PRIVACY NOTICE
When you access the SPOT mobile app (“App”), we undertake to process your personal data in accordance with data protection laws and principles (in particular the General Data Protection Regulation - “GDPR”) and to keep it secure.
We are NE Property B.V. with registered office at Claude Debussylaan 7, 1082 MC Amsterdam, The Netherlands, registered with the Netherlands Chamber of Commerce under number 818597392 and act as the controller of your personal data processed through the App (hereinafter we will refer to ourselves as either “Controller”, “we”, “us”, “our”), part of the NEPI Rockcastle Group.
As part of our marketing activities, we collaborate with: (i) NEPI Investment Management S.R.L., with registered office at Calea Floreasca 169A, building A, section 5.1, office 14, District 1, Bucharest, Romania, registered with the Trade Register under number J40/16378/2007, CUI RO22342136 ("NIM") and (ii) the NEPI Rockcastle Group company that manages the shopping center you have selected as your "preferred shopping center" ("Shopping Centre"). A complete list of NEPI Rockcastle Group companies that manage shopping centers and the shopping centers they manage is available at this link: https://nepirockcastle.com/portfolio/.
Depending on the "preferred shopping center" you selected when you created your SPOT account or later by changing the app settings:
- we will tailor the marketing messages we communicate to you (where you have consented to receive marketing messages) so that the messages sent will be targeted at either the shopping center in question or at events held nationally in all shopping centers in the NEPI Rockcastle Group portfolio;
- the NEPI Rockcastle Group company operating the respective shopping center will act as joint controller with Us and NIM in relation to the marketing activities carried out
From the perspective of how personal data is processed for specific marketing purposes, the relationship between the Controller, NIM and the Shopping Centre is joint controllers, according to Art. 26 GDPR (together, hereinafter referred to as "Joint Controllers").
This Privacy Notice is addressed to any person accessing and/or using the App (“User”, “You”, “Your”)
● Identification data, such as: first name and last name, date of birth
● Account access data, e.g. username, password
● Contact details, such as: email address, phone number
● Data on your preferences/interests, such as data on areas of interest - e.g., fashion, technology, pets, etc.
● Data about your interaction with the App, such as: information about the stores you searched for, the fact that you chose a series of products/services as favorites or that you selected a series of events that you want to participate in, as well as the recurrence with which you visit our Website/access the Account.
● Location data
● Demographic data, such as: gender, city/neighborhood where you live, whether you are married or not, whether you have children or not, the number of children and their age
● Data on the participation in promotional campaigns and similar events, such as: prizes won, image
● Purchase data, e.g., preferred shops, purchase amount, purchase date, etc.
● Financial data, such as: bank account number and bank card details
● Technical data: this data differs depends on how you access the App and includes: IP, device type and version, device manufacturer, time zone and location settings (country and city), operating system, screen size, mobile controller, language, Wi-Fi/Bluetooth settings, App version
● Data from social networks, such as: the unique identification code provided by the Facebook network or by case-to-case bases, unique code given for log in Apple/Google
● Data regarding any fraudulent activity performed in the App or otherwise in relation to the Loyalty Program provided through the App, such as: scanning fake or modified Receipts or other violations of the Terms and Conditions of the App
● The processing of personal data marked as mandatory fields in certain forms available in the App is necessary for the provision of services accessible through the App. Thus, it is necessary to communicate those personal data to the Company, because certain functions provided by the App can be operated with their help. Refusal to provide such data will make it impossible for the Company to provide you with the functions provided by the App.
The purposes and legal basis on which we are processing personal data:
· Facilitating access to the App - creating an account in the App based on the legal basis of performing the contract concluded regarding the provision of our services (i.e., in accordance with the Terms and Conditions of the App).
· Providing you with services provided by the App (e.g., use of the App’s features) based on the legal basis of performing the contract concluded regarding the provision of our services (i.e., in accordance with the Terms and Conditions of the App).
· In order to allow you to pay for services and products through the App (e.g. payment for parking, purchase of products and/or services) based on the legal basis of performing the contract concluded regarding the provision of our services (i.e., in accordance with the Terms and Conditions of the App.).
· Contacting you via available communication media for the purpose of providing information about your account or the App (i.e., not of a marketing nature) based on the legal basis of performing the contract concluded regarding the provision of our services (i.e., in accordance with the Terms and Conditions of the App).
· We process, together with NIM and the Shopping Centre, personal data for the purpose of sending direct marketing messages, through classic means of communication (e.g. e-mail, SMS, push notification), as well as by targeting marketing messages on your page(s) on social networks (targeted social media advertising) for the purpose of promoting shopping centers registered in the App, but also of the Controller's Partners (More information about our Partners is available in Section 5 below) based on your consent. Please note that the transmission of marketing messages can be done both as a result of creating and analyzing profiles, as well as independently of it. This data processing involves analyzing your user profile to determine what your preferences are, and thus which products and services best suit your style at the time of sending the information. For example, based on your shopping and browsing history (i.e., items clicked on in the App or prizes claimed), we will make suggestions to you about products or services that we think may be of interest to you.
· We process, together with NIM and the Shopping Center, personal data for the purpose of conducting surveys or other market studies based on our legitimate interest in promoting the shopping centers in the NEPI Rockcastle portfolio and obtaining a better knowledge of market requirements.
· Preventing fraudulent activity in the App or in relation to the Loyalty Program offered through the App, in accordance with the Terms and Conditions of the App, by recalculating the user’s loyalty points, blocking the Account of user suspected of fraudulent activity or by adding such users to the list of users without the right to participate in the Loyalty Program, based on our legitimate interest to prevent fraud or other types of misuse of our Loyalty Program.
· Carrying out economic, financial and/or administrative management activities based on our legal obligation.
· Settlement of disputes, investigations or any other petitions/complaints to which the Controller is a party based on our legitimate interest in defending our rights in court/in front of any competent authority.
· Archiving based on our legal obligation.
· Ensuring a high level of security of information systems (e.g., applications, network, infrastructure) based on our legitimate interest in ensuring the security of our information systems and the security of the App.
· Documenting your consent based on our legal obligation.
The personal data processed is kept for the period of time necessary to comply with the legal obligations imposed on us by the regulations specific to our field of activity.
If you have an account in the App, your personal data is processed and stored by the Controller from the moment you choose to create an Account on the App until the moment you choose to delete your Account.
If you do not use the App for a period of 24 months (i.e., you do not register in your SPOT account, you do not use any of the SPOT functions, etc.) your account will be automatically deactivated.
Once you choose to delete your account, your data will be stored by the Controller
- for an additional period of 3 years, in the Controllers legitimate interest to be able to access and provide the relevant documentation in case of a potential court claim, complaint or ongoing investigation.
- for the minimum storage period provided by the applicable financial accounting legislation.
Regarding the use of your personal data to carry out direct marketing activities, they will be stored by the Joint Controllers from the moment you have given us consent to this processing, until the date you have withdrawn it. Your data will be deleted immediately after you choose to withdraw your consent. We will keep the information proving that we have complied with your request to withdraw consent, namely the date when the request was fulfilled, the reference regarding the categories of data that were the subject of the request to withdraw consent and the user who responded to the request, for audit purposes. The latter are not personal data and will not lead to your identification.
Also, if you have requested the deletion of your personal data, we will respond to this request immediately, unless we have a legal basis to continue to keep your data (e.g., legitimate interest or compliance with legal obligations). Insofar as we do not have a legal basis for keeping your data, we will respond to the deletion request immediately. For the avoidance of doubt, in case of users whose Account was blocked and who were included in the list of users without the right to participate in the Loyalty Program, in accordance with the Terms and Conditions of the App, we will maintain the e-mail address and data regarding the fraudulent activity for a period of 12 months in order to prevent further access of the Loyalty Program by such users.
At the same time, we will keep the information proving that we have complied with your request, namely the date when the request was fulfilled, the reference regarding the categories of data that were the subject of the deletion request and the user who responded to the request, for audit purposes. The latter are not personal data and will not lead to your identification.
Access to your data will be provided only to those persons or entities with whom we collaborate in fulfilling the purposes of processing, and for whom we (or the intended recipients) can justify a legitimate reason or if we have a legal obligation to provide your data.
The following entities and their employees will have access to your data:
● IT service providers, such as Tremend Software Consulting SRL, Zen Parking, Symphopay and others which provide technical solutions, integrated services in the App, software development services, site maintenance and development, hosting, etc.,
● The provider of the CRM platform,
● Marketing service providers, which include market research service providers, service providers through which marketing communications are transmitted, providers of traffic and behavior monitoring services for users of online tools, providers of personalization services for various types of marketing, providers of marketing services through social media (e.g., Facebook), social media providers, marketing materials content design service providers,
● Payment service providers
● Transaction Connect, the independent data controller providing the Automatic Points Accrual functionality
● Group companies
The Controller is part of the NEPI Rockcastle group of companies (the “Group”). Your personal data may be transmitted to other companies in the Group, if they will act as processors of the Controller. The list of companies in the Group can be found at: https://nepirockcastle.com/portfolio/
· Controller’s Partners
Your personal data will also be processed in relation to a number of third-party partners (“Partners”). These are the Partners that the Controller promotes in its relationship with you through direct marketing activities and are usually represented by the tenants of the shopping centers registered in the App. The Partners do not have access to your personal data, except if the Controller obtained your prior consent to do so. The complete list of Partners is updated on a quarterly basis and can be found at the Annex 2 in Terms and Conditions document: https://myspot.space/mall-content/pages/articles/ro/terms-and-conditions or on the mall website.
We will contractually require these entities, as well as their staff, to respect the confidentiality of this data, ensuring a high level of security for the processing of your data.
We will also provide your personal data to judicial bodies, public institutions, or central and local public authorities, based on a duly substantiated request or legal obligation.
As a rule, the Controller, NIM and the Shopping Center will not transfer your personal data to third countries outside the European Economic Area. However, if such a transfer takes place, we will take appropriate protection measures to ensure the protection of the personal data transferred.
We will take all necessary security measures to protect your personal data transmitted, stored or otherwise processed against destruction, loss, unlawful or accidental change, unauthorized disclosure or unauthorized access, as well as against any other unlawful processing. The security measures we implement regarding your personal data can ensure the confidentiality, integrity, availability and continued resilience of processing systems and services, as well as the capacity to restore the availability of and access to personal data in a timely manner if a physical or technical incident occurs.
In addition, for the data security and confidentiality of the information sent via the App, your access to the account created in the App is password protected. The Controller makes all necessary efforts and uses appropriate IT technologies to ensure the protection and security of the data you provide us with.
In cases of a personal data security breach, as provided for inpeoplePR, the Controller/Joint Controllers will inform the competent authorities and relevant persons accordingly.
The Controller/Joint Controllers process personal data that are accurate, having implemented a procedure for updating them. Thus, the Controller, or the Joint Controllers, take all necessary steps to ensure that inaccurate personal data, in view of the processing purposes, are erased or rectified without delay.
(a) Right of access - the right to request confirmation that the personal data are processed or not by Us, and if so, the data subject may request access to the data, as well as certain information about such data. Upon request in this respect, we will also issue a copy of the processed personal data. Request for additional copies will be charged on the basis of the costs actually incurred.
(b) Right to rectification - the right to get the inaccurate personal data rectified, as well as to supplement incomplete data, including by providing additional information.
(c) Right to delete data ("the right to be forgotten") - in situations expressly regulated by law, the right to obtain from us the deletion of the data. Thus, the deletion of personal data can be requested if:
o The data is no longer necessary for the purposes for which they were collected or processed.
o withdrawal of the consent on the basis of which processing is carried out;
o the data subject opposes to the processing under the right of opposition;
o processing of personal data is illegal;
o the data must be deleted for the purpose of complying with a legal obligation incumbent on Us.
(d) Right to restrict processing - the right to request the restriction of processing of personal data in certain circumstances expressly regulated by the law, as follows:
o The accuracy of the data is contested, for the period when the accuracy of the concerned data is checked;
o the processing is unlawful and the data subject opposes to the deletion of data;
o the data subject needs these data to establish, exercise or defend certain rights in court, and our company no longer needs such data;
o the data subject opposes to the processing of personal data for the period in which we check if our legitimate interests prevail over their interests, rights and freedoms.
In these circumstances, except for storage, the data will not be processed anymore.
(e) Right to object to the processing of personal data - the right to object at any time, for reasons related to the particular situation of the data subject, to the processing (including the creation of profiles) based on our legitimate interest.
(f) Right to data portability - the right to receive the personal data provided in a structured, automated readable format, and the right to request that the data be passed to another controller. This right applies only to personal data provided directly by the data subject to the controller, and only if the processing of personal data is done by automated means and is legally based on either the execution of a contract or the consent of that person,
(g) The right to lodge a complaint - the right to lodge a complaint in relation to the methods of personal data processing. The complaint can be submitted to the national supervisory authorities, respectively National Authority for Surveillance of Personal Data Protection Autoritatea („ANSPDCP”) – details at dataprotection.ro.
(h) Right of withdrawal of consent - the right to withdraw, at any time, the consent to the processing of personal data in cases where processing is based on consent. Withdrawal of the consent will only have effect for the future, and processing prior to the withdrawal remains valid.
(i) Additional rights related to automated decisions used in the delivery of services – if automated decisions are made about personal data and these decisions significantly affect the data subject, the data subject can (a) obtain human intervention with respect to said processing, (b) express their point of views on such processing, (c) obtain explanations regarding the decision made and (d) contest such decision.
These rights (except the right to contact the competent data protection authority, which can be exercised under the conditions established by this authority - in this regard you can see the official website indicated at point (g) above) may be exercised, anytime, either individually or by aggregation, sending a letter/message in the following ways:
● by post, at: Calea Floreasca nr. 169A, Floreasca 169, Clădirea A, etajul 5, Sector 1, București, România
● by email, at: Data.Protection@nepirockcastle.com
A Data Protection Officer has been appointed at the NEPI Rockcastle Group level, who can be contacted should there be any concerns about the protection of personal data and the exercise of data protection rights. The Data Protection Officer can be contacted by written, dated and signed request, using the contact details mentioned above.
We reserve the right to change the content of this Privacy Notice ("Privacy Notice"). Any such changes will take effect only after the publication of the updated version of the Privacy Notice in the App. Thus, please check the Privacy Notice section because changes may have occurred since the last visit.
If the changes to the Privacy Notice concern aspects that are likely to have a significant impact on the way we process personal data (e.g. change in the purpose of the processing; change in the identity of the controller; or change in the exercise of rights in relation to regarding the processing of personal data), you will be expressly notified regarding them.
Effective from 20.09.2024.