Mammut Shopping Centre

Privacy Policy

  • Privacy Policy

    • MEMORANDUM ON THE PROCESSING OF PERSONAL DATA

      In the commercial activity carried out by the Mammut Shopping Centre, there may be several situations in which we process your personal data. More details can be found below:

      We are Mammut Zrt. (registered seat: 1024 Budapest, Lövőház utca 2-6., Hungary; registration number: 01-10-047154, tax number: 23483853-2-41) and Tummam Kft.  (registered seat: 1024 Budapest, Lövőház utca 2-6., Hungary; registration number: 01-09-291814, tax number: 25836903-2-41; hereinafter jointly referred to as the “Controller”), part of the NEPI Rockcastle Group.

      In promoting Mammut Shopping Centre, we work with the following entities within the NEPI Rockcastle Group:

      • NE Property BV 7-29 Claude Debussylaan, Tribes Offices SOM Building, 3rd Floor, Amsterdam, The Netherlands, registered with the Dutch Chamber of Commerce under No. 34285470

      • NEPI Investment Management SRL Calea Floreasca 169A, Cladirea A, sectiunea 5.1, biroul 14, Sector 1, Bucharest, Romania, registered with the Commercial Register under No. J40/16378/2007, unique registration number (CUI) RO22342136

      From the perspective of how your personal data is processed for specific marketing purposes, the relationship between the Controller, NE Property BV, NEPI Investment Management SRL and Marketing Advisers SRL is that of Joint Controllers, according to Article (26) of the GDPR.

      Also for the purpose of promoting the Mammut Shopping Centre, NE Property BV makes the www.mammut.hu Website (the “Website”) available to users.

      This information notice is addressed to all data subjects who visit the Mammut Shopping Centre, access the Website, participate in promotional campaigns or similar events held on the premises of the shopping centre or online or represent suppliers/partners/collaborators or tenants in the conduct of the contractual relationship with Mammut Shopping Centre.

      The way we process your personal data differs depending on your relationship with Mammut Shopping Centre.

      In all cases, you have several rights that can be exercised, individually or cumulatively, with respect to personal data that Mammut Shopping Centre holds in relation to you. Information on these rights as well as how they can be exercised is available in the Rights of data subjects section .

      We undertake to process personal data in compliance with applicable legislation on the protection of personal data and good practices in this area. More information is available in the section on Data security and accuracy.

      In addition, a Data Protection Officer has been appointed at the NEPI Rockcastle Group level, who can be contacted should there be any concerns about the protection of personal data and the exercise of data protection rights. The Data Protection Officer can be contacted by written, dated and signed request, using the contact details mentioned below:

      • by mail, at: Calea Floreasca nr. 169A, Floreasca 169, Clădirea A, etajul 5, Sector 1, București/Bucharest, Romania

      • by email, at: Protection@nepirockcastle.com

  • 1. Visitors to the shopping centre website

    • 1.1 Personal data we process

      • Identification data, such as: first name and last name, date of birth

      • Account access data, such as: password

      • Contact details, such as: email address, phone number

      • Data on your preferences/interests, such as data on areas of interest - e.g., fashion, technology, pets, etc.

      • Data about your interaction with the Website, such as: information about the stores you searched for, the fact that you chose a series of products/services as favorites or that you selected a series of events that you want to participate in, as well as the recurrence with which you visit our Website/access the Account.

      • Demographic data, such as: gender, city and neighborhood where you live, whether you are married or not, whether you have children or not, the number of children and their age

      • Data on the participation in promotional campaigns and similar events, such as: prizes won, image

      • Financial data, such as: bank account number.

      • Data collected through cookies or other similar technical means (i.e., small text files that are stored on your computer, phone, tablet or mobile device, and contain information about your activity on those sites/applications), e.g.: sub-pages accessed, period spent on a specific page

      • Data from social networks, such as: the unique identification code provided by the Facebook network

      In the case of the Website, we also collect your IP, but this data is not processed or used for any subsequent purpose at this time.

    • 1.2 Use of personal data

      1.1.1      General purposes

      When you access the [Shopping Mall Name] website (the “Website”), certain personal data about you will be processed by NE Property BV, mainly in order to be able to provide you with the requested service, namely access to the Website.

      No.

      Purpose of processing personal data

      Legal basis of processing personal data

      1.    

      Carry out economic, financial and/or administrative management activities

      Legal obligation

      2.    

      Settlement of disputes, investigations or any other petitions/complaints to which NE Property BV is a party

      Legitimate interest in defending our rights in court/in front of any competent authority

      3.    

      Archiving

      Legal obligation

      4.    

      Conducting risk controls on NE Property BV procedures and processes, as well as conducting audits or investigations of NE Property BV

      Our legitimate interest to manage risks and ensure compliance with NE Property BV procedures and processes

      5.    

      Ensure a high level of security of information systems (e.g., applications, network, infrastructure, website)

      Our legitimate interest in ensuring the security of our computer systems

      6.    

      Provide you with support services when you request so

      Perform the contract concluded regarding the provision of our services (i.e., in accordance with the Terms and Conditions of the Website)

      1.1.2      Data processing for marketing purposes 

      In its work to promote the Mammut Shopping Centre, including through the Website, NE Property BV works together with the following entities within the NEPI Rockcastle Group: The Controller, as owner of the Shopping Centre, NEPI Investment Management SRL and Marketing Advisers SRL. Thus, from the perspective of how your personal data is processed for marketing purposes, the entities of the NEPI Rockcastle Group mentioned above (hereinafter collectively referred to as the “Joint Controllers” and individually as the “Joint Controller”) act as Joint Controllers, pursuant to Article (26) of the GDPR.

      In connection with the processing of personal data for marketing purposes, you have all the rights set out in Data subjects' rights. By virtue of the agreement entered into by the Joint Controllers regarding the processing of personal data for marketing purposes, they will cooperate and ensure that they fully respect your rights, regardless of the Joint Controller to whom you choose to send your request to exercise your rights.

      No.

      Purpose of processing personal data

      Legal basis of processing personal data

      1.    

      to contact you through the means of communication to provide you with information about the Website (i.e. non-marketing information),

      Perform the contract concluded regarding the provision of our services (i.e., in accordance with the Terms and Conditions of the Account)

      2.    

      Create and analyse profiles about you in order to present content tailored to your preferences and to improve our services

      Your consent

      3.    

      Send general or customised direct marketing messages (newsletter) via the e-mail provided when subscribing to the newsletter, in order to promote our activities, offers and products, the Group, but also the Partners

      Your consent

      4.    

      Organise raffles, competitions or other similar campaigns

      Perform the contract concluded (i.e., in accordance with the Regulation of the concerned raffle, competition or campaign)

      5.    

      Conduct direct marketing campaigns for specific regions or users

      Your consent

      6.    

      Manage and operate the accounts on the social networks of the shopping centre; conduct campaigns on social networks

      Your consent

      7.    

      Conduct surveys or other market research

      Our legitimate interest in promoting the shopping centre and better understanding the market demands

      8.    

      To perform internal analyses (including statistical analyses, reports) with respect to the customer portfolio, in order to improve and develop services, and to conduct market studies and researches to improve and develop the services of the Controller, of the Group and of their Partners,

      Our legitimate interest consists in market knowledge, strategic development, development and improvement of our services

      9.    

      Document your consent

      Legal obligation

      10. 

      Use of marketing cookies for the purpose of:

      -        conducting profiling activities, also called web profiling which involves the use of cookies to track online the general activity of a user in order to present content tailored to his preferences,

      -        conducting targeting and retargeting campaigns

      More information on cookies is available in the Cookie Policy 

      Your consent

      11. 

      Create statistics designed to provide information about the performance of the Website and the marketing campaigns displayed (e.g. the number of users who accessed the campaign page, the number of users who saw the campaign banner, etc.), made by using analysis cookies

      More information on cookies is available in the Cookie Policy 

      Our legitimate interest in (i) improving the content of the Website and the campaigns conducted on the Website as well as the better evaluation of the performance indicators (KPI) of the commercial campaigns carried out on the Website and (ii) ensuring the operation, access and technical use of the Website and providing you with the services you have explicitly requested

      12. 

      Use of cookies necessary to ensure the operation of the Website

      More information on cookies is available in the Cookie Policy

      Perform the contract regarding the provision of our services (i.e. ensuring access to the Website)

    • 1.3 Additional information on profiling

      The Joint Controllers will create and analyze your profiles based on the personal data we hold about you - data about your preferences/interests, data about your interaction with the Website, data collected through cookies. As a result of analyzing such data, we will be able to identify your preferences, interests and capabilities in terms of procurement, and thus relate them to the services we provide or to the products we promote.

      Then, through automated procedures, the Joint Controllers determine the content of the direct marketing materials to be sent to you. In the legal language these automated procedures are referred to as “automated individual process”.

      Thus, the direct marketing materials that we will send you will be as specific, convincing and applicable as possible to you, and as a consequence may influence you (i.e. in the sense of purchasing the product/service included in the marketing material), as the manage to correctly identify your preferences or characteristics.

      With regard to the processing of data by automated individual processes, you have several additional rights, i.e. you can (a) obtain human intervention, (b) express your point of view, (c) get explanations about the decision made and (d) contest that decision. In addition, you can withdraw consent at any time in the manner prescribed in this Memorandum in the section dedicated to Data subjects rights.

    • 1.4 Storage period

      The personal data processed are kept for the period of time necessary to comply with the legal obligations imposed on us by the regulations specific to our field of activity.

      With regard to the use of your personal data for direct marketing activities, it will be stored by the Joint Controllers from the time you have given us your consent for such processing until the date you have withdrawn it. Once you choose to withdraw your consent, your data will be stored by the Joint Controllers, for an additional period of 60 days, in the legitimate interest of the Joint Controllers to be able to access and provide the necessary documentation in the event of a potential legal claim, complaint, investigation (i.e., but not to be used for sending direct marketing materials).

    • 1.5 Third party access

      Access to your data will be provided only to those persons or entities with whom we collaborate in fulfilling the purposes of processing, and for whom we (we or the intended recipients) can justify a legitimate reason or if we have a legal obligation to provide your data.

      The following entities and their employees will have access to your data:

      • IT service providers (e.g., software maintenance and development, site maintenance and development),

      • CRM solution providers

      • Marketing service providers, including market research service providers, marketing communications service providers, online tool traffic and behavior monitoring service providers, various marketing customization service providers, providers of marketing services through social media resources, providers of services for the preparation of the content of marketing forms,

      • Group Companies (other than Joint Controllers)

      As both the Controller and the other Joint Controllers are part of the Nepi Rockcastle group of companies (the “Group”), your personal data will be processed for the purposes of consolidated management of the Group's activities, for audit purposes and in any other situation where the law requires or permits such processing, if we (the Controller, the Joint Controllers or the recipient companies in the Group) can justify a legitimate basis for doing so or if we obtain your consent to do so. The list of companies in the Group can be found at: www.nepirockcastle.com

      • Partners Mammut Shopping Cenre

      Your personal data will also be processed in relation to a number of third party partners (“Partners”). These are the Partners that the Joint Controllers promote in their relationship with you through direct marketing activities, and are usually represented by tenants of NEPI Rockcastle Group shopping centres. Partners do not have access to your personal data, unless NE Property BV or the Joint Controllers have obtained your prior consent in this respect. The full list of Partners for the Mammut Shopping Centre location is updated quarterly and can be found here - www.mammut.hu

      We will contractually require these entities, as well as their staff, to respect the confidentiality of this data, ensuring a high level of security for the processing of your data.

      We will also provide your personal data to judicial bodies, public institutions, or central and local public authorities, based on a duly substantiated request or legal obligation.

      As a rule, NE Property BV or, as the case may be, the Joint Controllers, will not transfer your personal data to third countries outside the European Economic Area. If such a transfer nevertheless takes place, NE Property BV and the Joint Controllers will take appropriate safeguards to ensure the protection of personal data transferred.

  • 2. Visitors and customers of the shopping centre

    • 2.1 Personal data we process

      • Identification data, such as: first name and last name, date of birth

      • Special identification data, that is personal identity number 

      • Contact details, such as: email address, phone number

      • Image

      • Data on the vehicle for which a parking space is granted in the car park of the shopping centre, e.g.: make, type and registration number

      • Data on access to the shopping center car park, e.g.: arrival time, departure time, length of stay

      • Device MAC (mobile, laptop, tablet)

      • Data on participation in promotional campaigns and similar events, e.g.: prizes won

      • Financial data, e.g.: bank account number

    • 2.2 Use of personal data

      2.2.1      General purposes

      When you visit the Mammut Shopping Centre, certain personal data about you will be processed by the Controller, mainly in order to be able to provide you with the services offered by the Controller or to fulfil our legal obligations.

      No.

      Purpose of processing personal data

      Legal basis of processing personal data

      1.    

      Video surveillance by means of the CCTV system installed inside the shopping centre, in the common areas, access roads, as well as car park areas

      Legitimate interest in ensuring the security of persons and property inside the shopping centre

      2.    

      Facilitate access to the car park of the shopping centre

      Perform the contract regarding the provision of our services (i.e. granting access to the facilities and services provided by the shopping centre)

      3.    

      Solve requests for data and information received from the competent authorities and institutions

      Legal obligation

      4.    

      Grant access to the free WiFi network

      Perform the contract regarding the provision of our services (i.e. granting access to the facilities and services provided by the shopping centre)

      5.    

      Management of notifications/complaints submitted within the shopping centre

      Our legitimate interest in resolving complaints sent to us and in maintaining good relations with visitors/customers of the shopping centre

      6.    

      Management of requests regarding lost objects, filed inside the shopping centre

      Perform the contract regarding the provision of our services (i.e. granting access to the facilities and services provided by the shopping centre)

      7.    

      Carry out economic, financial and/or administrative management activities

      Legal obligation

      8.    

      Settlement of disputes, investigations or any other petitions/complaints to which the Operator or [Shopping Mall Name] is a party

      Legitimate interest in defending our rights in court/in front of any competent authority

      9.    

      Archiving

      Legal obligation

      10. 

      Conducting risk controls on the Controller's procedures and processes, as well as conducting audits or investigations of the Controller

      Our legitimate interest in managing risk and ensuring compliance with the Controller's procedures and processes

      2.2.2      Data processing for marketing purposes 

      In its work to promote Mammut Shopping Centre, including through the Website, the Controller works with the following entities within the NEPI Rockcastle Group: NE Property BV, NEPI Investment Management SRL and Marketing Advisers SRL. Thus, from the perspective of how your personal data is processed for marketing purposes, the entities of the NEPI Rockcastle Group mentioned above (hereinafter collectively referred to as the “Joint Controllers” and individually as the “Joint Controller”) act as Joint Controllers, pursuant to Article (26) of the GDPR.

      In connection with the processing of personal data for marketing purposes, you benefit from all the rights set out in the section Data subjects' rights. By virtue of the agreement entered into by the Joint Controllers regarding the processing of personal data for marketing purposes, they will cooperate and ensure that they fully respect your rights, regardless of the Joint Controller to whom you choose to send your request to exercise your rights.

      No.

      Purpose of processing personal data

      Legal basis of processing personal data

      1.    

      Take and use photos (which also include your image) in order to promote the shopping centre

      Your consent

      2.    

      Organise raffles, competitions, events or marketing campaigns in the shopping centre, including handing out prizes won

      Perform the contract concluded (i.e., in accordance with the Regulation of the concerned raffle, competition or campaign)

      3.    

      Create statistical reports to streamline the activity of the shopping centre, and in time improve visitors’s experience through the Retail Analytics application

      The legitimate interest in gaining a better understanding of human trafficking within the shopping centre in order to develop the business and marketing strategy of the shopping centre, the services provided and to improve the organization of the shopping centre and the events organized inside the shopping centre

    • 2.3 Retail Analytics application

      Retail Analytics is an application that uses the shopping centre’s Wi-Fi system to process personal data in order to obtain statistical reports that streamline the activity of the shopping centre, while in time improving visitors’ experience.

      2.3.1      How does the Retail Analytics application work?

      The MAC (media access control) address of the electronic device is collected through an API (Application Programming Interface), by exposure to access points (Access Points), through a secure VPN (virtual private network), using an https protocol (HyperText Transfer Protocol Secure) and dedicated internet protocol (IP).

      The MAC address is anonymized by the API (Application Programming Interface) immediately after collection and prior to processing for statistical purposes, by applying a hash function.

      NOTE: "anonymization" means the processing of personal data in such a way that it can no longer be attributed to a specific data subject.

      The information resulting from the application of the hash function is saved in the database of the Retail Analytics application and is not reversible (i.e. the MAC address can no longer be identified).

      The personal data of the MAC device and the location are anonymized and cannot lead to the identification of the person.

      Depending on the device manufacturer, without our intervention it is possible that - although the WiFi connection of the device is not activated - the device is detected by our WiFi network, so we recommend that you check the WiFi connection of the device when visiting our shopping centre.

      NOTE:  :  You can deactivate the WiFi connection by accessing the device's “Settings” menu and disabling geolocation by accessing the Google geolocation service https://support.apple.com/en-us/HT207092 for iPhone, https://support.google.com/nexus/answer/3467281?hl=en for Android.

      2.3.2      Categories of personal data processed by the Retail Analytics application

      • MAC address (media access control) of the electronic device;

      • date and time of the visit(s);

      • identifier and coordinates of the access point to the WiFi network (AP identifier);

      • Wi-Fi signal strength;

      • WiFi network connection status (connected/disconnected).

      The MAC address captured through the API (Application Programming Interface) is the one that could lead to the identification of the person and the rest of the personal data highlighted above can only be collected with its help. The MAC address is anonymized by the API immediately after collection and prior to processing for statistical purposes.

      2.3.3      Purpose of the processing of personal data

      After anonymization, data is used exclusively for statistical purposes, the statistical reports generated by Retail Analytics being used for:

      • developing the business and marketing strategy of the shopping centre, increasing the value of the shopping centre, better organization of the shopping centre, events and campaigns hosted by it, while ensuring a more efficient management of the needs of visitors and tenants of the shopping centre;

      • improvement of the services offered by the shopping centre, correlated with a proper management of the periods and areas of maximum congestion, so as to obtain an improved shopping experience.

    • 2.4 Storage period:

      The personal data processed are kept for the period of time necessary to comply with the legal obligations imposed on us by the regulations specific to our field of activity.

      Depending on the context in which we process your personal data, the following rules for determining the storage period will apply:

      • CCTV system: Video recordings stored by the CCTV system are usually kept for a period of 30 (thirty) days, unless the extension of their processing period is required by law or justified by legal procedures.

      • WiFi network: The device’s MAC is only stored during the period when it uses our WiFi network.

      • Data processed for marketing purposes: data collected for marketing purposes will be processed until consent is withdrawn. Once you choose to withdraw your consent, your data will be stored by the Joint Controllers, for an additional period of 3 years, in the legitimate interest of the Joint Controllers to be able to access and provide the necessary documentation in the event of a potential legal claim, complaint, investigation (i.e., but not to be used for sending direct marketing materials).

      • Retail Analytics application: In the case of data processed through the Retail Analytics application, personal data is anonymised at the time of collection and is not retained by the Joint Controllers. After anonymisation, the information and statistical reports obtained shall be kept for a period of 1 year.

    • 2.5 Third party access:

      Access to your data will only be provided to those individuals or entities with whom we collaborate for processing purposes and for whom we (the new or the intended recipients) can justify a legitimate ground in accordance with the GDPR or if we have an obligation legal to provide your data.

      The following entities and their employees will have access to your data:

      • Security and security service providers - To ensure CCTV video surveillance and access control system in parking spaces, the Controller collaborates with specialised companies, authorised by law to carry out security and surveillance activities.

      • Other service providers - With regard to participation in campaigns and events, as well as the handling of complaints, grievances and/or requests regarding lost items addressed to the staff of the Info Desk offices within the shopping centres, the Controller usually collaborates with specialised service companies.

      • Group companies

      As both the Controller and the other Joint Controllers are part of the Nepi Rockcastle group of companies (the “Group”), your personal data will be processed for the purposes of consolidated management of the Group's activities, for audit purposes and in any other situation where the law requires or permits such processing, if we (the Controller, the Joint Controllers or the recipient companies in the Group) can justify a legitimate basis for doing so or if we obtain your consent to do so. The list of companies in the Group can be found at: www.nepirockcaste.com

      • Partners Mammut Shopping Centre

      Your personal data will also be processed in relation to a number of third party partners (“Partners”). These are the Partners that the Joint Controllers promote in their relationship with you through direct marketing activities, and are usually represented by Mammut Shopping Centre tenants. Partners do not have access to your personal data, unless the Controller or the Joint Controllers have obtained your prior consent to do so. The full list of Partners is updated quarterly and can be found here - www.mammut.hu

      • Property Manager Mammut Shopping Centre

      We will contractually require these entities and their staff to respect the confidentiality of this data, ensuring a high level of security for the processing of your data.

      We will also provide your personal data to judicial bodies, public institutions, or central and local public authorities, based on a duly substantiated request or legal obligation.

      As a rule, the Controller or, where applicable, the Joint Controllers, will not transfer your personal data to third countries outside the European Economic Area. If such a transfer nevertheless takes place, the Controller or the Joint Controllers will take appropriate safeguards to ensure the protection of personal data transferred.

  • 3. Representatives of the contractual partners (suppliers/tenants of shopping centres/collaborators)

    • 3.1 Personal data we process

      • Identification data, such as: first name and last name, date of birth

      • Contact details, such as: email address, phone number

      • Occupational data, such as: position held, company in which you are employed or which you represent

    • 3.2 Use of personal data

      No.

      Purpose of processing personal data

      Legal basis of processing personal data

      1.    

      Concluding and executing leases or other commercial contracts

      Legitimate interest in carrying out our activity and validly concluding commercial contracts agreements specific to our field of activity (i.e. commercial spaces lease agreements)

      2.    

      Contacting possible future tenants of the shopping centre (prospective tenants)

      Legitimate interest in promoting our business and promoting the shopping centre to potential tenants (prospective tenants)

      3.    

      Carry out know-your-customer (KYC) checks in relation to potential contractual partners

      Legal obligation

      4.    

      Carry out economic, financial and/or administrative management activities

      Legal obligation

      5.    

      Settlement of disputes, investigations or any other petitions/complaints to which the Operator is a party

      Legitimate interest in defending our rights in court/in front of any competent authority

      6.    

      Archiving

      Legal obligation

      7.    

      Conducting risk controls on the Controller's procedures and processes, as well as conducting audits or investigations of the Controller,

      Our legitimate interest in managing risk and ensuring compliance with the Controller's procedures and processes,

    • 3.3 Storage Period

      The personal data processed are kept for the period of time necessary to comply with the legal obligations imposed on us by the regulations specific to our field of activity.

    • 3.4 Third party access

      Access to your data will only be provided to those individuals or entities with whom we collaborate for processing purposes and for whom we (the new or the intended recipients) can justify a legitimate ground in accordance with the GDPR or if we have an obligation legal to provide your data.

      The following entities and their employees will have access to your data:

      • Group companies

      As the Controller is part of the Nepi Rockcastle group of companies ("Group"), your personal data will be processed for the purposes of consolidated management of the Group's activities, for audit purposes and in any other situation where the law requires or permits such processing, if we (the Controller or the recipient companies in the Group) can justify a legitimate basis for doing so or if we obtain your consent to do so. The list of companies in the Group can be found at: www.nepirockcastle.com

      We will contractually require these entities and their staff to respect the confidentiality of this data, ensuring a high level of security for the processing of your data.

      We will also provide your personal data to judicial bodies, public institutions, or central and local public authorities, based on a duly substantiated request or legal obligation.

      As a rule, the Operator will not transfer your personal data to third countries outside the European Economic Area. However, if such a transfer takes place, the Operator will take appropriate protection measures to ensure the protection of the personal data transferred.

  • 4. Staff of suppliers, collaborators or tenants of the shopping centre

    • 4.1 Personal data we process

      • Identification data, such as: first name and last name, date of birth

      • Contact details, such as: email address, phone number

      • Image

      Device MAC (mobile, laptop, tablet)

    • 4.2 Use of personal data

      No.

      Purpose of processing personal data

      Legal basis of processing personal data

      1.    

      Video surveillance by means of the CCTV system installed inside the shopping centre, in the common areas, access roads, as well as car park areas

      Legitimate interest in ensuring the security of persons and property inside the shopping centre

      2.    

      Legitimate interest in ensuring the security of persons and property inside the shopping centre

      Grant access to tenants’ staff inside the shopping area outside the hours when the shopping centre is open

      3.    

      Solve requests for data and information received from the competent authorities and institutions

      Legal obligation

      4.    

      Grant access to the free WiFi network

      Perform the contract regarding the provision of our services (i.e. granting access to the facilities and services provided by the shopping centre)

      5.    

      Management of notifications/complaints submitted within the shopping centre

      Our legitimate interest in resolving complaints sent to us and in maintaining good relations with visitors/customers of the shopping centre

      6.    

      Management of requests regarding lost objects, filed inside the shopping centre

      Our legitimate interest in resolving complaints sent to us and in maintaining good relations with visitors/customers of the shopping centre

      7.    

      Carry out know-your-customer (KYC) checks in relation to potential contractual partners

      Legal obligation

      8.    

      Carry out economic, financial and/or administrative management activities

      Legal obligation

      9.    

      Settlement of disputes, investigations or any other petitions/complaints to which the Operator is a party

      Legitimate interest in defending our rights in court/in front of any competent authority

      10. 

      Archiving

      Legal obligation

      11. 

      Conducting risk controls on the Controller's procedures and processes, as well as conducting audits or investigations of the Controller

      Our legitimate interest in managing risk and ensuring compliance with the Controller's procedures and processes

    • 4.3 Storage Period

      The personal data processed are kept for the period of time necessary to comply with the legal obligations imposed on us by the regulations specific to our field of activity.

      Depending on the context in which we process your personal data, the following rules for determining the storage period will apply:

      • CCTV system: Video recordings stored by the CCTV system are usually kept for a period of 30 (thirty) days, unless the extension of their processing period is required by law or justified by legal procedures.

      • WiFi network: The device’s MAC is only stored during the period when it uses our WiFi network.

    • 4.4 Third party access

      Access to your data will only be provided to those individuals or entities with whom we collaborate for processing purposes and for whom we (the new or the intended recipients) can justify a legitimate ground in accordance with the GDPR or if we have an obligation legal to provide your data.

      The following entities and their employees will have access to your data:

      • Security and security service providers - To ensure CCTV video surveillance and access control system in parking spaces, the landlord collaborates with specialised companies, authorised by law to carry out security and surveillance activities.

      • Other service providers - With regard to the handling of complaints, grievances and/or requests regarding lost items addressed to the staff of the Info Desk offices within the shopping centres, the Controller usually collaborates with specialised service companies.

      • Controller’s Property Manager.

      We will contractually require these entities and their staff to respect the confidentiality of this data, ensuring a high level of security for the processing of your data.

      We will also provide your personal data to judicial bodies, public institutions, or central and local public authorities, based on a duly substantiated request or legal obligation.

      As a rule, the Controller will not transfer your personal data to third countries outside the European Economic Area. However, if such a transfer takes place, the Operator will take appropriate protection measures to ensure the protection of the personal data transferred.

  • 5. Security and accuracy of personal data

    • We will take all necessary security measures to protect your personal data transmitted, stored or otherwise processed against destruction, loss, unlawful or accidental change, unauthorised disclosure or unauthorised access, as well as against any other unlawful processing. The security measures we implement with regard to your personal data can ensure the confidentiality, integrity, availability and continued resilience of processing systems and services, as well as the capacity to restore the availability of and access to personal data in a timely manner if a physical or technical incident occurs.

      All personal data will be processed through secure pages using the SSL encryption system, marked with a padlock symbol, located at the top of the browser window.

      For more information on security standards on the Website, go to the “Help” section.

      In addition, for the security of the data and the confidentiality of the information transmitted through the Account, it is password protected. The Controller, or where applicable the Joint Controllers, shall make every effort and use appropriate information technology to ensure the protection and security of the data you provide to us.

      In cases provided for by the GDPR in relation to personal data breaches, the Controller, or as the case may be, each of the Joint Controllers, will duly inform the competent authorities and relevant persons.

      The Controller or Joint Controllers process personal data that are accurate and have a procedure in place to update them. Thus, the Controller/Joint Controllers shall take all necessary steps to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

  • 6. Rights of the data subjects with respect to the processing of personal data:

    • (a)   Right of access - the right to request confirmation that the personal data are processed or not by us, and if so, the data subject may request access to the data, as well as certain information about such data. Upon request in this respect, we will also issue a copy of the processed personal data. Request for additional copies will be charged on the basis of the costs actually incurred.

      (b)   Right to rectification - the right to get the inaccurate personal data rectified, as well as to supplement incomplete data, including by providing additional information.

      (c)   Right to delete data ("the right to be forgotten") - in situations expressly regulated by law, the right to obtain from us the deletion of the data. Thus, the deletion of personal data can be requested if:

      • the data are no longer necessary for the purposes for which they were collected or processed;

      • withdrawal of the consent on the basis of which processing is carried out;

      • the data subject opposes to the processing under the right of opposition;

      • processing of personal data is illegal;

      • the data must be deleted for the purpose of complying with a legal obligation incumbent on us.

      (d)   Right to restrict processing - the right to request the restriction of processing of personal data in certain circumstances expressly regulated by the law, as follows:

      • the accuracy of the data is contested, for the period when the accuracy of the concerned data is checked;

      • the processing is unlawful and the data subject opposes to the deletion of data;

      • the data subject needs these data to establish, exercise or defend certain rights in court, and our company no longer needs such data;

      • the data subject opposes to the processing of personal data for the period in which we check if our legitimate interests prevail over their interests, rights and freedoms.

      In these circumstances, except for storage, the data will not be processed anymore.

      (e)   Right to object to the processing of personal data - the right to object at any time, for reasons related to the particular situation of the data subject, to the processing (including the creation of profiles) based on our legitimate interest.

      (f)    Right to data portability - the right to receive the personal data provided in a structured, automated readable format, and the right to request that the data be passed to another controller. This right applies only to personal data provided directly by the data subject to the controller, and only if the processing of personal data is done by automated means and is legally based on either the execution of a contract or the consent of that person,

      (g)   The right to lodge a complaint - the right to lodge a complaint in relation to the methods of personal data processing. The complaint will be submitted to the National Authority for the Supervision of Personal Data Processing (“ANSPDCP”) - details at dataprotection.ro.

      (h)   Right of withdrawal of consent - the right to withdraw, at any time, the consent to the processing of personal data in cases where processing is based on consent. Withdrawal of the consent will only have effect for the future, and processing prior to the withdrawal remains valid.

      (i)    Additional rights related to automated decisions used in the delivery of services - if automated decisions are made about personal data and these decisions significantly affect the data subject, the data subject can (a) obtain human intervention with respect to said processing, (b) express their point of views on such processing, (c) obtain explanations regarding the decision made and (d) contest such decision.

      These rights (except the right to contact ANSPDCP, which can be exercised under the conditions established by this authority - in this regard you can see the official website www.dataprotection.ro) may be exercised, anytime, either individually or by aggregation, sending a letter/message in the following ways:

      • by mail, at: Calea Floreasca nr. 169A, Floreasca 169, Cladirea A, etajul 5, Sector 1, București/Bucharest, Romania

      • by email, at: Protection@nepirockcastle.com

      You can exercise the right to withdraw your consent for the transmission of direct marketing messages (newsletter) by e-mail, by accessing the dedicated unsubscribe link (unsubscribe), included in each message of this kind.

  • 7. Rights to judicial remedy

    • If you believe that your rights have been injured by the processing of your personal data by the Controller, and your questions and comments regarding this have not been answered or have not been answered in time or properly, you are entitled to lodge a complaint to the competent supervisory authority.

      Data of the competent supervisory authority:

      Name:

      Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH) [National Authority for Data Protection and Freedom]

      Address:

      1125. Budapest, Szilágyi Erzsébet fasor 22c, Hungary

      e-mail:

      ugyfelszolgalat@naih.hu

      Telephone:

      +36 1 391 1400

      Further, you are entitled to turn to the courts with jurisdiction at your residence if you believe that the Controller processes your personal data in violation of the provisions of the relevant laws or the compulsory legal act of the European Union.

      If you plan to turn to the supervisory authority or court, please first contact the Controller as it is in possession of the information necessary to respond to your questions or request for judicial remedy.

      Our company is committed to complying with the principles of legitimate, transparent or fair data processing; therefore, in situations considered to violate your rights, we shall take immediate action to clarify any questions and remedy the established violation, and we shall inform you within a maximum of 1 month of the relevant actions taken and answer your questions about processing made to the Controller.

Navigate To Section