When you access the PROMENADA SPOT mobile app ("App"), we undertake to process your personal data in accordance with data protection laws and principles (in particular Law on Personal Data Protection (Official Gazette no. 87/2018)) and to keep it secure.

We are NEPI Real Estate Project One d.o.o. Novi Sad Promenada Novi Sad ("Promenada Novi Sad"), part of the NEPI Rockcastle Group with its registered of-fice in Bulevar oslobođenja 119, Novi Sad, registered with the Trade Registry Office under no. 21165719, with Tax Registration Code 109345294 and act as the controller of your personal data processed through the App (hereinafter we will refer to ourselves as either "Controller", "We", "Us", "Our"), part of the NEPI Rockcastle Group.

As part of the marketing activities we carry out, we collaborate with:

(i)         NEPI Investment Management S.R.L., with registered office in Calea Floreasca 169A, building A, section 5.1, office 14, Sector 1, Bucharest, Romania, registered at the Trade Register under no. J40/16378/2007, CUI RO22342136 ("NIM") and

(ii)         the NEPI Rockcastle Group company that manages the shopping center you have selected as your "preferred mall" ("Promenada Novi Sad"). The full list of NEPI Rockcastle Group companies that manage shopping centers and the shopping centers they manage is available as Annex 1 to this Privacy Notice.

Depending on the "preferred mall" selected when you created your account in the SPOT mobile app or later by changing the application settings:


- the NEPI Rockcastle Group company that manages that shopping center will act as an associated operator together with Us and NIM in terms of the marketing activities carried out.

From the perspective of how personal data is processed for specific marketing purposes, the relationship between the Operator, NIM and the Commercial Center is that of associated operators, according to art. 26 of the GDPR (together, hereinafter referred to as "Joint Controllers").

This Privacy Information Notice is addressed to any person accessing and/or using the App.

1      Personal data we process

·        Identification data, such as: first name and last name, date of birth

·        Account access data, e.g. username, password

·        Contact details, such as: email address, phone number

·        Data on your preferences/interests, such as data on areas of interest - e.g., fashion, technology, pets, etc.

·        Data about your interaction with the App, such as: information about the stores you searched for, the fact that you chose a series of products/services as favourites or that you selected a series of events that you want to participate in, as well as the recurrence with which you visit our Website/access the Account.

·        Location data

·        Demographic data, such as: gender, city/neighbourhood where you live, whether you are married or not, whether you have children or not, the number of children and their age

·        Data on the participation in promotional campaigns and similar events, such as: prizes won, image

·        Purchase data, e.g., preferred shops, purchase amount, purchase date, etc.

·        Financial data, such as: bank account number.

·        Technical data: this data differs depends on how you access the App and includes: IP, device type and version, device manufacturer, time zone and location settings (country and city), operating system, screen size, mobile operator, language, Wi-Fi/Bluetooth settings, App version

·        Data from social networks, such as: the unique identification code provided by the Facebook network

·        The processing of personal data marked as mandatory fields in certain forms available in the App is considered to be necessary for the provision of services accessible through the App. Thus, it is necessary to communicate those personal data to the Company, because certain functions provided by the App can be operated with their help. Refusal to provide such data will make it impossible for the Company to provide you with the functions provided by the App.

2      Use of personal data

The purposes and legal basis on which we are processing personal data:

·        Facilitating access to the App - creating an account in the App based on our legal basis of performing the contract concluded regarding the provision of our services (i.e., in accordance with the Terms and Conditions of the App)

·        Providing you with services provided by the Application (e.g., use of the Application’s features) based on our legal basis of performing the contract concluded regarding the provision of our services (i.e., in accordance with the Terms and Conditions of the App)

·        Possibility to pay for services and products via the App (e.g., pay for parking, purchase products and/or services)

·        Contacting you via media for the purpose of letting you know information about your account or the App (i.e., not of a marketing nature) based on our legal basis of performing the contract concluded regarding the provision of our services (i.e., in accordance with the Terms and Conditions of the App)

·        Sending direct marketing messages via communication means for which you have given your consent (e.g., e-mail, SMS, push notification) for the purpose of promoting the shopping centre Promenada Novi Sad registered in the App.

·        Please note that marketing messages can be sent both as a result of profiling activities, and independently.

·        This data processing involves analysing your user profile to determine what your preferences are and thus which products and services best suit your style at the time of sending the information. For example, based on your shopping and browsing history (i.e., based on items you have clicked on in the PROMENADA SPOT mobile app or prizes claimed), we will make suggestions about products or services we think might be of interest to you.

·        Conduct surveys or other market research based on our legitimate interest in promoting the shopping centres and better understanding the market demands.

·        Carry out economic, financial and/or administrative management activities based on our legal obligation.

·        Settlement of disputes, investigations or any other petitions/complaints to which the Operator is a party based on our legitimate interest in defending our rights in court/in front of any competent authority

·        Archiving based on our legal obligation

·        Ensure a high level of security of information systems (e.g., applications, network, infrastructure) based on our legitimate interest in ensuring the security of our information systems and the security of the App

·        Document your consent based on our legal obligation.

3      Storage period

The personal data processed are kept for the period of time necessary to comply with the legal obligations imposed on us by the regulations specific to our field of activity.

If you do not use the app for a period of 36 months (i.e. do not log into your SPOT account, do not use any of the SPOT features, etc.) your account will be automatically deactivated.

If you have an account in the App, your personal data is processed and stored by the Operator from the moment you choose to create an account on the App until the moment you choose to delete your Account or the account is deactivated. Once you choose to delete your account, your data will be stored by the Operator:

-        for an additional period of 3 years, in the legitimate interest of the Operator to be able to access and provide the necessary documentation in the event of a potential court claim, complaint, investigation conducted.

-        for a period of 10 years for financial-accounting purposes.

As regards the use of your personal data for direct marketing activities, they will be stored by the Joint Controllers from the moment you gave us your consent for this processing until the date you withdrew it. After the moment you choose to withdraw your consent, your data will be stored by the Operator, for an additional period of 3 years, in the legitimate interest of the Operator so that it is able to access and provide the necessary documentation in case of a potential lawsuit, complaints, investigations carried out (i.e., but not used for the transmission of direct marketing materials).

4      Third party access

Access to your data will be provided only to those persons or entities with whom we collaborate in fulfilling the purposes of processing, and for whom we (we or the intended recipients) can justify a legitimate reason or if we have a legal obligation to provide your data.

The following entities and their employees will have access to your data:

·         SC Tremend Software Consulting SRL - IT service providers (e.g., software maintenance and development, site maintenance and development),

·         Placewise, CRM provider/platform

·         Group companies

The Operator is part of the Nepi Rockcastle group of companies (the "Group"). Your personal data may be transmitted to other companies in the Group, if they act as processors of the Operator. The list of companies in the Group can be found at:

·        Operator’s Partners

Your personal data will also be processed in relation to a number of third-party partners ("Partners"). These are the Partners that the Operator promotes in its relationship with you through direct marketing activities and are usually represented by the tenants of the shopping centre Promenada Novi Sad registered in the Application. The partners do not have access to your personal data, except if the Operator obtained your prior agreement in this respect. The complete list of Partners is updated on a quarterly basis and can be consulted in Annex 2 of the Terms and Conditions regulation.

We will contractually require these entities, as well as their staff, to respect the confidentiality of this data, ensuring a high level of security for the processing of your data.

We will also provide your personal data to judicial bodies, public institutions, or central and local public authorities, based on a duly substantiated request or legal obligation.

As a rule, the Joint Controllers will not transfer your personal data to third countries outside the Republic of Serbia. However, if such a transfer takes place, the Operator will take appropriate protection measures to ensure the protection of the personal data transferred.

5      Security and accuracy of personal data

We will take all necessary security measures to protect your personal data transmitted, stored or otherwise processed against destruction, loss, unlawful or accidental change, unauthorised disclosure or unauthorised access, as well as against any other unlawful processing. The security measures we implement with regard to your personal data can ensure the confidentiality, integrity, availability and continued resilience of processing systems and services, as well as the capacity to restore the availability of and access to personal data in a timely manner if a physical or technical incident occurs.

In addition, for your data security and confidentiality of the information sent via the App, your access to the account created in the App is password protected. The Operator makes all necessary efforts and uses appropriate IT technologies to ensure the protection and security of the data you provide us.

In cases of a personal data security breach, as provided for in the law and GDPR, the Joint Controllers shall duly inform the competent authorities and relevant persons.

The Joint Controllers process personal data that is accurate and has an updated procedure in place. Thus, the Join Controllers take all necessary steps to ensure that inaccurate personal data, in view of the processing purposes, are erased or rectified without delay.

6      Rights of the data subjects with respect to the processing of personal data:

(a)   Right of access - the right to request confirmation that the personal data are processed or not by us, and if so, the data subject may request access to the data, as well as certain information about such data. Upon request in this respect, we will also issue a copy of the processed personal data. Request for additional copies will be charged on the basis of the costs actually incurred.

(b)   Right to rectification - the right to get the inaccurate personal data rectified, as well as to supplement incomplete data, including by providing additional information.

(c)   Right to delete data ("the right to be forgotten") - in situations expressly regulated by law, the right to obtain from us the deletion of the data. Thus, the deletion of personal data can be requested if:

o    the data are no longer necessary for the purposes for which they were collected or processed;

o    withdrawal of the consent on the basis of which processing is carried out;

o    the data subject opposes to the processing under the right of opposition;

o    processing of personal data is illegal;

o    the data must be deleted for the purpose of complying with a legal obligation incumbent on us.

(d)  Right to restrict processing - the right to request the restriction of processing of personal data in certain circumstances expressly regulated by the law, as follows:

o    the accuracy of the data is contested, for the period when the accuracy of the concerned data is checked;

o    the processing is unlawful and the data subject opposes to the deletion of data;

o    the data subject needs these data to establish, exercise or defend certain rights in court, and our company no longer needs such data;

o    the data subject opposes to the processing of personal data for the period in which we check if our legitimate interests prevail over their interests, rights and freedoms.

In these circumstances, except for storage, the data will not be processed anymore.

(e)  Right to object to the processing of personal data - the right to object at any time, for reasons related to the particular situation of the data subject, to the processing (including the creation of profiles) based on our legitimate interest.

(f)   Right to data portability - the right to receive the personal data provided in a structured, automated readable format, and the right to request that the data be passed to another controller. This right applies only to personal data provided directly by the data subject to the controller, and only if the processing of personal data is done by automated means and is legally based on either the execution of a contract or the consent of that person,

(g)  The right to lodge a complaint - the right to lodge a complaint in relation to the methods of personal data processing. The complaint can be submitted to the respective supervisory authorities, such as the Commissioner for Personal Data Protection - details at

(h)  Right of withdrawal of consent - the right to withdraw, at any time, the consent to the processing of personal data in cases where processing is based on consent. Withdrawal of the consent will only have effect for the future, and processing prior to the withdrawal remains valid.

(i)    Additional rights related to automated decisions used in the delivery of services - if automated decisions are made about personal data and these decisions significantly affect the data subject, the data subject can (a) obtain human intervention with respect to said processing, (b) express their point of views on such processing, (c) obtain explanations regarding the decision made and (d) contest such decision.

These rights (except the right to contact Commissioner for Personal Data Protection, which can be exercised under the conditions established by this authority - in this regard you can see the official website may be exercised, anytime, either individually or by aggregation, sending a letter/message in the following ways:

·         by mail, at: Bulevar oslobođenja 119, 21000 Novi Sad, Republika Srbija

·         by email, at:

A Data Protection Officer has been appointed at the NEPI Rockcastle Group level, who can be contacted should there be any concerns about the protection of personal data and the exercise of data protection rights. The Data Protection Officer can be contacted by written, dated and signed request, using the contact details mentioned above.

We reserve the right to change the content of this Privacy Notice ("Privacy Notice"). Any such changes will take effect only after the publication of the updated version of the Privacy Notice in the Application. Thus, please check the Privacy Notice section because changes may have occurred since the last visit.

If the changes to the Privacy Notice concern aspects that are likely to have a significant impact on the way we process personal data (e.g. change in the purpose of the processing; change in the identity of the controller; or change in the exercise of rights in relation to regarding the processing of personal data), you will be expressly notified regarding them.

Effective starting with 19.02.2023.