Loyalty program Privacy Policy

The date this privacy policy was last revised was February 2021.


This Privacy Policy explains how the data controllers [referred to in this Privacy Policy as the Data Controller, we, us or our] (as defined below)collects and process your personal data in the context of the provision of our Loyalty Program (including the access to your loyalty account within the website and shopping center applications, together, the “Services”).

 

This Privacy Policy covers the following:

1/ Contact details of the Data Controller

2/  How do we collect your personal data

3/  Details about the processing of your personal data

4/ How do we share your personal data

5/ How do we keep your personal data secure

6/ Do we transfer your personal data outside the European Economic Area

7/ Your rights in relation to your personal data

8/ Geolocation

9/ Automated decision making / profiling

10/Transfer in case of change of ownership.

11/Update of this Privacy Policy

12/Parking system

 

1/ Contact details of the Data Controller

The local Data Controllers:

  • Rodamco Sverige AB (556201-8654) (parent company)
  • URW Fisketorvet A/S (40081534), Havneholmen 5, 1561, København V, Danmark (Owner of Fisketorvet Copenhagen Mall)

all with the registered address Box 7846, 103 98 Stockholm, Sweden and Denmark.

 

The local Data Controllers will process your personal data in the context set out below.

The group Data Controller:

Unibail Management

Simplified joint stock company with a capital of 20 000 000€                                                                                                        

Having its registered office at 7 place du Chancelier Adenauer 75016 Paris, France  

Registered within the Paris Register under number 414 878 389

Espace Expansion and Unibail Management Data Privacy Team (including its DPO) may be contacted by email at data.protection@urw.com or via post at 7 place du Chancelier Adenauer 75116 PARIS.

In a general manner, the group data controller will process your personal data in order to assist the local Data Controllers and to ensure a general governance at group level.

Some roles are specifically assigned to the local Data Controllers or the group Data Controller as follows:

Role of the local Data Controllers:

The local Data Controllers will process your personal data in order to send you communication to inform you about specific offers and events of the respective shopping centre and to provide you with offers. The local Data Controllers consist of Rodamco Sverige AB, the parent company of the Nordic organization. Rodamco Sverige AB is strategically and operationally responsible for the data processing activities carried out in the Nordics and employs most of the staff.

Its subsidiaries (owner of each respective shopping center), may process personal data specifically related to its respective shopping center. Such personal data could include names and contact information in relation to entering into a contract with the subsidiary as the contracting party and to some extent CCTV-footage.

Rodamco Sverige AB and its subsidiaries are wholly owned subsidiaries and part of the Unibail-Rodamco-Westfield company group.

 

Role of the group Data Controller:

The group Data Controller has concluded several data processing agreements and service agreements with service providers to provide you with the technical opportunity to register you to the Loyalty Program or download and use the shopping center application.

The group Data Controller will also handle the preparation of some communication, coordinated at group level, that will be sent by local Data Controllers. Furthermore, the group Data Controller will negotiate with third parties special offers which will be accessible for loyalty members.

The group Data Controller will process your personal data in order to:

  • Manage your registration to the Loyalty Program
  • analyse your behaviour within the shopping center as further detailed in the table below (3.1) to provide you with customised offers and events you might be interested in.

The local Data Controllers and the group data controller are acting as joint data controllers and will hereinafter be referred to together as “Data Controller”, “we”, “us” or “our”.

 

2/ How do we collect your personal data

We collect personal data about you through the following means:

  • directly from you; and/or
  • from your use of the Services

           a) When you use the Loyalty Card, including the virtual one, if scanned during your visit, we collect information related to the type of service your Loyalty Card was used for (example: events, birthday present) and therefore your presence within our shopping center.

          b)    When you use our shopping center application or website as authenticated user, we collect information about the frequency of your visits, your itineraries within the shopping centre provided that we have obtained your prior written consent to collect these information (only for shopping center application - see article 8 Geolocation).

           c) When you use the website and accept the use of cookies, we collect the cookies you have accepted. You will find all details about cookies uses and policy in the Terms of Use accessible by clicking on the following link: https://www.fisketorvet.dk/termsofuse.

Details about the different ways of collection are given in section “Personal data involved” in the table presented in article 3 below.

 

3/ Details about the processing of your personal data

3.1 - You will find in the table below all information in relation with:

  • Why we are processing your personal data (Specific purpose)
  • Which personal data is involved (Personal data involved)
  • On which legal basis we are processing your personal data (Legal basis)
  • How long we are storing your personal data (Retention period)
  • What rights you can exercise in relation to your personal data (Rights)

Specific purpose

Personal data involved

Legal basis

Retention period

Rights

The available rights depend on the legal basis

Management of your registration to the Loyalty Program

Directly provided by you:

Mandatory: Title, Name, surname, e-mail address, birth date

Optional : phone number, license plate, information regarding the fact that the data subject is working in the shopping centre area.

Provided to us by a third party:

N/A

 

Execution of a contract (Terms of Use of theLoyalty Program)

GDPR Article 6(1) b

3 years from last digital contact or use of the Services

 

Access

Rectification

Deletion

Limitation of the processing

Portability

Management of the participation to events organized by the shopping Centre

 

Please note that we might send you communication to allow you to participate to the event (example : if the event requires you to have a proof of registration to enter it)

Directly provided by you:

e-mail address, name, surname, phone number

 

Provided to us by a third party:

N/A

Legitimate interest of the data controller to offer the opportunity for the members of the Loyalty Program to participate to events organized to their attention and ensure the security of such event

GDPR Article 6(1)f

6 months after the event

Access

Rectification

Deletion

Limitation of the processing

Objection to the processing

Facilitate your access in the shopping centre parking

Directly provided by you:

Licence plate

Provided to us by a third party: N/A

Execution of a contract (ToU loyalty program)

GDPR Article 6(1) b

3 years from last digital contact or use of the Services

Access

Rectification

Deletion

Limitation of the processing

Portability

Loyalty Points Collection (only applicable to Westfield Mall of Scandinavia and Täby Centrum)

See details in article 3.2

Directly provided by you: N/A

Provided by Transaction Connect: amount, date and shop of purchase

Execution of a contract (Terms of Use Loyalty Program)

3 years from last digital contact or use of the Services

Access

Rectification

Deletion

Limitation of the processing

Portability

 

Management of the offers and benefits of the Loyalty Program

free access to services (in conditions detailed in the Terms of Use of the Loyalty Program):

parking

loan of objects (strollers, umbrella)

birthday present

Directly provided by you:

Loyalty card number, bar code, name, surname, birthdate

Provided to us by a third party:

N/A

Execution of a contract (Terms of Use Loyalty Program)

 

GDPR Article 6(1) b

No storage for the use of the offers and benefit.

 

If the Loyalty Card is scanned we may retain your date of visit and type of services/offer used

Access

Rectification

Deletion

Limitation of the processing

Portability

Participation in contests organized for loyalty members

Directly provided by you:

Loyalty card number, name, surname, birthdate, Personal information that may be contained in the contest itself (answers to questions)

 

Provided to us by a third party:

N/A

Execution of a contract (Rules of contest)

 

GDPR Article 6(1) b

1 month after delivery of the prizes to the winner(s)

Access

Rectification

Deletion

Limitation of the processing

Portability

Granting of rewards for loyalty members who have activated the Loyalty Point Collection (only applicable to Westfield Mall of Scandinavia and Täby Centrum)

(example: prize granted to a member randomly chosen among the persons who have spent at least [amount to be determined] euros during a given time – specific communication to members within the scope would be made)

Provided by Transaction Connect: amount, date and shop of purchase

Legitimate interest of the Data Controller to manage the program in order to increase its database and the amount spent in the shopping center and legitimate interest of the members to win prizes

GDPR Article 6(1) f

No specific data retention as the information are retained in the framework of the Loyalty point collection – see below

Access

Rectification

Deletion

Limitation of the processing

Objection to the processing

Management of the communication for information purpose in relation with the Loyalty Program

(example: information about an event accessible only to the loyalty members)

 

Directly provided by you:

Loyalty card number , title, name, surname, e-mail address

Phone number (optional)

Provided to us by a third party:

N/A

Execution of a contract (Terms of Use Loyalty Program)

GDPR Article 6(1)b

3 years from last digital contact or use of the Services

Access

Rectification

Deletion

Limitation of the processing

Portability

Management of commercial communication:

By e-mail and/or sms if you have provided us with your mobile phone number

Directly provided by you:

e-mail address

phone number (optional)

 

Provided to us by a third party:

N/A

Consent

GDPR Article 6(1) a

 

 

3 years from last digital contact or use of the Servicesor until withdrawal of the consent, whatever occurs first

Access

Rectification

Deletion

Limitation of the processing

Objection to the processing

Portability

Withdrawal of consent

Analysis of your information/use of the services:

Ø to provide you with personalized offers; and

Ø to improve our understanding of your expectations and needs and develop new features and services

Please note in this perspective, we will combine the personal data listed in the relevant column.

Obtained directly from you: all information that may be provided by you.

Obtained from your activity:

Behaviour on the website (cookies)

Participation to events organized by the shopping centre,

Your use of the wifi: date of visit of the shopping center

Your use of the Loyalty Point Collection

When your Loyalty Card is scanned for the use of a service or the participation in an event in the Shopping Center

 

 

Legitimate interest of the Data Controller to better understand the customer in order to deliver appropriate services and/or offers and legitimate interest of the loyalty members to receive personalized offers and services.

GDPR Article 6(1) f

 

please note that:

- cookies are only collected on the legal basis of your consent (GDPR Article 6(1)(a)

- information related to your use of the wifi is only collected on the legal basis of your consent (GDPR Article 6(1)(a)

The analysis of the information described here is however made on the basis of legitimate interest (GDPR Article 6(1)(f)

3 years from last digital contact or use of the Services

Access

Rectification

Deletion

Limitation of the processing

Objection to the processing

Portability

Geolocation (within the shopping center only – via the Shopping center application)

Directly provided by you:

Provided by the use of the service: location data inside the shopping centre

Provided to us by a third party: N/A

Consent (given via Shopping Center application)

GDPR Article 6(1) a

No storage of your geolocation will be made by Us.

 

Access

Rectification

Deletion

Limitation of the processing

Portability

Withdrawal of consent

Answer to the loyalty members requests related to personal data

Directly provided by you:

Name, surname, e-mail address, number of loyalty member or copy of ID Card, if applicable

 

Provided to us by a third party:

N/A

Legal obligation

GDPR Article 6(1), c

5 years

 

If your ID card is requested, it will be deleted right after the check of your identity

Access

Rectification

Limitation of the processing

Deletion

Obtain feedback from you on our services

Directly provided by you: answers to questionnaires in respect to the appreciation of the services provided by us.

Legitimate interest of the data controller to better understand the customer and improve the servicesand deliver appropriate services and/or offers

GDPR Article 6(1) f)

3 years from last digital contact or use of the Services

Access

Rectification

Deletion

Limitation of the processing

Objection to the processing

Establishment, exercise or defence of legal claims

(for example where a law enforcement body or regulatory body is investigating a crime or incident)

Relevant personal data related to the claim or litigation.

Legitimate interest of the data controller to ensure its defence;

GDPR Article 6(1), f)

 

Legal time limit depending on the type of claim/litigation

Access

Rectification

Deletion

Limitation of the processing

Objection to the processing

 

 

 

 

 

 

 

4/ How do we share your personal data?

We may share your personal data with:

  • our processors as listed in Appendix 1; The list of our current third-party processors is published in Appendix 1 below. The list is regularly updated and includes company-name, company-address, specific of purpose of processing of service provider.
  • any competent authority or legal entity to answer to legal or regulatory requests, court orders, subpoena or legal process, if necessary to comply with applicable laws;
  • any transferee, when personal data is transferred as part of the sale or otherwise transfer of all or part of our assets to another company
  • with our insurers, lawyers, other advisers and courts when enforcing claims and/or defending our position

 

5/ How do we keep your personal data secure?

We take the security of all the personal data we hold very seriously and we are committed to protecting your personal data. We have therefore implemented all the necessary technical and organizational security measures, and have chosen our providers accordingly.


We have entered into specific data processing agreements with each service provider listed in Appendix 1 and have checked their general technical and organizational measures. The service providers are only authorized to process the data, as data processor, in compliance with the provision of this Privacy Policy, only on our behalf and according to our instructions.

 

However, we cannot control all the risks related to the use of the Internet, and data security also relies on everyone's vigilance and good use of these technologies, therefore we invite our customers to remain vigilant on potential inherent risks while using Internet services.

 

6/ When do we transfer your personal data outside the European Economic Area?

We use third party service providers that help us provide the Services to you and process your personal data on our behalf. Such third party service providers will always be subject to security and confidentiality obligations consistent with this Privacy Policy and the applicable law.

Note that some third party service providers are located outside the EEA (European Economic Area) and thus may access and process your Personal data from countries which do not provide an adequate level of data protection. In case of such transfer outside the EEA, we enter into the model clauses adopted by the European Commission to ensure that your personal data benefits from an adequate level of protection when accessed and processed from there. Our processors may also rely on Binding Corporate Rules.

If you need further information on this, please contact us by e-mail at the address mentioned in article 7.5 below.

Information on the model clauses can be found here: https://ec.europa.eu/info/law/law-topic/data-protection_en.

 

Information on the Binding Corporate Rules can be found here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/binding-corporate-rules-bcr_en.

 

7/ Your rights in relation to your personal data

7.1 Pursuant to all applicable laws, and in accordance with the provisions of the table of article 3.1 above (column “Rights”) you have the right:

  • to access your personal data: we will give you detailed information about your personal data being processed.
  • to obtain rectification of your personal data: if the personal data we are processing is inaccurate;
  • to obtain erasure of your personal data: if you want us to erase some or all of your personal data;
  • to object to the processing of your personal data: if you want us  to stop the processing of your personal data until we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.
  • to obtain the restriction of the processing of your personal information: if you contest the accuracy, lawfulness or our need to process your personal data, we will limit the processing of your personal data to the minimum (storage) and, if applicable, will process them only for the establishment, exercise or defence of legal claims or, where necessary, for protection of another natural or legal person, or other limited reason dictated by applicable laws.
  • to receive your personal data in a structured and standard format or to ask for the transmission of such information to other controller (portability)

 

Please note that the available rights depend on the legal basis of the processing. See provisions of the table of article 3.1 above (column “Rights”) to see the rights you can exercise specifically by processing activity.

7.2  Withdrawal of your consent(s) When the legal basis of the processing is your consent, as detailed in the table displayed in article 3.1 above (column “Legal basis”), you may withdraw your given consent(s) at any time without any reason.

If you do so, we will stop any further processing based on this consent. Please note that the withdrawal of your consent does not affect lawfulness of any processing done on the understanding that you have given your consent before.

To withdraw your consent to receive commercial communication:

  • send an e-mail as described in the section Exercise of your rights below or
  • directly change the setting in your loyalty account or
  • click on the unsubscribe link available in all our communication

7.3 Unsubscribing to communication for information purposes in relation to the Loyalty Program

As part of the Loyalty Program and based on the legal basis of the execution of a contract formed between us (the terms of Use of the Loyalty Program) we will send you communication (that will only be about the Loyalty Program and that will not contain any commercial offers).

If you do not want to receive this kind of communication, you can ask us to stop sending it by:

  • sending an e-mail as described in the section Exercise of your Rights below; or,
  • directly changing the setting in your Loyalty account or,
  • clicking on unsubscribe link available in all our communication.

7.4 Deletion of your Loyalty Account

If you want to delete your Loyalty Account, you can either:

  • delete it directly in the setting of your Loyalty Account; or,
  • send an e-mail as described in the section Exercise of your rights below.

 

7.5 Exercise of your Rights

If you wish to exercise these rights and/or obtain all relevant information, please contact us at the following address: dp.nordics@urw.com.

To ensure an effective exercise of your rights, please note that you can send your request at the above mentioned address for your questions and demands in relation to processing to both data controllers (local Data Controllers and group Data Controller).

In order to avoid infringing third party rights, we reserve the right, in case of reasonable  doubt, to proceed to prior verification of your identity by asking you to provide:

  • your loyalty member number, or, if you do not have it,
  • an ID Document

We will respond within 1 month after receipt of your request, but We retain, when necessary due to the complexity of your request,  the right to extend this period by 2 months. We will in any event inform you within 1 month after receipt of your request if We decide to extend the period to respond.

If needed, you can also address any question at the welcome desk of your shopping centre.

7.6   Complaints

You have the right to make  a complaint about the way We process your Personal data to the local data protection authority.

 

Sweden: Integritetsskyddsmyndigheten (imy@imy.se, 08-657 61 00).

Denmark: Datatilsynet (dt@datatilsynet.dk, 33 19 32 00).

 

 

8/ Geolocation

 

8.1 General principle

Subject to your prior express consent given in the shopping center application, information related to your location within our shopping centre may be collected and processed by Us while you are authenticated on our shopping center Applications for the purposes of measuring the frequency of your visits and your itineraries within our shopping centre and/or providing location related services.

 

Geolocation will only take place if you have activated the additional services/specific function in the settings of your downloaded shopping centre application on your mobile device. You could deactivate those additional services at any time in the settings latter one at any time.

 

Please note that when given, your consent will be effective immediately for any further connections on our shopping center Application and for any further visits in our shopping centre within 12 months from first connection, unless you withdraw your consent.

 

 

 8.2   How to manage your geolocation preferences on your mobile device

 

In order to be located within the shopping centre, you will be required to activate the Bluetooth feature on your mobile device.

 

 If you only want to check out the map the activation of the Bluetooth feature is not required.

 

Please note that we will not locate you outside our shopping centre. The location option is carried out by the Bluetooth beacons which are installed in the common areas of the shopping centre only.

 

You may disable the geolocation of your mobile device through your mobile settings at any time.

 

 

 

9/ Automated decision making/profiling

 

There is currently no automated decision-making process or profiling which would legally affect you or otherwise significantly affect you. But we will provide you with specific offers based on your individual Personal data and analysis of your user behavior.

Since we do not want to bother you with information and promotions that may not be relevant to you, we assess your purchase profile, i.e. information such as your earlier purchases and preferences that we collect through your use of our Services as detailed in table (article 3.1), to only send you information and promotions we consider interesting or relevant to you.

 

10/ Transfer in case of change of ownership

 

If the Unibail-Rodamco-Westfield  Group is involved in a merger, acquisition, dissolution, or sale of all or part of the shopping centre, or its managing company or owner, where you are registered as a Loyalty Program member, we reserve the right to transfer your personal data. If such change requires notification or consent under applicable law, you will be notified or given the opportunity to consent.

 

 

 

11 / Update of this Privacy Policy

 

We may revise or update this Privacy Policy from time to time. Any change to this Privacy Policy will become effective upon online publication on this website. If such change requires notification or consent under applicable law, you will be notified or given the opportunity to consent.

 

 

12/ Parking system

Our parking system makes it easy to park at Fisketorvet. The parking system scans the license plate of the vehicle when you enter and exit our parking facilities (parking house or parking roof) and the period for which you have parked is recorded. When arrived, you do not have to do anything - just remember the license plate of the vehicle which you will need for payment after your visit.

When you park in Our parking facilities We collect and process information about the vehicle license plate and the time of entry and exit. In case of due payment have not been made, We also collect and process information about the name and the address of the registered user of the vehicle. The legal basis for Our processing is the principle of “legitimate interests” in article 6(1)(f) of the General Data Protection Regulation, as we pursue a legitimate interest in providing a parking service that is operational and convenient for our visitors and minimizes the number of unexpected expenses. Furthermore, if payment is not made for parking in accordance with the terms and conditions, we process the personal data as necessary for the legal claim to be established, enforced or defended, cf. article 9(2)(f) of the General Data Protection Regulation.

The personal data process using Our parking system is stored until the vehicle leaves the parking facilities (P-house or P-roof) after which personal data is deleted unless payment for the parking has not been made in accordance with the terms and conditions. In the latter case, the personal data is processed in order to establish, enforce or defend the legal claim and deleted 90 days after the case has been finalized.

 

Appendix 1 – List of service providers