PRIVACY NOTICE FOR SHOPPERS
1. WHO ARE WE?
We are Gallions Reach Shopping Park, 3 Armada Way, London, E6 7ER, UK.
We want to reach out to our customers and hear what they’re saying –whether it’s by giving us feedback or comments, agreeing to receive ournewsletter or services or taking part in our competitions or competitions we’rerunning - we’re thrilled you’re joining the conversation.
You can use our online services to benefit from our services (such aswifi), take part in campaigns which we might run from time to time, complete asurvey, join our mailing list to receive our ezine and emails so we can tellyou about what’s happening and/or to benefit from deals and discounts we’reoffering
2. WHAT IS THIS NOTICE?
When you interact with us, you may give us Personal Data about you. Personal Data means data which can beused to identify an individual. The individual who can be identified from thePersonal Data is known as the DataSubject.
In respect of any such Personal Data, we are acting as a Controller (which means we are thebusiness responsible for making the decision to collect the Personal Data inthe first place, and deciding what to collect and how to use it). To help us to connect with our customers andrun some of our marketing services, we use a marketing agency. Currently we usea company called Velocity Worldwide UK Ltd (Velocity) to manage our marketing services for us. This means thatthey may handle Personal Data as a Processor(they are acting on our behalf and authorised to use the Personal Data inaccordance with our instructions).
This notice deals with our marketing activity and sets out whatPersonal Data we collect from you when you interact with our marketing agencyand what we do with it.
If you have any questions relating to how we use Personal Data aboutyou, please contact us at the address above or by email at email@example.com
3. WHAT INFORMATION DO WE COLLECT AND STORE?
We may collect and process the following data about you, some of whichmay include Personal Data:
i. INFORMATION WHICH YOU PROVIDE US WITH WHEN YOU USE INTERACTWITH US ONLINE: for example if you use our services (such as wifi), take part incampaigns which we might run from time to time, complete a survey, join ourmailing list to receive our ezine and emails so we can tell you about events,and you can benefit from deals and discounts we’re offering). This may include:
· your name,address and phone number
· where you comefrom
· your gender
· online contactinformation
· payment details(if you want to decide to take advantage of any discounted goods or servicesoffered as part of our campaigns)
· any opinions orpreferences which you express (including your likes and dislikes)
· details aboutyour location
ii. TRANSACTIONAL DATA: that is, information which we might collect if you use a voucher, loyaltycard, discount code or take part in a promotion which we are running. This willhelp us to learn about:
· your shoppingpreferences, interests, hobbies and habits
· your health,well-being and lifestyle choices
iii. TRAFFIC DATA:that is, information about which websites you access or offers you click onwhen you’re using our services.
iv. LOCATION DATA:we may collect information about your location from time to time if you haveprovided us with certain information. For example, we may use the followingtechnologies to recognise you when you come into our shopping centre:
· i-beacons, whichenable us to communicate with your device using bluetooth
· wi-fi, whichenables us to communicate with your device
4. HOW DO WE USE THE DATA WE COLLECT ABOUT YOU AND WHAT’SOUR LEGAL BASIS?
We may usethe data we collect about you in the following ways:
(i) TO CREATE A PROFILE ABOUT YOU TO INFORM OUR MARKETINGDECISIONS: We might do this to makesure we send you information which we think might be of interest to you, about campaignswe’re running and other events or discounts we’re offering (including surveysand information about goods and services which we think you’ll like and whichseem to tie in with your interests). To do this, we may need to undertakeanalysis of your purchase habits and preferences. Once an account has been setup, profiling is an automated process which enables us to learn things aboutyou. We set up the account on the basis thatyou have agreed we can use the information you provide us with for marketingpurposes. You may ask us to delete your account at any time and we willpromptly comply. You may set up a new account at any time.
(ii) TO SEND YOU MARKETING COMMUNICATIONS: contacting you by email, SMS, push notifications inour app, social media (and potentially by other communication channels whichmay become available in the future) to provide you with competitions, deals andinformation about products and events). Weare relying on you signifying your consent to us. You are entitled to withdrawyour consent to all marketing or marketing via particular channels at any timeand we will promptly comply with your request.
(iii) TO PROVIDE SERVICES: for example, if you have provided us with your details so that you canreceive particular services from us (such as signing in to wifi, taking part ina campaign, benefiting from a discount or taking part in a competition), we willuse your Personal Data in order to make that happen. For certain campaigns andcompetitions, this may include transferring Personal Data related to you to athird providing the prize or whose goods or services are being promoted. If a transferof this nature is required, we will publish the name of the third partyrecipient and let you know that the transfer is required before we do so. In this case, we are relying on the factthat such use of your Personal Data is required to provide you with theservices you have requested. This may be a contractual obligation or based onyou giving us your consent. You may let us know at any time if you want to pullout of a competition or stop receiving our services and we will promptly complywith your request.
(iv) INTERNAL BUSINESS REQUIREMENTS: we may use your Personal Data in accordance with ourinternal business requirements. For example we may need to retain back-upcopies of data to make sure we have adequate safeguards in place to preventloss of the data we hold; we may need to use your data to resolve disputes. In this instance, we are relying on thefact that such use is essential to protect a legitimate interest to enable usto run our business successfully. Any copies of the data held will be heldsecurely and no further use shall be made of such data save as set out herein.We believe that such use would be generally anticipated by data subjects and ishighly unlikely to cause any damage to or be considered by data subjects to beinvasive of their privacy.
(v) STATISTICAL ANALYSIS: we may collect and use aggregate data, forinternal market research, statistical analysis and data mining purposes and wemay transfer this data at will to third parties. This data will be anonymisedand you will not be identifiable from it.
5. WILL PERSONAL DATA ABOUT YOU BE DISCLOSED TO ANYONEELSE?
i. We will not pass Personal Data about you to thirdparties for marketing purposes unless you have expressly consented to it.
ii. We may disclose yourPersonal Data to third parties for the following purposes:
· to our licensors, employees and third parties who arecontracted to provide services to help us to carry out our business. Any employees and/or data processors (including Velocity)contracted by us will be subject to strict contractual requirements only to useyour personal data in accordance with our instructions.
· If we sell or buy any business or assets. We will never sell Personal Data as a sole asset.
iii. We may discloseaggregate data to third parties for analysis and market research purposes. Anydata so disclosed will not contain Personal Data.
6. WHAT SECURITY PROCEDURES DO WE HAVE IN PLACE?
6.1 It is our policyto ensure that all Personal Data held by us (or any Processors we use) ishandled correctly and appropriately according to the nature of the information,the risk associated with mishandling the data, including the damage that couldbe caused to an individual as a result of loss, corruption and/or accidentaldisclosure of any such data, and in accordance with any applicable legalrequirements.
6.2 We undertakeregular security and risk reviews and we monitor all of the controls that wehave in place to ensure the security, accuracy and integrity of the PersonalData we hold. We also endeavour to ensure that such data is only accessed byauthorised personnel for a legitimate purpose (in accordance with our privacynotice).
6.3 We have aset of formal procedures that must be adhered to within our organisation toensure that security standards are maintained and that data privacy isrespected.
6.4 Ourmarketing agent, Velocity (which manages any data it collects for marketingpurposes) is ISO27001 accredited by the BSI.
6.5 There are some steps you can take tohelp make sure that your data is protected. For example:
(a) ifyou are contacting us with a query or complaint, only ever give us your workdetails rather than your personal contact details;
(b) if you are sending any financial detailsor sensitive information, consider sending it in separate emails or encrypted,password protected documents; and
(c) makesure that you keep any passwords associated with your DARIUS account secure.
7. WHERE DO WE STORE THE PERSONAL DATA WE COLLECT?
We only use servers in the EU (and Britain). Our current host serversare provided by Amazon Web Services, whose servers are based in Dublin.
8. FOR HOW LONG DO WE STORE PERSONAL DATA ABOUT YOU?
8.1 We will retain and use Personal Data which we collect for marketingpurposes in accordance with the following provisions:
· We will holdidentity and contact data until asked by you to delete the data or cease suchprocessing. In order to make sure that we are doing this transparently, we willgive you the option to opt out in every communication we send. If we haven’theard from you or had any interaction with you for over 2 years, we willcontact you and ask you if you would like to be removed from our database.
9. WHATRIGHTS DO YOU HAVE IN RESPECT OF ANY PERSONAL DATA WE HOLD ABOUT YOU?
9.1 DataSubjects have the following rights in respect of Personal Data relating to themwhich can be enforced against the Controller:
(a) Right to be informed: the right to be informed about whatPersonal Data the Controller collects and stores about you and how it’s used.
(b) Right of access: the right to request a copy of thePersonal Data held, as well as confirmation of:
(i) thepurposes of the processing;
(ii) thecategories of personal data concerned;
(iii) therecipients to whom the personal data has/will be disclosed;
(iv) for howlong it will be stored; and
(v) if datawasn’t collected directly from the Data Subject, information about the source.
(c) Right of rectification: the right to require the Controllerto correct any Personal Data held about the Data Subject which is inaccurate or incomplete.
(d) Right to be forgotten: in certain circumstances, the rightto have the Personal Data held about theData Subject erased fromthe Controller’s records.
(e) Right to restriction of processing: the right to request the Controllerto restrict the processing carried out in respect of Personal Data relating to the Data Subject. You might want to do this, forinstance, if you think the data held by the Controller is inaccurate and youwould like to restrict processing the data has been reviewed and updated ifnecessary.
(f) Right of portability: the right to have the Personal Dataheld by the Controller about theData Subject transferredto another organisation, to the extent it was provided in a structured,commonly used and machine-readable format.
(g) Right to object to direct marketing: the right to object where processingis carried out for direct marketing purposes (including profiling in connectionwith that purpose).
(h) Right to object to automatedprocessing: theright not to be subject to a decision based solely on automated processing(including profiling) which produces legal effects (or other similarsignificant effects) on the Data Subject.
Wemay need to ask you for further information and identification to help us tocomply with this request.
10. WHODO YOU COMPLAIN TO IF YOU’RE NOT HAPPY WITH HOW WE PROCESS YOUR PERSONAL DATA?
If you have any questions or concerns about how we areusing Personal Data about you, please contact our Data Protection Officerimmediately at our registered address (see clause 1.1 above) or by email to firstname.lastname@example.org
If you wish to make a complaint about how we havehandled Personal Data about you, you may lodge a complaint with the InformationCommissioner’s Office by following this link: https://ico.org.uk/concerns/.