Last updated: 18th October 2017
mfi Immobilien Marketing GmbH, Klaus-Bungert-Straße 1, 40468 Düsseldorf, Deutschland, Amtsgericht Düsseldorf, HR B 75970, as the local level data controller (“Local Data Controller”) and Unibail Management S.A.S., 7 place du Chancelier Adenauer, 75016 Paris, France, registered with the Paris Register of Commerce and Companies, no. 414878389, as the Group level data controller (“Group Data Controller”); as joint data controllers (“Data Controllers”), we (“We” / “Us”) process your personal data within the context of the provisions of our loyalty program and mobile applications (jointly referred to as “Services”), which may be accessed via various media or devices and made available by us, in particular, via mobile applications, websites, or in hardcopy format. We place great emphasis on the protection of personal data. Personal data includes any information relating to an identified or identifiable individual.
The Local Data Controller collects personal data relating to shopping center, website, or application customers/visitors. They process your data in order to inform you about specific offers and events pertaining to the respective shopping center. The Group Data Controller has concluded various data processing agreements and service agreements with service providers to provide you with the technical means to register for the Loyalty Card Program or download and use the App. Furthermore, the Group Data Controller negotiates special offers for Loyalty Card holders with third parties. These offers are provided by the Local Data Controller. The Data Controllers analyze your customer behavior in order to provide you with customized offers and inform you about events you might be interested in.
If you register in writing at the customer desk or via the shopping center website, we can only offer Loyalty Card Program services and commercial information due to technical reasons.
We offer the following general services, which can be used independently:
(i) Loyalty Card Program (“Loyalty Card Program”)
This program includes our loyalty card, which is available for each individual shopping center. It aims at providing you with customized information.
(ii) Shopping Center App (“App”): Our App provides general information about the Shopping Center (e.g., maps, shops, business hours). You also have the opportunity to use the Additional Services (e.g., Smart Park).
(iii) Commercial information via e-mail (“Commercial Information”):
As described above, the Local Data Controller and/or Group Data Controller has negotiated special conditions for its customers with various third parties. These third parties only have access to your personal data to the extent stipulated in Section 5 hereof. Based on our analysis of your customer behavior, we provide you with these specific third-party offers, provided that we have obtained your prior consent (opt-in in the user interface).
(i) how we collect and process the personal data that you submit or disclose to us or that is collected via your access or use of our Services and within the scope of these Services, and
(ii) your rights, including how you can exercise them and what we can do to assist you in the exercising of your rights.
The Services are intended for users aged sixteen (16) and older.
2. Data Controller
The Local Data Controller for the processing of your personal data under the Loyalty Card Program and/or App is:
mfi Immobilien Marketing GmbH
Klaus-Bungert-Straße 1, 40468 Düsseldorf, Germany
Tel.: 0049 (0) 211 302 310
Fax: 0049 (0) 211 302 31 111
The Group Data Controller for the processing of your personal data under the Loyalty Card Program and/or App is:
Unibail Management S.A.S.
7 place du Chancelier Adenauer, 75016 Paris, France
3. Data Protection Officer
The Local Data Controller has appointed Mr. Torsten Weirich, LL.M. as the Data Protection Officer. Please find his contact details below:
Torsten Weirich, LL.M.
Unibail-Rodamco Germany GmbH
Klaus-Bungert-Straße 1, 40468 Düsseldorf, Deutschland
Tel.: 0049 (0) 211 302 31 105
Fax: 0049 (0) 211 302 31 111
4. Purpose of processing
How we collect personal data
We collect your personal data in different ways:
4.1.1 Registration information you provide to us
Some of our Services require you to create an account, in particular, our Loyalty Card Program and some of the features available via our App. If you create an account via the completion of the registration form, you will be asked to provide your contact details and other personal data (title, first name, last name, date of birth, postcode, e-mail address, mobile number, gender, password, your agreement to receive commercial information, and any other information necessary for the provision of our Services).
4.1.2 Registration information you allow third parties to transmit to us
Some of our Services require you to create an account via a third party, in particular, our promotional activities. If you create an account via a third party, within the scope of our Services, this third party will submit the personal data provided during the sign-up process to us (including first name, last name, and e-mail address). In this event, the supplementary privacy policies established by the respective third parties, under which you authorize third parties to transfer your personal data to us, may apply to you as well.
4.1.3 Registration information you allow social networks to transmit to us
If you create an account via your social network account (i.e., Facebook, Google+, or Twitter), upon your prior consent, the relevant social network will submit your personal data to us (including first name, last name, user name, profile picture, e-mail address, gender, date of birth, education, school, job title), your address (country, city, street address, post code, phone number), your “likes” (e.g., websites, favorite movies, favorite music, favorite TV shows), posts, friend lists, and any other information you qualify as publicly available.
4.1.4 Personal data we collect when you use our Services.
a) When you use the loyalty card, we collect and process
• information relating to your shopping profile;
• the frequency and duration of your visits;
• information relating to your purchasing and visitor behavior (especially tracking); and
• if you registered for the Loyalty Card Program via your social network account, information related to your interactions with the Loyalty Card Program on such social network.
b) When you use our mobile application or website Services as a registered user, we collect and process:
• the information detailed above (Sec. 4.1.4 a);
• personal data that you add to your profile (e.g., user name or nickname, profile picture, and password);
• personal data included in the content that you post, upload, contribute to, or otherwise make available on or via the Services, such as your timeline, likes, look books, wish lists, or contact lists;
• if you are connected to the Services via a social network account, information related to your interactions with the Services on such social network;
• information about the frequency of your visits, your movements, and your location within the shopping center, provided that we have obtained your prior consent. Please refer to Section 4.2.2 a) below for further details; and
4.2 HOW WE USE YOUR PERSONAL DATA
4.2.1 General use
We use your personal data to
• manage and provide the Services to you;
• manage your registration;
• analyze your use of the Services and, subject to your prior consent, combine the personal data collected from the use of different Services (the loyalty card, our mobile applications, our websites, our social media accounts, and our promotional activities) to improve our understanding of your expectations and needs and to develop new features and services;
• provide customized information and promotional material to you. We will only use your personal data for the purpose of sending promotional material relating to the Loyalty Card Program if you do not choose to opt out;
• measure, test, and monitor the metrics and the effectiveness of our Services;
• to use our Services via an App, you have to download the Shopping Center App to your mobile device. Once you have downloaded the Shopping Center App, you can decide whether you want to use the Additional Services (cf. Specific Use, Section 4.2.2), such as “Smart Park”, and whether you want to join the Loyalty Card Program. Those services will not be automatically activated; and
• ensure the technical operability of the Services and protect your personal data against any theft, loss, damage, or unauthorized access.
If you cancel the registration process, your personal data will not be stored. We will delete your personal data immediately, without any further processing. We may keep a minimal amount of data, if necessary to substantiate that your data has been deleted and when.
Subject to your express prior consent, information related to your location within our shopping center may be collected and processed by us while you are logged in to our mobile applications in order to measure the frequency of your visits as well as your movements within our shopping center and/or to provide the “Meet My Friends” Service.
Geo-tracking only takes place if you activate the Additional Services/specific use option in the settings of your Shopping Center App. You can deactivate the use of the Additional Services in the settings at any time via your Shopping Center App.
(ii) How we use your geo-tracking information
In order to be tracked within the shopping center, you will be required to activate the Bluetooth feature on your mobile device. If you only want to view the map and your contacts’ locations via the “Meet My Friends” Service, activation of the Bluetooth feature will not be required. Please note that we will not track you outside our shopping center and you will not be able to share your location via the “Meet My Friends” Service outside our shopping center. Geo-tracking is carried out via the Bluetooth beacons, which are only installed in the shopping center common areas.
(iii) What is the “Meet My Friends” Service?
The “Meet My Friends” Service allows you to share your location within our shopping center with other users of the Service or only with friends who also use the Service, depending on your settings. Thus, when you visit the shopping center, you know your friends’ locations within the shopping center and can meet them at specific locations or suggest meeting places.
(iv) How your geo-tracking information is shared on “Meet My Friends”
For the purpose of the provision of the “Meet My Friends” Service, some features may require that your geo-tracking data be shared with your contacts, depending on your settings.
If you used your Facebook, Google, or Twitter account to create your account with us, you will be able to locate your contacts from such social network, provided that it also uses the “Meet My Friends” Service, and ask them to share their respective locations.
We may also share your geo-tracking information with the recipients named in “How we share and disclose your personal data” section below (Section 5.1).
(v) How to manage your geo-tracking preferences
(v.i) Via your mobile settings
When you first log in via your mobile device, we will ask for your permission to activate the geo-tracking function.
If you agree to the activation of geo-tracking on your mobile device, this function will be effective immediately and will be enabled for any future connections to our mobile application as well as for any future visits to our shopping center.
You may disable geo-tracking on your mobile device via your mobile settings at any time.
(v.ii) Via “Meet My Friends”
Upon your first connection to the “Meet My Friends” Service, we will ask for your permission to enable the geo-tracking function on your mobile device and share your geo-tracking data.
If you agree to the activation of geo-tracking on your mobile device and the sharing of your geo-tracking data, this function will be effective immediately and will be enabled for any future connections, unless you deactivate map visibility and, thus, temporarily modify your geo-tracking settings. You may also permanently deactivate geo-tracking in your profile settings at any time.
You can configure your location-sharing settings by selecting one of the following options:
• visible to all users of the “Meet My Friends” Service; or
• visible only to your contacts; or
• not visible to any users of the “Meet My Friends” Service. This is the default setting.
The visibility parameters that you select will be stored and applicable each time you use the mobile application. In addition, you will be able to directly access the visibility settings on the map at any time and temporarily change your settings for the duration of that particular session.
We have developed the “Smart Park” and “In & Out” Services to improve your experience when visiting our shopping centers.
When you log in to your user account to use the “Smart Park” Service, we will process your personal data in order to activate geo-tracking of your car within the parking areas of our shopping centers, as described in Section 4.2.2 lit. a); this data will not be processed for any other purpose. If you do not log in to your user account, no personal data will be processed. If you log in to your user account, we will process your personal data as authorized.
If you wish to benefit from the “In & Out” Service, we will process the personal data you provided when creating your user account. In particular, the license plate recognition feature and data processing enable the parking system to automatically open the gate when you enter or leave our shopping center parking garage.
In addition, we may process the personal data provided as a result of your use of the “Smart Park” and “In & Out” Services to inform you about any new services that we develop that may be of interest to you.
Your personal data will not be shared with or made available to third parties or used for any other purposes than the aforementioned “Meet My Friends” and Additional Services.
c) Links to other websites
We may provide hypertext links from the Services or communications you receive via the Services to third-party websites or Internet sources. We do not control such third-party websites or Internet sources and cannot be held liable for third-party privacy policies or web content. Please read the respective third-party privacy policies carefully to find out how your personal data is collected and processed.
4.3 Data processing within and outside the EEA
We use the service providers listed on the attachment [link] for various purposes, as described below:
If you register for our Loyalty Card Program in writing at our customer desk, a hostess service (“Customer Information”) will be available to help you enter your personal data.
We use a service provider, who will send you a registration e-mail, for account management during the registration process (“Registration Account Manager”). At a minimum, you must provide your first name, last name, date of birth, and e-mail address. The Registration Account Manager will provide you with an initial password and will manage your password settings.
(ii) CRM (Customer Relationship Management):
We use a service provider for CRM Management (“CRM Manager”). The CRM Manager has full access to the personal data you enter into the Loyalty Card Program or App. The CRM Manager combines other data you provide to us (e.g., for Wi-Fi registration) in your data set.
(iii) Analysis of customer behavior:
We use a service provider for the analysis of your customer behavior (“Analysis Manager”). The Analysis Manager analyzes your user behavior based on your settings, your personal data, and your geo-tracking information.
We use service providers for customized e-mailing (“E-mail Manager”). If you register for the use of our services, the Group Data Controller will send you a welcome e-mail on behalf of the Local Data Controller.
Based on the analysis of your customer behavior by the Analysis Manager, you will receive personalized e-mails and push messages from the E-mail Manager on behalf of the Local Data Controller. Accordingly, the E-mail Manager will have access to your e-mail-address, first name, and last name.
We use an external provider for data storage (“Data Storage Manager”). The Data Storage Manager is not allowed to use your personal data in any manner. We use this service to store our CRM database on an external server.
4.4 Note on RFID CHIPS
In order for you to benefit from our Loyalty Program, e.g., to use certain Services we offer, we use an RFID chip that is integrated into the loyalty card. Members of the loyalty program can use the RFID chip to register with the participating shopping centers and to use their Services.
RFID technology is based on chips that transmit information via radio. Transmission is not externally identifiable. The chip is integrated into the loyalty card. A reading device emits radio signals via a pre-set frequency, which is picked up by the RFID chip. The data stored on the chip is then transmitted to the reading device.
The RFID chip contains a Unique Identification Number (UID) that differs from the member number. UIDs are exclusively processed by URG GmbH. On its own, the data stored on the RFID chip does not reveal the identity of the card holder. In order for members to use our Services, the UID stored on the RFID chip is transmitted to us. The Services used are matched in our database and are transmitted to the RFID reader, using the UID. No other personal data is transmitted. The RFID chip is not used for any other reason than the aforementioned purpose.
We must be immediately notified in cases of loss or destruction of membership cards or chips. Upon such notification, we will immediately block the membership number stored on the RFID chip for utilization of the Loyalty Card Program and issue a new membership card with a new UID.
4.5 Information on bar codes
In order for you to benefit from our Loyalty Card Program, the loyalty card has been equipped with a bar code. The bar code is scanned at the participating shops for the purpose of authentication, e.g., to qualify for discounts. The lessees at the respective shopping center see the confirmation on their displays that the loyalty card is active and that certain benefits can be granted. No personal data is transmitted to the lessees.
The bar code scanner informs us that the loyalty card has been used. Combined with the scanner location, we can identify where the loyalty card has been used. We do not receive any further information, e.g., what products have been bought, what prices have been paid, or what discounts have been granted.
Protecting your privacy and your personal data is our priority. If, as a registered user, you receive a password, you should keep it confidential, limit access to your computer or mobile device, and sign off after using the Services. Learn more about your responsibilities here: [link]
We take appropriate security measures, especially technical and organizational measures, to protect your personal data against any accidental loss, destruction, misuse, damage, or unauthorized or unlawful access. However, please be aware that no information transmission via the Internet or storage technology can be guaranteed to be 100% secure.
The controllers have entered into a data processing agreement ensuring, in particular, appropriate security measures. mfi Immobilien Marketing GmbH is the controller responsible for compliance with your requirements, with whom you may exercise all your rights with respect to our processing of your personal data.
5. Transfer and sharing of personal data (recipients of personal data)
5.1 HOW WE SHARE AND DISCLOSE YOUR PERSONAL DATA
We share the personal data we collect through the Services as follows:
5.1.1 Sharing with third parties
We may share your personal data with the following third parties:
• any companies that are affiliated with us within the meaning of Art. 15 et seq. AktG (German Stock Corporation Act) in order to develop and test new services and features;
• in an anonymized format, ensuring you cannot be identified, with partner brands located in our shopping center in order to allow them to send you advertisements that they believe may be of interest to you;
• in an anonymized format, ensuring you cannot be identified, with our advertising and marketing partners;
• our service providers, as described in Section 4.3 above;
• to meet legal or regulatory requests, court orders, subpoenas, or legal processes, if required under applicable law;
• any transferee, when personal data is submitted as part of the sale or other transfer of all or part of our assets to another company.
5.1.2 Sharing with parties of your choice
• Sharing with other users of the Services. Any information or content that you voluntarily disclose via our mobile application or website Services becomes available to users of the Services that have been previously authorized. Such Services enable you to share all or part of your content and personal data, on an individual basis, to the users of your contact list by changing your share settings within the Services.
• Sharing with social networks. If you access the Services via your social network account (such as Facebook, Google+, or Twitter) or click on one of the social network plug-in buttons or links (e.g., Facebook “Like” button or Google “+” button) available through the Services, your content and personal data will be shared with the relevant social networks. You understand that such information may be published on your social network under your account.
6. Term of data storage
We process your personal data based on the consent you grant to us for these purposes for the period during which you make use of our Services.
Please note: We will automatically delete or block your personal data from further use if you have not used our Services under the Loyalty Card Program for more than 3 years (last contact with you or last use of services by you).
7. Your rights as a data subject
If you wish to exercise these rights and/or obtain all relevant information, please contact the Local Data Controller or the Data Protection Officer. You will be asked to provide some of the identification information that you submitted upon your registration; this is necessary to verify that the request has been sent by you. We will respond within 1 month after receipt of your request, but we reserve the right to extend this period by 2 months. We will, in any event, inform you within 1 month after receipt of your request if we decide to extend the response period.
7.1 What you may request
In accordance with applicable law and as detailed below, you have the right to request access to, correction, deletion, or portability of (e.g., transfer of your personal data to another service provider) your personal data, as well as to request restriction of such processing.
7.2 Correction of your personal data
Under applicable law, you have the right to correct the personal data you have shared with us. Via your settings in the Services, you can update your account information, change your profile settings, subscribe to/unsubscribe from communication you receive from us, and set your Services sharing preferences, including location-based functionalities.
Please note that if you wish to limit or change access to or sharing of your personal data with a social network, you must change your account settings on that social network.
If you registered for our Services in written format, please contact the Data Controllers detailed in Section 2 above in writing or via e-mail to correct your personal data.
7.3 Accuracy of your personal data
We will take adequate steps to ensure that you are able to keep your personal data up to date. You may contact us at any time and request confirmation regarding whether or not we still process your personal data.
7.4 Deletion of your personal data
You may ask us to delete your personal data at any time. If you approach us with such a request, we will delete all your personal data without undue delay, provided that your personal data is no longer necessary for provision of the Services. We will also delete (and ensure deletion by the processors that we engage) all your personal data if you withdraw your consent or if we are required to do so under applicable law.
7.5 Restriction of processing
If you ask us to restrict the processing of your personal data, e.g., when you contest the accuracy, lawfulness, or our need to process your personal data, we will limit processing of your personal data to the necessary minimum (storage) and, if applicable, will only process it for the establishment, exercise, or defense of legal claims or, where necessary, for the protection of the rights of another natural or legal person, or other limited reasons dictated by applicable law. Once the restriction is lifted and we continue processing your personal data, you will be informed accordingly without undue delay.
7.6 Objection to direct marketing
If you no longer wish to receive commercial information and/or no longer wish to take part in the Loyalty Card Program and/or no longer wish to use the App or no longer want your personal data to be used to analyze your customer behavior as related to such marketing or promotional activities, you may request that we cease the use of your personal data for these purposes, and we will do so without undue delay. You may also only object to profiling. In such case, you will no longer be able to benefit from some of our Services or specific features for which this category of processing is essential (i.e., the receipt of [personalized] marketing and promotional materials).
If you withdraw your consent to receiving commercial information, you will not receive any third-party commercial information. Please be aware that you will receive commercial information concerning Shopping Center events and offers, which forms an essential part of the Loyalty Card Program.
7.7 Portability of your personal data
You have the right to receive the personal data that you provide to us. Upon receipt of your request, we will submit your personal data in a commonly used and machine-readable format without undue delay. Upon request, we will send your personal data to any third party (data controller) that you identify in your request, unless such request would adversely affect the rights or freedoms of others, and where technically feasible.
7.8 Withdrawal of your consent
You may withdraw your consent at any time, without indication of reason. Please contact the Data Controllers or Data Protection Officer via e-mail or in writing. We will block your personal data from any further processing. Please note that withdrawing your consent will not affect the lawfulness of any processing done during the period of prior consent.
Please be aware that it will not be possible to use the Loyalty Card Program Services or part of the Services if you withdraw your consent.
You can deactivate the Additional Services, such as “Smart Park” and “In & Out”, in the App settings. You need not withdraw your consent in this case.
If you withdraw your consent or deactivate your settings in the App, the Services not affected thereby can still be used.
7.9 Complaint to a data protection authority
You have the right to submit a complaint concerning our data processing activities. Please address your complaint to:
Landesbeauftragter für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
Kavalleriestraße 2-4, 40213 Düsseldorf, Germany
Phone: 0049 (0) 211 38 424 0
Fax: 0049 (0) 211 38 421 10
8. Provision of your personal data
9. Automated decision-making / profiling
Currently, there is no automated decision-making process or profiling that would legally or otherwise affect you. However, we will provide you with specific offers based on your individual personal data and analysis of your user behavior. You may object to profiling as stated in Section 7.6 above.