PRIVACY NOTICE
When you access the SPOT mobile app (“App”), we undertake to process your personal data in accordance with data protection laws and principles (in particular the Data Protection Regulation (“GDPR”)) and to keep it secure.
We are NE Property B.V. with registered office at Claude Debussylaan 7, 1082 MC Amsterdam, The Netherlands, registered with the Netherlands Chamber of Commerce under number 818597392 and act as the controller of your personal data processed through the App (hereinafter we will refer to ourselves as either “Controller”, “We”, “Us”, “Our”), part of the NEPI Rockcastle Group.
As part of our marketing activities, we collaborate with: (i) NEPI Investment Management S.R.L., with registered office at Calea Floreasca 169A, building A, section 5.1, office 14, District 1, Bucharest, Romania, registered with the Trade Register under number J40/16378/2007, CUI RO22342136 ("NIM") and (ii) the NEPI Rockcastle Group company that manages the shopping centre you have selected as your "preferred shopping centre" ("Shopping Centre"). A complete list of NEPI Rockcastle Group companies that manage shopping centers and the shopping centers they manage is available at this <link>.
Depending on the "preferred shopping centre" you selected when you created your SPOT account or later by changing the app settings:
This Memorandum is addressed to any person accessing and/or using the App.
With regard to how personal data is processed for specific marketing purposes, the Controller, NIM and the Shopping Center act as joint controllers, according to Art. 26 GDPR (together, hereinafter referred to as "Joint Controllers").
This Privacy Notice is addressed to any person accessing and/or using the App (“User”, “You”, “Your”).
1 Personal data we process
● Identification data, such as: first name and last name, date of birth
● Account access data, e.g. username, password
● Contact details, such as: email address, phone number
● Data on your preferences/interests, such as data on areas of interest - e.g., fashion, technology, pets, etc.
● Data about your interaction with the App, such as: information about the stores you searched for, the fact that you chose a series of products/services as favourites or that you selected a series of events that you want to participate in, as well as the recurrence with which you visit our Website/access the Account.
● Location data
● Demographic data, such as: gender, city/neighbourhood where you live, whether you are married or not, whether you have children or not, the number of children and their age
● Data on the participation in promotional campaigns and similar events, such as: prizes won, image
● Purchase data, e.g., preferred shops, purchase amount, purchase date, etc.
● Financial data, such as: bank account number, and bank card details.
● Technical data: this data differs depending on how you access the App and includes: IP, device type and version, device manufacturer, time zone and location settings (country and city), operating system, screen size, mobile Controller, language, Wi-Fi/Bluetooth settings, App version
● Data from social networks, such as: the unique identification code provided by the Facebook network
● The processing of personal data marked as mandatory fields in certain forms available in the App is considered to be necessary for the provision of services accessible through the App. Thus, it is necessary to communicate those personal data to the Company, because certain functions provided by the App can be operated with their help. Refusal to provide such data will make it impossible for the Company to provide you with the functions provided by the App.
● in order to manage the User's Account in connection with the manual addition of Receipts or Automatic Points Accrual, the Controller additionally processes the data obtained by the Controller from the User in the case of manual addition of Receipts or from Transaction Connect (the third party providing the Automatic Points Accrual functionality, acting as an independent controller) in the case of Automatic Points Accrual, in the form of the amount and subject of the purchase indicated by the Receipt, the date on which the Receipt was issued (i.e. the date of the Purchase), the date on which the Receipt was registered in the Application, the Premises where the User made the purchase (i.e. the identification of the Vendor) and additionally in the case of Automatic Points Accrual in the form of the number of Accounts synchronized, the name of the bank, the expiry date of the synchronization consent, data relating to complaints addressed to Transaction Connect in the form of recognition status, individual User ID number, the amount of the Purchase, the Vendor, the date of the Purchase, and the date on which the complaint was registered.
● in order to better understand the customer base, only in the case of active Automatic Points Accrual, Transaction Connect processes the data concerning any transactions on the synchronized Accounts during the period of 90 days prior to the date on which the consent was granted until the date on which the withdrawal of consent/liquidation of the User's Account takes place (throughout the synchronization period) for the purpose of creating aggregated statistical reports, which they provide to the Controller. Such reports do not contain personal data and are strictly limited to statistical information.
2 Use of personal data
The purposes and legal basis on which we are processing personal data:
• Facilitating access to the App - creating an account in the App based on our legal basis of performing the contract concluded regarding the provision of our services (i.e., in accordance with the Terms and Conditions of the App)
• Providing you with services provided by the Application (e.g., use of the Application’s features) based on our legal basis of performing the contract concluded regarding the provision of our services (i.e., in accordance with the Terms and Conditions of the App)
• Enabling you to pay for services and products through the App (e.g., payment for parking, purchase of products and/or services) based on the legal basis for the performance of the contract concluded regarding the provision of our services (i.e., in accordance with the Terms and Conditions of the App).
• Contacting you via media for the purpose of letting you know information about your account or the App (i.e., not of a marketing nature) based on our legal basis of performing the contract concluded regarding the provision of our services (i.e., in accordance with the Terms and Conditions of the App)
• We process, together with NIM and the Shopping Center, personal data for the purpose of sending direct marketing messages through classic means of communication (e.g., e-mail, SMS, push notification) as well as by targeting marketing messages on your page(s) on social networks (targeted social media advertising) for the purpose of promoting shopping centers registered in the Application, but also of the Controller's Partners (more information about our Partners is available in Section 5 below), based on your consent. Please note that the transmission of marketing messages can be done both as a result of creating and analyzing profiles, as well as independently of it. This data processing involves analyzing your user profile to determine what your preferences are and thus which products and services best suit your style at the time of sending the information. For example, based on your shopping and browsing history (i.e., items clicked on in the App or prizes claimed), we will make suggestions to you about products or services that we think may be of interest to you.
• Please note that marketing messages can be sent both as a result of profiling activities, and independently. This data processing involves analysing your user profile to determine what your preferences are and thus which products and services best suit your style at the time of sending the information. For example, based on your shopping and browsing history (i.e., based on items you have clicked on in the SPOT mobile app or prizes claimed), we will make suggestions about products or services we think might be of interest to you.
• We process, together with NIM and the Shopping Center, personal data for the purpose of conducting surveys or other market studies on the basis of our legitimate interest in promoting the shopping centres and better understanding the market demands.
• Carry out economic, financial and/or administrative management activities based on our legal obligation.
• Settlement of disputes, investigations or any other petitions/complaints to which the Controller is a party based on our legitimate interest in defending our rights in court/in front of any competent authority
• Archiving based on our legal obligation
• Ensure a high level of security of information systems (e.g., applications, network, infrastructure) based on our legitimate interest in ensuring the security of our information systems and the security of the App
• Document your consent based on our legal obligation.
3 Automatic Points Accrual
1. As part of the Loyalty Program, the User has the choice of a special Loyalty Program functionality consisting of the possibility of subscribing to Automatic Loyalty Points Accrual - across all participating shopping centers listed in Annex 1 of the “My SPOT” LOYALTY REGULATIONS. Upon activation, this functionality allows Points from purchases made across all participating shopping centers in the country to be automatically accrued to one account. User consent will be required for this scope. Activation of this functionality is not obligatory in order to participate in the Loyalty Program; thus, the User has full freedom of choice as to whether to activate this functionality.
Activation of the functionality results in a change of the form of charging points from manual scanning of receipts to automatic accrual. In order for the Points for purchases made to accrue automatically without scanning, the User must give their consent to the third party providing this functionality, Transaction Connect, to access their bank account or card account details, thus the following data shall be processed:
a) branch name / account type / User bank identifier / User bank account code,
b) Access ID (and, if applicable, the User's password) that the User uses to connect to the web interface of the entity that maintains their account,
c) the User's payment data displayed in the web interface of the entity maintaining the account, including the amount, date and Premises where the purchase was made.
In order to use Automatic Points Accrual, it is compulsory to consent to the collection and analysis of data relating to transactions.
The rules of the Automatic Points Accrual functionality are described in the Loyalty Program Regulations.
For the purposes of the organization, operation, and implementation of Automatic Points Accrual, the independent data controller with respect to the processing of the User's personal data is exclusively Transaction Connect, a company under French law with its registered office at 86, Rue du Faubourg St Denis, 75010 Paris, registered in the commercial register of companies in Paris under number 822 619 185 (‘Transaction Connect’).
Information on the processing activities carried out by Transaction Connect, including information on your rights as a data subject, is available at https://tc-front.transactionconnect.com/resources/bcc/pl/POLICY.pdf.
The processing of data by Transaction Connect is carried out on the basis of the Terms of Use of Transaction Connect, therefore if the User wishes to activate Automatic Points Accrual, they must additionally accept the Terms of Use of Transaction Connect and undertake to comply with them.
Under no circumstances shall the Controller be held liable for the processing activities carried out by Transaction Connect, acting as data controller exclusively in this regard. The two entities indicated are independent and autonomous data controllers.
Under no circumstances will the Controller have access to your bank account information, credit card information or any other personal data of a financial nature, including access to bank accounts.
Any claims or requests relating to the processing of personal data carried out by Transaction Connect must be addressed directly to Transaction Connect on the basis of its privacy policy and terms of use, which you will be required to read and accept when subscribing to Automatic Loyalty Points Accrual. Contact Transaction Connect via email address: dataprotection@transactionconnect.com
4 Storage period
The personal data processed are kept for the period of time necessary to comply with the legal obligations imposed on us by the regulations specific to our field of activity.
If you have an account in the App, your personal data is processed and stored by the Controller from the moment you choose to create an Account on the App until the moment you choose to delete your Account.
- If you do not use the App for a period of 24 months (i.e., you do not register in your SPOT account, you do not use any of the SPOT functions, etc.) your account will be automatically deactivated. Once you choose to delete your account, your data will be stored by the Controller to the extent required by law or for the legitimate interest of the administrator to implement data to the extent specified in point 2 above.
Regarding the use of your personal data to carry out direct marketing activities, they will be stored by the Joint Controllers from the moment you have given us consent to this processing, until the date you have withdrawn it. Your data will be deleted immediately after you choose to withdraw your consent. We will keep the information proving that we have complied with your request to withdraw consent, namely the date when the request was fulfilled, the reference regarding the categories of data that were the subject of the request to withdraw consent and the user who responded to the request, for audit purposes. The latter are not personal data and will not lead to your identification.
Also, if you have requested the deletion of your personal data, we will respond to this request immediately, unless we have a legal basis to continue to keep your data (e.g., legitimate interest or compliance with legal obligations). Insofar as we do not have a legal basis for keeping your data, we will respond to the deletion request immediately. At the same time, we will keep the information proving that we have complied with your request, namely the date when the request was fulfilled, the reference regarding the categories of data that were the subject of the deletion request and the user who responded to the request, for audit purposes. The latter are not personal data and will not lead to your identification.
5 Third party access
Access to your data will be provided only to those persons or entities with whom we collaborate in fulfilling the purposes of processing, and for whom we (we or the intended recipients) can justify a legitimate reason or if we have a legal obligation to provide your data.
The following entities and their employees will have access to your data:
● IT service providers, such as Tremend Software Consulting SRL, which provide technical solutions, integrated services in the App, software development services, site maintenance and development, hosting, etc.
● Placewise, CRM provider/platform
● Marketing service providers, which include market research service providers, service providers through which marketing communications are transmitted, providers of traffic and behavior monitoring services for users of online tools, providers of personalization services for various types of marketing, providers of marketing services through social media (e.g., Facebook), social media providers, content design service providers, marketing materials
● Golden Rocket Agency Dawid Prymas
● Payment service providers
● Transaction Connect, the independent data controller providing the Automatic Points Accrual functionality
● Group companies
The Controller is part of the Nepi Rockcastle group of companies (the “Group”). Your personal data may be transmitted to other companies in the Group, if they act as processors of the Controller. The list of companies in the Group can be found at: https://nepirockcastle.com/portfolio/
• Controller’s Partners
Your personal data will also be processed in relation to a number of third-party partners (“Partners”). These are the Partners that the Controller promotes in its relationship with you through direct marketing activities and are usually represented by the tenants of the shopping centres registered in the Application. The partners do not have access to your personal data, except if the Controller obtained your prior consent to do so. The complete list of Partners is updated on a quarterly basis and can be consulted in Annex 2 of the Terms and Conditions regulation.
We will contractually require these entities, as well as their staff, to respect the confidentiality of this data, ensuring a high level of security for the processing of your data.
We will also provide your personal data to judicial bodies, public institutions, or central and local public authorities, based on a duly substantiated request or legal obligation.
As a rule, the Controller, NIM and the Shopping Center will not transfer your personal data to third countries outside the European Economic Area. However, if such a transfer takes place, we will take appropriate protection measures to ensure the protection of the personal data transferred.
6 Security and accuracy of personal data
We will take all necessary security measures to protect your personal data transmitted, stored or otherwise processed against destruction, loss, unlawful or accidental change, unauthorised disclosure or unauthorised access, as well as against any other unlawful processing. The security measures we implement with regard to your personal data can ensure the confidentiality, integrity, availability and continued resilience of processing systems and services, as well as the capacity to restore the availability of and access to personal data in a timely manner if a physical or technical incident occurs.
In addition, for your data security and confidentiality of the information sent via the App, your access to the account created in the App is password protected. The Controller makes all necessary efforts and uses appropriate IT technologies to ensure the protection and security of the data you provide us.
In cases of a personal data security breach, as provided for in the GDPR, the Controller or Joint Controllers will inform the competent authorities and relevant persons accordingly.
The Controller/Joint Controllers process personal data that are accurate, having implemented a procedure for updating them. Thus, the Controller, or as the case may be the Joint Controllers, take all necessary steps to ensure that inaccurate personal data, in view of the processing purposes, are erased or rectified without delay.
7 Rights of the data subjects with respect to the processing of personal data:
(a) Right of access - the right to request confirmation as to whether or not the personal data are processed by Us, and if so, the data subject may request access to the data, as well as certain information about such data. Upon request in this respect, we will also issue a copy of the processed personal data. Requests for additional copies will be charged on the basis of the costs actually incurred.
(b) Right to rectification - the right to get the inaccurate personal data rectified, as well as to supplement incomplete data, including by providing additional information.
(c) Right to delete data ("the right to be forgotten") - in situations expressly regulated by law, the right to obtain from Us the deletion of the data. Thus, the deletion of personal data can be requested if:
o the data are no longer necessary for the purposes for which they were collected or processed;
o withdrawal of the consent on the basis of which processing is carried out;
o the data subject objects to the processing under the right to object;
o processing of personal data is illegal;
o the data must be deleted for the purpose of complying with a legal obligation incumbent on us.
(d) Right to restrict processing - the right to request the restriction of processing of personal data in certain circumstances expressly regulated by the law, as follows:
o the accuracy of the data is contested, for the period when the accuracy of the concerned data is checked;
o the processing is unlawful and the data subject objects to the deletion of data;
o the data subject needs these data to establish, exercise or defend certain rights in court, and our company no longer needs such data;
o the data subject objects to the processing of personal data, for the period in which we check if our legitimate interests prevail over their interests, rights and freedoms.
In these circumstances, except for storage, the data will not be processed anymore.
(e) Right to object to the processing of personal data - the right to object at any time, for reasons related to the particular situation of the data subject, to the processing (including the creation of profiles) based on our legitimate interest.
(f) Right to data portability - the right to receive the personal data provided in a structured, machine-readable format, and the right to request that the data be passed to another controller. This right applies only to personal data provided directly by the data subject to the controller, and only if the processing of personal data is done by automated means and is legally based on either the execution of a contract or the consent of that person.
(g) The right to lodge a complaint - the right to lodge a complaint in relation to the methods of personal data processing. The complaint can be submitted to the respective supervisory authorities, such as the President of the Data Protection Office (“UODO”) - details at uodo.gov.pl.
(h) Right of withdrawal of consent - the right to withdraw, at any time, the consent to the processing of personal data in cases where processing is based on consent. Withdrawal of the consent will only have effect for the future, and processing prior to the withdrawal remains valid.
(i) Additional rights related to automated decisions used in the delivery of services - if automated decisions are made about personal data and these decisions significantly affect the data subject, the data subject can (a) obtain human intervention with respect to said processing, (b) express their point of view on such processing, (c) obtain explanations regarding the decision made and (d) contest such decision.
These rights (except the right to contact UODO, which can be exercised under the conditions established by this authority - in this regard you can see the official website uodo.gov.pl) may be exercised at any time, either individually or by aggregation, by sending a letter/message in the following ways:
● by email, at: Data.Protection@nepirockcastle.com
A Data Protection Officer has been appointed at the NEPI Rockcastle Group level, who can be contacted should there be any concerns about the protection of personal data and the exercise of data protection rights. The Data Protection Officer can be contacted by written, dated and signed request, using the contact details mentioned above.
We reserve the right to change the content of this Privacy Notice ("Privacy Notice"). Any such changes will take effect only after the publication of the updated version of the Privacy Notice in the Application. Thus, please check the Privacy Notice section because changes may have occurred since the last visit.
If the changes to the Privacy Notice concern aspects that are likely to have a significant impact on the way we process personal data (e.g. change in the purpose of the processing; change in the identity of the controller; or change in the exercise of rights in relation to the processing of personal data), you will be expressly notified regarding them.
Effective from 25th July 2024