The General Data Protection Regulation (GDPR) (EU) 2016/679
I. Introductory remarks
- This policy regulates the rights and obligations of both service providers and service users, as well as the procedure for the protection of personal data of Landvetter Parkering Service AB users.
- All rights listed and protected by this Act are guaranteed and contained in The General Data Protection Regulation (GDPR) (EU) 2016/679 (hereinafter: GDPR), as well as in the applicable national laws of the Kingdom of Sweden in the situations where they apply.
- All rights of the data subject shall be exercised in appropriate out-of-court, judicial or administrative proceedings in accordance with the applicable national regulations or the regulations of the European Union, in the situations in which they are applied.
- Every action taken by the user on the Landvetter Parkering Service AB web site is recorded and stored as evidence of undertaken actions in the form of an electronic record. Records of actions undertaken by the data subjects are used exclusively by the employees of Landvetter Parkering Service AB, and serves as evidence of undertaken actions in order to exercise the rights and obligations of both Landvetter Parkering Service AB and Data Subject and will not be used for other purposes, nor will these data be transferred to third parties, other than the competent state authorities, in cases provided by law.
II. Scope of application
III. Principles of data processing
Personal data are:
- Collected legally, fairly and transparently;
- Collected for specified, explicitly stated and legitimate purposes and are not processed further on in any way that is contrary to the initial reason they were collected. Data can be used again only for permitted, prescribed needs (archiving, public interest, statistics, etc.) and the use in this way will not be considered inadmissible.
- Collected in an adequate, relevant and limited manner, on the required quantitative and qualitative level, in accordance with the principle of minimization.
- Collected in a way to be accurate and up-to-date, with the application of reasonable measures to achieve this goal.
- Kept in a form that allows identification of the data subject for a period of three years from the last taken action. Evidence of the undertaken activities is kept in the form of an electronic record of the undertaken activities, in terms of the reason and purpose for which the data were collected.
- Processed with the application of adequate, reasonable measures of technical and organizational protection against unauthorized access, data theft, loss of data, unauthorized processing, etc.
- For the purpose of detecting technical difficulties in the functioning of all services provided through electronic means of communication, the data controller also collects data on the user's IP address and User Agent, that is, the technical data about the Internet browser used by the user or the data subject at the time of using the service, or through which he used the service. The data subject will be considered to be familiar and consentient with this provision upon using any of the services provided by the data controller.
IV .Legality of processing
- Legal basis of data processing
Landvetter Parkering Service AB collects data based on:
- The data subject's consent, which will be considered implicitly given when registering and creating a user account, when checking the corresponding checkbox(es), or using the services that are available without the necessary registration;
- The necessity of collecting data for the fulfilment of obligations under the contract, in accordance with Article 6, paragraph 1, point (b) of the GDPR;
- The execution of the legal rights and obligations of the controller;
- The protection of the vital interests of data subject or other natural person;
- The task of a controller entrusted to him in the public interest, or the conferred public authorization;
- The protection of the legitimate interests of the controller or of a third party, with respect to exceptions provided for in Article 6, paragraph 1, point (f) of the GDPR.
During additional data processing for which there is no explicit consent of the data subject, or an appropriate provision of a national law permitting the data processing, if circumstances so require - the controller shall take into account the following when assessing whether the additional processing is compatible with the initial purpose for which the data were collected:
- The link between the reason for which the data were collected and the reason for which the data is further processed;
- Context in which the data were initially collected;
- Type and nature of the data collected;
- Possible consequences of further data processing;
- Existence of adequate security measures (for example: encryption and pseudonymization).
V. Conditions for consent
Landvetter Parkering Service AB, as a data controller, will be able to prove the existence of consent for data processing. Any form of physical or electronic record from which it may be concluded, or at least make it probable that the requested consent is given, will be considered as evidence. An electronic record (log) that will contain the information about the action done by the data subject which implies the given consent, shall in particular be considered as evidence (click on the button, checkbox check, record of completed registration by clicking on the link in the verification email, etc.). The data subject has the right to withdraw the consent for data processing at any time. Withdrawal of consent does not produce a legal effect on the actions and effects of data processing made and occurred prior to the consent withdrawal, including a reasonable time in which withdrawal of consent is registered by the controller, and appropriate technical actions are taken, corresponding the legal effects of the expressed will of the data subject. Before giving consent, the data subject will be informed of the possibility of withdrawing it.
Withdrawal of consent is made to be easily accessible, and possible simply by sending notification email on email@example.com to the controller, as well as identification data of the person who is withdrawing the consent. All data processing operations will be terminated as soon as possible, without delay, after a denial of consent was registered, within two working days at the latest.
The collection of requested data by the controller is considered necessary in order to fulfil the contractual obligations, i.e. to provide the contracted service, with which both parties (the controller and the data subject) are acquainted and agreed.
VI. Consent of minors
Consent of minors for data processing shall be legal if the minor, who has given consent, is at least 16 years old, or not less than 13 years old, if the limit below 16 years of age is prescribed by the national law of the Member State. By ticking a special checkbox, the data subject declares that he is old enough to make a valid declaration of will. A parental right holder is able to validate a declaration of will made by a person under the age of 16, or at least 13 years old, if so prescribed by the national law of the Member State. Controller - Landvetter Parkering Service AB, in case of doubt, undertakes technical measures to determine whether the consent is given by a competent or authorized person, using the technology available to him with reasonable efforts.
VII. Processing of specific data categories
Landvetter Parkering Service AB does not collect special information from which racial and ethnic origin, political opinions, religious or philosophical beliefs, membership of a trade union, any biometric or genetic data, health data or data relating to sexual orientation can be revealed. Also, data on convictions and other offenses are not collected or processed.
VIII. Processing that does not require identification
Landvetter Parkering Service AB, as a controller, is not obligated to store the data of a data subject which is no longer required for the performance of the contract, or fulfilment of contractual obligations. The controller will notify the person that he does not own and process his personal information, after receiving his explicit request.
Rights of data subject
IX. Transparency of information, communication and the exercise of data subject rights
All information related to the collection and processing of information about him, the data subject shall receive in a verbal or written manner (including the possibility of electronic notification), on a personal request or request from the person he authorized for that purpose.
The controller will not refuse to act upon the requirements of the data subject, except in the case of being unable to identify the data subject, or the in the cases where the requests of a data subject are apparently unfounded, excessive, inappropriate or repeated.
The controller will provide the requested information no later than 7 days from the date of receipt of the request. The deadline may be extended for another 15 days if the request is complex and if there are more than one request. In case of extension of the deadline in the above manner, the controller will notify the data subject within 7 days stating the reasons for extending the deadline.
If the request is submitted electronically, it will be answered electronically, unless the data subject explicitly requests otherwise.
If the controller does not act upon the request of the data subject, he will notify him about this within 7 days giving him the instruction on legal remedy in the form of judicial or administrative legal protection.
All information and communication regarding the exercise of a data subject rights are free of charge.
If the requests of a data subject are apparently unfounded, excessive, inappropriate or repeated, the controller reserves the right to:
- Charge a reasonable fee;
- Refuse to act on the request.
The controller will be able to prove, that is to demonstrate, the likelihood of unfounded, unjustified, excessive (quantitative and qualitative inadequacy) claims, as well as the existence of any other form of abuse of rights, or the use of rights contrary to the purpose for which they were established.
The controller reserves the right to request additional evidence in order to confirm the identity of the data subject.
X. Information for the data subject regarding the collection and processing of data
- Information about the controller - Landvetter Parkering Service AB and its representative;
- Contact details of the data protection officer;
- Purpose of data processing and its legal basis;
- Data recipients (if any);
- The intention to transfer data to third countries (if any);
- The period of data storage, or the criteria for determining that period;
- The existence of the right to access stored personal data, as well as the right to update, delete, ban further processing and the right to transfer them;
- The existence of the right to withdraw consent;
- The right to appeal to the competent authority;
- 10. Legal, contractual or other necessity (for the purpose of realisation of the contract) to provide the requested data, is there an obligation to do so, or it is voluntary, and what are the consequences of not providing the requested data.
- Another purpose for which the controller or its designated processor intends to use the data (if any);
- The categories of data collected (if a classification is required);
- If the data is not collected from the person to whom it relates, that person will be informed no later than within a month;
- If the data is used for the communication with data subject, this will be pointed out to him during (at the moment of) first communication;
- If the data are disclosed to a third party, no later than at the time of the first disclosure.
Exceptions to the above-mentioned are in place in cases:
- When the data subject already has the information;
- When it is not possible to provide such information, or it is disproportionately difficult and requires extraordinary efforts, or if the provision of such information would make the purpose of processing meaningless;
- When it is already regulated in an adequate way by the national law of the EU Member State;
- Where there is an obligation to protect professional secrecy, prescribed by the national law of the EU Member State.
XI. The right of access
The data subject has the right to receive information, on request, from the controller related to personal data about him that has been processed, as well as information related to:
- Purpose of data processing;
- Data category;
- Details about users (third parties) to whom these data will be disclosed and available;
- The period, or the criterion by which the period of data storage will be determined;
- The existence of the right to request rectification, or erasure of personal data, as well as restriction on further data processing, or the right to object to such processing;
- The right to object to the competent supervisory authority;
- Source details, when data were not collected from the person (data subject) to whom they relate;
- The existence of an automatic decision-making (if any);
- The right to information on the protection of his data if the data were sent to third countries, or transmitted to international organizations.
The controller will provide the data subject, on request, a copy of the data being processed. For additional copies, a reasonable fee may be required. The data subject's requests sent in electronic form can be answered electronically by the usual means of communication.
XII. The right to rectification
The data subject has the right to rectify any incorrect data processed by the controller. The right to rectification is exercised on a personal request, and if the controller detects obvious data errors. The rectification will be made without delay, within a reasonable time that is required by the controller to register an error and make the necessary corrections. Supplement to incomplete data will also be considered as correction. The users themselves are also able to make the required corrections electronically through a dedicated user account interface.
XIII. The right of erasure
The data subject has the right to request erasure of data, and the controller is obliged to delete the data without delay, if one of the following conditions is met:
- Data are no longer necessary for the purpose of which they were collected or processed;
- The data subject withdrew his consent to the data processing, and there is no other legal ground for processing;
- The data subject is opposing to data processing, and there is no prevalent interest in continuing processing;
- There was an illegitimate data processing;
- The data must be erased in order to comply with the legal obligation of the EU Member State, whose data protection laws apply to the controller;
- Information is collected for, or in connection with the provision of information society services.
If the controller publicly released personal information and is obliged to erase them, the controller shall, using the available technology and with reasonable effort, notify other controllers (that are processing this information) that the data subject has requested the erasure of data, as well as any data links, copies or replicas available to them (Right to be forgotten).
The foregoing shall not apply if:
- It violates the freedom of expression and information;
- Processing is mandatory by the national law of a Member State, or is related to a work that is done in the public interest or as public authority of the controller;
- It is permitted for statistical purposes in accordance with provisions stated by GDPR;
- There is public interest in the field of public health protection;
- It is related to establishing, practicing and/or implementation of legal claims.
XIV. Right to restriction of processing
The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
- The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
- The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
- The data subject has objected to processing pursuant, but the verification whether the legitimate grounds of the controller override those of the data subject is pending.
Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.
The data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.
XV. Notification obligation
The controller shall communicate any rectification or erasure of personal data or restriction of processing of such data to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.
XVI. Right to data portability
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
- The processing is based on consent or on a contract pursuant to the provisions of GDPR;
- The processing is carried out by automated means.
Where technically feasible, the data subject shall have the right to have the personal data transmitted directly from one controller to another, in accordance with an expressly submitted request.
XVII. Right to object to data processing
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time, to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
In the context of the use of information society services, the data subject may exercise his or her right to object by automated means using technical specifications.
Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
XVIII. Automated individual decision-making and profiling
The data subject shall have the right not to be subject to a decision based solely on automated processing (including profiling), which produces legal effects concerning him or her or similarly significantly affects him or her.
Paragraph 1 shall not apply if the decision:
- Is necessary for entering into, or performance of, a contract between the data subject and a data controller;
- Is authorised by the European Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
- Is based on the data subject's explicit consent
Under national laws of the Kingdom of Sweden, as the country of the headquarters of the controller - Landvetter Parkering Service AB, as well as other EU Member States, it is possible to restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:
- National security;
- Public security;
- The prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
- Other important objectives of general public interest, as prescribed by the national laws of the EU Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation a matters, public health and social security;
- The protection of judicial independence and judicial proceedings;
- The prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
- Monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority;
- The protection of the data subject or the rights and freedoms of others;
- The enforcement of civil law claims.
In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, as to:
- The purposes of the processing or categories of processing;
- The categories of personal data;
- The scope of the restrictions introduced;
- The safeguards to prevent abuse or unlawful access or transfer;
- The specification of the controller or categories of controllers;
- The storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing;
- The risks to the rights and freedoms of data subjects;
- The right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction.
XIX. “Privacy by default” compliance
The controller - Landvetter Parkering Service AB, shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. Such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.
Any authorised processor designated by the controller - Landvetter Parkering Service AB, shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.
Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. That contract or other legal act shall stipulate, in particular, that the processor:
- Processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
- Ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- Takes all measures required pursuant to Article 32 of GDPR;
- Respects the conditions referred to in paragraphs 2 and 4 for engaging another processor;
- Taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III;
- Assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor;
- At the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;
- Makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
With regard to point (h) of the first subparagraph, the processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions.
Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as referred to in paragraph 3 shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this Regulation. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor's obligations.
The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law.
XXI. Records of processing activities
Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:
- The name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer;
- The purposes of the processing;
- A description of the categories of data subjects and of the categories of personal data;
- The categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
- Where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
- Where possible, the envisaged time limits for erasure of the different categories of data;
- Where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:
- The name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller's or the processor's representative, and the data protection officer;
- The categories of processing carried out on behalf of each controller;
- Where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
- Where possible, a general description of the technical and organisational security measures referred to in Article 32(1) of GDPR.
The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.
The controller or the processor and, where applicable, the controller's or the processor's representative, shall make the record available to the supervisory authority on request.
XXII. Notification of personal data breach
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55 of GDPR, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
The notification referred to in paragraph 1 shall at least:
- Describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- Communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
- Describe the likely consequences of the personal data breach;
- Describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with Article 33 of GDPR.
XXIII. Communication of a personal data breach to the data subject
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
The communication to the data subject shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33(3) of GDPR.
The communication to the data subject shall not be required if any of the following conditions are met:
- The controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
- The controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;
- It would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
XXIV. Designation of the data protection officer
The controller and the processor shall designate a data protection officer that can be reached via e-mail: firstname.lastname@example.org.
A group of undertakings may appoint a single data protection officer, provided that a data protection officer is easily accessible from each establishment.
The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.
The controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority.
XXV. Transfers of personal data to third countries or international organisations
In the case of transfer of personal data to third countries, outside of the EU, or the transfer of personal data to international organizations, Landvetter Parkering Service AB shall take all prescribed protection measures and respect all rights of the data subject provided for in Article 46 paragraph 1 to 5 of GDPR. In the case of transfer of data in the special situations prescribed in Article 49 of the GDPR, the rules explicitly referred to in that Article shall apply, which relate to the transfer of personal data in situations where there is no appropriate decision on adequacy or security measures, subject to the following conditions:
- The data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
- The transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request;
- The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
- The transfer is necessary for important reasons of public interest;
- The transfer is necessary for the establishment, exercise or defence of legal claims;
- The transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
- The transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.
XXVI. The right to complain and other forms of protection of rights
Every data subject shall have the right to lodge a complaint with the competent supervisory authority, in charge of the protection of personal data, as well as the right to judicial protection from the decision of the supervisory authority. In case of judicial proceedings, the court in whose territory the competent authority for protection of personal data is located shall have jurisdiction. Regardless of administrative protection, each data subject retains the right to judicial protection in situations in which he considers his rights violated by illegal processing of personal data. The competent court will be the court of the country in which the controller has its seat. The data subject has the right to entrust the protection of his rights to a non-profit organization, association or other body, established in accordance with the law of the EU Member State, in accordance with Article 80 of the GDPR. Landvetter Parkering Service AB, as a data controller, will be held responsible for compensation of any damages determined by judicial decisions.