Skip to content
LegalVision UK

Does the GDPR Cover Information Relating to My Company’s Car Park in the UK?

Avatar photo

By Thomas Sutherland

Updated on
Reading time: 5 minutes

Meets editorial guidelines

This article meets our strict editorial principles. Our lawyers, experienced writers and legally trained editorial team put every effort into ensuring the information published on our website is accurate. We encourage you to seek independent legal advice. Learn more.

Follow us on LinkedIn
Table of Contents

Despite many businesses encouraging staff to use public transport, including offering season ticket loans, many employees will still wish to drive to work. Many UK companies own or lease a car park on private land for their staff and operate a CCTV system for that area. This article will explore how the GDPR applies to information relating to a company car park, including any CCTV footage. This will allow you to understand your legal obligations under the GDPR to avoid the threat of a hefty fine from the Information Commissioner’s Office (ICO).

The GDPR

The General Data Protection Regulation (UK GDPR) applies to all personal data relating to individuals. It defines ‘personal data’ broadly as including all and any information that could identify a living person. Generally speaking, personal information can include the following:

  • birth dates;
  • health data;
  • photographs;
  • biometric data; and 
  • phone numbers.  

In terms of car parks, personal data can also include licence plate numbers and car model details.

Any violation of GDPR rules concerning personal data can result in a fine of up to £17.5m from the ICO. As a UK business owner, you no doubt wish to avoid any financial penalties and the reputational damage caused by the online publication of the ICO fine.

The ICO

The Information Commissioner’s Office is an independent body that enforces data protection legislation against UK organisations.

Whilst the ICO assists UK businesses through its helpful online guidance on the GDPR and Data Protection Act, it also regularly fines UK companies for breaches of data protection law.  The ICO believes businesses will be motivated to follow data protection rules to avoid substantial financial penalties.

Front page of publication
Startup Manual

LegalVision’s Startup Manual is essential reading material for any startup founder looking to launch and grow a successful startup.

Download Now
Continue reading this article below the form
Need legal advice?
Call 0808 196 8584 for urgent assistance.
Otherwise, complete this form and we will contact you within one business day.

GDPR and a Company’s Car Park

The GDPR requires your business to record, process and store personal data safely and securely.  Therefore, any personal information within your company car park is caught by the GDPR. It does not matter whether you own or lease the car park land. Some examples of personal information are the following:

  1. vehicle registration marks;
  2. arrival and departure times of vehicles;
  3. ANPR cameras which are automatic numberplate recognition systems;
  4. any parking ticket rules.  
  5. vehicle model and colour; and 
  6. a desire to issue a parking charge notice, which records personal information to ensure only staff use your car park or that non-staff pay for the privilege 

These things likely constitute personal information because they can identify an individual. So, for example, your organisation can identify a staff member from their vehicle registration plate through CCTV footage of them leaving the vehicle. If your CCTV system is high definition, as most now are, the actual images of individuals’ faces will constitute photographic information concerning them.

 Most businesses also record vehicle registration plates to ensure only staff use the car park, which also constitutes personal data.

GDPR and the Use of Personal Data

As your company will likely handle a lot of personal information relating to its car park, there are GDPR obligations you need to comply with. Some of the main ones include:

  1. placing CCTV warning signs around the car park to warn of video recording;
  2. ensuring all CCTV recordings are stored safely and preferably encrypted; 
  3. password-protecting documents linking vehicle registration numbers to individuals; and
  4. deleting information about vehicle entry and departure into the company car park when no longer relevant.

These requirements relate to various GDPR compliance principles, which include:

  1. limiting the storage of information to the minimum period for it to meet its purpose;
  2. only recording information which is truly required for your company to function correctly;
  3. keeping all data in a safe and secure place (to guard against theft or unauthorised use); and
  4. only processing information for lawful purposes.

Key Takeaways

The ICO’s website stresses that UK businesses must protect personally identifiable information.  Therefore, your organisation must follow GDPR rules when handling data that could identify a living person. This includes details of their vehicle, their arrival and leaving times concerning your car park and images of them within CCTV systems. It is essential to follow GDPR rules to avoid a hefty fine of up to £17.5m from the ICO.  These rules include providing signs to warn of CCTV use, automatic numberplate recognition systems (ANPR cameras), and parking ticket rules.  Therefore, your business needs to be transparent about monitoring systems and handle information obtained through those systems with care.

If you need help safely processing and recording information relating to a company car park, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.  

Frequently Asked Questions

Does it matter whether the business owns or leases the car park?

No, the ICO only cares whether your business records personal data or not, rather than the ownership of the land.

What personal information may relate to my company car park for the purposes of the GDPR?

A variety of personal information may relate to your company car park for the purpose of the GDPR, such as number plates and times of people coming and going from the car park.

Register for our free webinars

How to Prevent and Manage a Data Breach in Your Business

Online
Learn to prevent and manage data breaches in your business. Register for our free webinar today.
Register Now

Refunds, Returns and Repairs: Your Business’ Legal Obligations

Online
Understand your business’ obligations to provide a refund, return or repair. Register for our free webinar today.
Register Now

Sweat Equity: Helping Your Startup Grow

Online
Discover how sweat equity can support your startup’s growth. Register for our free webinar today.
Register Now
See more webinars >
Thomas Sutherland

Thomas Sutherland

Read all articles by Thomas

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

Related articles

4 Common Challenges Your Company Will Face With the GDPR in the UK

Five Steps to Ensure My Business is GDPR Compliant?

Four GDPR Myths for Your Company to Avoid in England

Four Ways a Lawyer Can Help Your Business in England Comply With the GDPR 

We’re an award-winning law firm

  • Award

    2024 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2024 Law Firm of the Year Finalist - Modern Law Private Client Awards

  • Award

    2023 Economic Innovator of the Year Finalist - The Spectator

  • Award

    2023 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2023 Future of Legal Services Innovation - Legal Innovation Awards