Consent is any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

II. name and address of the controller

Controller for the purposes of the General Data Protection Regulation (GDPR), other data protection laws applicable in Member states of the European Union and other provisions related to data protection is:

APCOA Deutschland GmbH
Air Cargo Centre 605/6, Level 6
70629 Stuttgart (Airport)
Germany
Phone: 0711 94791-0
Internet: www.apcoa.de

You can contact our data protection officer at datenschutz@apcoa.de or at our postal address with the addition "the data protection officer".

III Collection of general data and information

In principle, you can use the services of APCOA Flow without telling us who you are. In this case, a range of general data and information is collected. This general data and information is stored in the server log files. The following can be recorded

the browser types and versions used
the operating system used by the accessing system
the website from which an accessing system reaches our website (so-called referrer)
the sub-websites that are accessed via an accessing system on our website,
the type and time of the action, e.g. login, logout and the selected login method
an internet protocol address (IP address),
the internet service provider of the accessing system,
the type of device and browser used, e.g. "iPhone 7 & Safari"
the services from which you visit us,
the location from which the login takes place as part of our security strategy and
other similar data and information used for security purposes in the event of attacks on our information technology systems.

When using this general data and information, APCOA does not draw any conclusions about the data subject. Rather, this information is required in order to

correctly deliver the content of our website,
optimise the content of our website and the advertising for it
ensure the long-term functionality of our information technology systems and the technology of our website, and
to provide law enforcement authorities with the information necessary for criminal prosecution in the event of a cyber attack.

Therefore, APCOA analyses anonymously collected data and information statistically, with the aim of increasing the data protection and data security of our enterprise, and to ensure an optimal level of protection for the personal data we process. The anonymous data of the server log files are stored separately from all personal data provided by you.

IV Obligation to provide / necessity of personal data for the conclusion of the contract

We inform you that the provision of personal data is partly required by law (e.g. tax regulations) or may also result from contractual provisions (e.g. information on the contractual partner). Required data such as name and e-mail address must be provided in order to register and conclude the contract of use via APCOA FLOW. Without these, we will not be able to enter into a user relationship with you. As part of the user contract, you are contractually obliged to keep the data provided true and complete with regard to all applications you use for the entire term of the contract. We will inform you during the input process if the provision of personal data is required for the respective function or application ("mandatory field"). In the case of required data, failure to provide it will mean that the function or application in question cannot be provided. In the case of optional data, failure to provide it may mean that we are unable to provide our services in the same form and to the same extent.

V. Existence of automated decision-making

As a responsible company, we do not use automated decision-making or profiling.

B.Collection, processing and use of your personal data

I.General information on the purposes of data processing

The operation of a service such as APCOA FLOW is naturally subject to very dynamic development. It is therefore not possible to describe every single detail. However, we would like to show you the essential details of data processing. Your personal data includes information such as your name, your address, your telephone number, your licence plate number or your e-mail address. Personal data is only collected, processed and/or used if you provide it to us voluntarily, e.g. to establish, define the content of or amend a contractual relationship between you and us or to register for personalised services.

Your data is processed in particular to fulfil our contractual obligations towards our users. In these cases, the processing is based on Art. 6 I lit. b GDPR. The same applies to such processing operations that are necessary for the implementation of pre-contractual measures, for example in cases of enquiries about our products or services.

By way of derogation, we process your data to protect our legitimate interests, taking into account your interests, e.g. if we send you promotional newsletters. In these cases, the processing operations are based on Art. 6 I lit. f GDPR.

And, of course, in some cases we are legally obliged to process data, e.g. to hand over data to investigating authorities (Art. 6 I lit. c GDPR).

As part of the fulfilment of our contractual obligations towards our users, we always try to adapt our services to the needs of our users. Personalisation plays an important role here. This involves creating interest and usage profiles. To determine these interests, we use the information that you provide to us, but also implicit feedback, i.e. information that we receive automatically based on your use of APCOA FLOW (through so-called "tracking"). In such cases, processing is based on Art. 6 I lit. d GDPR and is permitted if it is necessary to safeguard a legitimate interest of our company or a third party, provided that the interests, fundamental rights and freedoms of the data subject do not prevail.

In addition, your personal data will only be used if you have given your prior consent (Art. 6 I lit. a GDPR).

II Scope of data collection, data processing and data use

1. mobile app

a) Downloading the mobile app
When you download the mobile app, the required information is transmitted to the App Store, in particular your user name, email address and customer number of your account, the time of the download and the individual device identification number. We have no influence on this data collection and are not responsible for it. We only process the data to the extent necessary for downloading the mobile app to your mobile device.

b) Use of the mobile app

When using the mobile app, we collect the personal data described below to enable convenient use of the functions. If you wish to use our mobile app, we collect the following data, which is technically necessary for us to offer you the functions of our mobile app and to ensure stability and security (legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR):

IP address
Date and time of the request
Time zone difference to Greenwich Mean Time (GMT)
Content of the request (specific page)
Access status/HTTP status code
Amount of data transferred in each case
Website from which the request originates
browser
Operating system and its interface
Language and version of the browser software.

We also need your device identification, unique number of the end device (IMEI = International Mobile Equipment Identity), unique number of the network subscriber (IMSI = International Mobile Subscriber Identity), mobile phone number (MSISDN), MAC address for WLAN use, name of your mobile end device, e-mail address.

2. registration for the APCOA FLOW user account

You need an APCOA FLOW user account to use the APCOA FLOW services (e.g. APCOA FLOW app). To register, you will need your first name and surname, your e-mail address and a password of your choice. Optionally, you can enter a vehicle licence plate number. Registration takes place via the mobile APCOA FLOW app. APCOA uses the so-called double opt-in procedure to complete the registration and confirm the consent you have given there. This involves sending an email to the email address you have provided asking for confirmation.

With the APCOA FLOW user account, you can register for the APCOA FLOW services (e.g. the APCOA FLOW app, purchase and use of an RFID tag). You then do not have to register again, but can use the data entered during initial registration for the services. If you do so, the services will be linked to the central user account to which an APCOA FLOW customer number is assigned.

During registration, the IP address assigned by your Internet service provider (ISP), the date and time of registration are also stored. This data is stored against the background that this is the only way to prevent misuse of our services and, if necessary, to enable criminal offences to be investigated. In this respect, the storage of this data is necessary to protect APCOA. This data will not be passed on to third parties unless there is a legal obligation to pass it on or it serves the purpose of criminal prosecution.

Your registration with voluntary provision of personal data enables us to offer you content or services which, due to the nature of the matter, can only be offered to registered users.

The legal basis for this processing of personal data is Art. 6 I b) EU GDPR.

Registered persons are free to change the personal data provided during registration at any time or to have it completely deleted from APCOA's database.

APCOA will provide you with information about the personal data stored about you at any time upon request. Furthermore, APCOA will correct or delete personal data at your request or indication, provided that this does not conflict with any statutory retention obligations. APCOA's data protection officer is available to you as a contact person in this context.

3 Ordering and sending the APCOA FLOW RFID tag

In order to use the APCOA FLOW parking service, you must purchase an APCOA FLOW RFID tag, which enables contactless entry and exit to the APCOA FLOW parking facilities. The APCOA FLOW RFID tag must be purchased from APCOA for a fee. We require your postal address in order to send you the APCOA FLOW RFID tag by post. The data required for this purpose is collected by us as part of the ordering process via our mobile app or our website.

As part of the production of the APCOA FLOW RFID tag, a unique identifier (UID) is assigned to it and allocated to your user account and stored. This helps us to authenticate and allocate your parking transactions and thus to ensure your security.

The legal basis for this processing of personal data is Art. 6 I b) EU GDPR.

4.APCOA FLOW car park service

We collect and process the following personal data for the processing and billing of parking transactions carried out by you using the APCOA FLOW access medium: Surname, first name, APCOA FLOW customer number, identifier of the APCOA FLOW access medium (e.g. UID of the RFID tag or the optionally stored vehicle licence plate number), start of the parking process (date, time), end of the parking process (date, time), location of the parking facility/car park, the parking fee incurred.

The legal basis for this processing of personal data is Art. 6 I b) EU GDPR.

The data is stored in compliance with the statutory retention periods and data protection regulations.

5. payment and billing

Payment of the parking and service fees charged by us is made by credit card payment. Processing takes place via one or more payment service providers (payment services).

a)Payment

You instruct us to process the payment of the parking and service fees. The credit card data is collected directly by the relevant payment services and is only used by them for payment processing. The relevant payment service stores your credit card data for payment processing for the parking processes, so you do not have to re-enter your data for each parking process. The following data is transmitted to the payment service: Surname, first name, credit card details (credit card number, CVC code (card verification number) and expiry date. If the payment service responsible for processing your payments changes, the data will be transferred from the outgoing payment service to the payment service responsible in the future. We receive the so-called payment ID and the last four digits of your credit card number from the payment service. This is used for authentication and allocation of your parking transactions and therefore for your security.

After the first entry, the credit card details are checked for validity by the payment service. For this purpose, the payment service carries out a credit card authorisation of a few cents with the issuer of your credit card. The amount will not be debited from your account. If the check reveals that the credit card number is incorrect, the CVC code (card verification code) does not match the credit card number, the expiry date has expired or the credit card has been stolen, the payment service will send us these error messages so that we can display them in the app or on our website

With the direct debit order, we send the payment service a booking text that should appear on your account statement. This text contains the booking period and billing number.

If a direct debit fails, for example because the credit card used does not have sufficient funds or the validity period has expired, we will be informed by the payment service. We will be informed of the reason for the error and your user ID generated by us.

In the event of a chargeback that you did not personally initiate, e.g. if a direct debit was reversed due to insufficient funds, you instruct us to carry out another direct debit at a later date.

In the event that you initiate a chargeback procedure or we grant you a refund, the amount in question will be reversed by the payment service. For this purpose, we transmit the following data to the payment service: Amount, the reason for the chargeback as well as your user ID and transaction ID generated by us and assigned to the parking process.

The legal basis for this processing of personal data is Art. 6 I b) EU GDPR.

The payment service deletes your personal data when you finally cancel your user account for the APCOA FLOW parking service, the payment service is no longer responsible for processing, no outstanding amounts are due for collection and the chargeback and statutory retention periods have expired.

b)Billing

As a rule, you will receive a monthly statement from us, including a transaction overview (parking and service fees). We use the following data for this purpose and for customer service purposes (e.g. processing refund orders):

Surname, first name, address, e-mail address, parking facility, parking times, parking and service fees and the date on which these were paid or unsuccessfully debited. APCOA stores and archives the accounting and billing data in accordance with legal requirements.

The legal basis for this processing of personal data is Art. 6 I b) EU GDPR.

6. managing credit card data

You can change the credit card details you provided during registration at any time in your user account under "My profile/payment methods".

7.parking history

You can view your current and past (completed) parking transactions via the "My parking transactions" menu item in our mobile app and on our website.

The legal basis for this processing of personal data is Art. 6 I f) EU GDPR.

The entire parking history is stored on our data server (for up to 10 years), taking into account the statutory retention periods and data protection regulations. Information about the individual data can be found under point "II. Parking".

8. transmission of geodata

In order to use various services (e.g. recognising the car park used, navigating to the location of the selected car park, saving the location where you parked your vehicle) within the app, geodata must be transmitted. Geodata refers to the position data of the mobile device. Geodata is only transmitted if you have activated this function in the app.

The legal basis for this processing of personal data is Art. 6 I f) EU GDPR.

9. receipt of messages (push notifications)

For individual areas, our mobile app offers the option of being informed via push notification (push technology or server push describes a type of communication in which data is transmitted even though the receiving app is running in the background), for example about the start and end of a parking process or about a failed payment transaction.

The legal basis for this processing of personal data is Art. 6 I f) EU GDPR.

You can configure this function via the menu settings of your end device and activate/deactivate the notifications. The delivery of the messages requires the storage of a push token of your mobile device with us.

10.contact option via the website and the mobile app

Due to legal regulations, our website and our mobile app contain information that enables quick electronic contact to our company and direct communication with us, which also includes a general address for so-called electronic mail (e-mail address). You can send a message directly to our customer service team via the "Help" menu item in our mobile app and on our website. The personal data you transmit will be stored automatically. Such personal data transmitted to us by you on a voluntary basis will be stored for the purposes of processing or contacting you.

The legal basis for this processing of personal data is Art. 6 I b) EU GDPR.

To implement this service, we have integrated Atlassian Jira Service Desk components in our app and on our website. Jira Service Desk is a user-friendly helpdesk software from Atlassian that enables our company to process our customers' support requests in a structured manner. Enquiries can thus be resolved faster and better. The operating company of Jira Service Desk is Atlassian Pty Ltd, c/o Atlassian, Inc, 1098 Harrison Street, San Francisco, CA 94103, USA. Further information and the applicable data protection provisions of Atlassian can be found at www.atlassian.com/legal/privacy-policy.

11.APCOA FLOW Newsletter

You have the option of subscribing to our company newsletter on our website or our mobile app. The input mask used for this purpose determines what personal data are transmitted to the controller when you subscribe to the newsletter.

The legal basis for this processing of personal data is Art. 6 I f) EU GDPR.

APCOA informs its customers and business partners regularly by means of a newsletter about enterprise offers. The APCOA newsletter may only be received by the data subject if (1) the data subject has a valid e-mail address and (2) the data subject registers for the newsletter shipping. For legal reasons, a confirmation email is sent to the email address entered by a data subject for the first time for the newsletter mailing using the double opt-in procedure. This confirmation email is used to check whether the owner of the email address as the data subject has authorised receipt of the newsletter.

When registering for the newsletter, we also store the IP address assigned by the Internet service provider (ISP) of the computer system used by the data subject at the time of registration, as well as the date and time of registration. The collection of this data is necessary in order to be able to trace the (possible) misuse of a data subject's email address at a later date and therefore serves as legal protection for the controller.

The personal data collected as part of a registration for the newsletter is used exclusively for sending our newsletter. Furthermore, subscribers to the newsletter may be informed by e-mail if this is necessary for the operation of the newsletter service or a registration in this regard, as could be the case in the event of changes to the newsletter offer or in the event of a change in technical circumstances. The personal data collected as part of the newsletter service will not be passed on to third parties. The subscription to our newsletter can be cancelled by the data subject at any time. The consent to the storage of personal data, which the data subject has given us for the newsletter dispatch, can be revoked at any time. There is a corresponding link in every newsletter for the purpose of revoking consent. It is also possible to unsubscribe from the newsletter at any time directly on the controller's website or to inform the controller of this in another way.

APCOA's newsletters contain so-called tracking pixels. A tracking pixel is a miniature graphic that is embedded in emails that are sent in HTML format to enable log file recording and log file analysis. This allows the success or failure of online marketing campaigns to be statistically analysed. Based on the embedded tracking pixel, APCOA may see if and when an e-mail was opened by a data subject, and which links in the e-mail were called up by data subjects.

Such personal data collected via the tracking pixels contained in the newsletters are stored and evaluated by APCOA in order to optimise the newsletter dispatch and to adapt the content of future newsletters even better to the interests of the data subject. This personal data is not passed on to third parties. Data subjects are entitled at any time to revoke the separate declaration of consent given in this regard via the double opt-in procedure. After cancellation, this personal data will be deleted by APCOA. Unsubscribing from the newsletter is automatically interpreted by APCOA as a cancellation.

12.use of Clevertap

We have integrated Clevertap components into our app. Clevertap is a combination of analysis and marketing solution in one system. Clevertap enables the app operator to collect data on the use of the app and to individualise marketing activities. The operating company of Clevertap is WizRocket Inc, 440 N Wolfe Rd, Sunnyvale, CA 94085, USA.

The legal basis for this processing of personal data is Art. 6 I f) EU GDPR.

Each time our app is accessed, Clevertap collects and stores data for marketing and optimisation purposes. The data collected is used to create user profiles. The user profiles are used for the purpose of analysing visitor behaviour and enable us to improve our app offering.

We use Clevertap to use the data and information obtained via our app to evaluate your user behaviour. The data is also used to create reports on user activity and to provide other services related to the use of our app.

You can revoke your consent to the use of Clevertap by our app at any time by uninstalling our app.

The applicable data protection provisions of Clevertap may be retrieved under clevertap.com/privacy-policy/.

III. disclosure of the data

We only pass on your personal data to third parties if this is necessary to fulfil our own business purposes (i.e. in particular to provide the services owed to you) (e.g. sending the APCOA FLOW access medium, credit card payment), if you have given your consent for this (e.g. if you use an external application) or if we are obliged to do so by law or due to a court or official order.

If we work together with external service providers in the context of data processing (e.g. in software development), this is usually done on the basis of so-called order processing, in which we remain responsible for data processing. We check each of these service providers in advance for the data protection and data security measures they have taken and thus ensure that the contractual regulations required by law for the protection of personal data are met.

1.selected developers and companies ("API partners")

We provide selected developers and companies ("API partners") with APCOA for the development and operation of APCOA FLOW, which allows users of the API partners' applications to access data and content outside APCOA FLOW and to integrate content into APCOA FLOW from outside.

The aim is to make APCOA FLOW even more attractive and useful for the user by connecting external applications. The APCOA FLOW API is a so-called Application Programming Interface, i.e. an interface provided by us that allows the API partner to connect one or more applications operated by it to APCOA FLOW in read and, if necessary, write mode in accordance with our contractual specifications.

Every application of an API partner that is to be used to access user data requires prior authorisation from us. We have established criteria to ensure the security of APCOA FLOW users' data.

If an application provides for the processing of personal data in countries outside the European Union, we will make the contractual arrangements required under data protection law to ensure an adequate level of protection for personal data with the API partner.

2. production and dispatch of the APCOA FLOW access medium

We use external service providers for the production and dispatch of APCOA FLOW access media. For this purpose, we transmit the following data collected from you during the registration and purchase of the APCOA FLOW access medium to our service providers: first and last name, postal address and APCOA FLOW customer number.

The external service provider responsible for production and dispatch deletes your personal data once the order process has been completed, the statutory warranty and limitation periods have expired, it is no longer responsible for dispatching the APCOA FLOW access media and statutory retention periods have expired.

3 Payment service providers, debtor management service providers, debt collection

If you use chargeable functions within APCOA FLOW, we process your credit card data for the purpose of payment processing and billing in accordance with the selected payment method. To the extent necessary, your payment data and other data required to process the transaction, including billing and, if applicable, debt collection, will be transmitted to service providers such as credit card institutions, payment providers or debt collection service providers or collected directly by them and processed there.

Your payment data is stored to enable payment processing and billing of parking transactions.

4. third countries

Data is transferred to third countries, but only in compliance with the statutory conditions of admissibility.

If the transfer of data to a third country does not serve to fulfil our contract with you, we do not have your consent, the transfer is not necessary for the assertion, exercise or defence of legal claims and no other exception applies, we will only transfer your data to a third country if an adequacy decision pursuant to Art. 45 EU GDPR or suitable guarantees pursuant to Art. 46 EU GDPR exist.

C. Routine erasure and blocking of personal data

APCOA processes and stores your personal data only for the period of time necessary to achieve the purpose of storage or if this has been provided for by the European legislator or another legislator in laws or regulations to which APCOA is subject.

The criterion for the duration of the storage of personal data is the respective statutory retention period. After this period has expired, the corresponding data is routinely deleted, provided it is no longer required for the fulfilment or initiation of a contract.

D. Your rights

I. Right to confirmation
Each data subject shall have the right granted by the European legislator to obtain from the controller the confirmation as to whether or not personal data concerning him or her are being processed. If you wish to exercise this right of confirmation, you can contact our data protection officer at any time.

II. right to information
Any person affected by the processing of personal data has the right, granted by the European Directive and Regulation, to obtain information free of charge at any time from the controller about the personal data stored about him/her and a copy of this information. Furthermore, the European legislator has granted the data subject access to the following information:

the purposes of the processing
the categories of personal data being processed
the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations
where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period
the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing
the existence of the right to lodge a complaint with a supervisory authority
if the personal data are not collected from the data subject: All available information about the origin of the data
the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject

Furthermore, the data subject has a right of access as to whether personal data has been transferred to a third country or to an international organisation. If this is the case, the data subject also has the right to be informed of the appropriate safeguards relating to the transfer.

If you would like to exercise this right to information, you can contact our data protection officer at any time.

III Right to rectification

Any person affected by the processing of personal data has the right granted by the European legislator of directives and regulations to demand the immediate correction of incorrect personal data concerning them. Taking into account the purposes of the processing, the data subject shall also have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

If you wish to exercise this right to rectification, you can contact our data protection officer at any time.

4. right to erasure (right to be forgotten)
Any person affected by the processing of personal data has the right, granted by the European legislator, to obtain from the controller the erasure of personal data concerning him or her without undue delay where one of the following grounds applies and insofar as the processing is not necessary:

The personal data have been collected or otherwise processed for purposes for which they are no longer necessary.
The data subject withdraws consent on which the processing is based according to point (a) of Article 6(1) of the GDPR, or point (a) of Article 9(2) of the GDPR, and where there is no other legal ground for the processing.
The data subject objects to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) of the GDPR.
The personal data have been processed unlawfully.
The personal data must be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
The personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.

If one of the aforementioned reasons applies and you wish to request the erasure of personal data stored by APCOA, you can contact our data protection officer at any time. The data protection officer of APCOA or another employee shall promptly ensure that the erasure request is complied with immediately.

Where APCOA has made the personal data public and is obliged pursuant to Article 17(1) of the GDPR to erase the personal data, APCOA, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform other controllers processing the personal data that you have requested the erasure by such controllers of any links to, or copy or replication of, those personal data, as far as processing is not required. The data protection officer of APCOA will take the necessary steps in individual cases.

V. Right to restriction of processing
Any person affected by the processing of personal data has the right, granted by the European legislator, to obtain from the controller restriction of processing where one of the following applies:

The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data.
The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead.
The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims.
The data subject has objected to processing pursuant to Article 21(1) GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.

If one of the aforementioned conditions is met, and you wish to request the restriction of the processing of personal data stored by APCOA, you can contact our data protection officer at any time. APCOA's data protection officer will arrange for the restriction of processing.

VI. right to data portability

Any person affected by the processing of personal data has the right, granted by the European legislator, to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format. He or she also has the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent pursuant to point (a) of Article 6(1) of the GDPR or point (a) of Article 9(2) of the GDPR or on a contract pursuant to point (b) of Article 6(1) of the GDPR and the processing is carried out by automated means, unless the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Furthermore, in exercising his or her right to data portability pursuant to Art. 20 (1) GDPR, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible and when doing so does not adversely affect the rights and freedoms of others.

To assert the right to data portability, you can contact the data protection officer appointed by APCOA at any time.

VII. right to object

Any person affected by the processing of personal data has the right granted by the European legislator to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1) of the GDPR. This also applies to profiling based on these provisions.

APCOA shall no longer process the personal data in the event of the objection, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.

If APCOA processes personal data for direct marketing purposes, you have the right to object at any time to the processing of your personal data for the purpose of such advertising. This also applies to profiling insofar as it is associated with such direct advertising. If you object to APCOA processing your personal data for direct marketing purposes, APCOA will no longer process the personal data for these purposes.

You also have the right to object, on grounds relating to your particular situation, to processing of personal data concerning you by APCOA for scientific or historical research purposes or statistical purposes pursuant to Article 89(1) of the GDPR, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

To exercise your right to object, you can contact APCOA's data protection officer directly. You are also free to exercise your right to object in connection with the use of information society services, notwithstanding Directive 2002/58/EC, by means of automated procedures using technical specifications.

VIII Automated decisions in individual cases including profiling

Each data subject shall have the right granted by the European legislator not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her, or similarly significantly affects him or her, provided that the decision (1) is not necessary for the conclusion or performance of a contract between the data subject and the controller, or (2) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, or (3) is based on the data subject's explicit consent.

If the decision (1) is necessary for entering into, or the performance of, a contract between the data subject and a data controller, or (2) it is based on the data subject's explicit consent, APCOA shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of APCOA, to express his or her point of view and contest the decision.

If you wish to assert rights relating to automated decisions, you can contact our data protection officer at any time.

IX. right to withdraw consent under data protection law

Any person affected by the processing of personal data has the right granted by the European legislator of directives and regulations to withdraw consent to the processing of personal data at any time.

If you wish to exercise your right to withdraw consent, you can contact our data protection officer at any time.

E. Cookies

We use cookies on our website (www.apcoa.de) and the APCOA FLOW mobile app.

Cookies are text files that are placed and stored on your end device via an internet browser. Many cookies contain a so-called cookie ID. A cookie ID is a unique identifier for the cookie. It consists of a string of characters that can be used to assign websites and servers to the specific internet browser in which the cookie was stored. This enables the websites and servers visited to distinguish the individual browser of the data subject from other Internet browsers that contain other cookies. A specific internet browser can be recognised and identified via the unique cookie ID.

By using cookies, we can provide users of our website and our mobile app with more user-friendly services that would not be possible without cookies. Cookies also protect the security of your user account.

Cookies can be used to optimise the information and offers on our website and mobile app for the benefit of the user. As already mentioned, cookies enable us to recognise the users of our website and our app. The purpose of this recognition is to make it easier for users to use our website and our app. For example, the user of a website or app that uses cookies does not have to re-enter their access data each time they visit the website or app, as this is done by the website or app and the cookie stored on the user's device.

You can prevent the setting of cookies by our website at any time by means of a corresponding setting of the Internet browser used and thus permanently object to the setting of cookies. Furthermore, cookies that have already been set can be deleted at any time via an Internet browser or other software programmes. This is possible in all common Internet browsers. If you deactivate the setting of cookies in the Internet browser used, you may not be able to use all functions of our website to their full extent.

Personal data may be stored in cookies if you have given your consent or if this is technically absolutely necessary, e.g. to enable a secure login.

BY USING THE APCOA FLOW APP, YOU CONSENT TO THE USE AND STORAGE OF COOKIES ON YOUR END DEVICE. CONSENT TO THE USE AND STORAGE OF COOKIES CAN BE WITHDRAWN AT ANY TIME BY UNINSTALLING THE APP.

IF YOU USE THE APCOA FLOW WEB OFFERS INTEGRATED OR REFERENCED IN THE APCOA FLOW APP, YOU CONSENT TO THE USE AND STORAGE OF COOKIES ON YOUR END DEVICE. YOU CAN WITHDRAW YOUR CONSENT TO THE USE AND STORAGE OF COOKIES AT ANY TIME BY UNINSTALLING THE APP.

F. Notes on the use of offers from third-party providers

The offers in our mobile app and on our website may also include content, services and benefits from other providers that supplement our offer. Examples of such services include maps from Google Maps or third-party graphics. Accessing these third-party services regularly requires the transmission of your IP address. This enables these providers to recognise your user IP address and store it. We make every effort to include only those third-party providers who use IP addresses solely for the delivery of content. However, we have no influence on which third-party provider may store the IP address. This storage may be used for statistical purposes, for example. If we become aware of storage processes by third-party providers, we will inform our users of this fact immediately. In this context, please also note the special data protection declarations for individual third-party providers and service providers whose services we use. They can also be found in this privacy policy.

I. Data protection provisions about the application and use of AddThis

You have the option of using an existing Facebook account for registration. For this purpose, we have integrated components of Facebook within our app and on our website. Facebook is a social network.

A social network is a social meeting place operated on the Internet, an online community that generally enables users to communicate with each other and interact in virtual space. A social network can serve as a platform for the exchange of opinions and experiences or enable the Internet community to provide personal or company-related information. Among other things, Facebook allows users of the social network to create private profiles, upload photos and network via friend requests.

The operating company of Facebook is Facebook, Inc, 1 Hacker Way, Menlo Park, CA 94025, USA. If a data subject lives outside the USA or Canada, the controller for the processing of personal data is Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

Each time you access one of the individual pages of our mobile app or our website on which a Facebook component (Facebook plug-in) has been integrated, the Internet browser on the information technology system you are using for this purpose is automatically prompted by the respective Facebook component to download a representation of the corresponding Facebook component from Facebook. A complete overview of all Facebook plug-ins can be accessed at developers.facebook.com/docs/plugins/. As part of this technical process, Facebook receives information about which specific subpage of our mobile app or our website you are visiting.

If you are logged in to Facebook at the same time, Facebook recognises which specific sub-page of our website you are visiting each time you access our mobile app or our website and for the entire duration of your visit to our mobile app or our website. This information is collected by the Facebook component and assigned to your respective Facebook account by Facebook. If you click on one of the Facebook buttons integrated on our mobile app or our website, for example the "Like" button, or if you leave a comment, Facebook assigns this information to your personal Facebook user account and stores this personal data.

Facebook always receives information via the Facebook component that you have visited our mobile app or our website if you are logged in to Facebook at the same time as accessing our mobile app or our website; this occurs regardless of whether you click on the Facebook component or not. If you do not want this information to be transmitted to Facebook, you can prevent it from being transmitted by logging out of your Facebook account before accessing our mobile app or our website.

The data policy published by Facebook, which can be accessed at de-de.facebook.com/about/privacy, provides information about the collection, processing and use of personal data by Facebook. It also explains the setting options Facebook offers to protect the privacy of the data subject. In addition, various applications are available that make it possible to suppress the transmission of data to Facebook. Such applications can be used by you to suppress data transmission to Facebook.

II Google Maps plugin

We use a plugin from the Google Maps internet service in our mobile app and on our website.

The operator of Google Maps is Google Inc. based in the USA, CA 94043, 1600 Amphitheatre Parkway, Mountain View.

When you use Google Maps in our app or on our website, information about the use of our app and our website and your IP address are transmitted to a Google server in the USA and also stored on this server. We have no knowledge of the exact content of the data transmitted, nor of its use by Google. In this context, the company denies the linking of the data with information from other Google services and the collection of personal data. However, Google may transmit the information to third parties. If you deactivate Javascript in your browser, you prevent Google Maps from running. However, you will then also not be able to use the map display on our website. By using our mobile app and our website, you consent to the collection and processing of information by Google Inc. as described above.

You can find out more about the data protection provisions and terms of use for Google Maps here: www.google.com/intl/de_de/help/terms_maps.html. ;

III Data protection provisions about the application and use of Google Analytics (with anonymisation function)

We have integrated components of Google Analytics, a web analysis service of Google Inc, in our mobile app and on our website. The use includes the Universal Analytics operating mode. This makes it possible to assign data, sessions and interactions across multiple devices to a pseudonymous user ID and thus to analyse the activities of a user across devices.

The operating company of the Google Analytics component is Google Inc, 1600 Amphitheatre Parkway Mountain View, CA 94043-1351, USA.

Google Analytics uses "cookies", which are text files placed on your computer, to help the website analyse how users use the site. The information generated by the cookie about your use of this website is usually transmitted to a Google server in the USA and stored there. However, if IP anonymisation is activated on this website, your IP address will first be truncated by Google within member states of the European Union or in other signatory states to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and truncated there. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data. On behalf of the operator of this website, Google will use this information to analyse your use of the website, to compile reports on the activities on our website and to provide other services related to the use of our website and internet usage to the operator of the website. Our legitimate interest in data processing also lies in these purposes.

The legal basis for the use of Google Analytics is Section 15 (3) TMG and Art. 6 (1) (f) GDPR. The data sent by us and linked to cookies, user identifiers (e.g. user ID) or advertising IDs are automatically deleted after 14 months. Data that has reached the end of its retention period is automatically deleted once a month.

You can find more information on terms of use and data protection at www.google.com/analytics/terms/de.html or at policies.google.com.

You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of our website. You can also prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) to Google and the processing of this data by Google by downloading and installing the tools.google.com/dlpage/gaoptout. Opt-out cookies prevent the future collection of your data when you visit our website. To prevent Universal Analytics from collecting data across different devices, you must opt out on all systems used.

IV Data protection provisions about the application and use of Google Analytics for Firebase

We also use the Google Analytics for Firebase service for our mobile app to analyse and categorise user groups.

The operating company of the Google Firebase component is Google Inc., 1600 Amphitheatre Parkway Mountain View, CA 94043-1351, USA.

Google Analytics for Firebase is part of the Google Cloud Platform and offers other services in addition to a real-time database:

Google Analytics for Firebase enables us to analyse the use of our app offering. This means that information about the use of our app is collected and transmitted to Google and stored there. Google uses the advertising ID of the end device for this purpose. Google will use this information to analyse the use of our app and to provide us with other services related to the use of apps. You can restrict the use of the advertising ID in the device settings (iOS: Privacy / Advertising / No Ad Tracking; Android: Account / Google / Ads).

Firebase Crash Reporting is used to stabilise and improve the app. It collects information about the devices used and the use of our app (e.g. the time stamp, when the app was started and when the crash occurred), which enables us to diagnose and solve problems.

Firebase Cloud Messaging is used to send push messages or so-called in-app messages (messages that are only displayed within the app). A pseudonymised push reference is assigned to the mobile device, which serves as the destination for the push messages or in-app messages. The push messages can be deactivated and reactivated at any time in the settings of the mobile device.

Where possible, we use servers located in the EU. However, it cannot be ruled out that data may also be transferred to the USA. Google has joined the EU-US Privacy Shield, a data protection agreement between the EU and the USA. Further information on Google Analytics Firebase and data protection can be found at www.google.com/policies/privacy/ and at firebase.google.com.

If you have deactivated measurement via Google Analytics (see above), measurement via Firebase is also deactivated, but only on this device, not on other devices that you may use

V. Data protection provisions about the application and use of Google Remarketing

We have integrated Google Remarketing services in our app and on our website. Google Remarketing is a function of Google AdWords that enables a company to display adverts to Internet users who have previously visited the company's website. The integration of Google Remarketing therefore allows a company to create user-related advertising and consequently to display adverts relevant to the interests of the Internet user.

The operating company of the Google Remarketing services is Google Inc, 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.

The purpose of Google Remarketing is to display interest-relevant advertising. Google Remarketing enables us to display adverts via the Google advertising network or on other websites that are tailored to the individual needs and interests of internet users.

Google Remarketing places a cookie on the information technology system you are using. What cookies are has already been explained above. By setting the cookie, Google is able to recognise the visitor to our app or our website when they subsequently access websites that are also members of the Google advertising network. Each time a website on which the Google Remarketing service has been integrated is accessed, the data subject's internet browser automatically identifies itself to Google. As part of this technical process, Google receives knowledge of personal data, such as the IP address or the surfing behaviour of the user, which Google uses, among other things, to display interest-relevant advertising.

Cookies are used to store personal information, such as the websites you have visited. Each time you visit our app or our website, personal data, including the IP address of the internet connection you are using, is therefore transmitted to Google in the United States of America. This personal data is stored by Google in the United States of America. Google may share this personal data collected through the technical process with third parties.

You can prevent the setting of cookies by our website, as already described above, at any time by means of a corresponding setting of the Internet browser used and thus permanently object to the setting of cookies. Such a setting of the Internet browser used would also prevent Google from setting a cookie on the information technology system you are using. In addition, a cookie already set by Google Analytics can be deleted at any time via the Internet browser or other software programmes.

You also have the option of objecting to interest-based advertising by Google. To do this, you must call up the link www.google.de/settings/ads from each of the Internet browsers you use and make the desired settings there.

You can revoke your consent to the use and storage of cookies by our app at any time by uninstalling our app.

Further information and the applicable data protection provisions of Google may be retrieved under www.google.de/intl/de/policies/privacy/.

VI Data protection provisions about the application and use of Google AdWords

We have integrated Google AdWords on this website. Google AdWords is an internet advertising service that allows advertisers to place adverts both in Google's search engine results and in the Google advertising network. Google AdWords allows an advertiser to specify certain keywords in advance, which are used to display an advert in Google's search engine results only when the user uses the search engine to retrieve a keyword-relevant search result. In the Google advertising network, the adverts are distributed on topic-relevant websites using an automatic algorithm and taking into account the previously defined keywords.

The operating company of the Google AdWords services is Google Inc, 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.

The purpose of Google AdWords is to advertise our app and our website by displaying interest-relevant advertising on the websites of third-party companies and in the search engine results of the Google search engine and by displaying third-party advertising in our app and on our website.

If you reach our website via a Google advert, a so-called conversion cookie is stored by Google on the information technology system you are using. What cookies are has already been explained above. A conversion cookie loses its validity after thirty days and is not used to identify you. If the cookie has not yet expired, the conversion cookie is used to track whether certain subpages on our website have been accessed. The conversion cookie enables both us and Google to track whether you have reached our website via an AdWords ad and generated sales, i.e. completed or cancelled a purchase.

The data and information collected through the use of the conversion cookie is used by Google to compile visit statistics for our website. These visit statistics are in turn used by us to determine the total number of users who were referred to us via AdWords ads, i.e. to determine the success or failure of the respective AdWords ad and to optimise our AdWords ads for the future. Neither our company nor other Google AdWords advertisers receive information from Google that could be used to identify you.

The conversion cookie is used to store personal information, such as the websites you have visited. Each time you visit our app or our website, personal data, including the IP address of the internet connection used by the data subject, is therefore transmitted to Google in the United States of America. This personal data is stored by Google in the United States of America. Google may share this personal data collected through the technical process with third parties.

You can prevent the setting of cookies by our website, as already described above, at any time by means of a corresponding setting of the Internet browser used and thus permanently object to the setting of cookies. Such a setting of the Internet browser used would also prevent Google from placing a conversion cookie on the information technology system you are using. In addition, a cookie already set by Google AdWords can be deleted at any time via the Internet browser or other software programmes.

You can revoke your consent to the use and storage of cookies by our app at any time by uninstalling our app.

Further information and the applicable data protection provisions of Google may be retrieved under www.google.de/intl/de/policies/privacy/.

VII Data protection provisions about the application and use of DoubleClick

We have integrated components from DoubleClick by Google in our app and on our website. DoubleClick is a Google brand under which special online marketing solutions are primarily marketed to advertising agencies and publishers.

The operating company of DoubleClick by Google is Google Inc, 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.

DoubleClick by Google transmits data to the DoubleClick server with every impression as well as with clicks or other activities. Each of these data transfers triggers a cookie request to the browser you are using. If the browser accepts this request, DoubleClick places a cookie on the information technology system you are using. What cookies are has already been explained above. The purpose of the cookie is to optimise and display advertising. The cookie is used, among other things, to place and display user-relevant adverts and to create reports on advertising campaigns or to improve them. The cookie is also used to avoid multiple displays of the same adverts.

DoubleClick uses a cookie ID that is required for the technical process. The cookie ID is required, for example, to display an advert in a browser. DoubleClick can also use the cookie ID to record which adverts have already been displayed in a browser in order to avoid duplication. The cookie ID also enables DoubleClick to record conversions. Conversions are recorded, for example, if a user has previously been shown a DoubleClick advert and subsequently makes a purchase on the advertiser's website using the same internet browser.

A DoubleClick cookie does not contain any personal data. However, a DoubleClick cookie may contain additional campaign identifiers. A campaign identifier is used to identify the campaigns with which the user has already been in contact.

Each time you access one of the individual pages of our app or our website on which a DoubleClick component has been integrated, the Internet browser on the information technology system you are using is automatically prompted by the respective DoubleClick component to transmit data to Google for the purpose of online advertising and billing of commissions. As part of this technical process, Google obtains knowledge of data that Google also uses to create commission statements. Among other things, Google can track that you have clicked on certain links on our website.

You can prevent the setting of cookies by our website at any time, as already described above, by means of a corresponding setting of the Internet browser used and thus permanently object to the setting of cookies. Such a setting of the Internet browser used would also prevent Google from setting a cookie on the information technology system you are using. In addition, cookies already set by Google can be deleted at any time via an internet browser or other software programmes.

You can revoke your consent to the use and storage of cookies by our app at any time by uninstalling our app.

Further information and the applicable data protection provisions of DoubleClick by Google may be retrieved under www.google.com/intl/de/policies/.

Status: January 2021