Skip to content

Does the GDPR Cover Information Relating to My Company’s Car Park in the UK?

Table of Contents

Despite many businesses encouraging staff to use public transport, including offering season ticket loans, many employees will still wish to drive to work. Many UK companies own or lease a car park on private land for their staff and operate a CCTV system for that area. This article will explore how the GDPR applies to information relating to a company car park, including any CCTV footage. This will allow you to understand your legal obligations under the GDPR to avoid the threat of a hefty fine from the Information Commissioner’s Office (ICO).

The GDPR

The General Data Protection Regulation (UK GDPR) applies to all personal data relating to individuals. It defines ‘personal data’ broadly as including all and any information that could identify a living person. Generally speaking, personal information can include the following:

  • birth dates;
  • health data;
  • photographs;
  • biometric data; and 
  • phone numbers.  

In terms of car parks, personal data can also include licence plate numbers and car model details.

Any violation of GDPR rules concerning personal data can result in a fine of up to £17.5m from the ICO. As a UK business owner, you no doubt wish to avoid any financial penalties and the reputational damage caused by the online publication of the ICO fine.

The ICO

The Information Commissioner’s Office is an independent body that enforces data protection legislation against UK organisations.

Whilst the ICO assists UK businesses through its helpful online guidance on the GDPR and Data Protection Act, it also regularly fines UK companies for breaches of data protection law.  The ICO believes businesses will be motivated to follow data protection rules to avoid substantial financial penalties.

Front page of publication
UK Startup Manual

LegalVision’s Startup Manual is essential reading material for any startup founder looking to launch and grow a successful startup.

Download Now
Continue reading this article below the form
Need legal advice?
Call 0808 196 8584 for urgent assistance.
Otherwise, complete this form and we will contact you within one business day.

GDPR and a Company’s Car Park

The GDPR requires your business to record, process and store personal data safely and securely.  Therefore, any personal information within your company car park is caught by the GDPR. It does not matter whether you own or lease the car park land. Some examples of personal information are the following:

  1. vehicle registration marks;
  2. arrival and departure times of vehicles;
  3. ANPR cameras which are automatic numberplate recognition systems;
  4. any parking ticket rules.  
  5. vehicle model and colour; and 
  6. a desire to issue a parking charge notice, which records personal information to ensure only staff use your car park or that non-staff pay for the privilege 

These things likely constitute personal information because they can identify an individual. So, for example, your organisation can identify a staff member from their vehicle registration plate through CCTV footage of them leaving the vehicle. If your CCTV system is high definition, as most now are, the actual images of individuals’ faces will constitute photographic information concerning them.

 Most businesses also record vehicle registration plates to ensure only staff use the car park, which also constitutes personal data.

GDPR and the Use of Personal Data

As your company will likely handle a lot of personal information relating to its car park, there are GDPR obligations you need to comply with. Some of the main ones include:

  1. placing CCTV warning signs around the car park to warn of video recording;
  2. ensuring all CCTV recordings are stored safely and preferably encrypted; 
  3. password-protecting documents linking vehicle registration numbers to individuals; and
  4. deleting information about vehicle entry and departure into the company car park when no longer relevant.

These requirements relate to various GDPR compliance principles, which include:

  1. limiting the storage of information to the minimum period for it to meet its purpose;
  2. only recording information which is truly required for your company to function correctly;
  3. keeping all data in a safe and secure place (to guard against theft or unauthorised use); and
  4. only processing information for lawful purposes.

Key Takeaways

The ICO’s website stresses that UK businesses must protect personally identifiable information.  Therefore, your organisation must follow GDPR rules when handling data that could identify a living person. This includes details of their vehicle, their arrival and leaving times concerning your car park and images of them within CCTV systems. It is essential to follow GDPR rules to avoid a hefty fine of up to £17.5m from the ICO.  These rules include providing signs to warn of CCTV use, automatic numberplate recognition systems (ANPR cameras), and parking ticket rules.  Therefore, your business needs to be transparent about monitoring systems and handle information obtained through those systems with care.

If you need help safely processing and recording information relating to a company car park, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.  

Frequently Asked Questions

Does it matter whether the business owns or leases the car park?

No, the ICO only cares whether your business records personal data or not, rather than the ownership of the land.

What personal information may relate to my company car park for the purposes of the GDPR?

A variety of personal information may relate to your company car park for the purpose of the GDPR, such as number plates and times of people coming and going from the car park.

Register for our free webinars

Protecting and Enforcing Your Brand

Online
Protect your brand from misuse and infringement. Register for our free webinar.
Register Now

Deal Structures 101: Understanding Equity, ASAs and Convertible Notes

Online
As a startup founder, understand your capital raising options. Register for our free webinar today.
Register Now

Common Legal Pitfalls for SaaS and Online Businesses

Online
Protect your online or SaaS business from common legal pitfalls. Register for our free webinar.
Register Now

GDPR Compliance Essentials for SMEs

Online
Ensure our business is compliant with GDPR and build trust with customers. Register for our free webinar.
Register Now
See more webinars >
Thomas Sutherland

Thomas Sutherland

Read all articles by Thomas

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

We’re an award-winning law firm

  • Award

    2024 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2024 Law Firm of the Year Finalist - Modern Law Private Client Awards

  • Award

    2023 Economic Innovator of the Year Finalist - The Spectator

  • Award

    2023 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2023 Future of Legal Services Innovation - Legal Innovation Awards