1.1 Definitions :
Personal data : means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Anonymization of Personal data / anonymized Personal data :
"Anonymization" of Personal data means processing it with the aim of irreversibly preventing the identification of the individual to whom it relates. Data can be considered anonymized when it does not allow identification of the individuals to whom it relates, and it is not possible that any individual could be identified from the data by any further processing of that data or by processing it together with other information which is available or likely to be available. Anonymization shall be non-reversible.
1.2 General information
how We collect and process your personal data.
your rights, the way to exercise them and what We have done to help you exercising said rights.
The Services are addressed to users of an age of sixteen (16) or above (the activation of the Loyalty Points Collection being subject, for users under eighteen (18) years, to an authorization of the person(s) having the parental authority.)
[To be completed with the company name of the UR entity responsible for data collection and publication of apps/website as the data controller on local level (“Local Data Controller”) and Unibail Management S.A.S., 7 place du Chancelier Adenauer, 75016 Paris, France, registered with the Registry of Commerce and Companies of Paris under number 414878389 together as the data controller on group level (“Group Data Controller”) joint data controllers (“Data Controllers”), (“We” / “Us”) process your Personal data in the context of the provision the “Services”.
We place great emphasis on the protection of Personal data.
The Local Data Controller collects Personal data from you as a customer/visitor of the shopping centre and its website. It will process your data by informing you about specific offers and events of the respective shopping centre. The Group Data Controller has concluded several data processing agreements and service agreements with service providers to provide you with the technical opportunity to register you to the Loyalty Program or download and use the App. Furthermore, the Group Data Controller will negotiate with third parties special offers which will be accessible for loyalty members. These offers will be provided by the Local Data Controller. These third parties will not get access to your Personal data unless stipulated otherwise in Section 4 hereof. The Data Controllers will together analyse your customer behaviour to provide you with customised offers, including of third parties, and events you might be interested in, provided that We have obtained your prior consent (opt-in in the user interface).
Shopping Centre App (“App”): In our App you will find at first general information about the shopping centre (e.g. maps, shops, business hours). Additionally, you will have the opportunity to use our additional services (e.g. Smart Park).
As part of a special functionality of the Loyalty Program to activate, please note that you have the possibility to link your bank account with your Loyalty Account (hereinafter, the “Loyalty Points Collection”). Under the Loyalty Points Collection, you may be entitled to get cashbacks, depending upon purchases you make in the shopping centre. The activation of the Loyalty Points Collection is optional and you remain completely free to activate this feature of your Loyalty Program or not.
For the purposes of organizing, managing and implementing the cashback payments resulting from your transactions as well as analyzing the payment flows resulting from your use of the Loyalty Points Collection, please note that Transaction Connect (a French company with headquarters at 86, rue du faubourg St Denis 75010 Paris, and registered with the Registry of Commerce and Companies of Paris under number 822 619 185) alone shall be deemed acting as data controller with respect to the concerned processing of your Personal data. For sake of clarity, We are not acting as data controllers where your Personal data are processed by Transaction Connect for the purposes referred to under this paragraph.
Once you have activated the Loyalty Points Collection, the Data Controllers will receive confirmation thereof and the relevant purchases you conduct (see points 3.1.4.b and 4.2.1 below) within the shopping centre, so that the Data Controllers can manage and account your Loyalty Points to benefit thereof under the Loyalty Points Collection. Under no circumstances, We will have access to or receive any information related to you bank accounts, credit cards or any Personal data of financial nature.
1.3 How to register to the Loyalty Program and the Loyalty Points Collection
We offer you the following separable general services :
This is our customer retention scheme which will be offered for each shopping centre separately. The aim is to provide you with customized and personalized offers and information.
You may register (i) via a paper form at the customer desk or (ii) via the website of the shopping centre.
Your registration technically permits Us to offer you access to the services of the Loyalty Program and to commercial information.
Loyalty Points Collection
The activation of the Loyalty Points Collection will not be available at the customer desk, you need to register via the website of the shopping centre.
Local Data Controller processing your Personal data under the Loyalty Program and/or App:
Espace expansion SAS
7 place du Chancelier Adenauer - CS 31622 - 75772 Paris cedex 16
Phone : 01.47.73.17.33
fax : 01.47.76.36.72
email : firstname.lastname@example.org
website : fr.westfield.com/forumdeshalles
Group Data Controller processing your Personal data under the Loyalty Program and/or App:
Unibail Management S.A.S.
7 place du Chancelier Adenauer, 75016 Paris, France
3. Purpose of processing
3.1 How We collect Personal data
We collect your Personal data in different ways:
3.1.1 Registration information you provide Us with.
Some of our Services require you to sign up for an account, in particular our Loyalty Program and some features are available through our App. If you choose to create an account by completing the registration form, you will be asked to supply contact details and other Personal data (your title, first name, surname, date of birth, email address, mobile number, gender, password, license plate, your consent to receiving commercial information and any other relevant information necessary for the provision of our Services).
3.1.2 Registration information you allow third parties to transmit to Us.
Some of our Services require you to sign up for an account via a third party, in particular our promotional activities. If you choose to create an account via a third party within the scope of our Services, this third party will transmit Us the Personal data provided during the sign-up process (including first name, last name and e-mail address). In such a case, your supplementary privacy policies of the respective third parties which allow third parties to transfer your Personal data to us might apply to you as well.
3.1.3 Registration information you allow social networks to transmit to Us.
If you choose to create an account by using your social network account (i.e. Facebook or Google +), upon your prior consent, the relevant social network will transmit Us your Personal data (including e.g. first name, last name, username, profile picture, e-mail address, gender, date of birth, education, school, job title), your address information (Country, City, address, ZIP Code, phone), your “likes” (e.g. pages, favourite movies, favourite music, favourite TV Shows), posts, friend list and any other information which you qualified as publicly available.
3.1.4 Personal data collected from your use of our Services.
When you use the Loyalty Card, We collect and process:
information relating to your shopping profile;
the frequency and duration of your visits;
information relating to your purchasing and visit behaviour (esp. tracking); and
if you are registered to the Loyalty Program using your social network account, information related to your interactions with the loyalty Service on such social network.
b. When you use the Loyalty Points Collection, We collect the following Personal data:
- date of purchase,
- amount of the purchase and
- the store where the purchase was made
c. When you use our mobile application or website Services as authenticated user, We collect and process:
Above-mentioned information described in Section 3.1.4.a
Personal data that you add to your profile (e.g., username or nickname, profile picture and password);
Personal data included in the content that you post, upload, contribute to or otherwise make available on or through the Services, such as your timeline, likes, look books, wish list, contact list;
if you are connected to the Services using your social network account, information related to your interactions with the Services on such social network;
information about the frequency of your visits, your itineraries and location within the shopping centre provided that We have obtained your prior consent to collect these information. You can learn more about such use in Section “ (link to article geolocation]” below;
3.2 How your Personal data are used
3.2.1 General use
We use your Personal data to:
manage and provide the Services to you;
administer your registration;
analyse your use of the Services and, subject to your prior consent, combine your Personal data collected from the use of our different Services (i.e. the Loyalty Program, including eventually the Loyalty Points Collection, our mobile applications, our websites, our social media accounts and our promotional activities) to improve our understanding of your expectations and needs and develop new features and services;
provide you with customised information and promotional material. We do not want to bother you with information and promotions that may not be relevant to you. We therefore assess your purchase profile, i.e. information such as your earlier purchases, preferences and needs that We collect through your use of our Services, to send you only information and promotions We consider interesting or relevant to you. We will only use your Personal data for the purpose of sending you (i) information and offers relating to the Loyalty Program based on the contractual relationship entered with you, and/or (ii) commercial information based on your separate consent unless you decided to opt-out (see section 6 below);
measure, test, and monitor the metrics and the effectiveness of our Services;
for the use of our Services via an App you have to download the shopping centre App to your mobile device. If you have downloaded the shopping centre App you could decide if you want to use additional Services (specific use, Section 3.2.2) such as “Smart Park” and/or if you want to join the Loyalty Program. Those services will not be automatically activated;
ensure the technical operation of the Services and protect your Personal data against any theft, loss, damage or unauthorized access.
If you cancel the registration process, your Personal data will not be stored. We will delete your Personal data directly without any following processing. We may keep some minimum data necessary to evidence that your Personal data has been deleted and on which day.
3.2.2 Specific use
(i) General principle
Subject to your prior express consent, information related to your location within our shopping centre may be collected and processed by Us while you are authenticated on our mobile applications for the purposes of measuring the frequency of your visits and your itineraries within our shopping centre and/or providing location related services.
Geolocation will only take place if you have activated the additional services/specific function in the settings of your downloaded shopping centre App on your mobile device. You could deactivate those additional services at any time in the settings latter one at any time. You can use your shopping centre App to do so.
(ii) How We use your geolocation information
In order to be located within the shopping centre, you will be required to activate the Bluetooth feature on your mobile device. If you only want to check out the map and your contacts’ location through the location service, the activation of the Bluetooth feature is not required. Please note that We will not locate you outside our shopping centre and you will not be able to share your location outside our shopping centre through our location service. The location option is carried out by the Bluetooth beacons which are installed in the common areas of the shopping centre only.
The maximum period for which your geolocation data is stored is 12 months from the date of collection thereof.
We may also share your geolocation information with the recipients set out in “How We share and disclose your Personal data” below (Section 4.1).
(iii) How to manage your geolocation preferences on your mobile device
The first time that you authenticate on our mobile application, We will seek for your consent to enable the geolocation of your mobile device.
If you accept the geolocation of your mobile device, this will be effective immediately and for any further connections on our mobile application and for any further visits in our shopping centre.
You may disable the geolocation of your mobile device through your mobile settings at any time.
b. Additional services
We have developed the new Services “Smart Park” and “In & Out” in order to improve your experience when visiting our shopping centres.
When you log on to your user account in order to use the “Smart Park” service, We process Personal data in order to enable the geolocation of your car in the parking areas of our shopping centres as described in Section 3.2.2 lit. a); these data are not processed for any other purposes. If you do not log on to your user account, no Personal data will be processed. If you do log on to your user account, We will process your Personal data based on your consent.
When you want to benefit from the “In & Out” service, We process the Personal data you provided us with when you created your user account. In particular, the licence plate recognition feature and data processing enable the parking system to open the gate automatically when you enter or leave our shopping centre carpark.
In addition, We may process your Personal data as a result of using “Smart Park” and “In & Out” services, to inform you of any new services that We could develop and which may be of interest for you.
The Personal data is not shared with and/or made available to third parties or used for any other purposes than those abovementioned.
c. links to Other sites
We may propose hypertext links from the Services or communications you receive from the Services, to third-party websites or Internet sources. We do not control such third-party websites or Internet sources and cannot be held liable for third parties’ privacy practices and content on their websites. Please read their privacy policies carefully to find out how they collect and process your personal data.
3.3 Data processing in and outside the EEA
If you register to our Loyalty Program in a written form at our customer desk there will be a hostess service (“Hostess”) to help you enter your Personal data into the registration interface.
We use a service provider for account management during the registration process (“Registration Account Manager”) who will send you a registration e-mail. Therefore, you must provide at least your first name, last name, date of birth and e-mail-address. The Registration Account Manager will provide you with an initial password and will host your password settings.
We will use a service provider for CRM-Management (“CRM-Manager”). CRM-Manager will have full access to the Personal data you will enter into the Loyalty Program or App. CRM-Manager will combine other data you have provided to us (e.g. for WiFi-registration) to your data set.
c. Analysis of customer behavior:
We will use a service provider for analysis of your customer behavior (“Analysis-Manager”). Analysis-Manager will analyse your user behavior based on your settings, your Personal data and information of geolocation.
We will use service providers for customized e-mailing (“E-Mail-Manager”). If you register to our services, you will at first get a welcome e-mail which will be send by the Group Data Controller on behalf of the Local Data Controller.
Based on the analysis of your customer behavior by the Analysis-Manager you will get customized e-mails and push-notifications which are send out from the E-Mail-Manager on behalf of the Local Data Controller. Therefore, the E-Mail-Manager will get access to your e-mail-address, first name and last name.
e. Data storage:
We will use an external provider for data storage (“Data-Storage-Manager”). The Data-Storage-Manager is contractually forbidden to use your Personal data in any way. We simply use their services to store the CRM-database on an external server.
3.4 Note on RFID CHIPS
In order for you to benefit from our Loyalty Program, e.g., to use certain Services We offer, We use a RFID chip that is integrated into the loyalty card. Members of the Loyalty Program can use the RFID chip to register with the participating shopping centres and to use their Services.
RFID technology is based on chips that transmit information via radio. Transmission is not externally identifiable. The chip is integrated into the loyalty card. A reading device emits radio signals via a pre-set frequency, which is picked up by the RFID chip. The data stored on the chip is then transmitted to the reading device.
The RFID chip contains a Unique Identification Number (UID) that differs from the member number. UIDs are exclusively processed by local data controller. On its own, the data stored on the RFID chip does not reveal the identity of the card holder. In order for members to use our Services, the UID stored on the RFID chip is transmitted to us. The Services used are matched in our database and are transmitted to the RFID reader, using the UID. No other personal data is transmitted. The RFID chip is not used for any other reason than the aforementioned purpose.
We must be immediately notified in cases of loss or destruction of membership cards or chips. Upon such notification, We will immediately block the membership number stored on the RFID chip for utilization of the Loyalty Card Program and issue a new membership card with a new UID.
Information on bar codes
In order for you to benefit from our loyalty card, the loyalty card has been equipped with a bar code. The bar code is scanned at the participating shops for the purpose of authentication, e.g., to qualify for discounts. The lessees at the respective shopping centres see the confirmation on their displays that the loyalty card is active and that certain benefits can be granted. No Personal data is transmitted to the lessees.
The bar code scanner informs us that the loyalty card has been used. Combined with the scanner location, We can identify where the loyalty card has been used. We do not receive any further information, e.g., what products have been bought, what prices have been paid, or what discounts have been granted.
3.5 Data Security
Protecting your privacy and your Personal data is our priority. If, as a registered user, you receive a password, you should keep it confidential, limit access to your computer or mobile device, and sign off after having used the Services. Learn more about your responsibilities on [Link to T&C UR].
We take appropriate security measures esp. technical and organisational measures to protect your Personal data against any accidental loss, destruction, misuse, damage and unauthorised or unlawful access. However, please be aware that no information transmission over the Internet or storage technology can be guaranteed to be 100% secure.
The controllers have entered into a data processing agreement ensuring, in particular, appropriate security measures. [Local UR entity] is the controller responsible for compliance with your requirements towards whom you can exercise all your rights you have with respect to Us processing your Personal data.
4. Transfer and share of Personal data (recipients of Personal data)
4.1 How We Share and disclose your Personal data
We share the Personal data We collect through the Services as follows:
4.1.1 Sharing with third parties of the Personal data
We may share your Personal data with:
any company which is a corporate affiliate of Us in order to develop and test new services and features;
in an Anonymous way - it will no longer be possible to identify you - with partner brands of the shopping centre in order to allow them to deliver advertisements that they believe are of interest to you;
our advertising and marketing partners, in an Anonymised form i.e in a way that it is no longer possible to identify you;
our service providers as described in Section 3.3 above;
to respond to legal or regulatory requests, court orders, subpoena or legal process, if necessary to comply with applicable laws;
any transferee, when Personal data is transferred as part of the sale or otherwise transfer of all or part of our assets to another company.
4.1.2 Sharing with parties of your choice
Sharing with other users of the Services. Any information or content that you voluntarily disclose through our mobile application or website Services becomes available to those users of the Services which you give access. Such Services also enable you to share all or part of your content and Personal data, on an individual basis, to the users of your contact list by changing your share settings on the Services.
Sharing with social networks. If you choose to access the Services using your social network account (such as Facebook or Google+) or to click on one of the plug-in buttons or links of social networks (e.g., Facebook “Like” button or Google “+” button) available through the Services, your content and Personal data will be shared with the relevant social networks. You understand that such information may be published on your social network under your account.
4.2 How Transaction Connect shares with Us information obtained from your Personal data of financial nature.
Transaction Connect will transfer to Us Personal data obtained by analysis of the Personal data of financial nature related to the purchases you made inside our shopping centre, namely : the date of purchase, the amount and the store. Those informations will be pseudonymized during the transfer but We will then correlate them with your Loyalty Account.
Transaction Connect will transfer to Us aggregated and anonymized data obtained after analysis of the Personal data of financial nature related to purchases made outside our shopping centre, subject to your consent.
4.3 Transfer in case of change of ownership.
If Unibail-Rodamco-Westfield Group is involved in a merger, acquisition, dissolution, or sale of the shopping centre where you are registered as a Loyalty Program member, We reserve the right to transfer your Personal data. You will be notified if your Personal data is transferred to another entity as a result of a merger, acquisition, dissolution, or sale of the shopping centre.
5. Term of data storage
We process your personal data based on the consent you have granted Us for the period during which you use the Services.
Please note that We will delete or block your Personal data automatically for further use if you have not used our services under the Loyalty Program for more than 5 years (last contact with you or last use of the Services by you).
6. Your rights as a data subject
If you wish to exercise these rights and/or obtain all relevant information, please contact [●]., You will be asked to provide [some of the identification information that you submitted upon your registration]; this is necessary to verify that the request has really been sent by you. We will respond within 1 month after receipt of your request, but We retain the right to extend this period by 2 months. We will in any event inform you within 1 month after receipt of your request if We decide to extend the period to respond.
In accordance with applicable laws and as further detailed below, you have the right to request access to, rectification, erasure or portability (e.g. transfer of your Personal data to another service provider) of your Personal data We process, as well as to request restriction of such processing.
6.1 Rectification of your Personal data
According to applicable laws, you have the right to rectify Personal data you have shared with Us. Through your settings of the Services, you can update your account information, change your profile settings, subscribe/unsubscribe from communications you receive from Us and set your sharing preferences of the Services, including location-enabled functionalities.
Please note that if you wish to limit or change access to our sharing of your Personal data with a social network, you should update your settings on your account on that social network.
If you join our services in written form, please contact the above (Section 2) mentioned Data Controllers via written form or via e-mail to rectify your Personal data.
6.2 Accuracy of your Personal data
We take reasonable measures to ensure that you are able to keep your Personal data accurate and updated. You can always approach Us in order to obtain confirmation whether or not We still process your Personal data.
6.3 Erasure of your Personal data
You can ask Us to erase your Personal data at any time. If you approach Us with such a request, We will delete all your Personal data We have without undue delay, provided that your Personal data is no longer necessary for provision of the Services. We will also delete (and ensure deletion by the processors that We engage) all your Personal data in case you withdraw your consent or in the circumstances that the law requires Us to do so.
6.4 Restriction of processing
If you request Us to restrict the processing of your Personal data, e.g. in circumstances when you contest the accuracy, lawfulness or Our need to process your Personal data, We will limit processing of your Personal data to the necessary minimum (storage) and, if applicable, will process them only for the establishment, exercise or defence of legal claims or, where necessary, for protection of rights of another natural or legal person, or other limited reasons dictated by the applicable law. In case the restriction is lifted and We continue processing your Personal data, you will be informed accordingly without undue delay.
6.5 Objection to direct marketing
If you no longer wish to receive direct marketing commercial information, you can request that We cease the use of your Personal data for this purpose and We will do so without undue delay. In such case, you will no longer be able to benefit from some of Our Services or specific features for which this category of processing is essential (i.e. the receipt of (personalized) marketing and promotional materials).
If you only withdraw the specific consent you gave to get commercial information, you will not get any more commercial information of third parties unrelated to the Loyalty Program. Please be aware that you will only get commercial information related to the Loyalty Program, including events and offers from the Shopping Centre, which is an essential part of the Loyalty Program.
6.6 Objection to receive Loyalty Program information and offers
If you no longer wish to receive Loyalty Program information, you can request that We cease the use of your Personal data for these purposes and We will do so without undue delay. In such case, you will no longer be able to benefit from some of Our Services or specific features for which the processing of this category of Personal data is essential.
6.7 Portability of your Personal data
You have the right to receive the Personal data relating to you and which you have provided to Us. Upon request, your Personal data will be provided to you in commonly used and machine readable format without undue delay from receipt of your request. If you request so, your Personal data can be sent to a third party (another data controller) which you will identify in your request, unless such request would adversely affect rights or freedoms of others and was technically unfeasible.
6.8 Withdrawal of your consent(s)
If you no longer wish to receive communications, please refer to sections 6.5 and/or 6.6. If you no longer want to take part in the Loyalty Program and/or you do not longer want to benefit from the Loyalty Points Collection and/or do not longer want to use the App, you can withdraw your given consent(s) at any time without any reason. Please contact the relevant Data Controller via email or directly at the info/welcome desk in the Centre. We will block your Personal data for any further processing. Please note that the withdrawal of your consent does not affect lawfulness of any processing done on the understanding that you have given your consent before.
You will also have the possibility directly on your Loyalty Account to:
Deactivate your Loyalty Account
Please be aware that it is not possible to use the Loyalty Program Services or part of the Services, notably the Loyalty Points Collection if you withdraw your consent(s).
You can deactivate the additional services such as “Smart Park” and “In & Out” at the App-settings. A separate withdrawal of your consent is not needed in this case.
6.9 Complaint to a data protection Authority
You have the right to submit a complaint concerning the data processing activities to:
Commission Nationale de l’Informatique et des Libertés
3, place de Fontenoy
6.10 Right to specify guidelines regarding the use of your personal data after your death
Please note that you have the right to specify guidelines regarding the use of your Personal data after your death.
Please contact Us at the following address: email@example.com
7. Provision of Personal data
8. Automated decision making / profiling
There is currently no automated decision-making process or profiling which would legally affect you or otherwise significantly affects you. However, We will provide you with specific offers based on your individual Personal data and the analysis of your user behavior.