Privacy Policy

Last updated: 18th October 2017

1.     General

mfi Immobilien Marketing GmbH, Klaus-Bungert-Straße 1, 40468 Düsseldorf, Germany, Amtsgericht Düsseldorf, HR B 75970, as the local level data controller (“Local Data Controller”) and Unibail Management S.A.S., 7 place du Chancelier Adenauer, 75016 Paris, France, registered with the Paris Register of Commerce and Companies, no. 414878389, as the Group level data controller (“Group Data Controller”); as joint data controllers (“Data Controllers”), we (“We” / “Us”) process your personal data within the context of the provisions of our loyalty program and mobile applications (jointly referred to as “Services”), which may be accessed via various media or devices and made available by us, in particular, via mobile applications, websites, or in hardcopy format. We place great emphasis on the protection of personal data. Personal data includes any information relating to an identified or identifiable individual.

The Local Data Controller collects personal data relating to shopping center, website, or application customers/visitors. They process your data in order to inform you about specific offers and events pertaining to the respective shopping center. The Group Data Controller has concluded various data processing agreements and service agreements with service providers to provide you with the technical means to register for the Loyalty Card Program or download and use the App. Furthermore, the Group Data Controller negotiates special offers for Loyalty Card holders with third parties. These offers are provided by the Local Data Controller. The Data Controllers analyze your customer behavior in order to provide you with customized offers and inform you about events you might be interested in.

If you register in writing at the customer desk or via the shopping center website, we can only offer Loyalty Card Program services and commercial information due to technical reasons.

We offer the following general services, which can be used independently:
(i)      Loyalty Card Program (“Loyalty Card Program”)
         This program includes our loyalty card, which is available for each individual shopping center. It aims at providing you with customized information.
(ii)     Shopping Center App (“App”): Our App provides general information about the Shopping Center (e.g., maps, shops, business hours). You also have the opportunity to use the Additional Services (e.g., Smart Park).
(iii)    Commercial information via e-mail (“Commercial Information”):
         As described above, the Local Data Controller and/or Group Data Controller has negotiated special conditions for its customers with various third parties. These third parties only have access to your personal data to the extent stipulated in Section 5 hereof. Based on our analysis of your customer behavior, we provide you with these specific third-party offers, provided that we have obtained your prior consent (opt-in in the user interface).

The purpose of this privacy policy (“Privacy Policy”) is to inform you about
(i)      how we collect and process the personal data that you submit or disclose to us or that is collected via your access or use of our Services and within the scope of these Services, and
(ii)     your rights, including how you can exercise them and what we can do to assist you in the exercising of your rights.

We encourage you to read this Privacy Policy carefully. By using the Services and providing your personal data to us, you acknowledge that you have been informed of our use of your personal data as set out in this Privacy Policy. If you do not wish for your personal data to be used by us as set out in this Privacy Policy, please do not provide us with your personal data. Please note that in such case, you may not have access to or be able to use all the Services features (such as customized discounts, options, and preferences).

The Services are intended for users aged sixteen (16) and older.

2.     Data Controller

The Local Data Controller for the processing of your personal data under the Loyalty Card Program and/or App is:

mfi Immobilien Marketing GmbH
Klaus-Bungert-Straße 1, 40468 Düsseldorf, Germany
Tel.: 0049 (0) 211 302 310
Fax: 0049 (0) 211 302 31 111

The Group Data Controller for the processing of your personal data under the Loyalty Card Program and/or App is:

Unibail Management S.A.S.
7 place du Chancelier Adenauer, 75016 Paris, France

3.     Data Protection Officer

The Local Data Controller has appointed Mr. Torsten Weirich, LL.M. as the Data Protection Officer. Please find his contact details below:

Torsten Weirich, LL.M.
Unibail-Rodamco Germany GmbH
Klaus-Bungert-Straße 1, 40468 Düsseldorf, Germany
Tel.: 0049 (0) 211 302 31 105
Fax: 0049 (0) 211 302 31 111

4.     Purpose of processing
How we collect personal data

We collect your personal data in different ways:

4.1.1 Registration information you provide to us
Some of our Services require you to create an account, in particular, our Loyalty Card Program and some of the features available via our App. If you create an account via the completion of the registration form, you will be asked to provide your contact details and other personal data (title, first name, last name, date of birth, postcode, e-mail address, mobile number, gender, password, your agreement to receive commercial information, and any other information necessary for the provision of our Services).

4.1.2 Registration information you allow third parties to transmit to us
Some of our Services require you to create an account via a third party, in particular, our promotional activities. If you create an account via a third party, within the scope of our Services, this third party will submit the personal data provided during the sign-up process to us (including first name, last name, and e-mail address). In this event, the supplementary privacy policies established by the respective third parties, under which you authorize third parties to transfer your personal data to us, may apply to you as well.

4.1.3 Registration information you allow social networks to transmit to us
If you create an account via your social network account (i.e., Facebook, Google+, or Twitter), upon your prior consent, the relevant social network will submit your personal data to us (including first name, last name, user name, profile picture, e-mail address, gender, date of birth, education, school, job title), your address (country, city, street address, post code, phone number), your “likes” (e.g., websites, favorite movies, favorite music, favorite TV shows), posts, friend lists, and any other information you qualify as publicly available.

4.1.4 Personal data we collect when you use our Services.
    a) When you use the loyalty card, we collect and process
         • information relating to your shopping profile;
         • the frequency and duration of your visits;
         • information relating to your purchasing and visitor behavior (especially tracking); and
         • if you registered for the Loyalty Card Program via your social network account, information related to your interactions with the Loyalty Card Program on such social network.
    b) When you use our mobile application or website Services as a registered user, we collect and process:
         • the information detailed above (Sec. 4.1.4 a)
         • personal data that you add to your profile (e.g., user name or nickname, profile picture, and password);
         • personal data included in the content that you post, upload, contribute to, or otherwise make available on or via the Services, such as your timeline, likes, look books, wish lists, or contact lists;
         • if you are connected to the Services via a social network account, information related to your interactions with the Services on such social network;
         • information about the frequency of your visits, your movements, and your location within the shopping center, provided that we have obtained your prior consent. Please refer to Section 4.2.2 a) below for further details; and
         • technical data.


4.2.1 General use
We use your personal data to
    • manage and provide the Services to you;
    • manage your registration;
    • analyze your use of the Services and, subject to your prior consent, combine the personal data collected from the use of different Services (the loyalty card, our mobile applications, our websites, our social media accounts, and our promotional activities) to improve our understanding of your expectations and needs and to develop new features and services;
    • provide customized information and promotional material to you. We will only use your personal data for the purpose of sending promotional material relating to the Loyalty Card Program if you do not choose to opt out;
    • measure, test, and monitor the metrics and the effectiveness of our Services;
    • to use our Services via an App, you have to download the Shopping Center App to your mobile device. Once you have downloaded the Shopping Center App, you can decide whether you want to use the Additional Services (cf. Specific Use, Section 4.2.2), such as “Smart Park”, and whether you want to join the Loyalty Card Program. Those services will not be automatically activated; and
    • ensure the technical operability of the Services and protect your personal data against any theft, loss, damage, or unauthorized access.

If you cancel the registration process, your personal data will not be stored. We will delete your personal data immediately, without any further processing. We may keep a minimal amount of data, if necessary to substantiate that your data has been deleted and when.

As described in Sec. 4.1.4 above, we use your personal data to analyze your customer behavior; however, such analysis of your customer behavior does not have any legal impact on or otherwise significantly affect you. Information about how you use the Services is used solely to customize our promotional materials for you, so we can offer you services and products that match your preferences and needs. The sole purpose of profiling is to provide you with tailored benefits and options. The profiled data is not used in any other manner and is not shared with any third parties not explicitly named in this Privacy Policy, unless we use the following service providers [link] to perform our services. We assure you that the analysis of your customer behavior will not have any negative impact on you.

4.2.2 Specific use

(i) General principle
Subject to your express prior consent, information related to your location within our shopping center may be collected and processed by us while you are logged in to our mobile applications in order to measure the frequency of your visits as well as your movements within our shopping center and/or to provide the “Meet My Friends” Service.
Geo-tracking only takes place if you activate the Additional Services/specific use option in the settings of your Shopping Center App. You can deactivate the use of the Additional Services in the settings at any time via your Shopping Center App.
(ii) How we use your geo-tracking information
In order to be tracked within the shopping center, you will be required to activate the Bluetooth feature on your mobile device. If you only want to view the map and your contacts’ locations via the “Meet My Friends” Service, activation of the Bluetooth feature will not be required. Please note that we will not track you outside our shopping center and you will not be able to share your location via the “Meet My Friends” Service outside our shopping center. Geo-tracking is carried out via the Bluetooth beacons, which are only installed in the shopping center common areas.
(iii) What is the “Meet My Friends” Service?
The “Meet My Friends” Service allows you to share your location within our shopping center with other users of the Service or only with friends who also use the Service, depending on your settings. Thus, when you visit the shopping center, you know your friends’ locations within the shopping center and can meet them at specific locations or suggest meeting places.
(iv) How your geo-tracking information is shared on “Meet My Friends”
For the purpose of the provision of the “Meet My Friends” Service, some features may require that your geo-tracking data be shared with your contacts, depending on your settings.
If you used your Facebook, Google, or Twitter account to create your account with us, you will be able to locate your contacts from such social network, provided that it also uses the “Meet My Friends” Service, and ask them to share their respective locations.
We may also share your geo-tracking information with the recipients named in “How we share and disclose your personal data” section below (Section 5.1).
(v) How to manage your geo-tracking preferences
(v.i) Via your mobile settings
When you first log in via your mobile device, we will ask for your permission to activate the geo-tracking function.
If you agree to the activation of geo-tracking on your mobile device, this function will be effective immediately and will be enabled for any future connections to our mobile application as well as for any future visits to our shopping center.
You may disable geo-tracking on your mobile device via your mobile settings at any time.
(v.ii) Via “Meet My Friends”
Upon your first connection to the “Meet My Friends” Service, we will ask for your permission to enable the geo-tracking function on your mobile device and share your geo-tracking data.
If you agree to the activation of geo-tracking on your mobile device and the sharing of your geo-tracking data, this function will be effective immediately and will be enabled for any future connections, unless you deactivate map visibility and, thus, temporarily modify your geo-tracking settings. You may also permanently deactivate geo-tracking in your profile settings at any time.
You can configure your location-sharing settings by selecting one of the following options:
• visible to all users of the “Meet My Friends” Service; or
• visible only to your contacts; or
• not visible to any users of the “Meet My Friends” Service. This is the default setting.
The visibility parameters that you select will be stored and applicable each time you use the mobile application. In addition, you will be able to directly access the visibility settings on the map at any time and temporarily change your settings for the duration of that particular session.
b) Additional Services
We have developed the “Smart Park” and “In & Out” Services to improve your experience when visiting our shopping centers.
When you log in to your user account to use the “Smart Park” Service, we will process your personal data in order to activate geo-tracking of your car within the parking areas of our shopping centers, as described in Section 4.2.2 lit. a); this data will not be processed for any other purpose. If you do not log in to your user account, no personal data will be processed. If you log in to your user account, we will process your personal data as authorized.
If you wish to benefit from the “In & Out” Service, we will process the personal data you provided when creating your user account. In particular, the license plate recognition feature and data processing enable the parking system to automatically open the gate when you enter or leave our shopping center parking garage.
In addition, we may process the personal data provided as a result of your use of the “Smart Park” and “In & Out” Services to inform you about any new services that we develop that may be of interest to you.
Your personal data will not be shared with or made available to third parties or used for any other purposes than the aforementioned “Meet My Friends” and Additional Services.
c) Links to other websites
We may provide hypertext links from the Services or communications you receive via the Services to third-party websites or Internet sources. We do not control such third-party websites or Internet sources and cannot be held liable for third-party privacy policies or web content. Please read the respective third-party privacy policies carefully to find out how your personal data is collected and processed.

4.3 Data processing within and outside the EEA

We use third-party service providers to provide the Services to you and to process your personal data on our behalf. Such third-party service providers are always subject to security and confidentiality obligations consistent with this Privacy Policy and applicable law. Please note that some third-party service providers are located outside the EEA (European Economic Area) and, thus, access and process your personal data from such locations. In the case of such transfer outside the EEA, we utilize the model clauses adopted by the European Commission to ensure that your personal data is subjected to an adequate level of protection when accessed and processed from such locations, or we/the third-party service providers use other acknowledged means to process personal data outside the EEA, such as Binding Corporate Rules or the EU/US Privacy Shield. Information on the model clauses can be found here. Information on the EU/US Privacy Shield can be found here. The list of the current third-party service providers that we engage for data processing is published at [link]. The list is regularly updated and includes company names, company addresses, and specific processing by the service providers, if they have access to your personal data.

We have entered into specific data processing agreements with each service provider listed above and have reviewed their general technical and organizational measures. The service providers are only authorized to process data under the regulations of this Privacy Policy, only on our behalf, and according to our instructions. No additional processing, use, or sub-data processing is allowed without our knowledge with regard to data transferred outside the EEA.

We use the service providers listed on the attachment [link] for various purposes, as described below:

If you register for our Loyalty Card Program in writing at our customer desk, a hostess service (“Customer Information”) will be available to help you enter your personal data.

We use a service provider, who will send you a registration e-mail, for account management during the registration process (“Registration Account Manager”). At a minimum, you must provide your first name, last name, date of birth, and e-mail address. The Registration Account Manager will provide you with an initial password and will manage your password settings.

(ii) CRM (Customer Relationship Management):
We use a service provider for CRM Management (“CRM Manager”). The CRM Manager has full access to the personal data you enter into the Loyalty Card Program or App. The CRM Manager combines other data you provide to us (e.g., for Wi-Fi registration) in your data set.

(iii) Analysis of customer behavior:
We use a service provider for the analysis of your customer behavior (“Analysis Manager”). The Analysis Manager analyzes your user behavior based on your settings, your personal data, and your geo-tracking information.

We use service providers for customized e-mailing (“E-mail Manager”). If you register for the use of our services, the Group Data Controller will send you a welcome e-mail on behalf of the Local Data Controller.

Based on the analysis of your customer behavior by the Analysis Manager, you will receive personalized e-mails and push messages from the E-mail Manager on behalf of the Local Data Controller. Accordingly, the E-mail Manager will have access to your e-mail-address, first name, and last name.

(v) Data storage:
We use an external provider for data storage (“Data Storage Manager”). The Data Storage Manager is not allowed to use your personal data in any manner. We use this service to store our CRM database on an external server.

4.4 Note on RFID CHIPS

In order for you to benefit from our Loyalty Program, e.g., to use certain Services we offer, we use an RFID chip that is integrated into the loyalty card. Members of the loyalty program can use the RFID chip to register with the participating shopping centers and to use their Services.
RFID technology is based on chips that transmit information via radio. Transmission is not externally identifiable. The chip is integrated into the loyalty card. A reading device emits radio signals via a pre-set frequency, which is picked up by the RFID chip. The data stored on the chip is then transmitted to the reading device.
The RFID chip contains a Unique Identification Number (UID) that differs from the member number. UIDs are exclusively processed by URG GmbH. On its own, the data stored on the RFID chip does not reveal the identity of the card holder. In order for members to use our Services, the UID stored on the RFID chip is transmitted to us. The Services used are matched in our database and are transmitted to the RFID reader, using the UID. No other personal data is transmitted. The RFID chip is not used for any other reason than the aforementioned purpose.
We must be immediately notified in cases of loss or destruction of membership cards or chips. Upon such notification, we will immediately block the membership number stored on the RFID chip for utilization of the Loyalty Card Program and issue a new membership card with a new UID.

4.5 Information on bar codes
In order for you to benefit from our Loyalty Card Program, the loyalty card has been equipped with a bar code. The bar code is scanned at the participating shops for the purpose of authentication, e.g., to qualify for discounts. The lessees at the respective shopping center see the confirmation on their displays that the loyalty card is active and that certain benefits can be granted. No personal data is transmitted to the lessees.
The bar code scanner informs us that the loyalty card has been used. Combined with the scanner location, we can identify where the loyalty card has been used. We do not receive any further information, e.g., what products have been bought, what prices have been paid, or what discounts have been granted.

4.6 Data Security

Protecting your privacy and your personal data is our priority. If, as a registered user, you receive a password, you should keep it confidential, limit access to your computer or mobile device, and sign off after using the Services. Learn more about your responsibilities here: [link]
We take appropriate security measures, especially technical and organizational measures, to protect your personal data against any accidental loss, destruction, misuse, damage, or unauthorized or unlawful access. However, please be aware that no information transmission via the Internet or storage technology can be guaranteed to be 100% secure.
The controllers have entered into a data processing agreement ensuring, in particular, appropriate security measures. mfi Immobilien Marketing GmbH is the controller responsible for compliance with your requirements, with whom you may exercise all your rights with respect to our processing of your personal data.

5. Transfer and sharing of personal data (recipients of personal data)


We share the personal data we collect through the Services as follows:
5.1.1 Sharing with third parties
We may share your personal data with the following third parties:
• any companies that are affiliated with us within the meaning of Art. 15 et seq. AktG (German Stock Corporation Act) in order to develop and test new services and features;
• in an anonymized format, ensuring you cannot be identified, with partner brands located in our shopping center in order to allow them to send you advertisements that they believe may be of interest to you;
• in an anonymized format, ensuring you cannot be identified, with our advertising and marketing partners;
• our service providers, as described in Section 4.3 above;
• to meet legal or regulatory requests, court orders, subpoenas, or legal processes, if required under applicable law;
• any transferee, when personal data is submitted as part of the sale or other transfer of all or part of our assets to another company.
5.1.2 Sharing with parties of your choice
• Sharing with other users of the Services. Any information or content that you voluntarily disclose via our mobile application or website Services becomes available to users of the Services that have been previously authorized. Such Services enable you to share all or part of your content and personal data, on an individual basis, to the users of your contact list by changing your share settings within the Services.
• Sharing with social networks. If you access the Services via your social network account (such as Facebook, Google+, or Twitter) or click on one of the social network plug-in buttons or links (e.g., Facebook “Like” button or Google “+” button) available through the Services, your content and personal data will be shared with the relevant social networks. You understand that such information may be published on your social network under your account.
You understand and agree that the use of your personal data, including information shared with social networks via the Services, by social networks is governed by their respective privacy policies. If you do not want social networks to collect information about you, please review the privacy policy of the relevant social network and/or log out of the relevant social network before using our Services.

6. Term of data storage

We process your personal data based on the consent you grant to us for these purposes for the period during which you make use of our Services.
Please note: We will automatically delete or block your personal data from further use if you have not used our Services under the Loyalty Card Program for more than 3 years (last contact with you or last use of services by you).

7. Your rights as a data subject

If you exercise any of your rights, pursuant to this section or pursuant to applicable law, we will communicate any correction or deletion of your personal data or restriction of processing carried out in accordance with your request to each recipient to whom the personal data has been disclosed, pursuant to Section 5 of this Privacy Policy, unless such communication proves impossible or involves disproportionate effort.

If you wish to exercise these rights and/or obtain all relevant information, please contact the Local Data Controller or the Data Protection Officer. You will be asked to provide some of the identification information that you submitted upon your registration; this is necessary to verify that the request has been sent by you. We will respond within 1 month after receipt of your request, but we reserve the right to extend this period by 2 months. We will, in any event, inform you within 1 month after receipt of your request if we decide to extend the response period.

7.1 What you may request

In accordance with applicable law and as detailed below, you have the right to request access to, correction, deletion, or portability of (e.g., transfer of your personal data to another service provider) your personal data, as well as to request restriction of such processing.

7.2 Correction of your personal data

Under applicable law, you have the right to correct the personal data you have shared with us. Via your settings in the Services, you can update your account information, change your profile settings, subscribe to/unsubscribe from communication you receive from us, and set your Services sharing preferences, including location-based functionalities.
Please note that if you wish to limit or change access to or sharing of your personal data with a social network, you must change your account settings on that social network.
If you registered for our Services in written format, please contact the Data Controllers detailed in Section 2 above in writing or via e-mail to correct your personal data.

7.3 Accuracy of your personal data

We will take adequate steps to ensure that you are able to keep your personal data up to date. You may contact us at any time and request confirmation regarding whether or not we still process your personal data.
If you find that the personal data processed is inaccurate or incomplete and you are unable to update your personal data according to Section 7.2 of this Privacy Policy, you may ask us to update your personal data. We will verify your identity and update your personal data.

7.4 Deletion of your personal data

You may ask us to delete your personal data at any time. If you approach us with such a request, we will delete all your personal data without undue delay, provided that your personal data is no longer necessary for provision of the Services. We will also delete (and ensure deletion by the processors that we engage) all your personal data if you withdraw your consent or if we are required to do so under applicable law.

7.5 Restriction of processing

If you ask us to restrict the processing of your personal data, e.g., when you contest the accuracy, lawfulness, or our need to process your personal data, we will limit processing of your personal data to the necessary minimum (storage) and, if applicable, will only process it for the establishment, exercise, or defense of legal claims or, where necessary, for the protection of the rights of another natural or legal person, or other limited reasons dictated by applicable law. Once the restriction is lifted and we continue processing your personal data, you will be informed accordingly without undue delay.

7.6 Objection to direct marketing

If you no longer wish to receive commercial information and/or no longer wish to take part in the Loyalty Card Program and/or no longer wish to use the App or no longer want your personal data to be used to analyze your customer behavior as related to such marketing or promotional activities, you may request that we cease the use of your personal data for these purposes, and we will do so without undue delay. You may also only object to profiling. In such case, you will no longer be able to benefit from some of our Services or specific features for which this category of processing is essential (i.e., the receipt of [personalized] marketing and promotional materials).

If you withdraw your consent to receiving commercial information, you will not receive any third-party commercial information. Please be aware that you will receive commercial information concerning Shopping Center events and offers, which forms an essential part of the Loyalty Card Program.

7.7 Portability of your personal data

You have the right to receive the personal data that you provide to us. Upon receipt of your request, we will submit your personal data in a commonly used and machine-readable format without undue delay. Upon request, we will send your personal data to any third party (data controller) that you identify in your request, unless such request would adversely affect the rights or freedoms of others, and where technically feasible.

7.8 Withdrawal of your consent

You may withdraw your consent at any time, without indication of reason. Please contact the Data Controllers or Data Protection Officer via e-mail or in writing. We will block your personal data from any further processing. Please note that withdrawing your consent will not affect the lawfulness of any processing done during the period of prior consent.

Please be aware that it will not be possible to use the Loyalty Card Program Services or part of the Services if you withdraw your consent.

You can deactivate the Additional Services, such as “Smart Park” and “In & Out”, in the App settings. You need not withdraw your consent in this case.

If you withdraw your consent or deactivate your settings in the App, the Services not affected thereby can still be used.

7.9 Complaint to a data protection authority

You have the right to submit a complaint concerning our data processing activities. Please address your complaint to:
Landesbeauftragter für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
Kavalleriestraße 2-4, 40213 Düsseldorf, Germany
Phone: 0049 (0) 211 38 424 0
Fax: 0049 (0) 211 38 421 10

8. Provision of your personal data

You provide your personal data to us on a voluntary basis, which you consented to during registration and as part of a contractual requirement to use the Services. If you do not provide us with your personal data, you may not have access to and/or use of all the features of the Services (such as tailored discounts, options, and preferences). By providing your personal data to us, you can benefit from all the Services features and personalized offers we may send you from time to time; you can also help us improve our Services and analysis of your data, as described in this Privacy Policy.

9. Automated decision-making / profiling
Currently, there is no automated decision-making process or profiling that would legally or otherwise affect you. However, we will provide you with specific offers based on your individual personal data and analysis of your user behavior. You may object to profiling as stated in Section 7.6 above.

10. Updates of Privacy Policy

We may revise or update this Privacy Policy from time to time. Any changes to this Privacy Policy will become effective upon the posting of the revised Privacy Policy via the Services. If we make changes we consider significant and that require your consent under applicable law, we will inform you via the Services and seek your consent where applicable.