
MEMORANDUM ON THE PROCESSING OF PERSONAL DATA

 

In the commercial activity carried out by the Promenada Novi Sad, there may be several situations in which we process your personal data. More details can be found below:

We are NEPI Real Estate Project One d.o.o. Novi Sad, a Serbian company with registered seat at Bulevar oslobođenja 119, Novi Sad, identification number 21165719, Tax Identification Number (TIN): 109345294 (hereinafter the “Controller”), part of the NEPI Rockcastle Group.

In promoting Promenada Novi Sad, we work with the following entities within the NEPI Rockcastle Group:

  • NE Property BV 7-29 Claude Debussylaan, Tribes Offices SOM Building, 3rd Floor, Amsterdam, The Netherlands, registered with the Dutch Chamber of Commerce under No. 34285470
  • NEPI Investment Management SRL Calea Floreasca 169A, Cladirea A, sectiunea 5.1, biroul 14, Sector 1, Bucharest, Romania, registered with the Commercial Register under No. J40/16378/2007, unique registration number (CUI) RO22342136
  • Marketing Advisers SRL Calea Floreasca 169A, Cladirea A, Sectiunea A5.1, biroul 37, Sector 1, Bucharest, Romania, registered with the Commercial Register under No. J40/50498/2014, unique registration number (CUI) RO33099670

From the perspective of how your personal data is processed for specific marketing purposes, the relationship between the Controller, NE Property BV, NEPI Investment Management SRL and Marketing Advisers SRL is that of Joint Controllers, according to Article (26) of the GDPR and Article 43 of the Personal Data Protection Law (“Official Gazette RS” no. 87/2018).

Also for the purpose of promoting the Promenada Novi Sad, NE Property BV makes thepromenadanovisad.rs Website (the “Website”) available to users.

This information notice is addressed to all data subjects who visit the Promenada Novi Sad, access the Website, participate in promotional campaigns or similar events held on the premises of the shopping centre or online or represent suppliers/partners/collaborators or tenants in the conduct of the contractual relationship with Promenada Novi Sad.

The way we process your personal data differs depending on your relationship with Promenada Novi Sad. To receive more information, choose the category below that is applicable to you:

I am a visitor or customer of the shopping centre

I am a user of the shopping centre website

I am the legal representative or contact person of a supplier, collaborator or tenant of the shopping centre

I am part of the staff of suppliers, collaborators or tenants of the shopping centre

In all cases, you have several rights that can be exercised, individually or cumulatively, with respect to personal data that Promenada Novi Sad holds in relation to you. Information on these rights as well as how they can be exercised is available in the Rights of data subjects section.

We undertake to process personal data in compliance with applicable legislation on the protection of personal data and good practices in this area. More information is available in the section on Data security and accuracy.

In addition, a Data Protection Officer has been appointed at the NEPI Rockcastle Group level, who can be contacted should there be any concerns about the protection of personal data and the exercise of data protection rights. The Data Protection Officer can be contacted by written, dated and signed request, using the contact details mentioned below:

Visitors to the shopping centre website

1.1      Personal data we process

  • Identification data, such as: first name and last name, date of birth
  • Account access data, such as: password
  • Contact details, such as: email address, phone number
  • Data on your preferences/interests, such as data on areas of interest – e.g., fashion, technology, pets, etc.
  • Data about your interaction with the Website, such as: information about the stores you searched for, the fact that you chose a series of products/services as favorites or that you selected a series of events that you want to participate in, as well as the recurrence with which you visit our Website/access the Account.
  • Demographic data, such as: gender, city and neighborhood where you live, whether you are married or not, whether you have children or not, the number of children and their age
  • Data on the participation in promotional campaigns and similar events, such as: prizes won, image
  • Financial data, such as: bank account number.
  • Data collected through cookies or other similar technical means (i.e., small text files that are stored on your computer, phone, tablet or mobile device, and contain information about your activity on those sites/applications), e.g.: sub-pages accessed, period spent on a specific page
  • Data from social networks, such as: the unique identification code provided by the Facebook network

In the case of the Website, we also collect your IP, but this data is not processed or used for any subsequent purpose at this time.

1.2      Use of personal data

1.2.1     General purposes

When you access the Promenada Novi Sad website (the “Website”), certain personal data about you will be processed by NE Property BV, mainly in order to be able to provide you with the requested service, namely access to the Website.

 

| No. | Purpose of processing personal data | Legal basis of processing personal data |
|---|---|---|
| 1. | Carry out economic, financial and/or administrative management activities | Legal obligation |
| 2. | Settlement of disputes, investigations or any other petitions/complaints to which NE Property BV is a party | Legitimate interest in defending our rights in court/in front of any competent authority |
| 3. | Archiving | Legal obligation |
| 4. | Conducting risk controls on NE Property BV procedures and processes, as well as conducting audits or investigations of NE Property BV | Our legitimate interest to manage risks and ensure compliance with NE Property BV procedures and processes |
| 5. | Ensure a high level of security of information systems (e.g., applications, network, infrastructure, website) | Our legitimate interest in ensuring the security of our computer systems |
| 6. | Provide you with support services when you request so | Perform the contract concluded regarding the provision of our services (i.e., in accordance with the Terms and Conditions of the Website) |

1.2.2   Data processing for marketing purposes

In its work to promote the Promenada Novi Sad, including through the Website, NE Property BV works together with the following entities within the NEPI Rockcastle Group: the Controller, as owner of the Shopping Centre, NEPI Investment Management SRL and Marketing Advisers SRL. Thus, from the perspective of how your personal data is processed for marketing purposes, the entities of the NEPI Rockcastle Group mentioned above (hereinafter collectively referred to as the “Joint Controllers” and individually as the “Joint Controller”) act as Joint Controllers, pursuant to Article (26) of the GDPR and Article 43 of the Personal Data Protection Law (“Official Gazette RS” no. 87/2018).

In connection with the processing of personal data for marketing purposes, you have all the rights set out in Data subjects’ rights. By virtue of the agreement entered into by the Joint Controllers regarding the processing of personal data for marketing purposes, they will cooperate and ensure that they fully respect your rights, regardless of the Joint Controller to whom you choose to send your request to exercise your rights.

 

| No. | Purpose of processing personal data | Legal basis of processing personal data |
|---|---|---|
| 1. | Contact you through the means of communication to provide you with information about the Website (i.e. non-marketing information) | Perform the contract concluded regarding the provision of our services (i.e., in accordance with the Terms and Conditions of the Account) |
| 2. | Create and analyse profiles about you in order to present content tailored to your preferences and to improve our services. (See more details on how to identify your preferences, section 1.3 below.) | Your consent |
| 3. | Send general or customized direct marketing messages (newsletter) via the e-mail provided when subscribing to the newsletter, in order to promote our activities, offers and products, the Group, but also the Partners | Your consent |
| 4. | Organize raffles, competitions or other similar campaigns | Perform the contract concluded (i.e., in accordance with the Regulation of the concerned raffle, competition or campaign) |
| 5. | Conduct direct marketing campaigns for specific regions or Waze users | Your consent |
| 6. | Manage and operate the accounts on the social networks of the shopping center; conduct campaigns on social networks | Your consent |
| 7. | Conduct surveys or other market research | Our legitimate interest in promoting the shopping center and better understanding the market demands |
| 8. | To perform internal analyses (including statistical analyses, reports) with respect to the customer portfolio, in order to improve and develop services, and to conduct market studies and researches to improve and develop the services of the Controller, of the Group and of their Partners. (More information about the Controller’s Group and Partners Promenada Novi Sad: section 1.5 below.) | Our legitimate interest consists in market knowledge, strategic development, development and improvement of our services |
| 9. | Document your consent | Legal obligation |
| 10. | Use of marketing cookies for the purpose of: – conducting profiling activities, also called web profiling, which involves the use of cookies to track online the general activity of a user in order to present content tailored to his preferences; – conducting targeting and retargeting campaigns. More information on cookies is available in the Cookie Policy. | Your consent |
| 11. | Create statistics designed to provide information about the performance of the Website and the marketing campaigns displayed (e.g. the number of users who accessed the campaign page, the number of users who saw the campaign banner, etc.), made by using analysis cookies. More information on cookies is available in the Cookie Policy. | Our legitimate interest in (i) improving the content of the Website and the campaigns conducted on the Website as well as the better evaluation of the performance indicators (KPI) of the commercial campaigns carried out on the Website and (ii) ensuring the operation, access and technical use of the Website and providing you with the services you have explicitly requested |
| 12. | Use of cookies necessary to ensure the operation of the Website. More information on cookies is available in the Cookie Policy. | Perform the contract regarding the provision of our services (i.e. ensuring access to the Website) |

1.3      Additional information on profiling

The Joint Controllers will create and analyze your profiles based on the personal data we hold about you – data about your preferences/interests, data about your interaction with the Website, data collected through cookies. As a result of analyzing such data, we will be able to identify your preferences, interests and capabilities in terms of procurement, and thus relate them to the services we provide or to the products we promote.

Then, through automated procedures, the Joint Controllers determine the content of the direct marketing materials to be sent to you. In the legal language these automated procedures are referred to as “automated individual process”.

Thus, the direct marketing materials that we will send you will be as specific, convincing and applicable as possible to you, and as a consequence may influence you (i.e. in the sense of purchasing the product/service included in the marketing material), as they manage to correctly identify your preferences or characteristics.

With regard to the processing of data by automated individual processes, you have several additional rights, i.e. you can (a) obtain human intervention, (b) express your point of view, (c) get explanations about the decision made and (d) contest that decision. In addition, you can withdraw consent at any time in the manner prescribed in this Memorandum in the section dedicated to Data subjects rights, section 6 below.

1.4      Storage period

The personal data processed are kept for the period of time necessary to comply with the legal obligations imposed on us by the regulations specific to our field of activity.

  • With regard to the use of your personal data for direct marketing activities, it will be stored by the Joint Controllers from the time you have given us your consent for such processing until the date you have withdrawn it. Once you choose to withdraw your consent:
      • (i) marketing consents – will be deleted immediately upon request, though deletion date, a reference to the category of info that has been deleted and the user who operates the change should be kept for audit trail purposes;
      • (ii) data subject’s change request – data are to be replaced/amended, according to the request (e.g. contact details, email, phone number etc.), though deletion date, a reference to the category of info that has been deleted and the user who operates the change should be kept for audit trail purposes;
      • (iii) data subject’s data deletion request – data are deleted immediately upon request, unless we rely on a different ground for protection, e.g. legitimate interest (3 years), legal obligation (e.g. 10 years for accounting purposes) etc. – also, deletion date, a reference to the category of info that has been deleted and the user who operates the change should be kept for audit trail purposes.

 

1.5      Third party access

Access to your data will be provided only to those persons or entities with whom we collaborate in fulfilling the purposes of processing, and for whom we (we or the intended recipients) can justify a legitimate reason or if we have a legal obligation to provide your data.

The following entities and their employees will have access to your data:

  • IT service providers (e.g., software maintenance and development, site maintenance and development),
  • CRM solution providers
  • Marketing service providers, including market research service providers, marketing communications service providers, online tool traffic and behavior monitoring service providers, various marketing customization service providers, providers of marketing services through social media resources, providers of services for the preparation of the content of marketing forms,
  • Group Companies (other than Joint Controllers)

As both the Controller and the other Joint Controllers are part of the Nepi Rockcastle group of companies (the “Group”), your personal data will be processed for the purposes of consolidated management of the Group’s activities, for audit purposes and in any other situation where the law requires or permits such processing, if we (the Controller, the Joint Controllers or the recipient companies in the Group) can justify a legitimate basis for doing so or if we obtain your consent to do so. The list of companies in the Group can be found at: www.nepirockcastle.com

  • Partners Promenada Novi Sad

Your personal data will also be processed in relation to a number of third party partners (“Partners”). These are the Partners that the Joint Controllers promote in their relationship with you through direct marketing activities, and are usually represented by tenants of NEPI Rockcastle Group shopping centers. Partners do not have access to your personal data, unless NE Property BV or the Joint Controllers have obtained your prior consent in this respect. The full list of Partners for the Promenada Novi Sad location is updated quarterly and can be found here –

https://megamallbucuresti.ro/magazine/, https://megamallbucuresti.ro/categorie_unitate/divertisment/ and https://megamallbucuresti.ro/servicii/

We will contractually require these entities, as well as their staff, to respect the confidentiality of this data, ensuring a high level of security for the processing of your data.

We will also provide your personal data to judicial bodies, public institutions, or central and local public authorities, based on a duly substantiated request or legal obligation.

As a rule, NE Property BV or, as the case may be, the Joint Controllers, will not transfer your personal data to third countries outside the European Economic Area. If such a transfer nevertheless takes place, NE Property BV and the Joint Controllers will take appropriate safeguards to ensure the protection of personal data transferred.

Visitors and customers of the shopping centre

2.1      Personal data we process

  • Identification data, such as: first name and last name, date of birth
  • Special identification data, that is personal identity number
  • Contact details, such as: email address, phone number
  • Image
  • Data on the vehicle for which a parking space is granted in the car park of the shopping centre, e.g.: make, type and registration number
  • Data on access to the shopping center car park, e.g.: arrival time, departure time, length of stay
  • Device MAC (mobile, laptop, tablet)
  • Data on participation in promotional campaigns and similar events, e.g.: prizes won
  • Financial data, e.g.: bank account number

2.2      Use of personal data

2.2.1     General purposes

When you visit the Promenada Novi Sad, certain personal data about you will be processed by the Controller, mainly in order to be able to provide you with the services offered by the Controller or to fulfil our legal obligations.

 

| No. | Purpose of processing personal data | Legal basis of processing personal data |
|---|---|---|
| 1. | Video surveillance by means of the CCTV system installed inside the shopping centre, in the common areas, access roads, as well as car park areas | Legitimate interest in ensuring the security of persons and property inside the shopping centre |
| 2. | Facilitate access to the car park of the shopping centre | Perform the contract regarding the provision of our services (i.e. granting access to the facilities and services provided by the shopping centre) |
| 3. | Solve requests for data and information received from the competent authorities and institutions | Legal obligation |
| 4. | Grant access to the free WiFi network | Perform the contract regarding the provision of our services (i.e. granting access to the facilities and services provided by the shopping centre) |
| 5. | Management of notifications/complaints submitted within the shopping centre | Our legitimate interest in resolving complaints sent to us and in maintaining good relations with visitors/customers of the shopping centre |
| 6. | Management of requests regarding lost objects, filed inside the shopping centre | Perform the contract regarding the provision of our services (i.e. granting access to the facilities and services provided by the shopping centre) |
| 7. | Carry out economic, financial and/or administrative management activities | Legal obligation |
| 8. | Settlement of disputes, investigations or any other petitions/complaints to which the Operator or Promenada Novi Sad is a party | Legitimate interest in defending our rights in court/in front of any competent authority |
| 9. | Archiving | Legal obligation |
| 10. | Conducting risk controls on the Controller’s procedures and processes, as well as conducting audits or investigations of the Controller | Our legitimate interest in managing risk and ensuring compliance with the Controller’s procedures and processes |

2.2.2    Data processing for marketing purposes 

In its work to promote Promenada Novi Sad, including through the Website, the Controller works with the following entities within the NEPI Rockcastle Group: NE Property BV, NEPI Investment Management SRL and Marketing Advisers SRL. Thus, from the perspective of how your personal data is processed for marketing purposes, the entities of the NEPI Rockcastle Group mentioned above (hereinafter collectively referred to as the “Joint Controllers” and individually as the “Joint Controller”) act as Joint Controllers, pursuant to Article (26) of the GDPR and Article 43 of the Personal Data Protection Law (“Official Gazette RS” no. 87/2018).

In connection with the processing of personal data for marketing purposes, you benefit from all the rights set out in the section Data subjects’ rights. By virtue of the agreement entered into by the Joint Controllers regarding the processing of personal data for marketing purposes, they will cooperate and ensure that they fully respect your rights, regardless of the Joint Controller to whom you choose to send your request to exercise your rights.

 

| No. | Purpose of processing personal data | Legal basis of processing personal data |
|---|---|---|
| 1. | Take and use photos (which also include your image) in order to promote the shopping centre | Your consent |
| 2. | Organise raffles, competitions, events or marketing campaigns in the shopping centre, including handing out prizes won | Perform the contract concluded (i.e., in accordance with the Regulation of the concerned raffle, competition or campaign) |

 

2.3.      Retail Analytics application

Retail Analytics is an application that uses the shopping centre’s Wi-Fi system to process personal data in order to obtain statistical reports that streamline the activity of the shopping centre, while in time improving visitors’ experience.

2.3.1     How does the Retail Analytics application work?

The MAC (media access control) address of the electronic device is collected through an API (Application Programming Interface), by exposure to access points (Access Points), through a secure VPN (virtual private network), using an https protocol (HyperText Transfer Protocol Secure) and dedicated internet protocol (IP).

The MAC address is anonymized by the API (Application Programming Interface) immediately after collection and prior to processing for statistical purposes, by applying a hash function.

NOTE: “anonymization” means the processing of personal data in such a way that it can no longer be attributed to a specific data subject.

The information resulting from the application of the hash function is saved in the database of the Retail Analytics application and is not reversible (i.e. the MAC address can no longer be identified).

The personal data of the MAC device and the location are anonymized and cannot lead to the identification of the person.

Depending on the device manufacturer, without our intervention it is possible that – although the WiFi connection of the device is not activated – the device is detected by our WiFi network, so we recommend that you check the WiFi connection of the device when visiting our shopping centre.

NOTE:  You can deactivate the WiFi connection by accessing the device’s “Settings” menu and disabling geolocation by accessing the Google geolocation service:  https://support.apple.com/ro-ro/HT207092  for iPhone, https://support.google.com/nexus/answer/3467281?hl=ro for Android, https://www.tenforums.com/tutorials/13225-turn-off-location-services-windows-10-a.html for Windows phones

2.3.2     Categories of personal data processed by the Retail Analytics application

  • MAC address (media access control) of the electronic device;
  • date and time of the visit(s);
  • identifier and coordinates of the access point to the WiFi network (AP identifier);
  • Wi-Fi signal strength;
  • WiFi network connection status (connected/disconnected).

The MAC address captured through the API (Application Programming Interface) is the one that could lead to the identification of the person and the rest of the personal data highlighted above can only be collected with its help. The MAC address is anonymized by the API immediately after collection and prior to processing for statistical purposes.

2.3.3     Purpose of the processing of personal data

After anonymization, data is used exclusively for statistical purposes, the statistical reports generated by Retail Analytics being used for:

  • developing the business and marketing strategy of the shopping centre, increasing the value of the shopping centre, better organization of the shopping centre, events and campaigns hosted by it, while ensuring a more efficient management of the needs of visitors and tenants of the shopping centre;
  • improvement of the services offered by the shopping centre, correlated with a proper management of the periods and areas of maximum congestion, so as to obtain an improved shopping experience.

2.4      Storage period:

The personal data processed are kept for the period of time necessary to comply with the legal obligations imposed on us by the regulations specific to our field of activity.

Depending on the context in which we process your personal data, the following rules for determining the storage period will apply:

  • CCTV system: Video recordings stored by the CCTV system are usually kept for a period of 30 (thirty) days, unless the extension of their processing period is required by law or justified by legal procedures.
  • WiFi network: The device’s MAC is only stored during the period when it uses our WiFi network.
  • Data processed for marketing purposes: data collected for marketing purposes will be processed until consent is withdrawn. Once you choose to withdraw your consent:
      • (i) marketing consents – will be deleted immediately upon request, though deletion date, a reference to the category of info that has been deleted and the user who operates the change should be kept for audit trail purposes;
      • (ii) data subject’s change request – data are to be replaced/amended, according to the request (e.g. contact details, email, phone number etc.), though deletion date, a reference to the category of info that has been deleted and the user who operates the change should be kept for audit trail purposes;
      • (iii) data subject’s data deletion request – data are deleted immediately upon request, unless we rely on a different ground for protection, e.g. legitimate interest (3 years), legal obligation (e.g. 10 years for accounting purposes) etc. – also, deletion date, a reference to the category of info that has been deleted and the user who operates the change should be kept for audit trail purposes.
  • Retail Analytics application: In the case of data processed through the Retail Analytics application, personal data is anonymised at the time of collection and is not retained by the Joint Controllers. After anonymisation, the information and statistical reports obtained shall be kept for a period of 1 year.

2.5      Third party access:

Access to your data will only be provided to those individuals or entities with whom we collaborate for processing purposes and for whom we (we or the intended recipients) can justify a legitimate ground in accordance with the GDPR or if we have a legal obligation to provide your data.

The following entities and their employees will have access to your data:

  • Security and security service providers – To ensure CCTV video surveillance and access control system in parking spaces, the Controller collaborates with specialised companies, authorised by law to carry out security and surveillance activities.
  • Other service providers – With regard to participation in campaigns and events, as well as the handling of complaints, grievances and/or requests regarding lost items addressed to the staff of the Info Desk offices within the shopping centres, the Controller usually collaborates with specialised service companies.
  • Group companies

As both the Controller and the other Joint Controllers are part of the Nepi Rockcastle group of companies (the “Group”), your personal data will be processed for the purposes of consolidated management of the Group’s activities, for audit purposes and in any other situation where the law requires or permits such processing, if we (the Controller, the Joint Controllers or the recipient companies in the Group) can justify a legitimate basis for doing so or if we obtain your consent to do so. The list of companies in the Group can be found at: www.nepirockcastle.com

  • Partners [Shopping Mall Name]

Your personal data will also be processed in relation to a number of third party partners (“Partners”). These are the Partners that the Joint Controllers promote in their relationship with you through direct marketing activities, and are usually represented by [Shopping Mall Name] tenants. Partners do not have access to your personal data, unless the Controller or the Joint Controllers have obtained your prior consent to do so. The full list of Partners is updated quarterly and can be found here –

https://megamallbucuresti.ro/magazine/, https://megamallbucuresti.ro/categorie_unitate/divertisment/ and https://megamallbucuresti.ro/servicii/

  • Property Manager Promenada Novi Sad

We will contractually require these entities and their staff to respect the confidentiality of this data, ensuring a high level of security for the processing of your data.

We will also provide your personal data to judicial bodies, public institutions, or central and local public authorities, based on a duly substantiated request or legal obligation.

As a rule, the Controller or, where applicable, the Joint Controllers, will not transfer your personal data to third countries outside the European Economic Area. If such a transfer nevertheless takes place, the Controller or the Joint Controllers will take appropriate safeguards to ensure the protection of personal data transferred.

Representatives of the contractual partners

3.1      Personal data we process

  • Identification data, such as: first name and last name, date of birth
  • Contact details, such as: email address, phone number
  • Occupational data, such as: position held, company in which you are employed or which you represent

3.2      Use of personal data

| No. | Purpose of processing personal data | Legal basis of processing personal data |
|---|---|---|
| 1. | Concluding and executing leases or other commercial contracts | Legitimate interest in carrying out our activity and validly concluding commercial contracts agreements specific to our field of activity (i.e. commercial spaces lease agreements) |
| 2. | Contacting possible future tenants of the shopping centre (prospective tenants) | Legitimate interest in promoting our business and promoting the shopping centre to potential tenants (prospective tenants) |
| 3. | Carry out know-your-customer (KYC) checks in relation to potential contractual partners | Legal obligation |
| 4. | Carry out economic, financial and/or administrative management activities | Legal obligation |
| 5. | Settlement of disputes, investigations or any other petitions/complaints to which the Operator is a party | Legitimate interest in defending our rights in court/in front of any competent authority |
| 6. | Archiving | Legal obligation |
| 7. | Conducting risk controls on the Controller’s procedures and processes, as well as conducting audits or investigations of the Controller | Our legitimate interest in managing risk and ensuring compliance with the Controller’s procedures and processes |

3.3      Storage Period

The personal data processed are kept for the period of time necessary to comply with the legal obligations imposed on us by the regulations specific to our field of activity.

3.4      Third party access

Access to your data will only be provided to those individuals or entities with whom we collaborate for processing purposes and for whom we (we or the intended recipients) can justify a legitimate ground in accordance with the GDPR or if we have a legal obligation to provide your data.

The following entities and their employees will have access to your data:

  • Group companies

As the Controller is part of the Nepi Rockcastle group of companies (“Group”), your personal data will be processed for the purposes of consolidated management of the Group’s activities, for audit purposes and in any other situation where the law requires or permits such processing, if we (the Controller or the recipient companies in the Group) can justify a legitimate basis for doing so or if we obtain your consent to do so. The list of companies in the Group can be found at: www.nepirockcastle.com

We will contractually require these entities and their staff to respect the confidentiality of this data, ensuring a high level of security for the processing of your data.

We will also provide your personal data to judicial bodies, public institutions, or central and local public authorities, based on a duly substantiated request or legal obligation.

As a rule, the Operator will not transfer your personal data to third countries outside the European Economic Area. However, if such a transfer takes place, the Operator will take appropriate protection measures to ensure the protection of the personal data transferred.

Staff of suppliers, collaborators or tenants of the shopping center

4.1      Personal data we process

  • Identification data, such as: first name and last name, date of birth
  • Contact details, such as: email address, phone number
  • Image
  • Device MAC (mobile, laptop, tablet)

4.2      Use of personal data

| No. | Purpose of processing personal data | Legal basis of processing personal data |
|---|---|---|
| 1. | Video surveillance by means of the CCTV system installed inside the shopping center, in the common areas, access roads, as well as car park areas | Legitimate interest in ensuring the security of persons and property inside the shopping center |
| 2. | Grant access to tenants’ staff inside the shopping area outside the hours when the shopping center is open | Legitimate interest in ensuring the security of persons and property inside the shopping center |
| 3. | Solve requests for data and information received from the competent authorities and institutions | Legal obligation |
| 4. | Grant access to the free WiFi network | Perform the contract regarding the provision of our services (i.e. granting access to the facilities and services provided by the shopping center) |
| 5. | Management of notifications/complaints submitted within the shopping center | Our legitimate interest in resolving complaints sent to us and in maintaining good relations with visitors/customers of the shopping center |
| 6. | Management of requests regarding lost objects, filed inside the shopping center | Our legitimate interest in resolving complaints sent to us and in maintaining good relations with visitors/customers of the shopping center |
| 7. | Carry out know-your-customer (KYC) checks in relation to potential contractual partners | Legal obligation |
| 8. | Carry out economic, financial and/or administrative management activities | Legal obligation |
| 9. | Settlement of disputes, investigations or any other petitions/complaints to which the Operator is a party | Legitimate interest in defending our rights in court/in front of any competent authority |
| 10. | Archiving | Legal obligation |
| 11. | Conducting risk controls on the Controller’s procedures and processes, as well as conducting audits or investigations of the Controller | Our legitimate interest in managing risk and ensuring compliance with the Controller’s procedures and processes |

4.3      Storage Period

The personal data processed are kept for the period of time necessary to comply with the legal obligations imposed on us by the regulations specific to our field of activity.

Depending on the context in which we process your personal data, the following rules for determining the storage period will apply:

  • CCTV system: Video recordings stored by the CCTV system are usually kept for a period of 30 (thirty) days, unless the extension of their processing period is required by law or justified by legal procedures.
  • WiFi network: The device’s MAC is only stored during the period when it uses our WiFi network.

4.4      Third party access

Access to your data will only be provided to those individuals or entities with whom we collaborate for processing purposes and for whom we (the new or the intended recipients) can justify a legitimate ground in accordance with the GDPR, or where we have a legal obligation to provide your data.

The following entities and their employees will have access to your data:

  • Security and security service providers – To ensure CCTV video surveillance and access control system in parking spaces, the landlord collaborates with specialized companies, authorized by law to carry out security and surveillance activities.
  • Other service providers – With regard to the handling of complaints, grievances and/or requests regarding lost items addressed to the staff of the Info Desk offices within the shopping centers, the Controller usually collaborates with specialized service companies.
  • Controller’s Property Manager.

We will contractually require these entities and their staff to respect the confidentiality of this data, ensuring a high level of security for the processing of your data.

We will also provide your personal data to judicial bodies, public institutions, or central and local public authorities, based on a duly substantiated request or legal obligation.

As a rule, the Controller will not transfer your personal data to third countries outside the European Economic Area. However, if such a transfer takes place, the Operator will take appropriate protection measures to ensure the protection of the personal data transferred.

Security and accuracy of personal data

We will take all necessary security measures to protect your personal data transmitted, stored or otherwise processed against destruction, loss, unlawful or accidental change, unauthorized disclosure or unauthorized access, as well as against any other unlawful processing. The security measures we implement with regard to your personal data can ensure the confidentiality, integrity, availability and continued resilience of processing systems and services, as well as the capacity to restore the availability of and access to personal data in a timely manner if a physical or technical incident occurs.

All personal data will be processed through secure pages using the SSL encryption system, marked with a padlock symbol, located at the top of the browser window.

For more information on security standards on the Website, go to the “Help” section.

In addition, the Account is password protected in order to secure the data and keep the information transmitted through it confidential. The Controller, or where applicable the Joint Controllers, shall make every effort and use appropriate information technology to ensure the protection and security of the data you provide to us.

In cases provided for by the GDPR in relation to personal data breaches, the Controller, or as the case may be, each of the Joint Controllers, will duly inform the competent authorities and relevant persons.

The Controller or Joint Controllers process personal data that are accurate and have a procedure in place to update them. Thus, the Controller/Joint Controllers shall take all necessary steps to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

Rights of the data subject with respect to the processing of personal data

  • Right of access – the right to request confirmation of whether or not personal data are processed by us and, if so, to request access to the data, as well as certain information about such data. Upon request, we will also issue a copy of the processed personal data. Requests for additional copies will be charged on the basis of the costs actually incurred.
  • Right to rectification – the right to have inaccurate personal data rectified, as well as to have incomplete data supplemented, including by providing additional information.
  • Right to delete data (“the right to be forgotten”) – in situations expressly regulated by law, the right to obtain from us the deletion of the data. Thus, the deletion of personal data can be requested if:
    • the data are no longer necessary for the purposes for which they were collected or processed;
    • the consent on the basis of which processing is carried out is withdrawn;
    • the data subject objects to the processing under the right to object;
    • the processing of personal data is illegal;
    • the data must be deleted for the purpose of complying with a legal obligation incumbent on us.
  • Right to restrict processing – the right to request the restriction of processing of personal data in certain circumstances expressly regulated by the law, as follows:
    • the accuracy of the data is contested, for the period when the accuracy of the concerned data is checked;
    • the processing is unlawful and the data subject objects to the deletion of data;
    • the data subject needs these data to establish, exercise or defend certain rights in court, and our company no longer needs such data;
    • the data subject objects to the processing of personal data, for the period in which we check if our legitimate interests prevail over their interests, rights and freedoms.

In these circumstances, except for storage, the data will not be processed anymore.

  • Right to object to the processing of personal data – the right to object at any time, for reasons related to the particular situation of the data subject, to the processing (including the creation of profiles) based on our legitimate interest.
  • Right to data portability – the right to receive the personal data provided in a structured, machine-readable format, and the right to request that the data be passed to another controller. This right applies only to personal data provided directly by the data subject to the controller, and only if the processing of personal data is done by automated means and is legally based on either the execution of a contract or the consent of that person.
  • The right to lodge a complaint – the right to lodge a complaint in relation to the methods of personal data processing. The complaint will be submitted to the Commissioner for Information of Public Importance and Personal Data Protection (the “Commissioner”) – details at rs.
  • Right of withdrawal of consent – the right to withdraw, at any time, the consent to the processing of personal data in cases where processing is based on consent. Withdrawal of the consent will only have effect for the future, and processing prior to the withdrawal remains valid.
  • Additional rights related to automated decisions used in the delivery of services – if automated decisions are made about personal data and these decisions significantly affect the data subject, the data subject can (a) obtain human intervention with respect to said processing, (b) express their point of view on such processing, (c) obtain explanations regarding the decision made and (d) contest such decision.

These rights (except the right to contact the Commissioner, which can be exercised under the conditions established by this authority – in this regard you can see the official website www.poverenik.rs) may be exercised at any time, either individually or cumulatively, by sending a letter/message in the following ways:

You can exercise the right to withdraw your consent for the transmission of direct marketing messages (newsletter) by e-mail, by accessing the dedicated unsubscribe link (unsubscribe), included in each message of this kind.
