Privacy Policy for the Loyalty Program

The date of the last update of this privacy policy was in February 2021.


This Privacy Policy explains how the data controller (referred to in this Privacy Policy as the "Data Controller", "we", "us" or "our") stores and processes your personal data in the context of the provisions of our Loyalty Programme (including access to your loyalty account within the shopping centre website and applications,  collectively, the "Services").

This Privacy Policy covers the following:

1/Contact details of the Data Controller

2/How do we collect your personal data?

3/Details on the processing of your personal data

4/How do we share your personal data?

5/How do we keep your personal data safe?

6/Do we transfer your personal data outside the European Economic Area?

7/Your rights in relation to your personal data

8/Geolocation

9/Automated decision-making/profiling

10/Transfer in case of change of ownership

11/Update of this Privacy Policy

1/Contact details of the Data Controller

The local Data Controller:

COMMUNITY OF OWNERS OF THE SHOPPING CENTER LA MAQUINISTA

PASSEIG DEL POTOSÍ nº2

Telephone: 93 360 89 71

E-mail: atencionalclientewestfield@lamaquinista.com

UNIBAIL RODAMCO SPAIN, S.L.U

C/José Abascal, nº 56. Madrid (CP 28003).

Phone: +34.91.700.65.00

Email in data.protection@urw.com

Responsible for the Treatment of the group:

Unibail Management

Simplified public limited company with a capital of € 20,000,000

With registered office at 7 place du Chancelier Adenauer 75016 Paris

Registered in the Paris Register under number 414878389

The Community of Owners and Unibail Rodamco Spain, S.L.U., as well as its DPO, can be contacted by email or by postal mail at the addresses indicated above. Unibail Management Data Privacy Team (including its DPO) can be contacted by email at data.protection@urw.com or by post at 7 place du Chancelier Adenauer 75116 PARIS.

In general, the Group Controller will process your personal data in order to assist the local Data Controller and ensure overall governance at group level.

Some functions are specifically assigned to the local Data Controller or the Group Controller as follows:

Functions of the local Data Controller:

The local Data Controller will process your personal data in order to send you communications to inform you about offers and events specific to the respective shopping centre, as well as to provide you with offers.

Functions of the Data Controller of the group:

The Data Controller of the group has signed various data processing and service contracts with service providers to provide you with the technical opportunity to register you in the Loyalty Program or download and use the Shopping Center application.

The Group Controller will also be responsible for the preparation of some communications, coordinated at group level, which will be sent by the local Data Controller. In addition, the Data Controller of the group will negotiate with third parties special offers that can be accessed by members of the Loyalty Program.

The Data Controller of the group will process your personal data in order to:

  • Manage your registration in the Loyalty Program
  • Analyze your behavior within the mall as more specifically detailed in the table below (3.1) to provide you with personalized offers and events that may interest you.

The local Data Controller and the Group Controller shall act as joint data controllers and hereinafter jointly referred to as "Data Controller", "we", "us" or "our".

2/ How do we collect your personal data?

We collect your personal data through the following means:

- directly from you; or

- your use of the Services

  • a) When you use the Loyalty Card, including the virtual one, if it is scanned during your visit, we collect information related to the type of service for which your Loyalty Card was used (example: events, birthday gift) and, therefore, your presence within our shopping center.
  • b) When you use our Mall App or visit our website as an authenticated user, we collect:

information about the frequency of your visits, your itineraries within the shopping center provided that we have obtained your prior consent to collect this information (only for the Shopping Center application - see article 8 Geolocation).

  • c) When you use the website and accept the use of cookies, we collect the cookies you have accepted. You will find all the data about the uses and the cookies policy in the terms of use accessible by clicking on the following enlace: es.westfield.com/termsofuse

Details on the different ways of collecting your personal data can be found in the section "Processingof personal data" in the table in section 3 below.

3/ Details on the processing of your personal data

3.1 - In the following table you will find all the information related to:

  • Why we are processing your personal data (specific purpose)
  • What personal data is being processed (personal data processed)
  • On what legal basis we are processing your personal data (Legal basis)
  • How long we store your personal data (retention period)
  • What rights you can exercise in relation to your personal data (Rights)

 

Specific purpose

Personal data processed

Legal basis

Retention period

Rights

Available rights depend on the legal basis

Management of your registration in the Loyalty Program

Provided directly by you:

Required: title, first name, last name, email address, date of birth

Optional: telephone number, , information that the interested party is working in the area of the shopping center.

Provided to us by a third party:

N/A

Execution of a contract (Terms of Use of the Loyalty Program)

Article 6.1.b) GDPR

3 years from the last digital contact or use of the Services

Access

Rectification

Suppression

Limitation of processing

Portability

Management of participation in events organized by the Shopping Center

 

Please note that we may send you a communication to allow you to participate in the event (for example: if the event requires you to have proof of registration to participate)

Provided directly by you:

email address, first name, last name, telephone number

 

Provided to us by a third party:

N/A

Legitimate interest of the Data Controller to offer the opportunity to the members of the Loyalty Program to participate in the events organized to their attention and guarantee the security of said event.

Article 6.1.f) of the GDPR

6 months from the course of the event

 

Access

Rectification

Suppression

Limitation of processing

Portability

Collection of loyalty points

See data in section 3.2

Provided directly by you: N/A

Provided by Transaction Connect: purchase amount, date and store of purchase

Execution of a contract (Terms of Use of the Loyalty Program)

3 years from the last digital contact or use of the Services

Access

Rectification

Suppression

Limitation of processing

Portability

Management of the offers and benefits of the Loyalty Program

Free access to the services (under conditions detailed in the Terms of Use of the Loyalty Program):

Toilets

Loan of objects (strollers, umbrellas)

Birthday gift

Provided directly by you:

Loyalty card number, barcode, first name, last name, date of birth

Provided to us by a third party:

N/A

Execution of contract (Terms of Use of the Loyalty Program)

 

Article 6.1.b) GDPR

There is no storage for the use of offers and benefits.

 

If the Loyalty Card is scanned (never for the use of the toilets) we may retain your date of visit and the type of services/offer used

Access

Rectification

Suppression

Limitation of processing

Portability

Participation in contests organized for members of the Loyalty Program

Provided directly by you:

Loyalty card number, name, surname, date of birth, personal information that may be contained in the contest itself (answers to questions)

 

Provided to us by a third party:

N/A

Contract execution (contest rules)

 

Article 6.1.b) GDPR

1 month after the awards ceremony to the winners

Access

Rectification

Suppression

Limitation of processing

Portability

Delivery or sending of rewards to members of the Loyalty Program who have activated the loyalty points program (for example: prize awarded to a member chosen at random from among people who have spent at least [amount to be determined] euros for a certain time - a specific communication would be made to members within the corresponding scope)

Provided by Transaction Connect: purchase amount, date and store of purchase

Legitimate interest of the Data Controller to manage the program in order to increase its database and the amount spent in the shopping center and legitimate interest of the members to obtain prizes

Article 6.1.f) of the GDPR

No specific data is stored as the information is kept within the framework of the collection of loyalty points; see below

Access

Rectification

Suppression

Limitation of processing

Objection to processing

Management of communication for information purposes in relation to the Loyalty Program

(for example: information about an event accessible only to members of the Loyalty Program)

Provided directly by you:

Loyalty card number, title, first name, last name, email address

Phone number (optional)

Provided to us by a third party:

N/A

Execution of a contract (Terms of Use of the Loyalty Program)

Article 6.1.b) GDPR

3 years from the last digital contact or use of the Services

Access

Rectification

Suppression

Limitation of processing

Portability

Management of commercial communication:

By email and/or sms if you have provided us with your mobile phone number. These communications may or may not be personalized.

Such Communications will include promotional information on products and services of the Shopping Center and third parties located in it (discounts on restaurants or other premises, new openings, etc.)

Provided directly by you:

e-mail address

phone number (optional)

 

Provided to us by a third party:

N/A

Consent

Article 6.1.a) of the GDPR

3 years from the last digital contact or use of the Services or until the withdrawal of consent, whichever occurs first

Access

Rectification

Suppression

Limitation of processing

Opposition to processing

Portability

Analysis of your information/use of the services:

  • to offer you personalized offers; and
  • to improve our understanding of your expectations and needs and develop new features and services.

Please note that, in this perspective, we will combine the personal data listed in the corresponding column to better understand your interests and habits.

 

This analysis will result in the assignment of certain interest segments. These interest segments will be assigned either after their own declaration (for example declaration of interest in "Sport") or may be deducted from any other interest declared or that can be deduced from the use of the Services (for example through the Loyalty Points Activation Program, the Data Controller will be aware that the members of the loyalty program usually go to sports stores and therefore assign them to the segment "Sport")

In the event that you have not consented to the receipt of commercial communications, we will use such information to improve our services

Obtained directly from you: all information that may be provided by you.

Obtained from your activity:

Behaviour on the website (cookies)

Participation in events organized by the mall

Your use of wifi: date of visit to the mall

Your use of the points earned by the loyalty program

When your Loyalty Card is scanned for the use of a service or in participation in an event at the Shopping Center

 

Legitimate interest of the Data Controller to better understand the customer and to be able to provide the appropriate services and/or offers and the legitimate interest of the loyalty members to receive personalized offers and services.

Article 6.1.f) of the GDPR

 

Please note that:

- cookies are installed only on the legal basis of your consent (Article 6.1.a) of the GDPR

- information relating to your use of Wi-Fi is stored only on the legal basis of your consent (Article 6.1.a) GDPR

=> but the analysis of that information, as described herein, is carried out on the basis of legitimate interest (Article 6(1)(f) GDPR

3 years from the last digital contact or use of the Services

Access

Rectification

Suppression

Limitation of processing

Opposition to processing

Portability

Geolocation (only within the mall, through the Mall app)

Provided directly by you:

Provided by the use of the service: location data within the mall

Provided to us by a third party: N/A

Consent (granted through the Shopping Center app)

Article 6.1.a) of the GDPR

We will not store your geolocation.

Access

Rectification

Suppression

Limitation of processing

Portability

Opposition to processing

Respond to member loyalty requests related to personal data

Provided directly by you:

Name, surname, email address, loyalty program member number or copy of id, if applicable

 

Provided to us by a third party:

N/A

Legal obligation

Article 6.1.c) GDPR

The calendar year of reception, plus 5 years

 

If your ID card is requested, it will be deleted immediately after verification of your identity

Access

Rectification

Limitation of processing

Suppression

Getting your feedback on our services

Provided directly by you: responses to a questionnaire regarding the assessment of the services provided by us.

Legitimate interest of the Data Controller to better understand the customer and improve the services and provide services and/or offers that are adequate

Article 6.1.f) of the GDPR

3 years from the last digital contact or use of the Services

Access

Rectification

Suppression

Limitation of processing

Opposition to processing

Establishment, exercise or defense of legal claims

(for example, where a law enforcement agency or regulatory body is investigating a crime or incident)

Relevant personal data relating to the claim or dispute

Legitimate interest of the Data Controller to ensure its defense;

Article 6.1.f) of the GDPR

Legal deadline according to the type of claim/litigation

Access

Rectification

Suppression

Limitation of processing

Opposition to processing


 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

3.2 Specific provisions - Loyalty Points Program

As part of a special functionality within the Loyalty Program to be activated, please note that you have the possibility to subscribe to the Loyalty Points Program. Once the Loyalty Points Program is activated, you may be entitled to refunds based on purchases you make at the mall. Activation of the Loyalty Points Program is optional and remains completely free for you to activate this feature. For more information, please refer to the Loyalty Program Terms of Use: es.westfield.com/termsofuse

In order to organize, manage and implement the payment of refunds resulting from your transactions, as well as to analyze the payment flows resulting from the use of the Loyalty Points Program, please note that Transaction Connect (a French company with registered office located at 86, rue du faubourg St Denis 75010 Paris,  and registered in the Paris Commercial and Companies Register under number 822 619185) will only be considered to act as an independent data controller with respect to the processing of your personal data in question. For clarity, both we and Transaction Connect act individually as controllers of your personal data with respect to the Loyalty Points Program.

You can find additional information about the processing activities implemented by Transaction Connect, including information about your rights as a data subject, by clicking on this link.

Please note that in any event we are not responsible for the data processing activities carried out by Transaction Connect when acting as an independent controller. Consequently, any claim or demand related to the processing of personal data carried out by Transaction Connect will be addressed to Transaction Connect directly in accordance with the provisions of its privacy policy es.westfield.com/privacypolicy and terms of use es.westfield.com/termsofuse, which you must read and accept when subscribing to the Loyalty Points Program.

Once you have activated the Loyalty Points Program, the data controllers will receive the confirmation and relevant purchases you make within the mall as detailed in the table above, so that the data controllers can manage and account for their Loyalty Points to benefit from them under the Loyalty Points Program. In no event will we have access to or receive information relating to your bank accounts, credit cards or any personal data of a financial nature.

4/ How do we share your personal data?

  • your loyalty member number, or, if you don't have one,
  • an identity document

We may share your personal data with:

  • our current processors are listed in Annex 1. The list is updated periodically and includes the name of the company, the address of the company and the specific purpose of the service provider's processing;
  • any competent authority or legal entity to respond to legal or regulatory claims, court orders, subpoenas or legal process, if necessary to comply with applicable law;
  • any assignee, where personal data is transferred as part of the sale or transfer of all or part of our assets to another company;

5/ How do we keep your personal data safe?

We strictly assume the security of all personal data in our possession and are committed to protecting your personal data. To this end, we have put in place all the necessary technical and organizational security measures and have chosen our suppliers accordingly.

We have signed specific data processing contracts with each of the service providers listed in Annex 1 and have verified their general technical and organisational measures. Service providers are only authorized to process personal data as processors, in accordance with the provisions of this Privacy Policy, and only on our behalf and in accordance with our instructions.

However, we cannot control all the risks related to the use of the Internet, and the security of the data also depends on the vigilance of everyone and the proper use of these technologies, so we invite our customers to remain attentive to the possible risks inherent when using the Internet services.

6/ When do we transfer your personal data outside the European Economic Area?

We use third-party service providers who help us provide you with the Services and process your personal data on our behalf. Such third party service providers will always be subject to security and confidentiality obligations in accordance with this Privacy Policy and applicable legislation.

Please note that some of these third-party service providers are located outside the EEA (European Economic Area) and may therefore access and process your personal data from countries that do not provide an adequate level of data protection. In the event of such a transfer outside the EEA, we incorporate into the model clauses adopted by the European Commission to ensure that your personal data benefits from an adequate level of protection when accessed and processed from there. Our managers may also adhere to the Binding Corporate Rules.

If you need more information about this, please contact us by email at the address mentioned in section 7.5 below.

Information on the model clauses adopted by the European Commission can be found at this link.

You can find information about the Binding Corporate Rules at this link.

7/ Your rights in relation to your personal data

7.1 In accordance with all applicable regulations and, in accordance with the provisions of the table in section 3.1 above (column "Rights"), you have the right to*:

  • Access your personal data: we will give you detailed information about the processing of your personal data;
  • Obtain the rectification of your personal data: if the personal data we are processing is inaccurate;
  • Obtain the deletion of your personal data: if you want us to delete some or all of your personal data;
  • Object to the processing of your personal information: if you want us to stop the processing of your personal data until we demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.
  • In order to obtain the limitation of the processing of your personal information if you contest the accuracy, legality or our need to process your personal data, we will limit the processing of your personal data to a minimum (storage) and, if applicable, the processing only for the establishment, exercise or defense of legal claims or, where appropriate, for the protection of another natural or legal person,  or other limited reason dictated by applicable laws.
  • Receive your personal data in a structured and standardized format or to request the transmission of such information to another controller (portability).

Please note that the rights available depend on the legal basis of the processing. Please refer to the provisions of the table in section 3.1 above (column "Rights") to see the rights that you can exercise specifically through the processing activity.

7.2 Withdrawal of your consent. Where the legal basis for the processing is your consent, as detailed in the table shown in section 3.1 above (column "Legal basis"), you can withdraw your consent given at any time without giving any reason.

If you do so, we will stop any further processing based on this consent. Please note that the withdrawal of your consent will not affect the basis of legitimacy of any treatment carried out on the understanding that you have previously given your consent.

To withdraw your consent to receive commercial communications:

> send an email as described in the Exercising Your Rights section below

> directly change the settings in your loyalty account

> click on the unsubscribe link available in all our communications

7.3 Unsubscribe from commercial communication for informational purposes in relation to the Loyalty Program

As part of the Loyalty Program and, according to the execution of a contract between you and us as a basis for legitimizing the treatment (the Terms of Use of the Loyalty Program) we will send you commercial communications (which will only be about the Loyalty Program and that will not contain any commercial offer).

If you do not wish to receive such communications, you may ask us to stop sending them as follows:

> send an email as described in the Exercising Your Rights section below; or

> directly change the settings in your Loyalty account or,

> click on the unsubscribe link available in all our communications.

7.4 Deletion of your Loyalty Account

If you wish to delete your Loyalty Account, you may:

> delete directly in your Loyalty Account settings; or

> send an email as described in the Exercising Your Rights section below.

7.5 Exercising your rights

If you wish to exercise these rights and/or obtain all relevant information, please contact us at the following address: atencionalclientewestfield@lamaquinista.com

To ensure an effective exercise of your rights, please note that you can send your request to the aforementioned address for your inquiries and complaints regarding the processing for both controllers (local Data Controller and Group Controller).

To avoid infringing the rights of third parties, we reserve the right, in case of reasonable doubt, to proceed with the prior verification of your identity to ask you:

We will respond within 1 month after receiving your request but where necessary, and due to the complexity of your request, we will extend this period for a period of 2 months. In any case, we will inform you within 1 month of receiving your request if we decide to extend the deadline to respond.

If necessary, you can also address any questions at the welcome desk of your shopping center.

  1. Complaints

You have the right to lodge a complaint about the way we process your personal data with the Spanish Data Protection Agency.

8/ Geolocation

8.1 General principle

Subject to your prior express consent given in the mall request, information related to your location within our mall may be stored and processed by us while you are authenticated in our Mall Applications in order to measure the frequency of your visits and itineraries within our mall and/or provision of location-related services.

Geolocation will only take place if you have activated the additional services/specific function in the settings of your Shopping Center application downloaded to your mobile device. You may disable these additional services at any time in the latter's settings.

Please note that, once given, your consent will be effective immediately for any additional connections on our Mall App and for any additional visits to our mall within 12 months of the first connection, unless you withdraw your consent.

8.2 How to manage your geolocation preferences on your mobile device

To be located inside the mall, you will be prompted to turn on the Bluetooth feature on your mobile device.

If you only want to consult the map, you do not need to activate the Bluetooth function.

Please note that we will not locate you outside of our mall. The location option is made using the Bluetooth beacons that are installed in the common areas of the shopping center only.

You can disable the geolocation of your mobile device through your mobile device's settings at any time.

9/Automated decision-making/profiling

There is currently no automated decision-making or profiling process that legally affects you or significantly affects you. But we will provide you with specific offers based on your individual personal data and the analysis of your user behaviour.

In fact, as we do not want to bother you with information and promotions that may not be relevant to you, we evaluate your purchase profile, that is, information such as your previous purchases and preferences that we collect through the use of our Services as detailed in the table (section 3.1), to send you only information and promotions that we consider interesting or relevant to you.

10/ Transfer in case of change of ownership

If Unibail-Rodamco-Westfield Group is involved in a merger, acquisition, dissolution or sale of all or part of the shopping centre, or its management or owner company, where you are registered as a member of the Loyalty Programme, we reserve the right to transfer your personal data. You will be notified if such change requires notice or consent under applicable law, you will be notified, or you will be given the opportunity to give your consent.

11/ Update of this Privacy Policy

We may revise or update this Privacy Policy from time to time. Any changes to this Privacy Policy will be effective upon online posting on this website.

If such change requires notice or consent under applicable law, you will be notified or given the opportunity to give your consent.

Annex 1 – List of service providers

Registration Account Manager

Company

Address

Company Information

Country (personal data)

Gigya Inc.

2513 East Charlestine Road Suite 200 Mountain View, CA 94043, USA

A Delaware Corporation

Israel / USA

Cardiweb (card creation)

14 rue auber 75009 Paris, France

RCS Paris n° B 431809 508

France

CRM-Manager (Customer Relationship Manager)

 

Company

Address

Company Information

Country (personal data)

Cardiweb

14 rue auber 75009 Paris, France

RCS Paris n° B 431809 508

France

Salesforce EMEA Ltd

Floor 26 Salesforce tower 110 bishopsgate, London EC2N 4AY United Kingdom

Español company

USA

Lineup7

8 boulevard du Montparnasse, 75015 Paris

SIREN 810386110

France

Storage

Company

Address

Company Information

Country (personal data)

Amazon Web Services Inc.

1200 12th Avenue South

Suite 1200

Seattle, WA98144

United States

Delaware Corporation

Ireland/ USA

Event Registration

Company

Address

Company Information

Country (personal data)

JRNI .

150 Wharfedale Road,

Winnersh Triangle,

Berkshire, England

RG41 5GB

English Company

Ireland and the United Kingdom (for maintenance)

Customer satisfaction survey

Company

Address

Company Information

Country (personal data)

Myfeelback .

6 chemin of Limayrac,

31500 TOULOUSE

France

French Company

France

Card wallet

Company

Address

Company Information

Country (personal data)

Carving labs

44 rue Richer

75009 PARIS,

France

French Company

France

Reception

Company

Address

Company Information

Country (personal data)

Manpower

Paseo de Gracia, 87, 2º, 08008 Barcelona, Spain

Worldwide Corporation

USA

Organization in charge of the draws

Company

Address

Company Information

Country (personal data)

Comment Picker

Haarlem, North Holland, Netherlands

Dutch Company

Holland

Company

Address

Company Information

Country (personal data)

Qualifio

Place de l'Université 25,1348 Louvain-la-NeuveBelgium

Belgian company

Belgium

Company

Address

Company Information

Country (personal data)

Cocomood

c/ Níspero 7, 47008 Valladolid

Spanish company

Spain