Loyalty program Privacy Policy
This Privacy Policy was last revised in February 2021.
This Privacy Policy explains how the data controllers [referred to in this Privacy Policy as the Data Controller, we, us or our] (as defined below) collect and process your personal data in the context of the provision of our Loyalty Program (including the access to your loyalty account within the website and shopping center applications, together, the “Services”).
This Privacy Policy covers the following:
1/ Contact details of the Data Controller
2/ How do we collect your personal data
3/ Details about the processing of your personal data
4/ How do we share your personal data
5/ How do we keep your personal data secure
6/ Do we transfer your personal data outside the European Economic Area
7/ Your rights in relation to your personal data
9/ Automated decision making / profiling
10/ Transfer in case of change of ownership
11/ Update of this Privacy Policy
1/ Contact details of the Data Controller
The local Data Controllers:
all with the registered address Box 7846, 103 98 Stockholm, Sweden and Denmark.
The local Data Controllers will process your personal data in the context set out below.
The group Data Controller:
Unibail Management
Simplified joint stock company with a capital of 20 000 000€
Having its registered office at 7 place du Chancelier Adenauer 75016 Paris, France
Registered within the Paris Register under number 414 878 389
Espace Expansion and Unibail Management Data Privacy Team (including its DPO) may be contacted by email at data.protection@urw.com or via post at 7 place du Chancelier Adenauer 75116 PARIS.
In a general manner, the group data controller will process your personal data in order to assist the local Data Controllers and to ensure a general governance at group level.
Some roles are specifically assigned to the local Data Controllers or the group Data Controller as follows:
Role of the local Data Controllers:
The local Data Controllers will process your personal data in order to send you communication to inform you about specific offers and events of the respective shopping centre and to provide you with offers. The local Data Controllers consist of Rodamco Sverige AB, the parent company of the Nordic organization. Rodamco Sverige AB is strategically and operationally responsible for the data processing activities carried out in the Nordics and employs most of the staff.
Its subsidiaries (the owners of each respective shopping center) may process personal data specifically related to their respective shopping center. Such personal data could include names and contact information in relation to entering into a contract with the subsidiary as the contracting party and to some extent CCTV-footage.
Rodamco Sverige AB and its subsidiaries are wholly owned subsidiaries and part of the Unibail-Rodamco-Westfield company group.
Role of the group Data Controller:
The group Data Controller has concluded several data processing agreements and service agreements with service providers to provide you with the technical opportunity to register you to the Loyalty Program or download and use the shopping center application.
The group Data Controller will also handle the preparation of some communication, coordinated at group level, that will be sent by local Data Controllers. Furthermore, the group Data Controller will negotiate with third parties special offers which will be accessible for loyalty members.
The group Data Controller will process your personal data in order to:
The local Data Controllers and the group data controller are acting as joint data controllers and will hereinafter be referred to together as “Data Controller”, “we”, “us” or “our”.
2/ How do we collect your personal data
We collect personal data about you through the following means:
a) When you use the Loyalty Card, including the virtual one, if scanned during your visit, we collect information related to the type of service your Loyalty Card was used for (example: events, birthday present) and therefore your presence within our shopping center.
b) When you use our shopping center application or website as an authenticated user, we collect information about the frequency of your visits and your itineraries within the shopping centre, provided that we have obtained your prior written consent to collect this information (only for shopping center application - see article 8 Geolocation).
c) When you use the website and accept the use of cookies, we collect the cookies you have accepted. You will find all details about cookie use and policy in the Terms of Use accessible by clicking on the following link: https://www.fisketorvet.dk/termsofuse.
Details about the different ways of collection are given in section “Personal data involved” in the table presented in article 3 below.
3/ Details about the processing of your personal data
3.1 - You will find in the table below all information in relation with:
Specific purpose | Personal data involved | Legal basis | Retention period | Rights (the available rights depend on the legal basis) |
Management of your registration to the Loyalty Program | Directly provided by you: Mandatory: title, name, surname, e-mail address, birth date. Optional: phone number, license plate, information regarding the fact that the data subject is working in the shopping centre area. Provided to us by a third party: N/A | Execution of a contract (Terms of Use of the Loyalty Program), GDPR Article 6(1) b | 3 years from last digital contact or use of the Services | Access, Rectification, Deletion, Limitation of the processing, Portability |
Management of the participation in events organized by the shopping centre. Please note that we might send you communication to allow you to participate in the event (example: if the event requires you to have a proof of registration to enter it) | Directly provided by you: e-mail address, name, surname, phone number. Provided to us by a third party: N/A | Legitimate interest of the data controller to offer the opportunity for the members of the Loyalty Program to participate in events organized for them and ensure the security of such events, GDPR Article 6(1) f | 6 months after the event | Access, Rectification, Deletion, Limitation of the processing, Objection to the processing |
Facilitate your access in the shopping centre parking | Directly provided by you: licence plate. Provided to us by a third party: N/A | Execution of a contract (ToU loyalty program), GDPR Article 6(1) b | 3 years from last digital contact or use of the Services | Access, Rectification, Deletion, Limitation of the processing, Portability |
Loyalty Points Collection (only applicable to Westfield Mall of Scandinavia and Täby Centrum). See details in article 3.2 | Directly provided by you: N/A. Provided by Transaction Connect: amount, date and shop of purchase | Execution of a contract (Terms of Use Loyalty Program) | 3 years from last digital contact or use of the Services | Access, Rectification, Deletion, Limitation of the processing, Portability |
Management of the offers and benefits of the Loyalty Program: free access to services (in conditions detailed in the Terms of Use of the Loyalty Program): parking, loan of objects (strollers, umbrella), birthday present | Directly provided by you: Loyalty card number, bar code, name, surname, birthdate. Provided to us by a third party: N/A | Execution of a contract (Terms of Use Loyalty Program), GDPR Article 6(1) b | No storage for the use of the offers and benefits. If the Loyalty Card is scanned we may retain your date of visit and type of services/offer used | Access, Rectification, Deletion, Limitation of the processing, Portability |
Participation in contests organized for loyalty members | Directly provided by you: Loyalty card number, name, surname, birthdate, personal information that may be contained in the contest itself (answers to questions). Provided to us by a third party: N/A | Execution of a contract (Rules of contest), GDPR Article 6(1) b | 1 month after delivery of the prizes to the winner(s) | Access, Rectification, Deletion, Limitation of the processing, Portability |
Granting of rewards for loyalty members who have activated the Loyalty Point Collection (only applicable to Westfield Mall of Scandinavia and Täby Centrum) (example: prize granted to a member randomly chosen among the persons who have spent at least [amount to be determined] euros during a given time – specific communication to members within the scope would be made) | Provided by Transaction Connect: amount, date and shop of purchase | Legitimate interest of the Data Controller to manage the program in order to increase its database and the amount spent in the shopping center and legitimate interest of the members to win prizes, GDPR Article 6(1) f | No specific data retention as the information is retained in the framework of the Loyalty point collection – see below | Access, Rectification, Deletion, Limitation of the processing, Objection to the processing |
Management of the communication for information purpose in relation with the Loyalty Program (example: information about an event accessible only to the loyalty members) | Directly provided by you: Loyalty card number, title, name, surname, e-mail address, phone number (optional). Provided to us by a third party: N/A | Execution of a contract (Terms of Use Loyalty Program), GDPR Article 6(1) b | 3 years from last digital contact or use of the Services | Access, Rectification, Deletion, Limitation of the processing, Portability |
Management of commercial communication: by e-mail and/or sms if you have provided us with your mobile phone number | Directly provided by you: e-mail address, phone number (optional). Provided to us by a third party: N/A | Consent, GDPR Article 6(1) a | 3 years from last digital contact or use of the Services or until withdrawal of the consent, whichever occurs first | Access, Rectification, Deletion, Limitation of the processing, Objection to the processing, Portability, Withdrawal of consent |
Analysis of your information/use of the services to provide you with personalized offers, and to improve our understanding of your expectations and needs and develop new features and services. Please note that, for this purpose, we will combine the personal data listed in the relevant column. | Obtained directly from you: all information that may be provided by you. Obtained from your activity: behaviour on the website (cookies); participation in events organized by the shopping centre; your use of the wifi: date of visit of the shopping center; your use of the Loyalty Point Collection; when your Loyalty Card is scanned for the use of a service or the participation in an event in the shopping center | Legitimate interest of the Data Controller to better understand the customer in order to deliver appropriate services and/or offers and legitimate interest of the loyalty members to receive personalized offers and services, GDPR Article 6(1) f. Please note that: cookies are only collected on the legal basis of your consent (GDPR Article 6(1)(a)); information related to your use of the wifi is only collected on the legal basis of your consent (GDPR Article 6(1)(a)). The analysis of the information described here is however made on the basis of legitimate interest (GDPR Article 6(1)(f)) | 3 years from last digital contact or use of the Services | Access, Rectification, Deletion, Limitation of the processing, Objection to the processing, Portability |
Geolocation (within the shopping center only – via the Shopping center application) | Directly provided by you: Provided by the use of the service: location data inside the shopping centre. Provided to us by a third party: N/A | Consent (given via Shopping Center application), GDPR Article 6(1) a | No storage of your geolocation will be made by Us. | Access, Rectification, Deletion, Limitation of the processing, Portability, Withdrawal of consent |
Answer to the loyalty members' requests related to personal data | Directly provided by you: name, surname, e-mail address, number of loyalty member or copy of ID Card, if applicable. Provided to us by a third party: N/A | Legal obligation, GDPR Article 6(1) c | 5 years. If your ID card is requested, it will be deleted right after the check of your identity | Access, Rectification, Limitation of the processing, Deletion |
Obtain feedback from you on our services | Directly provided by you: answers to questionnaires in respect to the appreciation of the services provided by us. | Legitimate interest of the data controller to better understand the customer and improve the services and deliver appropriate services and/or offers, GDPR Article 6(1) f | 3 years from last digital contact or use of the Services | Access, Rectification, Deletion, Limitation of the processing, Objection to the processing |
Establishment, exercise or defence of legal claims (for example where a law enforcement body or regulatory body is investigating a crime or incident) | Relevant personal data related to the claim or litigation. | Legitimate interest of the data controller to ensure its defence, GDPR Article 6(1) f | Legal time limit depending on the type of claim/litigation | Access, Rectification, Deletion, Limitation of the processing, Objection to the processing |
4/ How do we share your personal data?
We may share your personal data with:
5/ How do we keep your personal data secure?
We take the security of all the personal data we hold very seriously and we are committed to protecting your personal data. We have therefore implemented all the necessary technical and organizational security measures, and have chosen our providers accordingly.
We have entered into specific data processing agreements with each service provider listed in Appendix 1 and have checked their general technical and organizational measures. The service providers are only authorized to process the data, as data processor, in compliance with the provisions of this Privacy Policy, only on our behalf and according to our instructions.
However, we cannot control all the risks related to the use of the Internet, and data security also relies on everyone's vigilance and good use of these technologies. We therefore invite our customers to remain vigilant about the potential inherent risks of using Internet services.
6/ When do we transfer your personal data outside the European Economic Area?
We use third party service providers that help us provide the Services to you and process your personal data on our behalf. Such third party service providers will always be subject to security and confidentiality obligations consistent with this Privacy Policy and the applicable law.
Note that some third party service providers are located outside the EEA (European Economic Area) and thus may access and process your Personal data from countries which do not provide an adequate level of data protection. In case of such transfer outside the EEA, we enter into the model clauses adopted by the European Commission to ensure that your personal data benefits from an adequate level of protection when accessed and processed from there. Our processors may also rely on Binding Corporate Rules.
If you need further information on this, please contact us by e-mail at the address mentioned in article 7.5 below.
Information on the model clauses can be found here: https://ec.europa.eu/info/law/law-topic/data-protection_en.
Information on the Binding Corporate Rules can be found here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/binding-corporate-rules-bcr_en.
7/ Your rights in relation to your personal data
7.1 Pursuant to all applicable laws, and in accordance with the provisions of the table of article 3.1 above (column “Rights”) you have the right:
Please note that the available rights depend on the legal basis of the processing. See provisions of the table of article 3.1 above (column “Rights”) to see the rights you can exercise specifically by processing activity.
7.2 Withdrawal of your consent(s)
When the legal basis of the processing is your consent, as detailed in the table displayed in article 3.1 above (column “Legal basis”), you may withdraw your given consent(s) at any time without any reason.
If you do so, we will stop any further processing based on this consent. Please note that the withdrawal of your consent does not affect the lawfulness of any processing done on the understanding that you have given your consent before.
To withdraw your consent to receive commercial communication:
7.3 Unsubscribing to communication for information purposes in relation to the Loyalty Program
As part of the Loyalty Program and based on the legal basis of the execution of a contract formed between us (the Terms of Use of the Loyalty Program) we will send you communication (that will only be about the Loyalty Program and that will not contain any commercial offers).
If you do not want to receive this kind of communication, you can ask us to stop sending it by:
7.4 Deletion of your Loyalty Account
If you want to delete your Loyalty Account, you can either:
7.5 Exercise of your Rights
If you wish to exercise these rights and/or obtain all relevant information, please contact us at the following address: dp.nordics@urw.com.
To ensure an effective exercise of your rights, please note that you can send your request at the above mentioned address for your questions and demands in relation to processing to both data controllers (local Data Controllers and group Data Controller).
In order to avoid infringing third party rights, we reserve the right, in case of reasonable doubt, to proceed to prior verification of your identity by asking you to provide:
We will respond within 1 month after receipt of your request, but We retain, when necessary due to the complexity of your request, the right to extend this period by 2 months. We will in any event inform you within 1 month after receipt of your request if We decide to extend the period to respond.
If needed, you can also address any question at the welcome desk of your shopping centre.
7.6 Complaints
You have the right to make a complaint about the way We process your Personal data to the local data protection authority.
Sweden: Integritetsskyddsmyndigheten (imy@imy.se, 08-657 61 00).
Denmark: Datatilsynet (dt@datatilsynet.dk, 33 19 32 00).
8.1 General principle
Subject to your prior express consent given in the shopping center application, information related to your location within our shopping centre may be collected and processed by Us while you are authenticated on our shopping center Applications for the purposes of measuring the frequency of your visits and your itineraries within our shopping centre and/or providing location related services.
Geolocation will only take place if you have activated the additional services/specific function in the settings of your downloaded shopping centre application on your mobile device. You can deactivate those additional services at any time in the settings of the latter.
Please note that when given, your consent will be effective immediately for any further connections on our shopping center Application and for any further visits in our shopping centre within 12 months from first connection, unless you withdraw your consent.
8.2 How to manage your geolocation preferences on your mobile device
In order to be located within the shopping centre, you will be required to activate the Bluetooth feature on your mobile device.
If you only want to check out the map, the activation of the Bluetooth feature is not required.
Please note that we will not locate you outside our shopping centre. The location option is carried out by the Bluetooth beacons which are installed in the common areas of the shopping centre only.
You may disable the geolocation of your mobile device through your mobile settings at any time.
9/ Automated decision making/profiling
There is currently no automated decision-making process or profiling which would legally affect you or otherwise significantly affect you. But we will provide you with specific offers based on your individual Personal data and analysis of your user behavior.
Since we do not want to bother you with information and promotions that may not be relevant to you, we assess your purchase profile, i.e. information such as your earlier purchases and preferences that we collect through your use of our Services as detailed in table (article 3.1), to only send you information and promotions we consider interesting or relevant to you.
10/ Transfer in case of change of ownership
If the Unibail-Rodamco-Westfield Group is involved in a merger, acquisition, dissolution, or sale of all or part of the shopping centre, or its managing company or owner, where you are registered as a Loyalty Program member, we reserve the right to transfer your personal data. If such change requires notification or consent under applicable law, you will be notified or given the opportunity to consent.
11 / Update of this Privacy Policy
We may revise or update this Privacy Policy from time to time. Any change to this Privacy Policy will become effective upon online publication on this website. If such change requires notification or consent under applicable law, you will be notified or given the opportunity to consent.
12/ Parking system
Our parking system makes it easy to park at Fisketorvet. The parking system scans the license plate of the vehicle when you enter and exit our parking facilities (parking house or parking roof) and the period for which you have parked is recorded. When you arrive, you do not have to do anything - just remember the license plate of the vehicle, which you will need for payment after your visit.
When you park in Our parking facilities We collect and process information about the vehicle license plate and the time of entry and exit. If due payment has not been made, We also collect and process information about the name and the address of the registered user of the vehicle. The legal basis for Our processing is the principle of “legitimate interests” in article 6(1)(f) of the General Data Protection Regulation, as we pursue a legitimate interest in providing a parking service that is operational and convenient for our visitors and minimizes the number of unexpected expenses. Furthermore, if payment is not made for parking in accordance with the terms and conditions, we process the personal data as necessary for the legal claim to be established, enforced or defended, cf. article 9(2)(f) of the General Data Protection Regulation.
The personal data processed using Our parking system is stored until the vehicle leaves the parking facilities (P-house or P-roof), after which the personal data is deleted unless payment for the parking has not been made in accordance with the terms and conditions. In the latter case, the personal data is processed in order to establish, enforce or defend the legal claim and deleted 90 days after the case has been finalized.