Data protection with the Arivo digital parking system

Arivo's licence plate recognition and parking management software have been developed in compliance with the GDBR. Thus, Arivo's digital parking system meets all technical requirements to fully comply with the European Union's General Data Protection Regulation!

Von Arivo eingesetzte Kamera zur Kennenzeichenerkennung bei Parkflächen
Digital & data protection compliant

How does Arivo comply with the GDPR?

GDPR-compliant licence plate recognition

Obligation to provide information on licence plate recognition
for compliance with the lawfulness pursuant to Article 5 para 1 lit a GDPR

  • According to the obligation to inform under Article 13 GDPR and § 13 (5) GDPR, potential parking customers must be informed that the license plate of the vehicle they are driving will be captured when the barrier is approached.
  • An example / template for possible signage can be found here.


Anonymisation of license plates after contract fulfilment
to comply with data minimisation pursuant to Article 5 (1) (c) GDPR

  • After contract fulfilment, licence plates are automatically anonymised by our system.
  • The anonymisation of the licence plates takes place after the last recorded action: 
    • After entry, if no exit is recorded.
    • After the exit;
    • After the payment of outstanding parking fees.
  • The stored image is completely pixelated and the stored licence plate is anonymized (*****AB).


Time limits for deleting recorded data
to comply with the storage limitation pursuant to Article 5 para 1 lit e GDPR

  • The individual time limits for deleting data can be set in the parking system settings for each user group.
  • The data protection-compliant periods for deleting data are pre-set in the system.
  • Our system identifies configurations that violate data protection regulations and alerts you if the retention period exceeds the specified limits.


Data processing contract

  • In order to process the data collected from parking areas equipped with the Arivo system, a Data Processing Agreement (DPA) in accordance with Art. 28 GDPR must be concluded.
  • Car park operators are responsible within the meaning of Article 4(7) GDPR.
  • Arivo is a data processor within the meaning of Article 4(8) GDPR.
  • Download the Data Processing Agreement (DPA) with Arivo according to Article 28 GDPR, including the technical and organizational measures, here.

General information on data protection for garage and parking operators

In the next section, you'll find a detailed explanation of the key conduct rules for garages and parking companies from the Professional Association of Garages, Petrol Stations, and Service Companies of the Austrian Economic Chambers (WKO) for parking areas equipped with a digital parking system and license plate recognition.


Short-term parking

Contract of use with customers, which is concluded with the help of an automated system when customers enter the car park by recording their number plate (e.g. use of an NFC card, use of an authorised medium as a registered customer, e.g. number plate, QR code). The contract ends after the exit has been paid for.

Registered short-term parkers receive a collective invoice at the end of the month.

Long-term parking

Customers acquire the right to use a parking space by concluding a usage contract. The contract of use is created and concluded online via the Arivo software.

Licence plate recognition

The licence plate is converted into text symbols via optical image processing and entered into a database.

Vehicle registration number

The vehicle registration number is an indirectly personal data in the sense of Art. 4 Z 1 GDPR, i.e. information that relates to an identified or identifiable natural person. The licence plate is used as a parking authorisation medium.

Parking permit medium

Medium that authorises access to a garage (incl. parking areas), e.g. use of an NFC-enabled credit or debit card, QR code or customer card or vehicle registration number.


Data Processor & Responsible Party

Operators of a public garage process personal data of customers. Since operators decide on the purposes and means of processing personal data, they are data controllers in the sense of Article 4(7) of the GDPR.

Should the owner of the garage transfer the operation (management) to an external company as manager, the manager is considered a processor and the owner of the garage is a data controller.

In accordance with the definitions in Article 4 GDPR, Arivo acts in this context as a processor within the meaning of Section 8 and fulfils the obligations as a processor regulated in Article 28 GDPR.


Data acquisition

The Arivo parking system consists of a local processing unit (Intel Nuc) and at least one camera. No permanent video recording is made by the camera. A single image is only recorded as soon as a vehicle enters the detection range (which can be freely defined) of the camera. All areas outside the licence plate are rendered unrecognisable (pixelated) and therefore neither persons nor vehicle type can be recognised. In order to detect whether a vehicle is moving forwards or backwards, several images are taken and processed every second. The camera itself does not store any data, but sends the video image to the computer unit. This records the number plate and checks whether an authorisation (e.g. in the form of a long-term parking contract) exists. indirectly personal data in the sense of Art. 4 Z 1 GDPR and is subject to the strict requirements of the GDPR.


Legal basis of the processing of data

The lawfulness of the processing is based on the variants apparent in Article 6 (1) of the GDPR, depending on the application: For the sector at hand, consent pursuant to lit a leg cit may be decisive, taking into account the conditions for consent in Article 7 GDPR. Furthermore, data processing may also be justified by lit b leg cit, provided that the fulfilment of the contract constitutes the given lawfulness. Finally, the lawfulness can also exist due to the legitimate interest of the controller according to lit f leg cit. With regard to the corresponding legitimation, we refer to point 5 (short-term parkers) and point 6 (long-term parkers) of the approved rules of conduct of the WKO. A distinction must be made between the cases of application listed there.


Processing personal data for short-term parking

Operators of a public garage collect the registration number of the entering motor vehicle via number plate recognition. The permissibility of the processing of the vehicle registration number results from Art. 6 Para. 1 lit. f GDPR. The legitimate interest of the parking operator lies in the economic interest of ensuring simple, rapid and efficient initiation and processing of parking contracts.

Through the technical and organisational measures, the operator shall ensure that

  • the personal data which are processed within the scope of the registration licence plate recognition
    (specifically: the licence plate number) is used exclusively for the purpose of processing the hiring contract
    be used,
  • the data will be collected and processed to the minimum extent possible,
  • use for other purposes is prevented.

The vehicle registration number is used as a parking authorisation medium. With the entry camera, the licence plate number is recorded as a pseudonymised data element and stored with the entry date and time. This data is the basis for the correct billing of the parking process. 
parking process. In the case of chargeable garages or time overruns, the applicable tariff can be paid before the vehicle leaves the garage. In the case of FreeFlow facilities (without barriers), a holder data query can be carried out in the event of a breach of contract (non-payment of open parking fees) and an invoice sent to the holder. Alternatively, depending on the design of the garage, the parking customer can pay the parking fee at a machine or online.

If the (potential) customer does not wish to have his number plate registered, he can prevent the registration of his number plate by not driving up to the garage (there is no obligation to contract on the part of the garage operator).

The car registration number is only evaluated for billing purposes or if there is a breach of contract. Furthermore, the licence plate recognition prevents the repeated use of a free parking time.
When using the licence plate recognition as a parking authorisation medium, it is also possible to check whether the ticket number of the vehicle entered at the exit matches the assigned number plate. If this is not the case, the exit barrier does not open and the possible theft of a vehicle can be prevented. 
the possible theft of a vehicle can be prevented.

Further information can be found in point 5.4 of the Code of Conduct for Garage and Car Park Operators of the Professional Association of Garages, Petrol Stations and Service Companies of the WKO.


Processing of personal data in long-term parking

If the parking operator has already concluded a parking contract with the customer, the following rules apply:
Personal data is only processed for registered customers. Depending on the parking authorisation medium, the transaction data of the individual parking processes are linked to the accruing tariffs and invoiced at the end of the billing period (mostly one month). Depending on the contractual agreement, payment is made with the means of payment deposited with Arivo. In the case of long-term parking, the licence plate number also serves as the parking authorisation medium.

In all cases where personal data are processed on the basis of an existing contract, the processing is carried out as follows:

For customers who are not entrepreneurs within the meaning of § 1 para 2 KSchG (private customers) the following applies:

Long-term parking customers conclude a long-term parking contract in the webshop provided by Arivo. In doing so, the long-term parking customer explicitly consents to the processing of his personal data within the meaning of this point. In addition, the garage operator refers to the privacy policy.

The following applies to customers who are entrepreneurs within the meaning of § 1 para 2 KSchG (corporate customers):

The customer has the option of creating user authorisations for himself or for his own employees (e.g. adding further licence plates within the scope of the contract). If the garage operator does not have any personal data about the individual user (no personalisation of the usage authorisation), no further measures are necessary. 

The data processing of the registration number is based on the explicit consent of the respective data subject within the meaning of Art. 6 para. 1 lit. a GDPR:
DThe data subject has given consent to the processing of personal data concerning him or her for one or more specific purposes;
as well as § 12 para. 2 no. 2 GDPR
Image recording is......permissible if the data subject has consented to the processing of his or her personal data,


Data protection impact assessment of licence plate recognition

A data protection impact assessment for license plate recognition is not necessary due to the rationale presented below.

With regard to the processed identifiers, there is no risk to the rights and freedoms of natural persons as a consequence, since the prescribed technical measures are designed in such a way that unauthorised access is virtually impossible and - should this nevertheless occur - the data obtained here
inadmissibly obtained data would not represent any added value. It can therefore be concluded that hacking attacks on number plate recognition systems are highly unlikely. Therefore, a data protection impact assessment does not have to be carried out for number plate recognition because the requirements of Article 35 of the GDPR are not met.

General information on data protection for parking customers

The following information provides details about the processing of personal data of parking customers. We process all personal data with care and provide comprehensive information about the types of data processed, the purposes, and the duration of processing.


Who is Arivo?

Arivo offers complete solutions for the digital management of parking spaces. With our parking system, both short-term and long-term parkers can conveniently drive in, park and drive out again using licence plate recognition. Various modern payment options offer short-stay parkers a convenient way to pay their parking fees.

Which data is processed and why?

The following table provides an overview of the categories of personal data that we collect and share with service providers and third parties.

Category of personal data Example When and why does Arivo collect this information Which third parties do we share information with and for what business purposes?

Contact details

Name, telephone, e-mail, customer number, address

When registering as a long-term parker.
The data is required for the fulfilment of the contract.

Individual data may be passed on to third parties in order to fulfil the services. Third parties only receive the data required to fulfil the respective tasks. Therefore, the third parties never gain access to the totality of the data provided.

Licence plate data

Car licence plate, car model

When registering as a long-term/short-term parker or when entering as an unregistered short-term parker.
The licence plate is used as a medium for parking authorisation.

In the case of unpaid parking, a holder data query may be carried out depending on the operator.

Transaction data

Pictures of licence plates at entry and exit, log data of entry and exit

When entering and leaving a garage equipped with the Arivo system.
With the help of the movement data, the amount of the parking fee can be calculated. In addition, the utilisation of the garage can be calculated.

The movement data is used to determine the parking fees and is not passed on to third parties.

Bank details

Debit/credit card information, amount of transaction, date and time of transaction

When registering and paying parking fees via Cashless payment terminal; card payment when exiting; payment via web app.
The data is used for cashless settlement of outstanding parking fees.

The outstanding parking fees are collected via the payment service provider Stripe. Only necessary information (amount, name, account number) is transmitted to Stripe.

Online data


When visiting the Arivo website. 
The data is collected for marketing and sales purposes.

The data may be shared with IT providers, CRM providers, and social media providers. More details can be found in our privacy policy.


How long do we keep the data?

We will only retain data for as long as we need it for the purposes stated above.

The above retention periods may be extended if we are required to retain the data longer by applicable law or for the administration of our business.

How do we protect the data?

We protect all personal data and have taken appropriate technical and organisational measures to prevent unauthorised access to this data.

Where do we transfer the data?

We use the services of global companies and therefore the data may also be stored in any country where these companies provide services if this is necessary for the above purposes. We have put in place appropriate safeguards to protect the data when it is transferred outside the EEA.

What rights do I have?

Every data subject has the following rights towards us in connection with the processing of personal data:

  • Right of access to stored data (Art. 15 GDPR)
  • Right to rectification of incomplete or incorrect data (Art. 16 GDPR)
  • Right to erasure of data (Art 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object (Art. 21 GDPR)
  • Right to lodge a complaint with a supervisory authority (

Downloads on the subject of data protection for garage and parking operators

AVV Arivo 

Agreement on com­missioned pro­cessing
accor­ding to Art 28 GDPR


Template for signage indicating licence plate recognition

WKO Code of Conduct

WKO rules of conduct for garage and parking operators 


List of all sub-processors
(incl. DPA)

Ines Schnur von Arivo Parking Solutions

Any questions?

Astrid Pfeiler

Mag. Ines Schnur
Data Protection Officer
+43 316 375 018-11