Compliance

We aim to comply with national and European laws and regulations regarding our industry. Our risk management policy states that we are averse to the risk of non-compliance with relevant laws or regulations, and to non-compliance with our own codes, contractual agreements, and covenants.

In 2018 we initiated a Compliance Programme to analyse our risks and to improve our risk management mechanisms throughout the organisation.

We mapped our compliance areas in a risk matrix and defined improvement actions related to our high priority compliance areas. We defined GDPR (EU General Data Protection Regulation), PCI DSS (Payment Card Industry Data Security Standard), ethics and integrity as high priority areas.

Figure 30 Map of compliance areas (compliance matrix)

GDPR

Our GDPR team, consisting of Q-Park country and corporate privacy officers with external support, had the necessary procedures in place in all Q-Park countries in time for 25 May 2018, the date from which GDPR became applicable.

Although GDPR has transitioned from a project to the operational phase, this area requires ongoing attention to ensure compliance with:

  • data retention periods and clean systems
  • data processor agreements at corporate and country level

In addition, we will continue our awareness and training programme regarding information security policies and guidelines.

PCI DSS

PCI DSS is the worldwide Payment Card Industry Data Security Standard that was set up to help businesses process card payments securely and reduce card fraud. Compliance with the standard is required from all organisations that handle branded credit cards from Visa, Mastercard and AMEX. PCI DSS is intended to protect sensitive cardholder data. Validation of compliance is performed annually.

Figure 31 PCI DSS compliant

Organisations that store, process or transmit cardholder data must comply with PCI DSS, regardless of the size of the organisation and regardless of the number of transactions. The requirements are broad and include detailed measures at both business and ICT levels. Policies, procedures and technical measures are all part of the package.

The card brands assign organisations to levels based on the number of card transactions they process annually. The greater the annual transaction volume, the more rigorous the validation requirements that apply. Sanctions for non-compliance may range from fines per incident to termination of the contract with the acquiring bank.

As cashless payments at parking facilities continue to increase, Q-Park relies considerably on card transactions. Compliance with this standard is therefore critical to our operations.

Ethics and integrity

As a provider of high-calibre parking services, Q-Park considers compliance with high ethical and integrity standards very important.

In 2018, the Compliance Programme team prepared an ethics and integrity project plan which includes a statement of the project objectives, approach and deliverables - including the Q-Park Integrity Policy. In the coming year the team will continue its work, culminating in a training and awareness programme to raise awareness of the importance of this compliance area and to make improvement actions sustainable.

Results

  • We developed a strategic Compliance Programme to analyse our risks and to improve our risk management mechanisms throughout the organisation.
  • For GDPR, all necessary procedures were in place in all Q-Park countries in time for 25 May 2018.
  • Compliance with PCI DSS was validated.
  • Q-Park Integrity Policy developed and published.