Compliance

We aim to comply with national and European laws and regulations regarding our industry. Our risk management policy states that we are averse to the risk of non-compliance with relevant laws or regulations, and to non-compliance with our own codes, contractual agreements, and covenants.

In 2019 we continued to update our Compliance Programme. This included completing the analysis of our risks and further improving our risk management mechanisms throughout the organisation.

We had previously mapped our compliance areas in a risk matrix and defined improvement actions related to our high-priority compliance areas. GDPR (EU General Data Protection Regulation), PCI DSS (Payment Card Industry Data Security Standard), and ethics and integrity continue to be our high-priority areas.

Figure 26 Map of compliance areas (compliance matrix)

GDPR

Our GDPR team continues to monitor all aspects of the GDPR. Although GDPR is now in the operational phase, it still requires ongoing attention to ensure compliance with:

  • data retention periods and clean systems
  • data processor agreements at corporate and country level

In addition, we will continue our awareness and training programme regarding information security policies and guidelines.

PCI DSS

PCI DSS is the worldwide Payment Card Industry Data Security Standard that was established to help businesses process card payments securely and reduce card fraud. Compliance with the standard is required of all organisations that handle branded credit cards from Visa, Mastercard and AMEX. PCI DSS is intended to protect sensitive cardholder data. Validation of compliance is performed annually.

Figure 27 PCI DSS compliant

Organisations that store and process credit card information must comply with PCI DSS guidelines, regardless of the size of the organisation and regardless of the number of transactions. The guidelines are widely defined and include detailed measures at both business and ICT levels. Policies, procedures and technical measures are all part of the package.

PCI DSS classifies organisations into levels according to the number of card transactions they process. The greater the number of transactions an organisation processes annually, the higher the level and the stricter the measures it must implement. Penalties for non-compliance may vary from fines per incident to termination of the contract.

As cashless payments at parking facilities continue to increase, Q-Park relies considerably on card transactions. Compliance with these standards is therefore critical to our operations.

Ethics and integrity

As a provider of high-calibre parking services, Q-Park considers compliance with high ethical and integrity standards very important.

In 2019, the Compliance Programme team continued work on the ethics and integrity project plan drawn up during the previous year. The Q-Park Integrity Policy was fully revised and a Trade Sanctions Policy was also drawn up. In the coming year the team will continue its work, culminating in a training and awareness programme to raise awareness of the importance of this compliance area and to make improvement actions sustainable.

Results

  • We completed our risk analysis and implemented improvements to our risk management mechanisms throughout the organisation.
  • The GDPR procedures in place in all Q-Park countries were monitored.
  • Compliance with PCI DSS was validated.
  • The Q-Park Integrity Policy was developed and published.
  • The Q-Park Trade Sanctions Policy was developed.