Information
Notice on the processing of personal data for persons visiting or working in AUPARK Žilina
Notification concerning the processing of personal data
for persons visiting
or working within the premises of shopping center
Company AUPARK
Žilina SC a.s., headquartered in Veľká
okružná 59A, Žilina 010 01, registered in Commercial register of District Court
Žilina, section Sa, under file no. 10806/L, having Business Identification number
44 441 193, further on called
„Controller”, processes the personal
data of data subjects that visit or work within the premises of shopping center
AUPARK Žilina – Shopping Center („SC”), as follows:
Purposes of processing:
a.
fulfilling
the legitimate interests of the owner or operator of the building to ensure security
and safety of assets, for which purpose it decided to use video surveillance of
public areas by the means of CCTV system
installed on the premises of the asset, in the common areas, access ways,
parking areas
b.
fulfilling
the contractual obligations, respectively enabling the access to
the parking space or manage the parking payment system (exit is
enabled after payment of the parking fee, based on temporary registration of
the vehicle license plate)
c. solving the requests for data
and information received from the competent authorities and institutions
d.
archiving,
settling disputes, investigations, or any other petitions / complaints to which
our company is party, as well as conducting risk controls on procedures and
processes, as well audits or investigations at the company level
e.
granting
free access to the WiFi network
f.
participating in the comercial
center’s marketing campaigns and awarding of prizes gained in such campaigns (e.g.:
signing handing-over minutes etc.)
g.
handling complaints filed
in the SC premises (e.g.: complaints forms etc.)
h.
processing the lost&found
requests filed in the SC premises (e.g.: lost&found forms etc.).
Processed categories of data:
-
in the context of using
the CCTV video surveillance system: the image of the data subjects
-
in the context of the usage
of parking areas: the brand, the type and license number of the vehicle for
which a parking space is offered, the image of the data subjects, the time of
entry and exit in/out the parking areas
-
in the context of the issuance
of parking cards: the identification data of the data subjects and the time of
entry and exit in/out the parking areas
-
in the context of
accessing the Free WiFi: the MAC of the devices
-
as
regards the SC’s campaigns, the types of processed data are to be detailed in
the Campaign Regulation, as published on the SC’s website.
Categories of data subjects whose personal data are
processed:
-
visitors and clients of
the SC
-
personnel of the tenants
of the SC
-
personnel of the providers/partners/collaborators
of the Controller.
Legal grounds for processing:
In view of the above, we
process the personal data of the data subjects that visit or work within the SC
premises, as the case may be, based on:
-
legal obligations of the Controller
(e.g. handling data subjects
and/or authorities requests)
-
the consent of the data
subject (e.g. participation in campaigns)
-
legitimate interest of
the Controller (e.g. protection
of property and other assets, protection of individuals, manage the
parking payment system, processing operations within the Group the Controller
belongs to).
Storage period:
The processed personal
data is kept for the period of time necessary to comply with the legal
obligations imposed by the regulations specific to our field of activity.
As far as video
recordings are concerned, they are usually kept for a period of up to 14 (fourteen)
days, unless the extension of their processing period is imposed by law or
justified by legal procedures.
The MAC of devices is
stored only for the period the device is using the WiFi network.
As
regards the SC’s campaigns, the data storage coordinates are to be included in the
Campaign Regulation, as published on the SC’s website.
Third party access:
In order to ensure CCTV video surveillance, as well as to issue access
cards in the premises and in the parking areas, the Controller cooperates with companies
within the NEPI Rockcastle Group („Group”) or specialized and authorized
companies according to the law, for the purpose to carry out such activities.
Personal data thus processed may also be made available to competent
authorities and institutions, in accordance with the law, or processed within
the Group, for the purpose of group management consolidated activities, for
audit purposes and in any other situation where the law imposes or permits such
processing.
As regards the SC’s campaigns and events, as well
the handling of complaints and/or lost & found requests, if filed in the SC’s
premises, to the Info Desks, the Controller usually collaborates with
specialized 3rd party providers.
Rights of data subjects whose data are processed as
described herein:
a)
Right of access - you may request confirmation if your personal
data are processed or not by us, and if so, you may request
access thereto, as well as certain information about this. Upon request,
we will also issue a copy of the processed personal data. The request for additional
copies will be charged based on the actual costs incurred by us,
b)
Right to rectification - you
can get your inaccurate personal data rectified and
also supplement incomplete data, including by providing additional
information.
c)
Right to delete data ("the right to be forgotten") -
in situations expressly regulated by law, you can obtain from us
the deletion of the data. Thus, you can request deletion of personal data
if:
-
the data are
no longer necessary for the purposes for which they were collected or otherwise
processed;
-
you withdraw
your consent on the basis of which processing takes place;
-
you oppose to
the processing under the right of opposition;
-
processing
your personal data is illegal;
-
data
must be deleted for compliance with
a legal obligation incumbent on us.
d)
Right to restrict processing - you may request the restriction of
processing of personal data in certain situations governed by law, as follows:
-
you contest
the accuracy of your data, for the time the accuracy of the
concerned data is checked;
-
processing is
illegal and you oppose to the deletion of data;
-
you need these
data to establish, exercise or defend some rights in court, and we no longer
need this data;
-
you opposed
the processing of personal data for the period in which we check if
our legitimate interests prevail over the interests of
your rights and freedoms.
In these situations, except for storage, the data will not be
processed anymore.
e)
Right to object to the processing of
personal data - you
can object at any time, for reasons related to your particular situation,
to processing (including profiling) based on our legitimate interest or,
where appropriate, on us exercising a task which is in the public interest
or results from the exercise of a public authority with
which we would have been invested thereby.
Marketing materials sent electronically
may contain brief information on your option of objecting to the
processing of personal data in order to perform direct marketing. If you object
to the processing of personal data for direct marketing purposes, your personal
data will no longer be used in for these purposes.
The right to object to the direct marketing
activity is available when the processing of personal data for direct marketing
purposes is based on (i) our legitimate interest, or (ii) on the existing
contractual relationship with us and concerns products that are
similar to those already contracted, and not on the consent given.
f)
Right to data portability - you can receive your personal data in a
structured, readable format, and you can request that the data
be passed to another operator. This right applies only to personal data
provided directly by you, and only if the processing of personal data is
done by automated means and is legally based on either the execution of a contract
or the consent of that person,
g)
Right to complain - you can complain about how we process your
personal data. The complaint will be filed with the Office for Personal Data
Protection ("Office") – details at www.dataprotection.gov.sk,
h)
Right to withdraw your consent - you may at any time withdraw your
consent to the processing of personal data in cases where processing is based
on consent. Withdrawal of the consent will only have effect for the future, and
processing prior to the withdrawal remains valid.
i)
Additional rights related to automated decisions used in the delivery of services - if we
make automated decisions about personal data and these decisions affect
you significantly, you can (a) obtain human intervention with respect to
said intervention, (b) express your point of views on such processing, (c)
obtain explanations of the decision made and (d) contest that decision.
These
rights (except the right to contact the Office, which you can exercise
under the conditions established by this authority - in this regard you can see
the official website www.dataprotection.gov.sk) may be exercised, either individually or by
aggregation sending a letter/message in the following ways:
-
by post, at: NEPI
Slovakia Management s.r.o., Veľká okružná 59A, 010 01 Žilina;
-
by email, at
the email address: osobnyudaj@nepirockcastle.com.
In addition, a Data
Protection Officer ("DPO") has
been appointed at the Group level, who can be contacted if there are any
concerns about the protection of personal data and the exercise of data
protection rights. The DPO may be contacted by the means of a written, dated
and signed application, using the contact details mentioned below:
-
NEPI Rockcastle, Data Protection Officer, Floreasca Business Park, building A, 5th floor,
169A Calea Floreasca, Bucuresti, Sector 1, cod 014459, Romania
-
e-mail: data.protection@nepirockcastle.com
Update: 27.11.2019