Privacy Policy Newsletter


This privacy policy was last revised on 07-04-2022.

This Privacy Policy explains how the data controllers (referred to in this Privacy Policy as the Data Controller, we, us or our, as defined below) collect and process your personal data in the context of the provision of the personalized newsletter (hereinafter referred to as the “Newsletter”).

 

This Privacy Policy covers the following:

1. Contact details of the Data Controller

The local Data Controller:
URW Nederland Winkels 2 B.V.
Schiphol Boulevard 371 Toren H
1118 BJ Schiphol, Nederland

The local Data Controller will process your personal data in the context set out below.

The group Data Controller:
Unibail Management
Simplified joint stock company with a capital of 20 000 000€
Having its registered office at 7 place du Chancelier Adenauer 75016 Paris
Registered within the Paris Register under number 414 878 389

URW Nederland Winkels 2 B.V. and Unibail Management Data Privacy Team (including its DPO) may be contacted by email at data.protection@urw.com or via post at 7 place du Chancelier Adenauer 75116 PARIS.

In general, the group Data Controller will process your personal data in order to assist the local Data Controller and to ensure general governance at group level.

Some roles are specifically assigned to the local Data Controller or the group Data Controller as follows:

Role of the local Data Controller:
The local Data Controller will process your personal data in order to send you the Newsletter.

Role of the group Data Controller:
The group Data Controller has concluded several data processing agreements and service agreements with service providers to provide you with the technical opportunity to subscribe to the Newsletter of the shopping centre.

The group Data Controller will process your personal data in order to:

  • Manage your registration to the Newsletter
  • Define the customised offers and events you might be interested in that will be included in the Newsletter

The local data controller and the group data controller are acting as joint data controllers and will hereinafter be referred to together as “Data Controller”, “we”, “us” or “our”.

2. How do we collect your personal data

2.1 We collect personal data directly from you:

  • Upon subscription: when you fill in the form to receive the Newsletter
  • After this subscription: if you decide to share additional information with us. In this situation, this additional information is used to personalise our communication

Details about these different ways of collection are given in the section “Personal data involved” of the table reproduced in article 3 below. Please note that your provision of this data is voluntary. However, the information marked with a star in the registration form is mandatory; if you do not provide this mandatory data, you will not be able to benefit from the Newsletter.

2.2 We collect personal data indirectly, from your use of the Newsletter:

Whether or not you open the Newsletter.

3. Details about the processing of your personal data

3.1 You will find in the table below all information relating to:

  • Why we are processing your personal data (Specific purpose)
  • Which personal data are involved (Personal data involved)
  • On which legal basis we are processing your personal data (Legal basis)
  • How long we are storing your personal data (Retention period)
  • What rights you can exercise in relation to your personal data (Rights)

| Specific purpose | Personal data involved | Legal basis | Retention period | Rights (the available rights depend on the legal basis) |
|---|---|---|---|---|
| Provide you with our Personalized Newsletter | Directly provided by you: Mandatory: e-mail address, first name, salutation. Optional: all information that may be provided by you. What kind of information we may ask? Identification data (date of birth, last name and zipcode); topic of interest (example: sport, shopping, etc). Indirectly: the fact that you have opened or not our Newsletter. Provided to us by a third party: N/A | Consent; the GDPR Article 6(1) a | 3 years from last digital contact or use of the Services | Access; Rectification; Erasure; Limitation of the processing; Objection to the processing; Portability; Withdrawal of consent |
| Answer to the data subjects requests related to personal data | Directly provided by you: name, surname, e-mail address, copy of ID Card, if applicable. Provided to us by a third party: N/A | Legal obligation; the GDPR Article 6(1), c | The civil year of reception, plus 5 years. If your ID card is requested, it will be deleted right after the check of your identity | Access; Rectification; Limitation of the processing |
| Establishment, exercise or defence of legal claims (for example where a law enforcement body or regulatory body are investigating a crime or incident) | Relevant personal data related to the claim or litigation | Legitimate interest of the data controller to ensure its defence; the GDPR Article 6 (1), f | Legal time limit depending on the type of claim/litigation | Access; Rectification; Limitation of the processing |

4. How do we share your personal data?

We may share your personal data with:

  • our processors as listed in Appendix 1. The list of our current third-party processors is published in Appendix 1 below. The list is regularly updated and includes the company name, company address and specific purpose of processing of each service provider;
  • any competent authority or legal entity to answer to legal or regulatory requests, court orders, subpoena or legal process, if necessary to comply with applicable laws;
  • any transferee, when personal data is transferred as part of the sale or other transfer of all or part of our assets to another company;
  • our insurers, lawyers, other advisers and courts when enforcing claims and/or defending our position.

5. How do we keep your personal data secure?

We take the security of all the personal data we hold very seriously and we are committed to protecting your personal data. We have therefore implemented all the necessary technical and organizational security measures, and have chosen our providers accordingly.

We have entered into specific data processing agreements with each service provider listed in Appendix 1 and have checked their general technical and organizational measures. The service providers are only authorized to process the data, as data processor, in compliance with the provision of this Privacy Policy, only on our behalf and according to our instructions.

However, we can't control all the risks related to the use of the Internet, and data security also relies on everyone's vigilance and good use of these technologies. We therefore invite our customers to remain vigilant about the potential inherent risks of using Internet services.

6. When do we transfer your personal data outside the European Economic Area?

We use third party service providers that help us provide the Services to you and process your personal data on our behalf. Such third party service providers will always be subject to security and confidentiality obligations consistent with this Privacy Policy and the applicable law.

Note that some third party service providers are located outside the EEA (European Economic Area) and thus may access and process your Personal data from countries which do not provide an adequate level of data protection. In case of such transfer outside the EEA, we enter into the model clauses adopted by the European Commission to ensure that your personal data benefits from an adequate level of protection when accessed and processed from there. Our processors may also rely on Binding Corporate Rules.

If you need further information on this, please contact us by e-mail at the address mentioned in article 7.5 below.

Information on the model clauses can be found here.

Information on the Binding Corporate Rules can be found here.

7. Your rights in relation to your personal data

7.1 Pursuant to all applicable laws, and in accordance with the provisions of the table of article 3.1 above (column “Rights”) you have the right*:

  • to access your personal data: we will give you detailed information about your personal data being processed;
  • to obtain rectification of your personal data: if the personal data we are processing are inaccurate;
  • to obtain erasure of your personal data: if you want us to erase some or all of your personal data;
  • to object to the processing of your personal information: if you want us to stop the processing of your personal data until we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.
  • to obtain the restriction of the processing of your personal information: if you contest the accuracy, lawfulness or our need to process your personal data, we will limit the processing of your personal data to the minimum (storage) and, if applicable, will process them only for the establishment, exercise or defence of legal claims or, where necessary, for protection of another natural or legal person, or other limited reason dictated by applicable laws.
  • to receive your personal data in a structured and standard format or to ask for the transmission of such information to another controller (portability).

Please note that the available rights depend on the legal basis of the processing. See provisions of the table of article 3.1 above (column “Rights”) to see the rights you can exercise specifically by processing activity.

7.2 Withdrawal of your consent(s)

When the legal basis of the processing is your consent, as detailed in the table displayed in article 3.1 above (column “Legal basis”), you may withdraw your given consent(s) at any time without any reason.

If you do so, we will stop any further processing based on this consent. Please note that the withdrawal of your consent does not affect the lawfulness of any processing done on the understanding that you have given your consent before.

To withdraw your consent to receive our Newsletter you can:

  • click on the unsubscribe link available in all our communications

or;

  • send an e-mail as described in the section Exercise of your rights below

7.3 Exercise of your Rights

If you wish to exercise these rights and/or obtain all relevant information, please contact us at the following address: info@westfieldmallofthenetherlands.nl.

To ensure the effective exercise of your rights, please note that you can use the above-mentioned address for your questions and requests relating to processing by both data controllers (local Data Controller and group Data Controller).

In order to avoid infringing third-party rights, we reserve the right, in case of reasonable doubt, to verify your identity beforehand by asking you for an ID document.

We will respond within 1 month after receipt of your request, but we retain, when necessary due to the complexity of your request, the right to extend this period by 2 months. We will in any event inform you within 1 month after receipt of your request if we decide to extend the period to respond.

7.4 Complaints

You have the right to make a complaint about the way we process your personal data to the Autoriteit Persoonsgegevens (tel. +31 88 1805 250 or https://autoriteitpersoonsgegevens.nl/nl/meldingsformulier-klachten).

8. Transfer in case of change of ownership

If Unibail-Rodamco-Westfield Group is involved in a merger, acquisition, dissolution, or sale of all or part of the shopping centre, or of its managing company or owner, to whose Newsletter you have subscribed, we reserve the right to transfer your personal data. If such change requires notification or consent under applicable law, you will be notified or given the opportunity to consent.

9. Update of this Privacy Policy

We may revise or update this Privacy Policy from time to time. Any change to this Privacy Policy will become effective upon online publication on this website.

If such change requires notification or consent under applicable law, you will be notified or given the opportunity to consent.

Appendix 1 – List of service providers

Subscription:

  • Cardiweb
  • Critizr

CRM-Management:

  • Cardiweb
  • Salesforce
  • Lineup7

Data storage:

  • Amazon