Privacy notice

When you access the Arena SPOT mobile app (“App”), we undertake to process your personal data in accordance with data protection laws and principles (in particular the Data Protection Regulation (“GDPR”)) and to keep it secure.

We are NE Property B.V. with registered office at Claude Debussylaan 7, 1082 MC Amsterdam, The Netherlands, registered with the Netherlands Chamber of Commerce under number 818597392 and act as the controller of your personal data processed through the App (hereinafter we will refer to ourselves as either “Controller”, “We”, “Us”, “Our”).

As part of the marketing activities we carry out, we collaborate with:

(i) NEPI Investment Management S.R.L., with registered office in Calea Floreasca 169A, building A, section 5.1, office 14, Sector 1, Bucharest, Romania, registered at the Trade Register under no. J40/16378/2007, CUI RO22342136 ("NIM")

(ii) the NEPI Rockcastle Group company/companies that manages the shopping center you have selected as your "preferred mall" ("Shopping Center"). The full list of NEPI Rockcastle Group companies that manage shopping centers and the shopping centers they manage is available at this

Depending on the "preferred mall" selected when you created your account in Arena SPOT or later by changing the application settings:

-         we will personalize the marketing messages that we will communicate to you (where you have expressed your consent to receive marketing messages) so that the messages sent will either target the shopping center in question or nationally organized events in all shopping centers from the NEPI Rockcastle Group portfolio;

-         the NEPI Rockcastle Group company that manages that shopping center will act as an associated controller together with Us and NIM in relation to the marketing activities carried out.

From the perspective of how personal data is processed for specific marketing purposes, the relationship between the Controller, NIM and the Commercial Center is that of associated controllers, according to art. 26 of the GDPR (together, hereinafter referred to as "Associated Controllers").

This Privacy Notice is addressed to any person accessing and/or using the App.

1       Personal data we process

·        Identification data, such as: first name and last name, date of birth

·        Account access data, e.g., username, password

·        Contact details, such as: email address, phone number

·        Data on your preferences/interests, such as data on areas of interest - e.g., fashion, technology, pets, etc.

·        Data about your interaction with the App, such as: information about the stores you searched for, the fact that you chose a series of products/services as favorites or that you selected a series of events that you want to participate in, as well as the recurrence with which you visit our Website/access the Account.   

·        Location data

·        Demographic data, such as: gender, city/neighborhood where you live, whether you have children or not

·        Data on the participation in promotional campaigns and similar events, such as: prizes won, image

·        Purchase data, e.g., preferred shops, purchase amount, purchase date, etc.

·        Financial data, such as: bank account number.

·        Technical data: this data differs depends on how you access the App and includes: IP, device type and version, device manufacturer, time zone and location settings (country and city), operating system, screen size, mobile Controller, language, Wi-Fi/Bluetooth settings, App version

·        Data from social networks, such as: the unique identification code provided by the Facebook network

The processing of personal data marked as mandatory fields in certain forms available in the App is necessary for the provision of services accessible through the App. Thus, it is necessary to communicate those personal data to the Company, because certain functions provided by the App can be operated with their help. Refusal to provide such data will make it impossible for the Company to provide you with the functions provided by the App.

2       Use of personal data

The purposes and legal basis on which we are processing personal data:

·        Facilitating access to the App - creating an account in the App based on our legal basis of performing the contract concluded regarding the provision of our services (i.e., in accordance with the Terms and Conditions of the App)

·        Providing you with services provided by the Application (e.g., use of the Application’s features) based on our legal basis of performing the contract concluded regarding the provision of our services (i.e., in accordance with the Terms and Conditions of the App) and handing over the rewards

·        Possibility to pay for services and products via the App (e.g., purchase products and/or services)

·        Contacting you for the purpose of letting you know information about your account or the App (i.e., not of a marketing nature) based on our legal basis of performing the contract concluded regarding the provision of our services (i.e., in accordance with the Terms and Conditions of the App)

·        Sending direct marketing messages via communication means for which you have given your consent (e.g., e-mail, SMS, push notification) for the purpose of promoting the shopping centres registered in the App and the shopping centers’ Partners (more information about our Partners is available in Section 4 below.)

·        Please note that marketing messages can be sent both as a result of profiling activities, and independently.

·        This data processing involves analysing your user profile to determine what your preferences are and thus which products and services best suit your style at the time of sending the information. For example, based on your shopping and browsing history (i.e., based on items you have clicked on in the Arena SPOT mobile app or rewards claimed), we will make suggestions about products or services we think might be of interest to you.

·        Conduct surveys or other market research based on our legitimate interest in promoting the shopping centres and better understanding the market demands.

·        Carry out economic, financial and/or administrative management activities based on our legal obligation.

·        Settlement of disputes, investigations or any other petitions/complaints to which the Controller is a party based on our legitimate interest in defending our rights in court/in front of any competent authority.

·        Archiving based on our legal obligation

·        Ensure a high level of security of information systems (e.g., applications, network, infrastructure) based on our legitimate interest in ensuring the security of our information systems and the security of the App

·        Document your consent based on our legal obligation.

3       Storage period

The personal data processed are kept for the period of time necessary to comply with the legal obligations imposed on us by the regulations specific to our field of activity.

If you have an account in the App, your personal data is processed and stored by the Controller from the moment you choose to create an Account on the App until the moment you choose to delete your Account.

If you do not use the app for a period of 36 months (i.e. do not log into your Arena SPOT account, do not use any of the Arena SPOT features, etc.), your account will be automatically deactivated.

Once you choose to delete your account, your data will be stored by the Controller:

·        for an additional period of 3 years, in the legitimate interest of the Controller to be able to access and provide the necessary documentation in the event of a potential court claim, complaint, investigation conducted.

·        for a period of 10 years for financial-accounting purposes.

With regards to the use of your personal data for direct marketing activities, it will be stored by the Controller from the moment you give us your consent for this processing until the date you withdraw it. After you choose to withdraw your consent, your data will be stored by the Controller, for an additional period of 3 years, in the legitimate interest of the Controller so that it is able to access and provide the necessary documentation in case of a potential lawsuit, complaints, investigations carried out (i.e., but not used for the transmission of direct marketing materials).

4       Third party access

Access to your data will be provided only to those persons or entities with whom we collaborate in fulfilling the purposes of processing, and for whom we (we or the intended recipients) can justify a legitimate reason or if we have a legal obligation to provide your data.

The following entities and their employees will have access to your data:

- Tremend Software Consulting SRL – the development agency for the Arena SPOT mobile app

- Boostcom B.V – the CRM platform provider

- Bilić-Erić d.o.o. – agency in charge of the reward handover

- Euroart 93 d.o.o. – agency in charge of the communication with the customers

- Poilabs

- Group companies

The Controller is part of the NEPI Rockcastle group of companies (the “Group”). Your personal data may be transmitted to other companies in the Group, if they act as processors of the Controller. The list of companies in the Group can be found at:

Controller’s Partners

Your personal data will also be processed in relation to a number of third-party partners (“Partners”). These are the Partners that the Controller promotes in its relationship with you through direct marketing activities and are usually represented by the tenants of the shopping centres registered in the Application. The partners do not have access to your personal data, except if the Controller obtained your prior agreement in this respect. The complete list of Partners is updated on a quarterly basis and can be consulted in Annex 2 of the Terms and Conditions regulation.

We will contractually require these entities, as well as their staff, to respect the confidentiality of this data, ensuring a high level of security for the processing of your data.

We will also provide your personal data to judicial bodies, public institutions, or central and local public authorities, based on a duly substantiated request or legal obligation.

As a rule, the Controller will not transfer your personal data to third countries outside the European Economic Area. However, if such a transfer takes place, the Controller will take appropriate protection measures to ensure the protection of the personal data transferred.

5       Security and accuracy of personal data

We will take all necessary security measures to protect your personal data transmitted, stored or otherwise processed against destruction, loss, unlawful or accidental change, unauthorized disclosure or unauthorized access, as well as against any other unlawful processing. The security measures we implement with regard to your personal data can ensure the confidentiality, integrity, availability and continued resilience of processing systems and services, as well as the capacity to restore the availability of and access to personal data in a timely manner if a physical or technical incident occurs.

In addition, for your data security and confidentiality of the information sent via the App, your access to the account created in the App is password protected. The Controller makes all necessary efforts and uses appropriate IT technologies to ensure the protection and security of the data you provide to us.

In cases of a personal data security breach, as provided for in the GDPR, the Controller shall duly inform the competent authorities and relevant persons.

The Controller processes personal data that is accurate and has an updated procedure in place. Thus, the Controller takes all necessary steps to ensure that inaccurate personal data, in view of the processing purposes, are erased or rectified without delay.

6       Rights of the data subjects with respect to the processing of personal data

(a) Right of access - the right to request confirmation whether the personal data is processed by us or not, and if yes, the data subject may request access to the data, as well as certain information about such data. Upon request in this respect, we will also issue a copy of the processed personal data. Request for additional copies will be charged based on the costs actually incurred.

(b) Right to rectification - the right to get the inaccurate personal data rectified, as well as to supplement incomplete data, including by providing additional information.

(c) Right to delete data ("the right to be forgotten") - in situations expressly regulated by law, the right to obtain from us the deletion of the data. Thus, the deletion of personal data can be requested if:

·        the data are no longer necessary for the purposes for which they were collected or processed;

·        withdrawal of the consent on the basis of which processing is carried out;

·        the data subject opposes to the processing under the right of opposition;

·        processing of personal data is illegal;

·        the data must be deleted for the purpose of complying with a legal obligation incumbent on us.

(d) Right to restrict processing - the right to request the restriction of processing of personal data in certain circumstances expressly regulated by the law, as follows:

the accuracy of the data is contested, for the period when the accuracy of the concerned data is checked;

·        the processing is unlawful, and the data subject opposes the deletion of data;

·        the data subject needs these data to establish, exercise or defend certain rights in court, and our company no longer needs such data;

·        the data subject is opposed to the processing of personal data for the period in which we check if our legitimate interests prevail over their interests, rights and freedoms.

In these circumstances, except for storage, the data will not be processed anymore.

(e) Right to object to the processing of personal data - the right to object at any time, for reasons related to the particular situation of the data subject, to the processing (including the creation of profiles) based on our legitimate interest.

(f) Right to data portability - the right to receive the personal data provided in a structured, automated readable format, and the right to request that the data be passed to another controller. This right applies only to personal data provided directly by the data subject to the controller, and only if the processing of personal data is done by automated means and is legally based on either the execution of a contract or the consent of that person,

(g) Right to lodge a complaint - the right to lodge a complaint in relation to the methods of personal data processing. The complaint can be submitted to the respective supervisory authorities, such as the Agency for Personal Data Protection in Croatia (“AZOP”) - details at

(h) Right of withdrawal of consent - the right to withdraw, at any time, the consent to the processing of personal data in cases where processing is based on consent. Withdrawal of the consent will only have effect for the future, and processing prior to the withdrawal remains valid.

(i) Additional rights related to automated decisions used in the delivery of services - if automated decisions are made about personal data and these decisions significantly affect the data subject, the data subject can (a) obtain human intervention with respect to said processing, (b) express their point of view on such processing, (c) obtain explanations regarding the decision made and (d) contest such decision.

These rights (except the right to contact AZOP, which can be exercised under the conditions established by this authority - in this regard you can see the official website may be exercised, anytime, either individually or by aggregation, by sending a letter/message to the following:

·        by mail, at: Calea Floreasca nr. 169A, Floreasca 169, Cladirea A, etajul 5, Sector 1, București/Bucharest, Romania

·        by email, at:

A Data Protection Officer has been appointed at the NEPI Rockcastle Group level, who can be contacted should there be any concerns about the protection of personal data and the exercise of data protection rights. The Data Protection Officer can be contacted by written, dated and signed request, using the contact details mentioned above.

We reserve the right to change the content of this Privacy Notice ("Privacy Notice"). Any such changes will take effect only after the publication of the updated version of the Privacy Notice in the Application. Thus, please check the Privacy Notice section because changes may have occurred since the last visit.

If the changes to the Privacy Notice concern aspects that are likely to have a significant impact on the way we process personal data (e.g., change in the purpose of the processing; change in the identity of the controller; or change in the exercise of rights in relation to regarding the processing of personal data), you will be expressly notified regarding them.


Effective starting in March 2024