REDI Shopping Centre Privacy Notice for the Customer Register
Drafted on: 17.4.2019
Kiinteistö Oy Kauppakeskus REDI (“REDI” or ”controller”)
Business ID 2630492-6
Hermannin rantatie 5 A
Contact person for register matters
Hermannin rantatie 5A, 00580 Helsinki
Name of register
REDI shopping centre customer register
Legal basis for and purpose of processing personal data
The legal basis for processing personal data is REDI’s legitimate interest (based on customer relationship and direct marketing) and fulfilment of requests for information and feedback of the data subjects and newsletter subscriptions. The legal basis for processing personal data is consent of the data subject when it is necessary for sending electronic direct marketing.
The purposes of processing personal data are:
- creation, management and development of customer relationship between REDI and the data subject
- marketing, offering, performance and development of REDI shopping center services
- communication with the data subject, including customer feedback and satisfaction surveys
- targeting and performance of direct marketing by mail, phone and electronic direct marketing as well as digital advertising
- opinion polls, surveys and marketing research
- promotional sweepstakes and contests
- development and planning of shopping center services and businesses
- detection, prevention and investigation of fraud and other criminal offences
- analyzing, profiling and statistics for the purposes explained above (such as follow up and analyze visitor experience)
Data subjects and categories of personal data
We process the following personal data of our customers:
- basic information of the data subject: name, date of birth, email address, phone number, address
- gender, title and profession
- interests and information provided by the data subject and marketing efforts performed
- user data of electronic services; registration data required for a REDI application; usage and browsing information of the website; information about the data subject’s individual device and/or cookie identifier, MAC and IP address.
- customer communication, including customer feedback and reclamations;
- possible prohibitions and consents of direct marketing
- other possible information provided by the data subject
Regular sources of information
Personal data are collected directly from the data subject when the data subject is registering to the REDI application, using a web site or other services, sending request for contact or feedback, visiting shopping centre or participating to events.
Disclosure and transfer of data outside the EU or the EEA
Personal data will not be disclosed to external parties except when it is necessary to comply with the legal or contractual obligations of the controller.
Personal data may be shared with third parties only if we have your consent to do so, e.g. disclose name and email address to Q-Park Finland Oy (Taskuparkki sovellus) with your consent in order to get parking benefit.
The controller outsources some functions of the service to third party vendors or other sub-contractors, such as ICT, marketing and communication service providers. In such case personal data will be transferred to these sub-contractors to the extent necessary for the provision of their services. These sub-contractors will process personal data on behalf of the controller and must comply with controller´s instructions. The controller will ensure through contractual measures that the personal data is processed in compliance with the legislation.
We transfer personal data outside the EU/EEA. When personal data is processed outside the EU/EEA, we make sure that the subcontractor has committed to use the EU Commission’s standard contractual clauses and/or is covered by the Privacy Shield -system.
Data protection and retention
Only those of our employees, who on behalf of their work are entitled to process customer data, are entitled to use the system containing personal data. Each user has a personal username and password to the system. The data is collected into databases that are protected by firewalls, passwords and other technical measures. The databases and their backup copies are in locked premises and can be accessed only by certain pre-designated persons.
Personal data will be retained as long as it is necessary for the purposes and will be deleted one years after the customer relationship has ended.
After the customer relationship has ended the controller may keep anonymized data as well as the above described basic information of the data subject for direct marketing purposes, taking into account the applicable legislation. The controller will estimate the need for data storage regularly and take care of such reasonable actions that ensure no incompatible, outdated or inaccurate personal data is stored in the register taking into account the purpose of the processing.
Rights of the data subject
Data subject has the right to know what kind of personal data has been collected and processed and right to request rectification and removal of any incorrect, unnecessary, incomplete or outdated personal data. The requests can be submitted in person or in writing to the contact persons defined in section 2 above.
Data subject is entitled to prohibit the use of the data for direct marketing, distant selling and profiling, as well as use in questionnaires and market research. This prohibition can be submitted anytime to the contact persons or exit from the email list as stated in the marketing message.
Data subjects may withdraw consents they have given, object to or restrict processing of their data in cases defined by law, and the right to complain to the supervisory authority.
The requests can be submitted to contact persons defined in section 2 above. The controller may need to ask additional information to confirm the identity of the data subject.