WESTFIELD CLUB PRIVACY POLICY
This Privacy Notice (“Privacy Notice” or “Notice”) was last updated on 29th June 2021.
This Privacy Notice explains how the data controllers [referred to in this Privacy Notice as the Data Controller, we, us or our] (as defined below) collects and process your personal data in the context of the provision of our Loyalty Programme (including the access to your loyalty account within the website and shopping centre applications, together, the “Services”).
This Privacy Notice covers the following:
- Contact details of the Data Controller
- How do we collect your personal data?
- Details about the processing of your personal data
- How do we share your personal data?
- How do we keep your personal data secure?
- Do we transfer your personal data outside the European Economic Area?
- Your rights in relation to your personal data
- Geolocation
- Automated decision making/profiling
- Transfer in case of change of ownership
- Update of this Privacy Policy
1. Contact details of the Data Controller
The Local Data Controller:
Westfield Europe Limited ("Westfield")
Incorporated in England and Wales with registered number 03912122 and registered office at 4th Floor, 1 Ariel Way, London, W12 7SL (registered with the Information Commissioner’s Office with registration number Z5539526). The local Data Controller will process your personal data in the context set out below.
The Group Data Controller:
Unibail Management
Simplified joint stock company with a capital of €20 000 000. Having its registered office at 7 place du Chancelier Adenauer 75016 Paris. Registered within the Paris Register under number 414 878 389.
The Westfield Data Protection Officer may be contacted by email at dpo@urw.com or via post at 4th Floor, 1 Ariel Way, London, W12 7SL.
The Unibail Management Data Privacy Team (including its DPO) may be contacted by email at data.protection@urw.com or via post at 7 place du Chancelier Adenauer 75116 PARIS.
In general, the group data controller will process your personal data in order to assist the local data controller and to ensure a general governance at group level.
Some roles are specifically assigned to the local Data Controller or the Group Data Controller as follows:
Role of the local Data Controller
The local Data Controller will process your personal data in order to send you communications to inform you about specific offers and events of the respective shopping centre and to provide you with offers.
Role of the group Data Controller
The group Data Controller has concluded several data processing agreements and service agreements with service providers to provide you with the technical opportunity to register you to the Loyalty Program or download and use the shopping centre application.
The group Data Controller will also handle the preparation of some communications, coordinated at group level, that will be sent by the local Data Controller. Furthermore, the group Data Controller will negotiate with third parties special offers which will be accessible for loyalty members.
The group Data Controller will process your personal data in order to:
- Manage your registration to the Loyalty Programme
- Analyse your behaviour within the shopping centre as further detailed in the table below (3.1) to provide you with customised offers and events you might be interested in
The local data controller and the group data controller are acting as Joint Data Controllers and will hereinafter be referred to together as “Data Controller”, “we”, “us” or “our”.
2. How do we collect your personal data?
We collect personal data about you through the following means:
- directly from you; and/or
- from your use of the Services
- When you use the Loyalty Card, including the virtual one, if scanned during your visit, we collect:
- When you use our shopping centre application or website as an authenticated user, we collect:
- When you use the website and accept the use of cookies, we collect the cookies you have accepted
information related to the type of service your Loyalty Card was used for (example: events, birthday present) and therefore your presence within our shopping centre.
information about the frequency of your visits, your itineraries within the shopping centre provided that we have obtained your prior written consent to collect that information (only for shopping centre application - see article 8 Geolocation).
You will find all details about cookies uses and policy in the Terms of Use accessible by clicking on the following links: Westfield Terms and Conditions and Westfield Cookies Policy
Details about those different ways of collection are given in section “Personal Data involved” in the table in article 3 below.
3. Details about the processing of your personal data
3.1 - You will find in the table below all information in relation with:
- Why we are processing your personal data (Specific purpose)
- What personal data is involved (Personal data involved)
- On which legal basis we are processing your personal data (Lawful basis)
- How long we are storing your personal data (Retention period)
- What rights you can exercise in relation to your personal data (Rights)
| Specific purpose | Personal data involvement | Lawful basis | Retention period | Rights The available rights depend on the lawful basis |
|---|---|---|---|---|
| Management of your Registration to the Loyalty Programme | Directly provided by you: Provided to us by a third party: |
Execution of a contract (Terms of Use of the Loyalty Programme) GDPR Article 6(1)(b) |
3 years from last digital contact or use of the Services | Access Rectification Deletion Limitation of the processing Portability |
Management of the participation to events organised by the shopping centre Please note that we might send you communications to allow you to participate in the event (for example: if the event requires you to have a proof of registration to enter it) |
Directly provided by you: Provided to us by a third party: |
Legitimate interest of the data controller to offer the opportunity for the members of the Loyalty Programme to participate to events organized to their attention and ensure the security of such event GDPR Article 6(1)(f) |
6 months after the event | Access Rectification Deletion Limitation of the processing Objection to the processing |
| Loyalty Points Collection | Directly provided by you: Provided by Transaction Connect: |
Execution of a contract (Terms and Conditions of the Loyalty Programme) GDPR Article 6(1)(b) |
3 years from the last use of the service | Access Rectification Deletion Limitation of the processing Portability |
Management of the offers and benefits of the Loyalty Programme Free access to some services (in conditions detailed in the Terms and Conditions of the Loyalty Programme) |
Directly provided by you: Provided to us by a third party: |
Execution of a contract (Terms and Conditions of the Loyalty Programme) GDPR Article 6(1)(b) |
No storage for the use of the offers and benefit. |
Access Rectification Deletion Limitation of the processing Portability |
| Participation in competitions organised for loyalty members | Directly provided by you: Provided to us by a third party: |
Execution of a contract (Rules of competitions) GDPR Article 6(1)(b) |
6 months after delivery of the prizes to the winner(s) | Access Rectification Deletion Limitation of the processing Portability |
Granting of rewards for loyalty members who have activated the Loyalty Points Collection (for example: prize granted to a member randomly chosen among the people who have spent a specific amount of GBP during a given time – specific communication to members within the scope would be made) |
Provided by Transaction Connect: transaction amount, date of purchase and name of retailer |
Legitimate interest of the Data Controller to manage the program in order to increase its database and the amount spent in the shopping centre and legitimate interest of the members to win prizes GDPR Article 6(1)(f) |
No specific data retention as the information are retained in the framework of the Loyalty point collection – see below | Access Rectification Deletion Limitation of the processing Objection to the processing |
Management of communications for information purposes in relation to the Loyalty Program (‘service communications’) (for example: information about an event accessible only to the loyalty members) |
Directly provided by you: Provided to us by a third party: |
Execution of a contract (Terms of Use Loyalty Programme) GDPR Article 6(1)(b) |
3 years from last digital contact or use of the Services | Access Rectification Limitation of the processing Portability |
Management of commercial (‘marketing’) communications By e-mail and/or sms if you have provided us with your mobile phone number and your consent to receive marketing via sms texts |
Directly provided by you: Provided to us by a third party: |
Consent GDPR Article 6(1)(a) |
3 years from last digital contact or use of the Services or until withdrawal of the consent, whatever occurs first | Access Rectification Deletion Limitation of the processing Objection to the processing Portability Withdrawal of consent |
Analysis of your information/use of the services to provide you with personalized offers; and to improve our understanding of your expectations and needs and develop new features and services Please note in this perspective, we will combine the personal data listed in the relevant columns. |
Obtained directly from you: Obtained from your activity: |
Legitimate interest of the Data Controller to better understand the customer in order to deliver appropriate services and/or offers and legitimate interest of the loyalty members to receive personalised offers and services. GDPR Article 6(1)(f) please note that:
|
3 years from last digital contact or use of the Services | Access Rectification Deletion Limitation of the processing Objection to the processing Portability |
Geolocation (within the shopping centre only – via the shopping centre application) |
Directly provided by you: Provided to us by a third party: |
Consent (given via shopping centre application) GDPR Article 6(1)(a) |
No storage of your geolocation will be made by Us | Access Rectification Deletion Limitation of the processing Portability Withdrawal of consent |
| Respond to loyalty members requests related to personal data | Directly provided by you: Provided to us by a third party: |
Legal obligation GDPR Article 6(1)(c) |
The year of receipt of request, plus 5 years If your photo ID is requested, it will be deleted right after the check of your identity |
Access Rectification Deletion Limitation of the processing |
| Obtain feedback from you on our services | Directly provided by you: answers to a questionnaire in respect with the appreciation of the services provided by us |
Legitimate interest of the data controller to better understand the customer and improve the services and deliver appropriate services and/or offers GDPR Article 6(1)(f) |
3 years from last digital contact or use of the Services | Access Rectification Deletion Limitation of the processing Objection to the processing |
Establishment, exercise or defence of legal claims (for example where a law enforcement body or regulatory body are investigating a crime or incident) |
Relevant personal data related to the claim or litigation | Legitimate interest of the data controller to ensure its defence; GDPR Article 6(1)(f) |
Legal time limit depending on the type of claim/litigation | Access Rectification Deletion Limitation of the processing Objection to the processing |
3.2 - Specific provisions - Loyalty Points Collection
As part of a special functionality of the Loyalty Programme to activate, please note that you have the possibility to subscribe to the Loyalty Points Collection. Under the Loyalty Points Collection, you may be entitled to get cashbacks, depending upon purchases you make in the shopping centre. For further information, please see the Terms and Conditions of the Loyalty Programme.
For the purposes of organising, managing and implementing the cashback payments resulting from your transactions as well as analysing the payment flows resulting from your use of the Loyalty Points Collection, please note that Transaction Connect (a French company with headquarters at 86, rue du faubourg St Denis 75010 Paris, and registered with the Registry of Commerce and Companies of Paris under number 822 619 185) alone shall be deemed acting as independent data controller with respect to the concerned processing of your personal data. For sake of clarity, both us and Transaction Connect are individually responsible for the processing of your Personal data for the purpose of the Loyalty Points Collection.
You can find additional information about the processing activities implemented by Transaction Connect, including information about your rights as a data subject, by clicking here for Westfield London and here for Westfield Stratford City. Please note that, in any event, we are not responsible for the processing activities implemented by Transaction Connect acting as data controller. Consequently, any claims or requests relating to the processing carried out by Transaction Connect shall be directed to Transaction Connect directly subject to their respective privacy policies for Westfield London and Westfield Stratford City; and respective terms of use for Westfield London and Westfield Stratford City, which you will be required to read and accept when subscribing to the Loyalty Points Collection.
Once you have activated the Loyalty Points Collection, the Data Controllers will receive confirmation of the relevant purchases you conduct within the shopping centre as detailed in the table above, so that the Data Controllers can manage your Loyalty Points account and benefits. Under no circumstances, will we have access to or receive any information related to you bank accounts, credit cards or any Personal data of a financial nature.
4. How do we share your personal data?
We may share your personal data with:
- our processors as listed in Appendix 1; The list of our current third-party processors is published in Appendix 1 below. The list is regularly updated and includes company-name, company-address, specific of purpose of processing of service provider.
- any competent authority or legal entity to answer to legal or regulatory requests, court orders, subpoena or legal process, if necessary to comply with applicable laws;
- any transferee, when personal data is transferred as part of the sale or otherwise transfer of all or part of our assets to another company
- with our insurers, lawyers, other advisers and courts when enforcing claims and/or defending our position;
5. How do we keep your personal data secure?
We take the security of all the personal data we hold very seriously and we are committed to protecting your personal data. We have therefore implemented all the necessary technical and organisational security measures, and have chosen our providers accordingly.
We have entered into specific data processing agreements with each service provider listed in Appendix 1 and have checked their general technical and organisational measures. The service providers are only authorised to process the data, as data processor, in compliance with the provision of this Privacy Policy, only on our behalf and according to our instructions.
However, we can't control all the risks related to the use of the Internet, and data security also relies on everyone's vigilance and good use of these technologies, therefore we invite our customers to remain vigilant on potential inherent risks while using Internet services.
6. When do we transfer your personal data outside the European Economic Area?
We use third party service providers that help us provide the Services to you and process your personal data on our behalf. Such third party service providers will always be subject to security and confidentiality obligations consistent with this Privacy Policy and the applicable law.
Note that some third party service providers are located outside the EEA (European Economic Area) and thus may access and process your Personal data from countries which do not provide an adequate level of data protection. In case of such transfer outside the EEA, we enter into the model clauses adopted by the European Commission to ensure that your personal data benefits from an adequate level of protection when accessed and processed from there. Our processors may also rely on Binding Corporate Rules.
If you need further information on this, please contact us by e-mail at the address mentioned in paragraph 7.5 below.
Information on the model clauses can be found here.
Information on the Binding Corporate Rules can be found here.
7. Your rights in relation to your personal data
7.1 Pursuant to all applicable laws, and in accordance with the provisions of the table of article 3.1 above (column “Rights”) you have the right*:
- to access to your personal data: we will give you detailed information about your personal data being processed;
- to obtain rectification your personal data: if the personal data we are processing are inaccurate;
- to obtain erasure of your personal data: if you want us to erase some or all of your personal data;
- to object to the processing of your personal information: if you want us to stop the processing of your personal data until we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims;
- to obtain the restriction of the processing of your personal information: if you contest the accuracy, lawfulness or our need to process your personal data, we will limit the processing of your personal data to the minimum (storage) and, if applicable, will process them only for the establishment, exercise or defence of legal claims or, where necessary, for protection of another natural or legal person, or other limited reason dictated by applicable laws;
- to receive your personal data in a structured and standard format or to ask for the transmission of such information to other controller (portability)
Please note that the available rights depend on the lawful basis of the processing relied upon. See provisions of the table at Paragraph 3.1 above (column “Rights”) to see the rights you can exercise specifically by processing activity.
7.2 Withdrawal of your consent(s) When the legal basis of the processing is your consent, as detailed in the table displayed in article 3.1 above (column “Legal basis”), you may withdraw your given consent(s) at any time without any reason.
If you do so, we will stop any further processing based on this consent. Please note that the withdrawal of your consent does not affect lawfulness of any processing done on the understanding that you have given your consent before.
To withdraw your consent to receive commercial (marketing) communication:
- send an e-mail as described in the section Exercise of your rights below
- directly change your subscription settings in your loyalty account
- click on the ‘unsubscribe’ link present in all our commercial communications
7.3 Unsubscribing to communication for information purpose in relation with the Loyalty Programme
As part of the Loyalty Programme and based on the lawful basis of the execution of a contract formed between us (the terms of Use of the Loyalty Programme) we will send you ‘service’ communications (that will only be about the Loyalty Programme and that will not contain any commercial offers).
7.4 Deletion of your Loyalty Account
If you want to delete your Loyalty Account, you can either:
- delete it directly in the setting of your Loyalty Account; or,
- send an e-mail as described in the section Exercise of your rights below.
7.5 Exercise of your Rights
If you wish to exercise these rights and/or obtain all relevant information, please contact us at the following address: dpo@urw.com
To ensure an effective exercise of your rights, please note that you can send your request at the above mentioned address for your questions and demands in relation to processing of both data controllers (local Data Controller and group Data Controller).
In order to avoid infringing third party rights, we reserve the right, in case of reasonable doubt, to require verification of your identity by requesting:
- your loyalty club membership number, and/or
- a photo ID Document
We will respond within 1 month after receipt of your request, but we retain, when necessary due to the complexity of your request, the right to extend this period by 2 months. We will in any event inform you within 1 month after receipt of your request if We decide to extend the period to respond.
If needed, you can also address any question at the welcome desk of your shopping centre.
7.6 Complaints
You have the right to make a complaint about the way we process your Personal data to the UK Data Protection Regulator, the Information Commissioners Office:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113
Fax: 01625 524510
8. Geolocation
8.1 General principle
Subject to your prior express consent given in the shopping centre application, information related to your location within our shopping centre may be collected and processed by us while you are authenticated on our shopping centre Applications for the purposes of measuring the frequency of your visits and your itineraries within our shopping centre and/or providing location related services.
Geolocation will only take place if you have activated the additional services/specific function in the settings of your downloaded shopping centre application on your mobile device. You could deactivate those additional services at any time in the settings latter one at any time.
Please note that when given, your consent will be effective immediately for any further connections on our shopping centre Application and for any further visits in our shopping centre within 12 months from first connection, unless you withdraw your consent.
8.2 How to manage your geolocation preferences on your mobile device
In order to be located within the shopping centre, you will be required to activate the location services on your mobile device.
If you only want to check out the map the activation of the location services feature is not required.
Please note that we will not locate you outside our shopping centre. The location option is carried out by the location services beacons which are installed in the common areas of the shopping centre only.
You may disable the geolocation of your mobile device through your mobile settings at any time.
9. Automated decision making/profiling
There is currently no automated decision-making process which would legally affect you or otherwise significantly affects you. But we will provide you with specific offers based on your individual Personal data and analysis of your user behavior.
Indeed, as we do not want to bother you with information and promotions that may not be relevant to you, we assess your purchase profile, i.e. information such as your earlier purchases and preferences that we collect through your use of our Services as detailed in table (article 3.1), to send you only information and promotions we consider interesting or relevant to you.
10. Transfer in case of change of ownership
If Unibail-Rodamco-Westfield Group is involved in a merger, acquisition, dissolution, or sale all or part of the shopping centres, or its managing company or owner, where you are registered as a Loyalty Program member, we reserve the right to transfer your personal data. You will be notified if such change requires notification or consent under applicable law, you will be notified or given the opportunity to consent.
11. Update of this Privacy Policy
We may revise or update this Privacy Policy from time to time. Any change to this Privacy Policy will become effective upon online publication on this website.
If such change requires notification or consent under applicable law, you will be notified or given the opportunity to consent.
