Rodamco Handel AB, 556782-9311 as the data controller on local level (“Local Data Controller”) and Unibail Management S.A.S., 7 place du Chancelier Adenauer, 75016 Paris, France, registered with the Registry of Commerce and Companies of Paris under number 414878389 together as the data controller on group level (“Group Data Controller”) joint data controllers (“Data Controllers”), (“We” / “Us”) process your personal data in the context of the provision of our loyalty program and mobile applications (together, the “Services”) which may be accessed through various media or devices and made available by Us esp. via mobile applications, websites or in paper form. We place great emphasis on the protection of personal data. Personal data is any information, relating to an identified or identifiably individual.
The Local Data Controller collects personal data from you as a customer/visitor of the shopping centre, website or . He will process your data by informing you about specific offers and events of the respective shopping centre. The Group Data Controller has closed several data processing agreements and service agreements with service providers to provide you with the technical opportunity to register you to the loyalty card program or download and use the App. Furthermore the Group Data Controller will negotiate with third parties special offers which will be accessible for loyalty card members. These offers will be provides by the Local Data Controller. The Data Controllers will together analyse your customer behaviour to provide you with customised offers and events you might be interested in.
If you decide to register via paper form at the customer desk or via registration on website of the shopping centre, we could technical only offer you the services of the Loyalty Card Program and commercial information.
We offer you the following separable general services:
(i) Loyalty Card Program (“Loyalty Card Program”)
This is our customer retention scheme which will be offered for each Shopping Centre separately. The aim is to provide you with customized and personalized offers and information.
(ii) Shopping Centre App (“App”)
In our App you will find at first general information about the Shopping Centre (e.g. maps, shops, business hours). Additionally, you will have the opportunity to use our additional services (e.g. Smart Park).
(iii) Commercial information via e-mail or other channels such as push messages and notifications (“commercial information”).
As described above the Local Data Controller and/or Group Data Controller has negotiated with third parties several special conditions for its customers. These third parties will not get access to your personal data unless stipulated otherwise in Section 4 hereof. Based on Our analysis of your customer behavior we will provide you with these specific offers of third parties provided that We have obtained your prior consent (opt-in in the user interface).
(i) how We collect and process your personal data that you submit to Us or that disclose or will be collected by your accessing or using our Services and within the scope of these Services and
(ii) your rights, how you can exercise them and what We have done to help you with exercising your rights.
The Services are addressed to users of an age of sixteen (16) or above.
2. Data Controller
Local Data Controller for processing your personal data under the Loyalty Card Program and/or App:
Group Data Controller for processing your personal data under the Loyalty Card Program and/or App:
Unibail Management S.A.S.
7 place du Chancelier Adenauer, 75016 Paris, France
The Data Controller has appointed Maria Sjödin as Data Protection Officer. Please see contact information below:
Rodamco Sverige AB
103 98 Stockholm
Telephone: 08-586 230 00
E-mail address: DP.email@example.com
3. Purpose of processing
3.1 How we collect personal data
We collect your personal data in several different ways:
3.1.1 Registration information you provide Us with
Some of our Services require you to sign up for an account, in particular our loyalty program and some features available through our App. If you choose to create an account by completing the registration form, you will be asked to supply contact details and other personal data (your title, first name, surname, date of birth, postcode, email address, mobile number, gender, password, the fact if you like to receive commercial information and any other relevant information necessary for the provision of our Services).
3.1.2 Registration information you allow third parties to transmit to Us
Some of our Services require you to sign up for an account via a third party, in particular our promotional activities. If you choose to create an account via a third party within the scope of our Services, this third party will transmit Us the personal data provided during the sign-up process (including first name, last name and e-mail address). In such a case you supplementary privacy policies of the respective third parties which allow third parties to transfer your personal data to us might apply to you as well.
3.1.3 Registration information you allow social networks to transmit to Us
If you choose to create an account by using your social network account (i.e. Facebook or Google +), upon your prior consent, the relevant social network will transmit Us your personal data (including e.g. first name, last name, username, profile picture, e-mail address, gender, date of birth, education, school, job title), your address information (Country, City, address, ZIP Code, phone), your “likes” (e.g. pages, favourite movies, favourite music, favourite TV Shows), posts, friend list and any other information which you qualified as publicly available.
3.1.4 Personal data We collect from your use of our Services.
a) When you use the loyalty card, We collect and process:
• information relating to your shopping profile;
• the frequency and duration of your visits;
• information relating to your purchasing and visit behaviour (esp. tracking); and
• if you are registered to the loyalty program using your social network account, information related to your interactions with the loyalty Service on such social network.
b) When you use our mobile application or website Services as authenticated user, We collect and process:
&bull above (Sec. 3.1.4 a) mentioned information
&bull personal data that you add to your profile (e.g., username or nickname, profile picture and password);
&bull personal data included in the content that you post, upload, contribute to or otherwise make available on or through the Services, such as your timeline, likes, look books, wish list, contact list;
&bull if you are connected to the Services using your social network account, information related to your interactions with the Services on such social network;
&bull information about the frequency of your visits, your itineraries and location within the shopping centre provided that We have obtained your prior consent to. You can learn more about such use in Sections below;
&bull technical data.
3.1.5 When you use the website, there may be cookies which may process your personal data.
For details on cookies please click here.
3.1.6 Camera surveillance
The Shopping Centre has camera surveillance for the purpose of preventing and investigating crime as well as for public safety purposes. For these purposes, we process personal data of persons staying in the Shopping Centre and in some cases sensitive personal data and data regarding criminal offences. Through the camera surveillance deviating events are detected, such as crowds, disputes, alarms etc. A deviating event can also be a dangerous situation in connection with e.g. an evacuation where panic and crowding can occur.
The legal basis for the processing of the personal data is a balancing of interests, where our legitimate interest to maintain a high security level, both in terms of crime and serious events and accidents in the Shopping Centre, outweighs the individual’s interest of not being subject to camera surveillance, see article 6(1) (f) in the GDPR. The processing is further necessary for the establishment, exercise or defence of legal claims, see article 9(2) (f) in the GDPR. There are information signs in the areas that have camera surveillance.
3.2 How we use your personal data
3.2.1 General use
We use your personal data to:
&bull manage and provide the Services to you;
&bull administer your registration;
&bull analyse your use of the Services and, subject to your prior consent, combine your personal data collected from the use of our different Services (i.e. the loyalty card, our mobile applications, our websites, our social media accounts and our promotional activities) to improve our understanding of your expectations and needs and develop new features and services;
&bull provide customised information and promotional material to you. We do not want to bother you with information and promotions that may not be relevant to you. We therefore assess your purchase profile, i.e. information such as your earlier purchases, preferences and needs that we collect through your use of our Services, to send you only such information and promotions we consider interesting or relevant to you. We will only use your personal data for the purpose of sending you (i) information and offers relating to the loyalty program, and/or (ii) commercial information unless you decided to opt-out (see section 6 below);
&bull measure, test, and monitor the metrics and the effectiveness of our Services;
&bull for the use of our Services via an App you have to download the Shopping Centre App to your mobile device. If you have downloaded the Shopping Centre App you could decide if you want to use additional Services (specific use, Section 3.2.2) such as “Smart Park” and/or if you want to join the loyalty card program. Those services will not be automatically activated;
&bull ensure the technical operation of the Services and protect your personal data against any theft, loss, damage or unauthorized access.
If you cancel the registration process your personal data will not be stored. We will delete your personal data directly without any following processing. We may keep some minimum data necessary to evidence that your data has been deleted and on which day.
3.2.2 Specific use
(i) General principle
Subject to your prior express consent, information related to your location within our shopping centre may be collected and processed by Us while you are authenticated on our mobile applications for the purposes of measuring the frequency of your visits and your itineraries within our shopping centre and/or providing location related services.
Geolocation will only take place if you have activated the additional services/specific function in the settings of your downloaded Shopping Centre App on your mobile device. You could deactivate those additional services at any time in the settings latter one at any time. You can use your Shopping Centre App to do so.
(ii) How We use your geolocation information
In order to be located within the shopping centre, you will be required to activate the Bluetooth feature on your mobile device. If you only want to check out the map and your contacts’ location through the location service, the activation of the Bluetooth feature is not required. Please note that We will not locate you outside our shopping centre and you will not be able to share your location outside our shopping centre through our location service. The location option is carried out by the Bluetooth beacons which are installed in the common areas of the shopping centre only.
The maximum period for which your geolocation data is stored is 2 months.
We may also share your geolocation information with the recipients set out in “How We share and disclose your personal data” below (Section 4.1).
(iii) How to manage your geolocation preferences on your mobile device
The first time that you authenticate on our mobile application, We will seek for your consent to enable the geolocation of your mobile device.
If you accept the geolocation of your mobile device, this will be effective immediately and for any further connections on our mobile application and for any further visits in our shopping centre.
You may disable the geolocation of your mobile device through your mobile settings at any time.
b) Additional services
We have developed the new Services “Smart Park” and “In & Out” in order to improve your experience when visiting our shopping centres.
When you log on to your user account in order to use the “Smart Park” service, We process personal data in order to enable the geolocation as described in Section 4.2.2 lit. a) of your car in the parking areas of our shopping centres; these data are not processed for any other purposes. If you do not log on to your user account, no personal data will be processed. If you do log on to your user account, we will process your personal data based on your consent.
When you want to benefit from the “In & Out” service, We process the personal data you provided us with when you created your user account. In particular, the licence plate recognition feature and data processing enables the parking system to open the gate automatically when you enter or leave our shopping centre carpark.
In addition, we may process your personal data as a result of using “Smart Park” and “In & Out” services, to inform you of any new services that We could develop and which may be of interest for you.
The personal data is not shared with and/or made available to third parties or used for any other purposes than those abovementioned.
c) links to Other sites
We may propose hypertext links from the Services or communications you receive from the Services, to third-party websites or Internet sources. We do not control such third-party website or Internet sources and cannot be held liable for third parties’ privacy practices and content on their websites. Please read their privacy policies carefully to find out how they collect and process your personal data.
3.3 Data processing in and outside the EEA
We use the attached listed service providers for different and in the following described purposes:
If you register to our Loyalty Card Program in a written form at our customer desk there will be a hostess service (“Hostess”) which helps you to enter your personal data into the registration interface.
We use a service provider for account management during the registration process (“Registration Account Manager”) who will send you a registration e-mail. Therefore, you have to provide at least your first name, name, date of birth and e-mail-address. The Registration Account Manager will provide you with an initial password and will host your password settings.
We will use a service provider for CRM-Management (“CRM-Manager”). CRM-Manager will have full access to the personal data you will enter into the Loyalty Card Program or App. CRM-Manager will combine other data you have provided to us (e.g. for WiFi-registration) to your data set.
(iii) Analysis of customer behavior:
We will use a service provider for analysis of your customer behavior (“Analysis-Manager”). Analysis-Manager will analyse your user behavior based on your settings, your personal data and information of geolocation.
We will use service providers for customized e-mailing (“E-Mail-Manager”). If you register to our services you will at first get a welcome e-mail which will be send by the Group Data Controller on behalf of the Local Data Controller.
Based on the analysis of your customer behavior by the Analysis-Manager you will get customized e-mails and push-notifications which are send out from the E-Mail-Manager on behalf of the Local Data Controller. Therefore, the E-Mail-Manager will get access to your e-mail-address, first name and name.
(v) Data storage:
We will use an external provider for data storage (“Data-Storage-Manager”). The Data-Storage-Manager contractually not allowed to use your personal data at any way. We use the service to store the CRM-database on external server.
3.4 Note on RFID CHIPS
In order for you to benefit from our Loyalty Program, e.g., to use certain Services we offer, we use an RFID chip that is integrated into the loyalty card. Members of the loyalty program can use the RFID chip to register with the participating shopping centers and to use their Services.
RFID technology is based on chips that transmit information via radio. Transmission is not externally identifiable. The chip is integrated into the loyalty card. A reading device emits radio signals via a pre-set frequency, which is picked up by the RFID chip. The data stored on the chip is then transmitted to the reading device.
The RFID chip contains a Unique Identification Number (UID) that differs from the member number. UIDs are exclusively processed by local data controller. On its own, the data stored on the RFID chip does not reveal the identity of the card holder. In order for members to use our Services, the UID stored on the RFID chip is transmitted to us. The Services used are matched in our database and are transmitted to the RFID reader, using the UID. No other personal data is transmitted. The RFID chip is not used for any other reason than the aforementioned purpose.
We must be immediately notified in cases of loss or destruction of membership cards or chips. Upon such notification, we will immediately block the membership number stored on the RFID chip for utilization of the Loyalty Card Program and issue a new membership card with a new UID.
3.5 Information on bar codes
In order for you to benefit from our Loyalty Card Program, the loyalty card has been equipped with a bar code. The bar code is scanned at the participating shops for the purpose of authentication, e.g., to qualify for discounts. The lessees at the respective shopping center see the confirmation on their displays that the loyalty card is active and that certain benefits can be granted. No personal data is transmitted to the lessees.
The bar code scanner informs us that the loyalty card has been used. Combined with the scanner location, we can identify where the loyalty card has been used. We do not receive any further information, e.g., what products have been bought, what prices have been paid, or what discounts have been granted.
3.6 Data Security
Protecting your privacy and your personal data is our priority. If, as a registered user, you receive a password, you should keep it confidential, limit access to your computer or mobile device, and sign off after having used the Services. Learn more about your responsibilities on here.
We take appropriate security measures esp. technical and organisational measures to protect your personal data against any accidental loss, destruction, misuse, damage and unauthorised or unlawful access. However, please be aware that no information transmission over the Internet or storage technology can be guaranteed to be 100% secure.
The controllers have entered into a data processing agreement ensuring, in particular, appropriate security measures. Rodamco Handel AB is the controller responsible for compliance with your requirements towards whom you can exercise all your rights you have with respect to Us processing your personal data.
4. Transfer and share of personal data (recipients of personal data)
4.1 How we Share and disclose your personal data
We share the personal data We collect through the Services as follows:
4.1.1 Sharing with third parties
We may share your personal data with:
• any companies which is a corporate affiliate of Us in order to develop and test new services and features;
• in an anonymous way that it is no longer possible to identify you with partner brands of the shopping center in order to allow them to deliver advertisements that they believe are of interest to you;
• our advertising and marketing partners, in an anonymised form in a way that it is no longer possible to identify you;
• our service providers as described in Section 3.3 above
• footage from the camera surveillance may, after special request, be shared with the police and insurance companies in order to investigate an accident or a crime (e.g. theft). The camera surveillance is managed, on behalf of the data controller, by Nokas acting as data processor.
• to respond to legal or regulatory requests, court orders, subpoena or legal process, if necessary to comply with applicable laws;
• any transferee, when personal data is transferred as part of the sale or otherwise transfer of all or part of our assets to another company.
4.1.2 Sharing with parties of your choice
Sharing with other users of the Services. Any information or content that you voluntarily disclose through our mobile application or website Services becomes available to those users of the Services which you give access. Such Services also enable you to share all or part of your content and personal data, on an individual basis, to the users of your contact list by changing your share settings on the Services.
Sharing with social networks. If you choose to access the Services using your social network account (such as Facebook, Google+ or Twitter) or to click on one of the plug-in buttons or links of social networks (e.g., Facebook “Like” button or Google “+” button) available through the Services, your content and personal data will be shared with the relevant social networks. You understand that such information may be published on your social network under your account.
4.2 Transfer in case of change of ownership.
If Unibail-Rodamco Group is involved in a merger, acquisition, dissolution, or sale of the shopping centre where you are registered as a loyalty program member, we reserve the right to transfer your personal data. You will be notified if your data is transferred to another entity as a result of a merger, acquisition, dissolution, or sale of the shopping centre.
5. Term of data storage
We process your personal data based on the consent you have granted to Us for these purposes for the period in which you make use of our Services.
Please note We will delete or block your personal data automatically for further use if you have not used our services under the Loyalty Card Program for more than 5 years (last contact with you or last use of services by you).
The footage from the camera surveillance is stored in a safe (and password protected) way and is only reviewed when necessary (e.g. to investigate a crime or an accident) and in such case only by competent individuals. The personal data is erased after 30 days or, if a crime or an accident is being investigated or there is a legal claim, when the personal data no longer needs to be processed for such purpose.
6. Your rights as a data subject
If you wish to exercise these rights and/or obtain all relevant information, please contact DP.firstname.lastname@example.org. You will be asked to provide some of the identification information that you submitted upon your registration; this is necessary to verify that the request has been sent by you. We will respond within 1 month after receipt of your request, but we retain the right to extend this period with 2 months. We will in any event inform you within 1 month after receipt of your request if We decide to extend the period to respond
6.1 What you can request
In accordance with applicable laws and as further detailed below, you have the right to request access to, rectification, erasure or portability (e.g. transfer of your personal data to another service provider) of your personal data We process, as well as to request restriction of such processing.
6.2 Rectification of your personal data
According to applicable laws, you have the right to rectify your personal data you have shared with Us. Through your settings of the Services, you can update your account information, change your profile settings, subscribe/unsubscribe from communications you receive from Us, and set your sharing preferences of the Services, including location-enabled functionalities.
Please note that if you wish to limit or change access to or sharing of your personal data with a social network, please visit your account settings on that social network.
If you join our services in written form, please contact the above (Section 2) mentioned Data Controllers via written form or via e-mail to rectifiy your personal data.
6.3 Accuracy of your personal data
We take reasonable measures to ensure that you are able to keep your personal data accurate and updated. You can always approach Us in order to obtain confirmation whether or not We still process your personal data.
6.4 Erasure of your personal data
You can ask Us to erase your personal data at any time. If you approach Us with such a request, We will delete all your personal data We have without undue delay, provided that your personal data is no longer necessary for provision of the Services. We will also delete (and ensure deletion by the processors that we engage) all your personal data in case you withdraw your consent or in the circumstances that the law requires Us to do so.
6.5 Restriction of processing
If you request Us to restrict the processing of your personal data, e.g. in circumstances when you contest the accuracy, lawfulness or Our need to process your personal data, We will limit processing of your personal data to the necessary minimum (storage) and, if applicable, will process them only for the establishment, exercise or defence of legal claims or, where necessary, for protection of rights of another natural or legal person, or other limited reasons dictated by the applicable law. In case the restriction is lifted and We continue processing your personal data, you will be informed accordingly without undue delay.
6.6 Objection to direct marketing
If you no longer wish to receive direct marketing commercial information, you can request that We cease the use of your personal data for these purposes and We will do so without undue delay In such case, you will no longer be able to benefit from some of Our Services or specific features for which this category of processing is essential (i.e. the receipt of (personalised) marketing and promotional materials).
If you withdraw only your separate consent of getting commercial information, you will not get any commercial information of third parties unrelated to the loyalty program. Please be aware that you will only get commercial information on the loyalty program including events and offers of the Shopping Centre, which is essential part of the Loyalty Card Program.
6.7 Objection to receive loyalty program information and offers
If you no longer wish to receive loyalty program information, you can request that We cease the use of your personal data for these purposes and We will do so without undue delay. In such case, you will no longer be able to benefit from some of Our Services or specific features for which this category of processing is essential.
6.8 Portability of your personal data
You have the right to receive personal data relating to you and which you have provided to Us. If you approach us with such request, We will provide your personal data in commonly used and machine readable format to you without undue delay from receipt of your request. If you request so, We will send your personal data to a third party (another data controller) which you will identify in your request, unless such request would adversely affect rights or freedoms of others and where technically feasible.
6.9 Withdraw your consent
If you no longer wish to receive communications, please refer to sections 6.6 and/or 6.7. If you no longer want to take part in the Loyalty Card Program and/or you do not longer want to use the App, you can withdraw your given consent at any time without any reason. Please contact the Data Controllers via email or directly at the info/welcome desk in the Centre. We will block your personal data for any further processing. Please note that withdraw of your consent does not affect lawfulness of any processing done on the understanding that you have given your consent before
Please be aware that it is not possible to use the Loyalty Card Program Services or part of the Services if you withdraw your consent.
You can deactivate the additional services such as “Smart Park” and “In & Out” at the App-settings. A separate withdraw of your consent is not needed in this case.
If you withdraw your consent or deactivate your settings in the App the not withdrawn services can still be used anyhow.
6.10 Complaint to a data protection authority
You have the right to submit a complaint concerning Our data processing activities to
104 20 Stockholm
7. Provision of personal data
8. Automated decision making / profiling
There is currently no automated decision making process or profiling which would legally effect you or otherwise significantly affects you. But we will provide you with specific offers based on your individual personal data and analysis of your user behavior.