Privacy Policy for the Loyalty Program
The date of the last update of this privacy policy was in February 2021.
This Privacy Policy explains how the data controller (referred to in this Privacy Policy as the "Data Controller", "we", "us" or "our") stores and processes your personal data in the context of the provisions of our Loyalty Programme (including access to your loyalty account within the shopping centre website and applications, collectively, the "Services").
This Privacy Policy covers the following:
1/Contact details of the Data Controller
2/How do we collect your personal data?
3/Details on the processing of your personal data
4/How do we share your personal data?
5/How do we keep your personal data safe?
6/Do we transfer your personal data outside the European Economic Area?
7/Your rights in relation to your personal data
8/Geolocation
9/Automated decision-making/profiling
10/Transfer in case of change of ownership
11/Update of this Privacy Policy
1/Contact details of the Data Controller
The local Data Controller:
COMMUNITY OF OWNERS OF THE SHOPPING CENTER LA MAQUINISTA
PASSEIG DEL POTOSÍ nº2
Telephone: 93 360 89 71
E-mail: atencionalclientewestfield@lamaquinista.com
UNIBAIL RODAMCO SPAIN, S.L.U
C/José Abascal, nº 56. Madrid (CP 28003).
Phone: +34.91.700.65.00
Email in data.protection@urw.com
Responsible for the Treatment of the group:
Unibail Management
Simplified public limited company with a capital of € 20,000,000
With registered office at 7 place du Chancelier Adenauer 75016 Paris
Registered in the Paris Register under number 414878389
The Community of Owners and Unibail Rodamco Spain, S.L.U., as well as its DPO, can be contacted by email or by postal mail at the addresses indicated above. Unibail Management Data Privacy Team (including its DPO) can be contacted by email at data.protection@urw.com or by post at 7 place du Chancelier Adenauer 75116 PARIS.
In general, the Group Controller will process your personal data in order to assist the local Data Controller and ensure overall governance at group level.
Some functions are specifically assigned to the local Data Controller or the Group Controller as follows:
Functions of the local Data Controller:
The local Data Controller will process your personal data in order to send you communications to inform you about offers and events specific to the respective shopping centre, as well as to provide you with offers.
Functions of the Data Controller of the group:
The Data Controller of the group has signed various data processing and service contracts with service providers to provide you with the technical opportunity to register you in the Loyalty Program or download and use the Shopping Center application.
The Group Controller will also be responsible for the preparation of some communications, coordinated at group level, which will be sent by the local Data Controller. In addition, the Data Controller of the group will negotiate with third parties special offers that can be accessed by members of the Loyalty Program.
The Data Controller of the group will process your personal data in order to:
- Manage your registration in the Loyalty Program
- Analyze your behavior within the mall as more specifically detailed in the table below (3.1) to provide you with personalized offers and events that may interest you.
The local Data Controller and the Group Controller shall act as joint data controllers and hereinafter jointly referred to as "Data Controller", "we", "us" or "our".
2/ How do we collect your personal data?
We collect your personal data through the following means:
- directly from you; or
- your use of the Services
- a) When you use the Loyalty Card, including the virtual one, if it is scanned during your visit, we collect information related to the type of service for which your Loyalty Card was used (example: events, birthday gift) and, therefore, your presence within our shopping center.
- b) When you use our Mall App or visit our website as an authenticated user, we collect:
information about the frequency of your visits, your itineraries within the shopping center provided that we have obtained your prior consent to collect this information (only for the Shopping Center application - see article 8 Geolocation).
- c) When you use the website and accept the use of cookies, we collect the cookies you have accepted. You will find all the data about the uses and the cookies policy in the terms of use accessible by clicking on the following enlace: es.westfield.com/termsofuse
Details on the different ways of collecting your personal data can be found in the section "Processingof personal data" in the table in section 3 below.
3/ Details on the processing of your personal data
3.1 - In the following table you will find all the information related to:
- Why we are processing your personal data (specific purpose)
- What personal data is being processed (personal data processed)
- On what legal basis we are processing your personal data (Legal basis)
- How long we store your personal data (retention period)
- What rights you can exercise in relation to your personal data (Rights)
Specific purpose |
Personal data processed |
Legal basis |
Retention period |
Rights Available rights depend on the legal basis |
Management of your registration in the Loyalty Program |
Provided directly by you: Required: title, first name, last name, email address, date of birth Optional: telephone number, , information that the interested party is working in the area of the shopping center. Provided to us by a third party: N/A |
Execution of a contract (Terms of Use of the Loyalty Program) Article 6.1.b) GDPR |
3 years from the last digital contact or use of the Services |
Access Rectification Suppression Limitation of processing Portability |
Management of participation in events organized by the Shopping Center
Please note that we may send you a communication to allow you to participate in the event (for example: if the event requires you to have proof of registration to participate) |
Provided directly by you: email address, first name, last name, telephone number
Provided to us by a third party: N/A |
Legitimate interest of the Data Controller to offer the opportunity to the members of the Loyalty Program to participate in the events organized to their attention and guarantee the security of said event. Article 6.1.f) of the GDPR |
6 months from the course of the event |
Access Rectification Suppression Limitation of processing Portability |
Collection of loyalty points See data in section 3.2 |
Provided directly by you: N/A Provided by Transaction Connect: purchase amount, date and store of purchase |
Execution of a contract (Terms of Use of the Loyalty Program) |
3 years from the last digital contact or use of the Services |
Access Rectification Suppression Limitation of processing Portability |
Management of the offers and benefits of the Loyalty Program Free access to the services (under conditions detailed in the Terms of Use of the Loyalty Program): Toilets Loan of objects (strollers, umbrellas) Birthday gift |
Provided directly by you: Loyalty card number, barcode, first name, last name, date of birth Provided to us by a third party: N/A |
Execution of contract (Terms of Use of the Loyalty Program)
Article 6.1.b) GDPR |
There is no storage for the use of offers and benefits.
If the Loyalty Card is scanned (never for the use of the toilets) we may retain your date of visit and the type of services/offer used |
Access Rectification Suppression Limitation of processing Portability |
Participation in contests organized for members of the Loyalty Program |
Provided directly by you: Loyalty card number, name, surname, date of birth, personal information that may be contained in the contest itself (answers to questions)
Provided to us by a third party: N/A |
Contract execution (contest rules)
Article 6.1.b) GDPR |
1 month after the awards ceremony to the winners |
Access Rectification Suppression Limitation of processing Portability |
Delivery or sending of rewards to members of the Loyalty Program who have activated the loyalty points program (for example: prize awarded to a member chosen at random from among people who have spent at least [amount to be determined] euros for a certain time - a specific communication would be made to members within the corresponding scope) |
Provided by Transaction Connect: purchase amount, date and store of purchase |
Legitimate interest of the Data Controller to manage the program in order to increase its database and the amount spent in the shopping center and legitimate interest of the members to obtain prizes Article 6.1.f) of the GDPR |
No specific data is stored as the information is kept within the framework of the collection of loyalty points; see below |
Access Rectification Suppression Limitation of processing Objection to processing |
Management of communication for information purposes in relation to the Loyalty Program (for example: information about an event accessible only to members of the Loyalty Program) |
Provided directly by you: Loyalty card number, title, first name, last name, email address Phone number (optional) Provided to us by a third party: N/A |
Execution of a contract (Terms of Use of the Loyalty Program) Article 6.1.b) GDPR |
3 years from the last digital contact or use of the Services |
Access Rectification Suppression Limitation of processing Portability |
Management of commercial communication: By email and/or sms if you have provided us with your mobile phone number. These communications may or may not be personalized. Such Communications will include promotional information on products and services of the Shopping Center and third parties located in it (discounts on restaurants or other premises, new openings, etc.) |
Provided directly by you: e-mail address phone number (optional)
Provided to us by a third party: N/A |
Consent Article 6.1.a) of the GDPR |
3 years from the last digital contact or use of the Services or until the withdrawal of consent, whichever occurs first |
Access Rectification Suppression Limitation of processing Opposition to processing Portability |
Analysis of your information/use of the services:
Please note that, in this perspective, we will combine the personal data listed in the corresponding column to better understand your interests and habits.
This analysis will result in the assignment of certain interest segments. These interest segments will be assigned either after their own declaration (for example declaration of interest in "Sport") or may be deducted from any other interest declared or that can be deduced from the use of the Services (for example through the Loyalty Points Activation Program, the Data Controller will be aware that the members of the loyalty program usually go to sports stores and therefore assign them to the segment "Sport") In the event that you have not consented to the receipt of commercial communications, we will use such information to improve our services |
Obtained directly from you: all information that may be provided by you. Obtained from your activity: Behaviour on the website (cookies) Participation in events organized by the mall Your use of wifi: date of visit to the mall Your use of the points earned by the loyalty program When your Loyalty Card is scanned for the use of a service or in participation in an event at the Shopping Center
|
Legitimate interest of the Data Controller to better understand the customer and to be able to provide the appropriate services and/or offers and the legitimate interest of the loyalty members to receive personalized offers and services. Article 6.1.f) of the GDPR
Please note that: - cookies are installed only on the legal basis of your consent (Article 6.1.a) of the GDPR - information relating to your use of Wi-Fi is stored only on the legal basis of your consent (Article 6.1.a) GDPR => but the analysis of that information, as described herein, is carried out on the basis of legitimate interest (Article 6(1)(f) GDPR |
3 years from the last digital contact or use of the Services |
Access Rectification Suppression Limitation of processing Opposition to processing Portability |
Geolocation (only within the mall, through the Mall app) |
Provided directly by you: Provided by the use of the service: location data within the mall Provided to us by a third party: N/A |
Consent (granted through the Shopping Center app) Article 6.1.a) of the GDPR |
We will not store your geolocation. |
Access Rectification Suppression Limitation of processing Portability Opposition to processing |
Respond to member loyalty requests related to personal data |
Provided directly by you: Name, surname, email address, loyalty program member number or copy of id, if applicable
Provided to us by a third party: N/A |
Legal obligation Article 6.1.c) GDPR |
The calendar year of reception, plus 5 years
If your ID card is requested, it will be deleted immediately after verification of your identity |
Access Rectification Limitation of processing Suppression |
Getting your feedback on our services |
Provided directly by you: responses to a questionnaire regarding the assessment of the services provided by us. |
Legitimate interest of the Data Controller to better understand the customer and improve the services and provide services and/or offers that are adequate Article 6.1.f) of the GDPR |
3 years from the last digital contact or use of the Services |
Access Rectification Suppression Limitation of processing Opposition to processing |
Establishment, exercise or defense of legal claims (for example, where a law enforcement agency or regulatory body is investigating a crime or incident) |
Relevant personal data relating to the claim or dispute |
Legitimate interest of the Data Controller to ensure its defense; Article 6.1.f) of the GDPR |
Legal deadline according to the type of claim/litigation |
Access Rectification Suppression Limitation of processing Opposition to processing |
3.2 Specific provisions - Loyalty Points Program
As part of a special functionality within the Loyalty Program to be activated, please note that you have the possibility to subscribe to the Loyalty Points Program. Once the Loyalty Points Program is activated, you may be entitled to refunds based on purchases you make at the mall. Activation of the Loyalty Points Program is optional and remains completely free for you to activate this feature. For more information, please refer to the Loyalty Program Terms of Use: es.westfield.com/termsofuse
In order to organize, manage and implement the payment of refunds resulting from your transactions, as well as to analyze the payment flows resulting from the use of the Loyalty Points Program, please note that Transaction Connect (a French company with registered office located at 86, rue du faubourg St Denis 75010 Paris, and registered in the Paris Commercial and Companies Register under number 822 619185) will only be considered to act as an independent data controller with respect to the processing of your personal data in question. For clarity, both we and Transaction Connect act individually as controllers of your personal data with respect to the Loyalty Points Program.
You can find additional information about the processing activities implemented by Transaction Connect, including information about your rights as a data subject, by clicking on this link.
Please note that in any event we are not responsible for the data processing activities carried out by Transaction Connect when acting as an independent controller. Consequently, any claim or demand related to the processing of personal data carried out by Transaction Connect will be addressed to Transaction Connect directly in accordance with the provisions of its privacy policy es.westfield.com/privacypolicy and terms of use es.westfield.com/termsofuse, which you must read and accept when subscribing to the Loyalty Points Program.
Once you have activated the Loyalty Points Program, the data controllers will receive the confirmation and relevant purchases you make within the mall as detailed in the table above, so that the data controllers can manage and account for their Loyalty Points to benefit from them under the Loyalty Points Program. In no event will we have access to or receive information relating to your bank accounts, credit cards or any personal data of a financial nature.
4/ How do we share your personal data?
- your loyalty member number, or, if you don't have one,
- an identity document
We may share your personal data with:
- our current processors are listed in Annex 1. The list is updated periodically and includes the name of the company, the address of the company and the specific purpose of the service provider's processing;
- any competent authority or legal entity to respond to legal or regulatory claims, court orders, subpoenas or legal process, if necessary to comply with applicable law;
- any assignee, where personal data is transferred as part of the sale or transfer of all or part of our assets to another company;
5/ How do we keep your personal data safe?
We strictly assume the security of all personal data in our possession and are committed to protecting your personal data. To this end, we have put in place all the necessary technical and organizational security measures and have chosen our suppliers accordingly.
We have signed specific data processing contracts with each of the service providers listed in Annex 1 and have verified their general technical and organisational measures. Service providers are only authorized to process personal data as processors, in accordance with the provisions of this Privacy Policy, and only on our behalf and in accordance with our instructions.
However, we cannot control all the risks related to the use of the Internet, and the security of the data also depends on the vigilance of everyone and the proper use of these technologies, so we invite our customers to remain attentive to the possible risks inherent when using the Internet services.
6/ When do we transfer your personal data outside the European Economic Area?
We use third-party service providers who help us provide you with the Services and process your personal data on our behalf. Such third party service providers will always be subject to security and confidentiality obligations in accordance with this Privacy Policy and applicable legislation.
Please note that some of these third-party service providers are located outside the EEA (European Economic Area) and may therefore access and process your personal data from countries that do not provide an adequate level of data protection. In the event of such a transfer outside the EEA, we incorporate into the model clauses adopted by the European Commission to ensure that your personal data benefits from an adequate level of protection when accessed and processed from there. Our managers may also adhere to the Binding Corporate Rules.
If you need more information about this, please contact us by email at the address mentioned in section 7.5 below.
Information on the model clauses adopted by the European Commission can be found at this link.
You can find information about the Binding Corporate Rules at this link.
7/ Your rights in relation to your personal data
7.1 In accordance with all applicable regulations and, in accordance with the provisions of the table in section 3.1 above (column "Rights"), you have the right to*:
- Access your personal data: we will give you detailed information about the processing of your personal data;
- Obtain the rectification of your personal data: if the personal data we are processing is inaccurate;
- Obtain the deletion of your personal data: if you want us to delete some or all of your personal data;
- Object to the processing of your personal information: if you want us to stop the processing of your personal data until we demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.
- In order to obtain the limitation of the processing of your personal information if you contest the accuracy, legality or our need to process your personal data, we will limit the processing of your personal data to a minimum (storage) and, if applicable, the processing only for the establishment, exercise or defense of legal claims or, where appropriate, for the protection of another natural or legal person, or other limited reason dictated by applicable laws.
- Receive your personal data in a structured and standardized format or to request the transmission of such information to another controller (portability).
Please note that the rights available depend on the legal basis of the processing. Please refer to the provisions of the table in section 3.1 above (column "Rights") to see the rights that you can exercise specifically through the processing activity.
7.2 Withdrawal of your consent. Where the legal basis for the processing is your consent, as detailed in the table shown in section 3.1 above (column "Legal basis"), you can withdraw your consent given at any time without giving any reason.
If you do so, we will stop any further processing based on this consent. Please note that the withdrawal of your consent will not affect the basis of legitimacy of any treatment carried out on the understanding that you have previously given your consent.
To withdraw your consent to receive commercial communications:
> send an email as described in the Exercising Your Rights section below
> directly change the settings in your loyalty account
> click on the unsubscribe link available in all our communications
7.3 Unsubscribe from commercial communication for informational purposes in relation to the Loyalty Program
As part of the Loyalty Program and, according to the execution of a contract between you and us as a basis for legitimizing the treatment (the Terms of Use of the Loyalty Program) we will send you commercial communications (which will only be about the Loyalty Program and that will not contain any commercial offer).
If you do not wish to receive such communications, you may ask us to stop sending them as follows:
> send an email as described in the Exercising Your Rights section below; or
> directly change the settings in your Loyalty account or,
> click on the unsubscribe link available in all our communications.
7.4 Deletion of your Loyalty Account
If you wish to delete your Loyalty Account, you may:
> delete directly in your Loyalty Account settings; or
> send an email as described in the Exercising Your Rights section below.
7.5 Exercising your rights
If you wish to exercise these rights and/or obtain all relevant information, please contact us at the following address: atencionalclientewestfield@lamaquinista.com
To ensure an effective exercise of your rights, please note that you can send your request to the aforementioned address for your inquiries and complaints regarding the processing for both controllers (local Data Controller and Group Controller).
To avoid infringing the rights of third parties, we reserve the right, in case of reasonable doubt, to proceed with the prior verification of your identity to ask you:
We will respond within 1 month after receiving your request but where necessary, and due to the complexity of your request, we will extend this period for a period of 2 months. In any case, we will inform you within 1 month of receiving your request if we decide to extend the deadline to respond.
If necessary, you can also address any questions at the welcome desk of your shopping center.
- Complaints
You have the right to lodge a complaint about the way we process your personal data with the Spanish Data Protection Agency.
8/ Geolocation
8.1 General principle
Subject to your prior express consent given in the mall request, information related to your location within our mall may be stored and processed by us while you are authenticated in our Mall Applications in order to measure the frequency of your visits and itineraries within our mall and/or provision of location-related services.
Geolocation will only take place if you have activated the additional services/specific function in the settings of your Shopping Center application downloaded to your mobile device. You may disable these additional services at any time in the latter's settings.
Please note that, once given, your consent will be effective immediately for any additional connections on our Mall App and for any additional visits to our mall within 12 months of the first connection, unless you withdraw your consent.
8.2 How to manage your geolocation preferences on your mobile device
To be located inside the mall, you will be prompted to turn on the Bluetooth feature on your mobile device.
If you only want to consult the map, you do not need to activate the Bluetooth function.
Please note that we will not locate you outside of our mall. The location option is made using the Bluetooth beacons that are installed in the common areas of the shopping center only.
You can disable the geolocation of your mobile device through your mobile device's settings at any time.
9/Automated decision-making/profiling
There is currently no automated decision-making or profiling process that legally affects you or significantly affects you. But we will provide you with specific offers based on your individual personal data and the analysis of your user behaviour.
In fact, as we do not want to bother you with information and promotions that may not be relevant to you, we evaluate your purchase profile, that is, information such as your previous purchases and preferences that we collect through the use of our Services as detailed in the table (section 3.1), to send you only information and promotions that we consider interesting or relevant to you.
10/ Transfer in case of change of ownership
If Unibail-Rodamco-Westfield Group is involved in a merger, acquisition, dissolution or sale of all or part of the shopping centre, or its management or owner company, where you are registered as a member of the Loyalty Programme, we reserve the right to transfer your personal data. You will be notified if such change requires notice or consent under applicable law, you will be notified, or you will be given the opportunity to give your consent.
11/ Update of this Privacy Policy
We may revise or update this Privacy Policy from time to time. Any changes to this Privacy Policy will be effective upon online posting on this website.
If such change requires notice or consent under applicable law, you will be notified or given the opportunity to give your consent.
Annex 1 – List of service providers
Registration Account Manager
Company |
Address |
Company Information |
Country (personal data) |
Gigya Inc. |
2513 East Charlestine Road Suite 200 Mountain View, CA 94043, USA |
A Delaware Corporation |
Israel / USA |
Cardiweb (card creation) |
14 rue auber 75009 Paris, France |
RCS Paris n° B 431809 508 |
France |
CRM-Manager (Customer Relationship Manager)
Company |
Address |
Company Information |
Country (personal data) |
Cardiweb |
14 rue auber 75009 Paris, France |
RCS Paris n° B 431809 508 |
France |
Salesforce EMEA Ltd |
Floor 26 Salesforce tower 110 bishopsgate, London EC2N 4AY United Kingdom |
Español company |
USA |
Lineup7 |
8 boulevard du Montparnasse, 75015 Paris |
SIREN 810386110 |
France |
Storage
Company |
Address |
Company Information |
Country (personal data) |
Amazon Web Services Inc. |
1200 12th Avenue South Suite 1200 Seattle, WA98144 United States |
Delaware Corporation |
Ireland/ USA |
Event Registration
Company |
Address |
Company Information |
Country (personal data) |
JRNI . |
150 Wharfedale Road, Winnersh Triangle, Berkshire, England RG41 5GB |
English Company |
Ireland and the United Kingdom (for maintenance) |
Customer satisfaction survey
Company |
Address |
Company Information |
Country (personal data) |
Myfeelback . |
6 chemin of Limayrac, 31500 TOULOUSE France |
French Company |
France |
Card wallet
Company |
Address |
Company Information |
Country (personal data) |
Carving labs |
44 rue Richer 75009 PARIS, France |
French Company |
France |
Reception
Company |
Address |
Company Information |
Country (personal data) |
Manpower |
Paseo de Gracia, 87, 2º, 08008 Barcelona, Spain |
Worldwide Corporation |
USA |
Organization in charge of the draws
Company |
Address |
Company Information |
Country (personal data) |
Comment Picker |
Haarlem, North Holland, Netherlands |
Dutch Company |
Holland |
Company |
Address |
Company Information |
Country (personal data) |
Qualifio |
Place de l'Université 25,1348 Louvain-la-NeuveBelgium |
Belgian company |
Belgium |
Company |
Address |
Company Information |
Country (personal data) |
Cocomood |
c/ Níspero 7, 47008 Valladolid |
Spanish company |
Spain |