Privacy Policy

  • Who We Are

    Who We Are 


    The International Parking Community (“IPC”) is a trading name of United Trade and Industry Limited, company number 08248531, registered in England and Wales. Our registered address is Cromwell House, Royal Court, Brook Street, Macclesfield, SK11 7AE. 


    United Trade and Industry Limited also uses the following trading names: 


    - The Independent Parking Committee; 

    - International Parking Community; 


    This Privacy Policy explains how the IPC collects, uses and shares personal data in connection with its functions as an Accredited Trade Association, membership body, compliance body, complaints handler, training provider and related services. 


    We process personal data in accordance with the UK General Data Protection Regulation, the Data Protection Act 2018 and other applicable data protection legislation. 

  • What We Do

    Trade Association 


    The IPC is an Accredited Trade Association. Our members are private parking operators and related organisations. Members of the IPC may be able to request registered keeper data from the Driver and Vehicle Licensing Agency (“DVLA”) where they have reasonable cause to do so. 


    We oversee member compliance with the IPC Code of Practice and related requirements. As part of this role, we may receive and process personal data relating to individuals who have received a parking charge, made a complaint, submitted an enquiry, or otherwise contacted us about the conduct of an IPC member.


    Complaints and Enquiries 


    The IPC handles complaints and enquiries about IPC members, parking charge processes, Code compliance and related matters. 


    When you submit a complaint or enquiry to the IPC, we may process the information you provide, together with information provided by the relevant IPC member, the DVLA, public authorities, regulators, or other relevant third parties where necessary.


    Member Information 


    We hold information relating to our members and their employees, representatives and contractors where this is necessary for carrying out our activities as a trade association, compliance body and membership organisation. 


    The Legal Position 


    This Privacy Policy explains: 


    - the lawful basis on which we process your personal data; 

    - the categories of personal data we process; 

    - what we use personal data for; 

    - who we may share personal data with; 

    - how long we keep personal data; 

    - your rights under data protection law; 

    - how to contact us or make a complaint. 


    Your Rights 


    You have the following rights under data protection law: 


    - the right to be informed; 

    - the right of access; 

    - the right to rectification; 

    - the right to erasure; 

    - the right to restrict processing; 

    - the right to data portability; 

    - the right to object; 

    - rights relating to automated decision-making and profiling, where applicable. 


    These rights are not absolute and may not apply in every circumstance. Where you make a request, we will consider it in accordance with applicable data protection law and respond within the relevant statutory timeframe. 


    Right of Access 


    You have the right to request a copy of the personal data we hold about you. This is known as a Subject Access Request. 


    You can make a Subject Access Request by emailing our Data Protection Officer at: 


    dpo@theipc.info 


    We may need to verify your identity before providing information. 


    If you have created an account on the IPC website, you may also be able to access some information by logging into your account.


    Our Lawful Basis for Processing Your Personal Data 


    We process personal data where we have a lawful basis to do so. Depending on the circumstances, this may include:


    Legitimate interests 

    We may process personal data where it is necessary for our legitimate interests, provided those interests are not overridden by your rights and freedoms. 


    Our legitimate interests include: 


    - operating as an Accredited Trade Association; 

    - overseeing member compliance with the IPC Code of Practice; 

    - investigating complaints and enquiries; 

    - communicating with motorists, members, regulators and other relevant parties; 

    - protecting the integrity of private parking processes; 

    - maintaining records of complaints, enquiries, compliance action and member conduct; 

    - protecting our legal position and the legal position of others


    The Categories of Personal Data We Process 


    The personal data we process may include: 


    - name; 

    - address; 

    - email address; 

    - telephone number; 

    - vehicle registration mark; 

    - parking charge reference; 

    - date, time and location of a parking event; 

    - correspondence relating to a complaint or enquiry; 

    - information about a parking charge; 

    - information provided by an IPC member; 

    - information provided by the DVLA, regulators, public authorities or other relevant third parties; 

    - account login and website usage information; 

    - member contact details; 

    - training, event or membership information; 

    - any other information relevant to a complaint, enquiry, membership matter, compliance matter or service you have requested. 


    How Long We Keep Your Personal Data 


    We will keep personal data only for as long as reasonably necessary for the purpose for which it was collected. 


    Personal data relating to complaints, enquiries or parking charge-related matters will normally be retained for up to 2 years after the dispute, complaint or issue has been resolved, unless a longer retention period is necessary because of legal, regulatory, audit, dispute-resolution, compliance or legitimate business reasons. 


    Member, training, contractual and compliance records may be retained for longer where necessary for legal, regulatory, audit or business purposes.


    Are We a Data Controller or Processor? 


    In most cases, the IPC acts as a data controller for the personal data it processes. This includes personal data provided to us by motorists, members, complainants, enquirers, regulators, public authorities or other third parties in connection with IPC complaints, enquiries, membership, compliance, training or trade association functions. 


    In some limited circumstances, the IPC may act as a processor where it processes personal data on behalf of another controller under written instructions.


    Sharing Your Personal Data 


    We may share personal data where it is necessary and lawful to do so. This may include sharing information with: 


    - IPC members, where a complaint, enquiry or issue relates to that member; 

    - external software providers and IT support providers; 

    - the DVLA; 

    - government departments; 

    - regulators and oversight bodies; 

    - legal advisers, auditors, insurers or professional advisers; 

    - law enforcement or public authorities, where required or permitted by law; 

    - another person authorised by you to act on your behalf. 


    We will only share personal data where there is a lawful basis to do so and where the sharing is necessary and proportionate.


    International Transfers 


    We do not routinely transfer personal data outside the United Kingdom. 


    Where personal data is transferred outside the United Kingdom, we will ensure that appropriate safeguards are in place in accordance with applicable data protection law. 


    When Will We Contact You? 


    We will contact you where necessary in connection with the purpose for which we hold your personal data. This may include contacting you about: 


    - a complaint or enquiry; 

    - a membership matter; 

    - a compliance matter; 

    - a training or event booking; 

    - a request you have made; 

    - a legal, regulatory or operational issue; 

    - information relevant to IPC members or services. 


    If you are a member, we may contact you with advisory, compliance, operational or membership information which we believe is relevant to you.


    Changes to This Privacy Policy 


    We may update this Privacy Policy from time to time to reflect changes in how we process personal data, changes in our organisational structure, changes in law, or changes in regulatory requirements. 


    Where changes are material, we will take reasonable steps to bring them to the attention of affected individuals where appropriate. 


    This Privacy Policy was last updated on: 02/06/2026


    Contact Us 


    If you have any questions about this Privacy Policy or how the IPC processes your personal data, you can contact our Data Protection Officer: 


    Email: dpo@theipc.info 

    Post: Data Protection Officer, International Parking Community, Cromwell House, Royal Court, Brook Street, Macclesfield, SK11 7AE 


    You may also contact us by registering an account at: 


    https://theipc.info/complaints 


    and logging a complaint or enquiry with us.


    Complaints About the Processing of Data 


    If you are unhappy with how we have handled your personal data, please contact us first so that we can try to resolve the matter. 


    You also have the right to complain to the Information Commissioner’s Office, which is the UK supervisory authority for data protection matters. 


    You can contact the ICO through its website: 


    www.ico.org.uk 

  • Data Protection Complaints Handling Policy

     1. Purpose 


    The purpose of this policy is to set out how the International Parking Community Limited (“IPC”, “we”, “us” or “our”) receives, records, investigates, and responds to complaints about the way we process personal data. 


    The IPC is committed to handling personal data lawfully, fairly, transparently, and securely. Where an individual raises a concern about our processing of their personal data, we will treat that concern seriously, investigate it proportionately, and respond without undue delay. 


    This policy supports compliance with the UK GDPR, the Data Protection Act 2018, and the data protection complaints process requirements introduced by the Data (Use and Access) Act 2025, which come into force on 19 June 2026. 


    2. Scope 


    This policy applies to complaints about personal data processed by the IPC in connection with its functions and activities, including: 


    - membership and accreditation activities; 

    - audits, compliance monitoring, investigations, and sanction processes; 

    - communications with motorists, members, landowners, public bodies, regulators, and other stakeholders; 

    - complaints and enquiries handled by the IPC; 

    - training, events, and member services; 

    - website, portal, and online account services; 

    - supplier, contractor, and business contact management; 

    - employment, recruitment, and internal administration. 


    This policy applies to complaints raised by individuals whose personal data is processed by the IPC, including motorists, vehicle keepers , complainants, member representatives, landowners, employees, contractors, suppliers, and other stakeholders. 


    3. What is a Data Protection Complaint? 


    A data protection complaint is any expression of dissatisfaction about the way the IPC has collected, used, stored, shared, retained, secured, or otherwise processed personal data. 


    A person does not need to refer to data protection law, the UK GDPR, the Data Protection Act 2018, the Data (Use and Access) Act 2025, or use any specific legal wording for their concern to be treated as a data protection complaint. 


    Examples of data protection complaints may include concerns about: 


    - how the IPC obtained personal data; 

    - how the IPC used personal data; 

    - the accuracy of personal data held by the IPC; 

    - the lawful basis relied on by the IPC; 

    - the handling of a subject access request or other data subject rights request; 

    - the sharing of personal data with members, service providers, regulators, public bodies, or other third parties; 

    - the retention of personal data; 

    - the security of personal data; 

    - the clarity of privacy information provided by the IPC 

    - the handling of personal data during audits, investigations, complaints, administration, or compliance activity. 


    4. Matters Outside this Policy 


    This policy applies only to complaints about the IPC’s processing of personal data. 


    It does not replace or override other IPC processes, including: 


    - complaints about an IPC member’s conduct; 

    - complaints about signage, landowner authority, enforcement practices, or parking terms; 

    - appeals against parking charges; 

    - complaints about how an IPC member has processed personal data; 

    - requests for general advice or information. 


    Where correspondence relates to a matter outside this policy, the IPC will direct the individual to the appropriate route where possible. 


    Where correspondence raises both a data protection complaint and a non-data protection matter, the IPC may handle each issue under the relevant process. 


    For example, a complaint about an operator’s use of ANPR data may need to be considered by the operator as data controller. A complaint about how the IPC handled personal data during its own review, audit, investigation, or correspondence may fall within this policy. 


    5. How to Make a Data Protection Complaint 


    A data protection complaint can be made to the IPC using the following contact details: 


    Email: dpo@theipc.info 


    Postal address: Cromwell House, Royal Court, Macclesfield, SK11 7AE 


    Complaints do not have to be made using a specific form or particular wording. Where a data protection complaint is received through another IPC contact route, we will accept it and ensure it is passed to the appropriate person or team. 


    Where a complaint is received through social media or another public channel, the IPC will avoid discussing personal data publicly and may ask the complainant to provide a suitable private contact method.


    6. Responsibility for Handling Data Protection Complaints 


    Responsibility for oversight of this policy rests with the IPC’s designated data protection lead, Data Protection Officer where appointed, or other senior person with responsibility for data protection compliance. 


    The responsible person or team will ensure that data protection complaints are: 


    - recognised and recorded; 

    - acknowledged within the required timeframe; 

    - investigated appropriately 

    - escalated where necessary; 

    - responded to without undue delay; 

    - used to identify lessons learned where appropriate. 


    IPC staff who may receive complaints, enquiries, or correspondence from individuals should be made aware of this policy and should know how to identify and escalate a potential data protection complaint. 


    7. Acknowledging Complaints 


    The IPC will acknowledge receipt of a data protection complaint within 30 calendar days of receiving it. 


    - The acknowledgement may include: 

    - confirmation that the complaint has been received; 

    - a reference number; 

    - confirmation of the issue or issues being considered; 

    - a request for clarification where the complaint is unclear; 

    - a request for evidence of identity; 

    - a request for evidence of authority where the complaint is made on behalf of another person; 

    - an indication of the next steps. 


    The IPC may begin its investigation before issuing a formal acknowledgement where it is appropriate to do so. 


    8. Identity and Authority Checks 


    Before disclosing personal data or discussing case-specific information, the IPC may need to verify the identity of the complainant. 


    Where a complaint is made by someone acting on behalf of another person, the IPC must be satisfied that the representative has authority to act. This may include requesting suitable evidence, such as written authority, solicitor authority, power of attorney, or another appropriate form of confirmation. 


    The IPC will only request information that is reasonable and necessary for the purpose of confirming identity or authority.


    9. Investigation Process 


    The IPC will investigate data protection complaints fairly, proportionately, and without undue delay.


    Depending on the nature of the complaint, the investigation may include: 


    - reviewing the complaint and any supporting information; 

    - identifying the relevant IPC processing activity; 

    - reviewing relevant records, correspondence, system logs, complaint files, audit records, appeal administration records, or case notes; 

    - considering applicable privacy notices, policies, retention rules, lawful bases, and data sharing arrangements; 

    - consulting relevant IPC staff or service providers; 

    - considering whether the IPC followed its own policies and procedures; 

    - assessing whether the processing was lawful, fair, transparent, necessary, proportionate, accurate, and secure; 

    - identifying whether corrective action is required. 


    The IPC is not required to take steps that would be unreasonable or disproportionate, but it should be able to explain the steps taken and the reasons for its conclusions. 


    10. Keeping the Complainant Informed 


    The IPC will keep the complainant informed without undue delay, particularly where the complaint is complex, requires input from more than one team, or is likely to take longer than expected. 


    Updates may include: 


    - confirmation that the complaint remains under review; 

    - an explanation of any delay; 

    - a revised expected response timeframe; 

    - a request for further information; 

    - details of the appropriate contact point. 


    11. Outcome Response 


    Once the investigation has been completed, the IPC will tell the complainant the outcome without undue delay. 


    The outcome response should explain, where appropriate: 


    - what complaint points were considered; 

    - what enquiries were made; 

    - the conclusion reached; 

    - whether the complaint is upheld, partially upheld, or not upheld; 

    - the reasons for the conclusion; 

    - any action taken or proposed; 

    - any corrective measures implemented; 

    - whether the complainant may raise the matter with the Information Commissioner’s Office if they remain dissatisfied. 


    Where the complaint includes matters that are outside the scope of this policy, the IPC’s response should make clear which issues have been considered as data protection complaints and which issues fall under another process or outside the IPC’s remit. 


    12. Corrective Action 


    Where a complaint identifies a problem with the IPC’s processing of personal data, the IPC will consider appropriate corrective action. 


    This may include: 


    - correcting inaccurate personal data; 

    - updating privacy information; 

    -  changing internal procedures; 

    - improving staff guidance or training; 

    - reviewing retention arrangements; 

    - reviewing data sharing arrangements; 

    - improving security controls; 

    - reviewing processor arrangements; 

    - issuing an apology where appropriate; 

    - taking steps to prevent recurrence. 


    Corrective action should be proportionate to the issue identified and the risk to individuals.


     13. Complaints Involving IPC Members or Other Third Parties 


    Some complaints may involve both the IPC and an IPC member, service provider, landowner, public body, regulator, or another third party. 


    Where the complaint concerns personal data processed by an IPC member as controller, the individual may need to raise the complaint directly with that member. The IPC may signpost the complainant to the relevant organisation where appropriate. 


    Where the complaint concerns personal data processed by the IPC, or by a processor acting on behalf of the IPC, the complaint will be handled under this policy. 


    Where information needs to be shared with a third party to investigate or respond to a complaint, the IPC will only share information where it is lawful, necessary, and proportionate to do so. 


    14. Record Keeping 


    The IPC will maintain a record of data protection complaints, including: 


    - the date the complaint was received; 

    - the complainant’s details, where appropriate; 

    - the nature of the complaint; 

    - the date and method of acknowledgement; 

    - any identity or authority checks completed; 

    - the enquiries made; 

    - the evidence reviewed; 

    - the outcome reached; 

    - the date of the outcome response; 

    - any corrective action taken; 

    - any lessons learned. 


    Complaint records will be retained in accordance with the IPC’s retention schedule and will not be kept for longer than necessary. 


    Complaint records may be used to demonstrate compliance to the Information Commissioner’s Office or another relevant body where appropriate. 


    15. Governance and Continuous Improvement 


    The IPC will periodically review data protection complaints to identify recurring issues, risks, and opportunities for improvement. 


    Lessons learned from complaints may be used to improve: 


    - IPC privacy information; 

    - staff training; 

    - internal procedures; 

    - member communications; 

    - complaint handling; 

    - audit and compliance processes; 

    - data sharing arrangements; 

    - processor oversight; 

    - retention practices; 

    - system security. 


    This policy should be reviewed periodically and updated where necessary to reflect changes in law, ICO guidance, IPC processes, or IPC data processing activities. 


    Policy owner: Head of compliance 


    Date approved: 08/06/2026 


    Next review date: 08/06/2027