Last updated: 29/09/2017
Espace Expansion as the data controller on local level (“Local Data Controller”) and Unibail Management S.A.S., 7 place du Chancelier Adenauer, 75016 Paris, France, registered with the Registry of Commerce and Companies of Paris under number 414878389, as the data controller on group level (“Group Data Controller”), together as joint data controllers (“Data Controllers”, “We” / “Us”), process your personal data in the context of the provision of our loyalty program and mobile applications (together, the “Services”), which may be accessed through various media or devices and are made available by Us, in particular via mobile applications, websites or in paper form. We place great emphasis on the protection of personal data. Personal data is any information relating to an identified or identifiable individual.
The Local Data Controller collects personal data from you as a customer/visitor of the shopping centre, website or . It will process your data in order to inform you about specific offers and events of the respective shopping centre. The Group Data Controller has concluded several data processing agreements and service agreements with service providers to provide you with the technical opportunity to register for the loyalty card program or to download and use the App. Furthermore, the Group Data Controller will negotiate with third parties special offers which will be accessible to loyalty card members. These offers will be provided by the Local Data Controller. The Data Controllers will together analyse your customer behaviour to provide you with customised offers and events you might be interested in.
If you decide to register via paper form at the customer desk or via registration on the website of the shopping centre, we can technically only offer you the services of the Loyalty Card Program and commercial information.
We offer you the following separable general services:
(i) Loyalty Card Program (“Loyalty Card Program”)
This is our customer retention scheme which will be offered for each Shopping Centre separately. The aim is to provide you with customized and personalized offers and information.
(ii) Shopping Centre App (“App”):
In our App you will find at first general information about the Shopping Centre (e.g. maps, shops, business hours). Additionally, you will have the opportunity to use our additional services (e.g. Smart Park).
(iii) Commercial information via e-mail (“commercial information”):
As described above the Local Data Controller and/or Group Data Controller has negotiated with third parties several special conditions for its customers. These third parties will not get access to your personal data unless stipulated otherwise in Section 4 hereof. Based on Our analysis of your customer behavior we will provide you with these specific offers of third parties provided that We have obtained your prior consent (opt-in in the user interface).
(i) how We collect and process your personal data that you submit to Us or disclose, or that will be collected through your accessing or using our Services and within the scope of these Services; and
(ii) your rights, how you can exercise them and what We have done to help you with exercising your rights.
The Services are addressed to users of an age of sixteen (16) or above.
2. DATA CONTROLLER
Local Data Controller for processing your personal data under the Loyalty Card Program and/or App:
Espace expansion SAS
7 place du Chancelier Adenauer
phone : +33 (0) 1 43 16 47 10
email : firstname.lastname@example.org
website : http://carrouseldulouvre.com
Group Data Controller for processing your personal data under the Loyalty Card Program and/or App:
Unibail Management S.A.S.
7 place du Chancelier Adenauer, 75016 Paris, France
3. PURPOSE OF PROCESSING
3.1 How we collect personal data
We collect your personal data in several different ways:
3.1.1 Registration information you provide Us with. Some of our Services require you to sign up for an account, in particular our loyalty program and some features available through our App.
If you choose to create an account by completing the registration form, you will be asked to supply contact details and other personal data (your title, first name, surname, date of birth, postcode, email address, mobile number, gender, password, whether you would like to receive commercial information and any other relevant information necessary for the provision of our Services).
3.1.2 Registration information you allow third parties to transmit to Us.
Some of our Services require you to sign up for an account via a third party, in particular our promotional activities. If you choose to create an account via a third party within the scope of our Services, this third party will transmit to Us the personal data provided during the sign-up process (including first name, last name and e-mail address). In such a case, supplementary privacy policies of the respective third parties, which allow those third parties to transfer your personal data to Us, might apply to you as well.
3.1.3 Registration information you allow social networks to transmit to Us.
If you choose to create an account by using your social network account (i.e., Facebook, Google+ or Twitter), upon your prior consent, the relevant social network will transmit to Us your personal data (including e.g. first name, last name, username, profile picture, e-mail address, gender, date of birth, education, school, job title), your address information (country, city, address, ZIP code, phone), your “likes” (e.g. pages, favourite movies, favourite music, favourite TV shows), posts, friend list and any other information which you qualified as publicly available.
3.1.4 Personal data We collect from your use of our Services.
a) When you use the loyalty card, We collect and process:
• information relating to your shopping profile;
• the frequency and duration of your visits;
• information relating to your purchasing and visit behaviour (esp. tracking); and
• if you are registered to the loyalty program using your social network account, information related to your interactions with the loyalty Service on such social network.
b) When you use our mobile application or website Services as authenticated user, We collect and process:
• the information mentioned above (Sec. 3.1.4 a);
• personal data that you add to your profile (e.g., username or nickname, profile picture and password);
• personal data included in the content that you post, upload, contribute to or otherwise make available on or through the Services, such as your timeline, likes, look books, wish list, contact list;
• if you are connected to the Services using your social network account, information related to your interactions with the Services on such social network;
• information about the frequency of your visits, your itineraries and location within the shopping centre, provided that We have obtained your prior consent. You can learn more about such use in Section “3.2.2 a)” below;
• technical data.
3.2 How we use your personal data
3.2.1 General use
We use your personal data to:
• manage and provide the Services to you;
• administer your registration;
• analyse your use of the Services and, subject to your prior consent, combine your personal data collected from the use of our different Services (i.e. the loyalty card, our mobile applications, our websites, our social media accounts and our promotional activities) to improve our understanding of your expectations and needs and develop new features and services;
• provide customised information and promotional material to you. We will only use your personal data for the purpose of sending promotional material relating to the loyalty program unless you decided to opt-out;
• measure, test, and monitor the metrics and the effectiveness of our Services;
• for the use of our Services via an App you have to download the Shopping Centre App to your mobile device. If you have downloaded the Shopping Centre App you could decide if you want to use additional Services (specific use, Section 3.2.2) such as “Smart Park” and/or if you want to join the loyalty card program. Those services will not be automatically activated;
• ensure the technical operation of the Services and protect your personal data against any theft, loss, damage or unauthorized access.
If you cancel the registration process your personal data will not be stored. We will delete your personal data directly without any following processing. We may keep some minimum data necessary to evidence that your data has been deleted and on which day.
3.2.2 Specific use
(i) General principle
Subject to your prior express consent, information related to your location within our shopping centre may be collected and processed by Us while you are authenticated on our mobile applications for the purposes of measuring the frequency of your visits and your itineraries within our shopping centre and/or providing the Meet My Friends Service.
Geolocation will only take place if you have activated the additional services/specific use in the settings of your downloaded Shopping Centre App. You can deactivate those additional services at any time in the settings. You can use your Shopping Centre App to do so.
(ii) How We use your geolocation information
In order to be located within the shopping centre, you will be required to activate the Bluetooth feature on your mobile device. If you only want to check out the map and your contacts’ location through Meet My Friends Service, the activation of the Bluetooth feature is not required. Please note that We will not locate you outside our shopping centre and you will not be able to share your location outside our shopping centre through Meet My Friends Service. The location option is carried out by the Bluetooth beacons which are installed in the common areas of the shopping centre only.
The maximum period for which your geolocation data is stored is 12 months.
(iii) What is Meet My Friends Service
Meet My Friends Service allows you to share your location within our shopping centre with the users of the Service or only your friends who are also using the Service, depending on your preferences in the settings. Thus, you can visit the shopping centre knowing your friends’ location in the shopping centre and meet up with them at a specific location or suggest a meeting place.
(iv) How your geolocation information is shared on Meet My Friends
For the purpose of the provision of the “Meet My Friends” Service, some features of the Service may require that your geolocation data will be shared with your contacts depending on the way you have configured the settings.
In addition, if you have used your Facebook, Google or Twitter account to create your account with Us, you will be able to locate your contacts from such social network who are also using the “Meet My Friends” Service and ask them to share their respective location.
We may also share your geolocation information with the recipients set out in “How We share and disclose your personal data” below (Section 4.1).
(v) How to manage your geolocation preferences
v.ii) On your mobile settings
The first time that you authenticate on our mobile application, We will seek your consent to enable the geolocation of your mobile device.
If you accept the geolocation of your mobile device, this will be effective immediately and for any further connections on our mobile application and for any further visits in our shopping centre.
You may disable the geolocation of your mobile device through your mobile settings at any time.
v.iii) On Meet My Friends Service
The first time that you connect to the “Meet My Friends” Service, We will seek your consent to enable the geolocation of your mobile device and the sharing of your geolocation data.
If you accept the geolocation of your mobile device and the sharing of your geolocation data, this will be effective immediately and for any further connections, except if you use the “visible/non visible” feature available directly on the map to temporarily modify your geolocation settings. You may also permanently disable geolocation in your profile settings at any time.
You can configure your location-sharing settings on the Service by choosing one of the following options:
• to be visible to all other users of the “Meet My Friends” Service; or
• to be visible to your contacts only; or
• not to be visible to any users of the “Meet My Friends” Service. This would be the initial setting.
The visibility parameters that you have set up will be registered and applicable each time you use the mobile application. In addition, at any time, you will have a direct access to a “visible/invisible” option directly on the map in order to change temporarily the confidentiality settings for the duration of the current session.
b) ADDITIONAL SERVICES
We have developed the new Services “Smart Park” and “In & Out” in order to improve your experience when visiting our shopping centres.
When you log on to your user account in order to use the “Smart Park” service, We process personal data in order to enable the geolocation as described in Section 4.2.2 lit. a) of your car in the parking areas of our shopping centres; these data are not processed for any other purposes. If you do not log on to your user account, no personal data will be processed. If you do log on to your user account, we will process your personal data based on your consent.
When you want to benefit from the “In & Out” service, We process the personal data you provided us with when you created your user account. In particular, the licence plate recognition feature and data processing enables the parking system to open the gate automatically when you enter or leave our shopping centre carpark.
In addition, we may process your personal data as a result of using “Smart Park” and “In & Out” services, to inform you of any new services that We could develop and which may be of interest for you.
The personal data is not shared with and/or made available to third parties or used for any other purposes than those abovementioned from Meet My Friends and Additional Services.
c) LINKS TO OTHER SITES
We may propose hypertext links from the Services or communications you receive from the Services, to third-party websites or Internet sources. We do not control such third-party website or Internet sources and cannot be held liable for third parties’ privacy practices and content on their websites. Please read their privacy policies carefully to find out how they collect and process your personal data.
3.3 Data processing in and outside the EEA
We use the service providers listed at http://carrouseldulouvre.com/providers for the different purposes described below:
If you register to our Loyalty Card Program in a written form at our customer desk there will be a hostess service (“Hostess”) which helps you to enter your personal data into the registration interface.
We use a service provider for account management during the registration process (“Registration Account Manager”) who will send you a registration e-mail. Therefore, you have to provide at least your first name, name, date of birth and e-mail address. The Registration Account Manager will provide you with an initial password and will host your password settings.
We will use a service provider for CRM-Management (“CRM-Manager”). CRM-Manager will have full access to the personal data you will enter into the Loyalty Card Program or App. CRM-Manager will combine other data you have provided to us (e.g. for WiFi-registration) to your data set.
(iii) Analysis of customer behavior:
We will use a service provider for analysis of your customer behavior (“Analysis-Manager”). Analysis-Manager will analyse your user behavior based on your settings, your personal data and information of geolocation.
We will use service providers for customized e-mailing (“E-Mail-Manager”). If you register to our services you will at first get a welcome e-mail which will be sent by the Group Data Controller on behalf of the Local Data Controller.
Based on the analysis of your customer behavior by the Analysis-Manager you will get customized e-mails and push notifications which are sent out by the E-Mail-Manager on behalf of the Local Data Controller. Therefore, the E-Mail-Manager will get access to your e-mail address, first name and name.
(v) Data storage:
We will use an external provider for data storage (“Data-Storage-Manager”). The Data-Storage-Manager is contractually not allowed to use your personal data in any way. We use the service to store the CRM database on an external server.
3.4 Data Security
Protecting your privacy and your personal data is our priority. If, as a registered user, you receive a password, you should keep it confidential, limit access to your computer or mobile device, and sign off after having used the Services. Learn more about your responsibilities on http://carrouseldulouvre.com/mentions-legales
We take appropriate security measures, in particular technical and organisational measures, to protect your personal data against any accidental loss, destruction, misuse, damage and unauthorised or unlawful access. However, please be aware that no information transmission over the Internet or storage technology can be guaranteed to be 100% secure.
The controllers have entered into a data processing agreement ensuring, in particular, appropriate security measures. Espace Expansion is the controller responsible for compliance with your requirements towards whom you can exercise all your rights you have with respect to Us processing your personal data.
4. TRANSFER AND SHARE OF PERSONAL DATA
4.1 How we Share and disclose your personal data
We share the personal data We collect through the Services as follows:
4.1.1 Sharing with third parties
We may share your personal data with:
• any company which is a corporate affiliate of Us in order to develop and test new services and features;
• partner brands of the shopping centre, in an anonymous form such that it is no longer possible to identify you, in order to allow them to deliver advertisements that they believe are of interest to you;
• our advertising and marketing partners, in an anonymised form such that it is no longer possible to identify you;
• our service providers as described in Section 3.3 above;
• to respond to legal or regulatory requests, court orders, subpoena or legal process, if necessary to comply with applicable laws;
• any transferee, when personal data is transferred as part of the sale or otherwise transfer of all or part of our assets to another company.
4.1.2 Sharing with parties of your choice
• Sharing with other users of the Services. Any information or content that you voluntarily disclose through our mobile application or website Services becomes available to those users of the Services to whom you give access. Such Services also enable you to share all or part of your content and personal data, on an individual basis, with the users of your contact list by changing your share settings on the Services.
• Sharing with social networks. If you choose to access the Services using your social network account (such as Facebook, Google+ or Twitter) or to click on one of the plug-in buttons or links of social networks (e.g., Facebook “Like” button or Google “+” button) available through the Services, your content and personal data will be shared with the relevant social networks. You understand that such information may be published on your social network under your account.
5. TERM OF DATA STORAGE
We process your personal data based on the consent you have granted to Us for these purposes for the period in which you make use of our Services.
Please note We will delete or block your personal data automatically for further use if you have not used our services under the Loyalty Card Program for more than 3 years (last contact with you or last use of services by you).
6. YOUR RIGHTS AS A DATA SUBJECT
If you wish to exercise these rights and/or obtain all relevant information, please contact email@example.com. You will be asked to provide some of the identification information that you submitted upon your registration; this is necessary to verify that the request has been sent by you. We will respond within 1 month after receipt of your request, but we retain the right to extend this period by 2 months. We will in any event inform you within 1 month after receipt of your request if We decide to extend the period to respond.
6.1 What you can request
In accordance with applicable laws and as further detailed below, you have the right to request access to, rectification, erasure or portability (e.g. transfer of your personal data to another service provider) of your personal data We process, as well as to request restriction of such processing.
6.2 Rectification of your personal data
According to applicable laws, you have the right to rectify your personal data you have shared with Us. Through your settings of the Services, you can update your account information, change your profile settings, subscribe/unsubscribe from communications you receive from Us, and set your sharing preferences of the Services, including location-enabled functionalities.
Please note that if you wish to limit or change access to or sharing of your personal data with a social network, please visit your account settings on that social network.
If you join our services in written form, please contact the Data Controllers mentioned above (Section 2) in written form or via e-mail to rectify your personal data.
6.3 Accuracy of your personal data
We take reasonable measures to ensure that you are able to keep your personal data accurate and updated. You can always approach Us in order to obtain confirmation whether or not We still process your personal data.
6.4 Erasure of your personal data
You can ask Us to erase your personal data at any time. If you approach Us with such a request, We will delete all your personal data We have without undue delay, provided that your personal data is no longer necessary for provision of the Services. We will also delete (and ensure deletion by the processors that we engage) all your personal data in case you withdraw your consent or in the circumstances that the law requires Us to do so.
6.5 Restriction of processing
If you request Us to restrict the processing of your personal data, e.g. in circumstances when you contest the accuracy, lawfulness or Our need to process your personal data, We will limit processing of your personal data to the necessary minimum (storage) and, if applicable, will process them only for the establishment, exercise or defence of legal claims or, where necessary, for protection of rights of another natural or legal person, or other limited reasons dictated by the applicable law. In case the restriction is lifted and We continue processing your personal data, you will be informed accordingly without undue delay.
6.6 Objection to direct marketing
If you no longer wish to receive commercial information and/or you no longer want to take part in the Loyalty Card Program and/or you no longer want to use the App or you do not wish your personal data to be used to analyse your customer behavior as related to such marketing or promotional activities, you can request that We cease the use of your personal data for these purposes and We will do so without undue delay. You may also object to profiling only. In such case, you will no longer be able to benefit from some of Our Services or specific features for which this category of processing is essential (i.e. the receipt of (personalised) marketing and promotional materials).
If you withdraw your separate consent to receiving commercial information, you will not get any commercial information of third parties. Please be aware that you will get commercial information about events and offers of the Shopping Centre, which is an essential part of the Loyalty Card Program.
6.7 Portability of your personal data
You have the right to receive the personal data relating to you which you have provided to Us. If you approach Us with such a request, We will provide your personal data to you in a commonly used and machine-readable format without undue delay from receipt of your request. If you so request, We will send your personal data to a third party (another data controller) which you will identify in your request, unless such request would adversely affect rights or freedoms of others and where technically feasible.
6.8 Withdraw your consent
You can withdraw your given consent at any time without any reason. Please contact the Data Controllers via email or written letter. We will block your personal data for any further processing. Please note that withdrawal of your consent does not affect the lawfulness of any processing done on the understanding that you had given your consent before.
Please be aware that it is not possible to use the Loyalty Card Program Services or part of the Services if you withdraw your consent.
You can deactivate the additional services such as “Smart Park” and “In & Out” in the App settings. A separate withdrawal of your consent is not needed in this case.
If you withdraw your consent or deactivate your settings in the App, the services that have not been withdrawn can still be used.
6.9 Complaint to a data protection authority
You have the right to submit a complaint concerning Our data processing activities to Commission Nationale de l’Informatique et des Libertés, 3 Place de Fontenoy, 75007 Paris.
6.10 Right to specify guidelines regarding the use of your personal data after your death
Please note that you have the right to specify guidelines regarding the use of your personal data after your death.
7. PROVISION OF PERSONAL DATA
8. AUTOMATED DECISION MAKING / PROFILING
There is currently no automated decision making process or profiling which would legally affect you or otherwise significantly affect you. But we will provide you with specific offers based on your individual personal data and analysis of your user behavior. You may object to profiling as stated in Section 6.6 above.