Controller – jointly Controller 1 and Controller 2 or, depending on context, any of the above.
Controller 1 – company EPP PROPERTY MANAGEMENT Spółka z ograniczoną odpowiedzialnością with its registered office in Kielce, adres: ul. Świętokrzyska 20, 25-406 Kielce.
Controller 2 – company EPP COMMUNITY PROPERTIES - PM SERVICES sp. z o.o. with its registered office in Kielce, adres: ul. Świętokrzyska 20, 25-406 Kielce
Personal Data – information on an individual identified or identifiable by one or several specific features determining his/her physical, physiological, genetic, psychic, economic, cultural or social identity, including the image, voice recording, contact details, location data, information included in correspondence, and information collected via recording equipment or other similar technology.
Facility – shopping centre administered by the Controller
Data Subject – an individual to whom the Personal Data processed by the Controller refer.
Policy – this Personal Data Processing Policy.
Employee – an individual employed by the Controller under an employment contract.
GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
the Company – the Controller
Associate – an individual providing services for the Controller under a civil law contract (e.g., a contract of mandate, a contract of commission).
DATA PROCESSING BY THE CONTROLLER
In connection with its business activity, the Controller 1 and Controller 2 collect and process the Personal Data pursuant to applicable legal regulations, including, without limitation, GDPR, and the data processing rules set out therein.
Controller 1 and Controller 2 are joint controllers of the Personal Data based on a separate agreement.
The Controller ensures the transparency of the Personal Data processing; in particular, the Controller shall always provide information about data processing when collecting data, including information on the purpose and the legal basis for processing (e.g., when signing a lease agreement). The Controller shall see to it that data are collected only to such extent as may be necessary to achieve specific purpose and processed only for such period as necessary.
When processing the Personal Data, the Controller shall ensure data safety and confidentiality and provide access to processing information to Data Subjects. Should any breach of the Personal Data protection (e.g., data leakage or loss) occur despite the security measures applied, the Controller shall communicate such incident to the Data Subjects in the manner compliant with legal regulations.
The processing of Personal Data may take place in an automated manner, i.e. automated decision-making by the Controller on the basis of personal data processed in connection with the use of the participant's account in the application and/or participation in the points collection program, incentive program and/or in individual campaigns and in in connection with the use of the application - under the account of the participant's interests and preferences - in order to prepare individual offers for participants, including offers of the Controller and / or partners of the action - at the time of registration in the application or during your participation in a particular action - in the wording made available in the application – the legal basis is art. 22 sec. 2 lit. ca GDPR). The Controller, thanks to automated data processing - can assess selected factors regarding natural persons in order to analyze their behavior or create forecasts for the future for marketing purposes, including for the purpose of targeting contextual advertising to participants, i.e. tailored to the participant's individual preferences.
If the Participant provides a sufficient range of data, the Controller will perform profiling as part of the necessity to perform the contract in order to prepare and deliver tailored Promotions.
CONTROLLER’S CONTACT DETAILS
The Controller can be contacted by writing at its mailing address: ul. Świętokrzyska 20, 25-406 Kielce.
The Controller has appointed the Personal Data Protection Coordinator who can be contacted by writing at rodo@epp-poland.com in any issues related to Personal Data processing by the Controller.
PERSONAL DATA SAFETY
In order to warrant data integrity and confidentiality, the Controller implemented the procedures which enable granting access to the Personal Data only to authorised persons and only to such extent as may be necessary in the light of the duties they perform. The Controller shall apply organisational and technical measures aimed to ensure that any and all operations on the Personal Data are registered and performed by authorised persons only.
The Controller shall take any such measures as may be necessary to ensure that its subcontractors and other associates equally warrant the application of appropriate security measures each time they process the Personal Data on the Controller’s instruction.
The Controller analyses the risk related to the Personal Data processing on an ongoing basis, performs data protection impact assessments and monitors whether the data security measures applied are adequate to the identified threats. If necessary, the Controller implements additional measures aimed to increase data safety.
PURPOSES AND LEGAL BASIS FOR DATA PROCESSING
Video monitoring
Due to the need to ensure safety of persons and property, the Controller applies video monitoring in the facilities related to its business activity and controls entry to the premises and the area it manages. Data collected as a result of the above are not used for any purposes other than described above.
The Personal Data in the form of monitoring recordings are processed for the purpose of ensuring safety of persons and property and keeping order at the Facility, and for the purpose of determining and seeking claims by the Controller or defending against claims made against the Controller, if any. The legal basis for the Personal Data processing is the Controller’s legitimate interest (Article 6(1)(f) GDPR), consisting in ensuring safety of persons staying and property located on the area managed by the Controller and the protection of its rights.
The area covered by the Company monitoring shall be marked with proper graphic signs.
E-mail and mail correspondence
If the Controller receives, via e-mail or regular mail, any correspondence unrelated to the services provided for the sender or other contract concluded therewith, or otherwise unrelated to any relations with the Controller, the Personal Data contained in such correspondence shall be processed exclusively for the purpose of communication and handling the case to which the correspondence refers.
The legal basis for processing is the Controller’s legitimate interest (Article 6(1)(f) GDPR), consisting in conducting the correspondence received by the Controller in connection with its business activity.
The Company processes only those Personal Data which are relevant to the case to which the correspondence refers. The entire correspondence is stored in the manner that warrants safety of the Personal Data (and other information) contained therein and may be disclosed to authorised persons only.
Telephone contact
If the Controller is contacted by telephone on issues unrelated to the contract concluded or services provided, the Controller may request the calling individual to provide his/her Personal Data only in the case where it is necessary to handle the case reported by phone. In such case, the legal basis for processing is the Controller’s legitimate interest (Article 6(1)(f) GDPR), consisting in the need to handle a reported issue related to its business activity.
Data collecting in connection with providing services or performing other contracts
In the case of collecting data for purposes related to performance of a specific contract (e.g., a lease agreement, trade agreement with a business partner or a contract of debt collection operations connected with business activity), the Controller shall communicate to the Data Subject detailed information on the processing of his/her Personal Data at the time of signing the contract or at the time of obtaining Personal Data in the case where their processing is necessary for the Controller to take steps on the Data Subject’s request before signing the contract.
Point collection programs, incentive programs, applications
The Controller collects Personal Data from participants to the extent necessary to fulfill its obligations towards participants in the scope of handling the participant's account in applications and platforms used to support point and incentive programs and in individual campaigns, as well as to fulfill the obligations arising from participation in the point program , incentive program or, respectively, in individual actions, to provide participants with services offered using the application.
The Controller processes Personal Data to the extent necessary to analyze the behavior of participants, assess the effects and effectiveness of actions taken using the application, as well as directing marketing offers to participants related to the shopping centre and conducted using tools other than the application after expressing relevant consents of the participant.
Participants' personal data will be processed for the purposes of servicing the participant's account in the application - in order to provide services available as part of the application's functionality - the legal basis is the necessity of processing to perform the contract (Article 6(1)(b) of the GDPR), in particular such as:
Maintaining and servicing the participant's account in the application;
joining the points collection program;
Access to Information about the offers available in the shopping centre.
Participants' personal data will be processed for the purposes of organizing and conducting the points collection program - in order to provide services available as part of the application's functionality - the legal basis is the necessity of processing to perform the contract (Article 6(1)(b) of the GDPR), in particular such as:
registration in the points collection program and setting up a points account;
maintaining and servicing a points account, i.e. registering proofs of purchase, calculating points, including non-purchase points, keeping a balance of points;
ordering and issuing prizes;
access to information about offers under the points collection program and/or offered in the application
Participants' personal data will be processed for the purposes of organizing and conducting the incentive program - in order to provide services available as part of the application's functionality - the legal basis is the necessity of processing to perform the contract (Article 6(1)(b) of the GDPR), in particular such as:
maintaining and servicing the bonus account, i.e. registering referral links and referral codes, verifying the right to the prize, calculating the point bonus, maintaining the point bonus balance; and ordering and issuing awards provided for in the incentive program (see definitions in the regulations of the incentive program).
The legal basis for the processing of Participants' Personal Data for the purposes of organizing the points collection program, incentive program and carrying out individual campaigns, respectively, is:
in the case of a points collection program and/or an incentive program, respectively - the legal basis is the necessity of processing to conclude and perform the contract (Article 6(1)(b) of the GDPR) regarding participation in the point program and/or incentive programme;
in the case of actions - advertising and promotion of the shopping centre - the legal basis is the legitimate interest of the controller consisting in carrying out individual actions by the controller (Article 6(1)(f) of the GDPR) - unless another basis is indicated in the regulations of a particular action;
in the case of considering possible complaints related to participation in the points collection program, incentive program and, respectively, in a particular action - the legal basis is the legitimate interest of the Controller consisting in meeting the obligations towards participants resulting from these projects (Article 6(1)(f) of the GDPR);
in the event of the fulfilment of legal obligations incumbent on the Controller resulting from the provisions of law, e.g. tax and accounting regulations - the legal basis is a legal obligation (Article 6(1)(c) of the GDPR).
The legal basis for the processing of Participants' Personal Data for the purposes of providing services available as part of the application's functionality is:
In the case of registration in the application and setting up a participant account in the application, a points account and, accordingly, a bonus account; maintaining and servicing the participant's account in the application, points account and bonus account, respectively, access to information about offers in the shopping centre carried out using the application - the necessity of processing to perform the contract (Article 6(1)(b) of the GDPR).
In addition, personal data of participants in applications and platforms used to support point and incentive programs and in individual campaigns are processed on the following grounds:
In the case of considering any complaints related to the use of the application and participation in the points collection program, incentive program or, respectively, in a particular action - the legal basis is the necessity of processing to perform the contract (Article 6(1)(b) of the GDPR);
In the event of the fulfillment of legal obligations incumbent on the Controller resulting from the provisions of law, e.g. tax and accounting regulations - the legal basis is a legal obligation (Article 6(1)(c) of the GDPR);
For analytical and statistical purposes in the field of participants' activity, as well as their preferences in connection with the use of the participant's account in the application and the points collection program, incentive program and, respectively, as part of individual actions and / or applications - the legal basis is the legitimate interest of the Controller and group Controller (Article 6(1)(f) of the GDPR) - i.e. improvement of the functionalities used and the services provided;
In the case of establishing, pursuing claims or defending against claims - the legal basis is the Controller's legitimate interest (Article 6(1)(f) of the GDPR), i.e. protection of its rights;
In the case of geolocation of the participant in the shopping centre, including the study of the frequency of visits and movement in the shopping centre, if the participant agrees to it at the time of registration in the application or during his participation in the points collection program - in the wording made available in the application - the legal basis is granting consent (Article 6(1)(a) of the GDPR and Article 22(2)(c) of the GDPR).
Marketing and commercial information
In. The Controller processes the personal data of participants in applications and platforms used to support point and incentive programs and in individual actions, on the following grounds:
for the purpose of direct marketing in the scope of using the participant's account in the application and participation in the points collection program, incentive program and, respectively, in the scope of participation in individual campaigns, benefits resulting from such projects, services offered and the application and its functionality - the legal basis is (Art. 22(2)(c) GDPR);
for marketing purposes of the action partner - if the participant agrees to it at the time of registration in the application or during his participation in the points collection program or, respectively, in a particular action - in the wording made available in the application - the legal basis is consent (Article 6(1)(a) and GDPR);
if the participant has ordered the newsletter service, the Controller may direct marketing content as part of the newsletter - constituting the Controller's direct marketing (then the legal basis is the Controller's legitimate interest (Article 6(1)(f) of the GDPR) - i.e. direct marketing) or regarding the marketing of goods and action partner services - if the participant agrees to it at the time of registration in the application or during his participation in the points collection program or, respectively, in a given action - in the wording made available in the application - the legal basis is consent (Article 6(1)(a) GDPR).
The Participant may agree to receive commercial information for marketing purposes via e-mail, SMS / MMS or to use telecommunications terminal equipment (including using automatic calling systems). Consent is given by submitting an appropriate statement in the wording made available at the time of registration in the application and/or registration in the points collection program, incentive program and/or a particular action, respectively. granting consent is not necessary to use the application and to join and participate in the points collection program, incentive program and/or in individual campaigns, however, consent is necessary - if the participant is interested in receiving marketing content, advertisements, information and notifications about available promotions, news or personalized offers (behavioral advertising), including marketing content as part of the newsletter.
Processing personal data of staff members of contracting parties or lessees cooperating with the controller
In connection with concluding trade and lease agreements as part of its business activity, the Controller receives from its contracting parties / lessees the data of persons involved in the performance of such contracts (e.g., contact persons, persons performing commissions, suppliers, etc.). The scope of provided data is in each case restricted to such degree as may be necessary to perform the contract and usually does not include any information other than the individual’s full name and business contact details.
Such Personal Data are processed for the purpose of pursuing the legitimate interest of the Controller and its contracting party (Article 6(1)(f) GDPR), consisting in enabling the proper and effective performance of the contract. Such data may also be disclosed to third parties involved in the contract performance as well as to entities obtaining access to data on the basis of regulations on transparency of public information and proceedings conducted under the public procurement law, to the extent set out in such legal regulations.
Data are processed for such period as may be necessary to pursue the abovementioned interests and fulfil legal obligations.
Data collecting in other cases
In connection with its business activity, the Controller collects the Personal Data in other cases as well, e.g., through building and using permanent mutual business contacts (networking) during business meetings or industry events or through exchange of business cards, for purposes connected with initiating and maintaining business contacts. In such case, the legal basis for processing is the Controller’s legitimate interest (Article 6(1)(f) GDPR), consisting in networking in connection with its business activity.
The Personal Data collected in such cases are processed exclusively for the purpose for which they were collected and the Controller ensures their proper protection.
DATA RECIPIENTS
In connection with pursuing activity which requires data processing, the Personal Data are disclosed to third party entities, including, without limitation, the providers responsible for the operation of IT systems and equipment (e.g., CCTV equipment in the scope of video monitoring), entities providing legal, accounting or security services, couriers, and marketing agencies. Data are also disclosed to member entities of EPP group of companies for the purpose of implementation of their internal administrative objectives (administrative support for EPP Group) on the basis of their legitimate interest. For more information on the Controller’s group of companies, see https://pl.epp-poland.com/.
The Controller reserves the right to disclose selected information about the Data Subject to competent authorities or third parties who require the provision of such information, relying on relevant legal basis and in compliance with applicable legal regulations.
DATA TRANSFER OUTSIDE EEA
The Personal Data protection level outside the European Economic Area (“EEA”) differs from the one which the European law ensures. For this reason, the Controller transfers the Personal Data outside the EEA only in the case where it is necessary and subject to ensuring appropriate protection level, mainly through:
the cooperation with the Personal Data processors in the countries for which the European Commission issued a decision declaring that an appropriate level of the Personal Data protection is ensured therein (adequacy decision);
the application of standard contractual clauses issued by the European Commission;
the application of binding corporate rules approved by the competent supervisory authority.
PERSONAL DATA PROCESSING PERIOD
The period of data processing by the Controller depends on the type of the service provided and the processing purpose. The data processing period may also result from legal regulations, if they form the basis for processing. In the case of data processing on the basis of the Controller’s legitimate interest (e.g., for security reasons), data are processed for the period enabling to pursue that interest or until making an effective objection against data processing. If the processing takes place on the basis of a consent, data are processed until the withdrawal of the consent. If the legal basis for processing is the necessity to conclude and perform a contract, data are processed until contract termination.
The data processing period may be extended in the case where the processing is necessary to determine and seek or defend against claims, if any, and after the expiry of this period only in the case and to the extent required by legal regulations.
RIGHTS RELATED TO PERSONAL DATA PROCESSING
Data subjects’ rights
Data Subjects shall have the following rights:
right to information on the Personal Data processing – on this basis, the Controller provides the requesting individual with information on data processing, mainly information on the purposes and legal bases for processing, scope of data held, entities to which data are being disclosed, and the planned data removal date;
right to obtain a copy of the data – on this basis, the Controller submits a copy of the processed data of the requesting individual;
right to have the data rectified – the Controller is obliged to eliminate any discrepancies or mistakes in the processed Personal Data and to complete data whenever they are incomplete;
right to have the data deleted – on this basis, the Data Subject may request the Controller to delete the data whose processing is no longer necessary to pursue any of the purposes for which they were collected;
right to restrict processing – if such request is made, the Controller ceases to perform operations on the Personal Data, save for the operations the Data Subject consented to, and to store the same, in compliance with the adopted retention rules or until the reasons for restricting such data processing cease to exist (e.g., until a supervisory authority issues a decision permitting further data processing);
right to data portability – on this basis, to the extent the data are processed by automated means in connection with a contract concluded or a consent granted, the Controller releases data supplied by the data subject, in the machine-readable format. It is also possible to request the Controller to send such data to some other entity, provided that there exist relevant technical capabilities both on the part of the Controller and the indicated entity;
right to object against data processing for marketing purposes – the Data Subject can object against the Personal Data processing for marketing purposes at any time, without the need to provide rationale for such objection;
right to object against other purposes of data processing – the Data Subject can object at any time, for reasons related to his/her special situation, against the Personal Data processing taking place on the basis of the Controller’s legitimate interest (e.g., for analytical or statistical purposes or due to property protection considerations); such objection must include rationale;
right to withdraw the consent – if data are processed on the basis of the consent granted, the Data Subject can withdraw such consent at any time; the withdrawal shall not affect the lawfulness of the processing done before such withdrawal;
the right to human intervention in the case of profiling - the data subject has the right to obtain human intervention from the Controller, to express his own position and to challenge the decision made automatically;
right to complain – if the Data Subject finds that the Personal Data processing violates GDPR regulations or other Personal Data protection regulations, the Data Subject can lodge a complaint with the authority supervising the Personal Data processing which is competent for such person’s place of ordinary stay, place of work or place where the alleged breach was committed. In Poland, the supervisory authority is the President of the Personal Data Protection Office.
Filing requests related to the exercise of rights
A request concerning the exercise of the Data Subjects’ rights can be filed:
in writing, at the following address: ul. Świętokrzyska 20, 25-406 Kielce;
in justified cases related to the requesting person’s stay in the Facility, with the Controller’s Employee/Associate present in the Controller’s facility, on a special form (request template) available in selected locations within the Facility, e.g., from the security staff Employees.
If the Controller is unable to identify an individual on the basis of his/her request, it shall demand additional information from the requesting person. The provision of such data is not mandatory; however, a failure to provide the same will result in the refusal to grant the request.
A request may be filed personally or via a legal representative (e.g., a family member). For data safety reasons, the Controller encourages providing a power of attorney certified by a notary or an authorised legal counsel or advocate which will significantly accelerate verification of the request authenticity.
A response to the request should be given within one month of its receipt. If it is necessary to extend such time limit, the Controller shall inform the requesting person about the reasons for such extension.
If a request is sent to the Company by electronic means, the response shall be given in the same form, unless the requesting person demanded a response in other form. In other cases, response is given in writing. Where it is impossible to provide a response in writing due to the period of fulfilling the request and where the scope of the requesting person’s data processed by the Controller enables contact by electronic means, the request shall be given by electronic means.
The Company stores the information on the request made and the requesting person for the purpose of ensuring the ability to demonstrate compliance and for the purpose of determining and seeking its claims or defending against claims made by Data Subjects, if any. The register of requests shall be safe-kept in the manner ensuring integrity and confidentiality of the data contained therein.
Charging fees
The requests are processed free of charge. Fees may only be charged if:
a request is filed for issuing the second and any subsequent data copy (the first data copy is provided free of charge); in such case, the Controller may demand the payment of a PLN 30 fee. The fee includes the administrative costs related to fulfilling the request;
the same person files requests which are excessive (e.g., files requests extremely often) or obviously groundless; in such case, the Controller may demand the payment of a PLN 30 fee. The fee includes the costs of communication and the costs related to taking the requested steps.
In the case of questioning a decision to charge a fee, the Data Subject can lodge a complaint with the authority supervising the Personal Data processing which is competent for such person’s place of ordinary stay, place of work or place where the alleged breach was committed. In Poland, the supervisory authority is the President of the Personal Data Protection Office.
AMENDMENTS TO PERSONAL DATA PROCESSING POLICY
This Policy is subject to ongoing verification and is updated whenever necessary.