PERSONAL DATA PROTECTION STATEMENT
We take care of the privacy of visitors to our website and to the City Center one shopping malls, and in our business operations we act in accordance with data protection legislation, in particular the General Data Protection Regulation, applicable from 25th May 2018.
This statement aims to inform you about why and how we process your personal data in the context of using our website or visiting our shopping malls, about the grounds on which we process your personal information and how we handle it, as well as the rights you can exercise in this context.
Who are we?
CC REAL d.o.o., Jankomir 33, Zagreb (“CC Real”), as the owner of the citycenterone.hr website and the managing company of the City Center one shopping malls in Zagreb and Split, acts as a data processing representative and is responsible for processing your personal data. CC Real acts as an independent data processing representative for web analytics and cookies as well as prize contests and competitions (unless a certain prize contest or competition states otherwise). In other situations (described hereinafter), the following companies act together with CC Real as joint representatives responsible for processing your data:
- MANTA d.o.o., Jankomir 33, Zagreb, as the owner of shopping malls City Center one in Zagreb; and
- KAUFMANN and HOFMANN d.o.o., Jankomir 33, Zagreb, as the owner of shopping mall City Center one in Split.
In all cases, and pursuant to the agreement with the other joint representatives, CC Real is the contact point for any issues in connection with the processing of your personal data:
CC Real d.o.o.
Telephone number: 01 5494 054
How, when and why do we process your personal data?
Who are our responders?
Throughout our business activities we process personal data belonging to the following responders:
- Customers who buy our gift vouchers and the persons those gift vouchers are addressed to;
- Potential business associates (in case of small business owners, family farm owners or independent business owners), that is, their contact persons (if they are companies and other legal entities);
- Our Newsletter recipients;
- Participants of prize contests and competitions (which includes participants who apply on their own and, if applicable, persons they sign up);
- Shopping centres’ visitors and users of car parking spaces belonging to the centres;
- Our website visitors.
Personal data that we process
For the purposes of our activities we process the following categories of personal data:
- Basic personal information (such as first name, last name, address and ID number, OIB – personal identification number, and signature);
- Contact details (such as telephone number, e-mail address, job, user name on social networks);
- Bank details (such as card type and name, last four card digits);
- Content of your messages (positive and negative comments, complaints, opinions, suggestions and so on);
- Videos (videos of people that enable identification and vehicle licence plates);
- IP address and your preferences.
How do we collect your personal information?
Personal information that we collect is processed in one of the following ways:
- When we respond to your requests (purchasing gift vouchers, applying to lease business premises or advertising space, applying to participate in a prize contest/competition);
- When giving consent for direct marketing (Newsletter);
- When sending your complaints, positive reactions and other messages;
- When staying in the premises under video surveillance;
Purposes for which we collect data and legal grounds for data collection
In the context of using our website and visiting shopping malls, the purpose and legal grounds of personal data processing differ depending on the activity. Generally speaking, personal data is processed in order to respond to your requests, to conclude and execute contracts, as well as for our own marketing and to realise our legitimate interests in business and security improvement. For more details on personal data processing, applicable purposes and legal grounds regarding particular activities, please click on the activity you are interested in:
- Applying for business premises lease or advertising and promotion
- Sending positive comments, complaints, suggestions and opinions (“visitor‘s messages“)
- City Center one gift vouchers
- Direct marketing (Newsletter)
- Cookies and similar technologies
- Video surveillance
- Prize contests and competitions
Applying for business premises lease or advertising and promotion
In order to enable continuous development of our business, we give an option to our potential lessees and business partners (for the purposes of advertising and promotion) to contact us through appropriate forms on our website. We process data exclusively as to respond to your request, to give you feedback and, depending on the circumstances, to start negotiating a lease contract/contract on business cooperation.
First and last name, company or small business and e-mail address given in web forms are required so that we know who is sending an enquiry and how to make contact regarding the enquiry. In a lease enquiry, we additionally ask you to state briefly whether you are interested in a short-term or long-term lease, so we can consider your enquiry in an adequate way. In addition, you are able to state the details of your enquiry in the form provided (including which shopping mall you are interested in) and leave a telephone number for easier communication regarding the details of your enquiry.
If we have received an enquiry directly from the potential lessee/business partner (e.g. small business owner), the legal grounds for data processing is their request to take action that precedes contract signing. In case the enquiry is sent by a person other than the potential lessee/business partner (e.g. a person authorised to represent the company), the legal grounds for data processing is a legitimate interest to establish business contact with potential lessees/business partners (regarding potential contract negotiation).
Data is entered into the appropriate potential lessee database/business associates database we keep on grounds of legitimate interest. Legitimate interest is shown in the fact that contract negotiations can continue for an extended period, and they may ultimately break down, which may involve contacting other interested parties from the database (to continue communication regarding a previous enquiry). In this way we are facilitating business operation and reducing negotiation time as well as the entire contract signing process.
Sending positive comments, complaints, suggestions and opinions (“visitor’s messages“)
We value our visitor’s opinion and therefore we make sure you are able to send us your positive comments, complaints, suggestions, opinions and other messages (hereinafter “visitor’s messages“) by e-mail, post or the Book of Impressions at the Information Point of a particular shopping mall (“Information Point“).
In order to respond to your messages and ensure their effect and implementation, it is necessary to process their content and thus your personal information. Depending on the way you send messages (by regular mail or electronic mail), information we process includes your first name and last name, e-mail address and residence address, and naturally the content of your messages. When it comes to the Book of Impressions, we only process the data you have stated in your messages, if there are any.
Processing your personal data as part of your messages is based on legitimate interest, which is reflected in helping visitors, thus increasing the centres’ reputation and developing and improving their business.
City Center one Gift Vouchers
Gift vouchers can be purchased at the Centre’s Information Point or online (with an option of collection at the Information Point). In this way the following personal information is processed:
- First and last name of the buyer and the person collecting the gift voucher (if different);
- E-mail address (for online purchases, in order to issue a receipt), home address and telephone number;
- First and last name of the card holder, name and type of bank card and last 4 card digits (when the card holder is a natural person/small business owner), in case of small business owner their OIB – personal identification number is also required.
Legal grounds to process this data is completion of the contract on the sale of gift vouchers with a buyer (when a buyer is a natural person/small business owner), that is, legitimate interest for proper completion of the contract for the purpose of collecting gift vouchers (when a buyer is a company or the data refers to the person who is collecting it).
When collecting a gift voucher, we also take the buyer’s signature and ID number, or of the person authorised to collect the gift voucher, in order to verify the buyer’s identity, that is the identity of the person authorised for collection. This data processing is based on legitimate interest of proper completion of the contract on the sale of gift vouchers and providing protection and enforcing legal requirements.
In case of card payment, the payment is made through our service provider, company Agent Cash (details below). After a successful transaction, CC Real receives only the above mentioned card information. This data is needed to make our claims towards the banks after a successful transaction.
Payments by debit and credit cards in our web shop and at the Information Point take place exclusively through the systems under technical and legal responsibility of our service provider for online payments:
AGENT CASH LTD
1 Mark Square
London EC2A 4EG
In certain situations, our business partners involved in certain business support activities regarding centre management (REIWAG Facility Services d.o.o., Zagreb) have insight into our data, including the management of the Information Point and fiscal cash registers. They work exclusively in line with our instructions ensuring the necessary level of protecting your data.
Direct marketing (Newsletter)
Direct marketing is a form of informing and advertising we use to address directly our visitors through e-mail. Newsletters we send include news on discounts, events and novelties at our City Center one shopping malls (in Zagreb and/or Split, depending on your choice).
In order to deliver the Newsletter to you, we collect and process exclusively information about your e-mail address, based on your consent (whether you have completed a form available on our website or at our business partners’ premises, such as Kids Jungle Playroom). E-mail addresses are stored independently in the appropriate Newsletter database (Zagreb and/or Split, depending on your choice).
You can withdraw your consent at any moment free of charge by clicking on the link ‘unsubscribe’ found at the bottom of every newsletter or by sending your request to the following e-mail address: firstname.lastname@example.org.
We use the MailChimp platform and the services of “The Rocket Science Group, LLC” from the USA (Atlanta, Georgia 30308, USA) to deliver newsletters and manage the list of recipients as well as the complaints register (unsubscribe list). This company is the Data Processor and it undertakes all necessary measures of data protection, according to the membership in “the Privacy Shield“. For more information regarding “the Privacy Shield” programme please contact us or find information on the Croatian Personal Data Protection Agency website (http://azop.hr/aktualno/detaljnije/vodic-za-gradane-eu-sad-stit-privatnosti).
As part of using the MailChimp platform we also cooperate with a marketing agency from Zagreb, ZOO Agencija d.o.o., whose authorised employees can access the e-mail address database. They act solely according to our instructions and they are not allowed to use the information from the database in any other way.
Cookies and similar technologies
We use the Google Analytics cloud service of Google Inc. (“Google”) to process data for the purposes of analytics, and all the data is transferred to and stored on servers in the USA. In accordance with the membership in “the Privacy Shield”, Google undertakes all necessary measures to protect the data. For more information regarding “the Privacy Shield” programme, please contact us or find information on the Croatian Personal Data Protection Agency website (http://azop.hr/aktualno/detaljnije/vodic-za-gradane-eu-sad-stit-privatnosti).
There are several external services (such as Facebook, Google) which store certain cookies (so-called third party cookies) for the visitors of our website. These help us provide additional services to our visitors such as access to social networks, sharing articles on social networks, using maps for navigation (Google maps) and so on. These cookies are not set by our website; they are controlled by the external services.
Video surveillance
We carry out video surveillance that covers common inside areas of the shopping mall (excluding individual stores), parts of our parking lots, roads and the food court area. Video surveillance is carried out in order to ensure you have a safe visit at our shopping malls as well as to protect the property (yours and ours, and the property of others who work at the centre).
Data processing (videos that enable identification of people and vehicles’ licence plates) is carried out based on the specified legitimate interest based on the Law on Implementation of General Data Protection. Videos are used exclusively for the purpose of ensuring safety and inspecting possible unlawful actions (that is, for the purpose of subsequent action in case of recorded incidents), all in accordance with legal regulations.
The video surveillance system is protected from access by unauthorised persons. Access to video recordings is restricted to authorised persons, more precisely, the members of the Management Board of CC Real d.o.o. and the Centre Manager. Authorised employees of the security company Securitas Hrvatska d.o.o. from Zagreb also have access. Only in exceptional cases can the authorised employees of the company for facility management and maintenance (Reiwag Facility Services d.o.o.) have access, as well as the employees and authorised persons of the company in charge of IT system maintenance (BLINK d.o.o.). All mentioned authorised representatives of external partners act solely according to our instructions, in accordance with the contract. Pursuant to the law, insight into video recordings can be provided to competent state authorities as part of performing their duties from the scope of work determined by the law.
With regard to your rights, we would like to direct you to the section Your rights and how to exercise them at the end of this document. Please note that prior information may be required from your side in order to exercise certain rights (such as time and place of the video recording, to determine the video that refers to you). Also, exercising some rights may be limited (e.g. due to protecting the rights of other persons recorded in the video). In any case you can get additional information about processing your data and all specified circumstances.
Prize contests and competitions
As part of our business activity, we often organise various prize contests and competitions with the purpose of promoting shopping malls and products. On that occasion we collect and process personal data, which depends on the specific prize contest or competition. This kind of information can include personal data such as user names on social networks, a comment or photograph (which enables the identification of an individual), first name and last name, contact details (e-mail address and/or telephone number), address, age and similar details.
These are details that are necessary to conduct a prize contest or a competition as well as to give rewards, and we process them based on your request, or application, in order to fulfil our commitment which follows from a prize contest or a competition.
Additional personal data is processed when collecting the prize – usually an ID needs to be presented, ID number is entered in the form that confirms the prize has been collected together with the signature. We collect such details based on our legitimate interest which is to ensure the ability to prove fulfilment of our obligations towards the winner, and for protection and enforcing legal requirements.
Details on processing personal data as part of a prize contest or a competition are always published in the notification on processing personal data that accompanies every prize contest or competition.
Who are the recipients of personal data?
In the framework permitted by law and depending on the processing activity, your details are delivered or disclosed to the following associates:
- IT service providers as part of software support and maintenance (e.g. BLINK d.o.o.);
- Providers of cloud software services (including the providers in the USA, e.g. The Rocket Science Group LLC);
- Billing service providers (AGENT CASH LTD) and banks;
- Security service providers in the Centres (Securitas Hrvatska d.o.o.) and support services in centre management (REIWAG Facility Services d.o.o.);
- Companies that own the centres and managing companies (Manta d.o.o. for Zagreb and Kaufmann and Hofmann d.o.o. for Split);
- Business partners listed in this statement under the appropriate processing purpose.
In some cases, the recipients of personal data are located outside of the EU. As explained on a case by case basis in the section “Purposes for which we collect data and legal grounds for data collection“, in all cases of transferring personal data to such countries, an adequate level of protection of personal data is ensured according to the law (e.g. the recipient’s membership in “the Privacy Shield” programme in case of recipients in the USA, by signing standard contract clauses with the recipient). Also, at any given moment you can use our contact details to request additional information on personal data transfer outside of the EU and the safety measures which are applied.
How long do we keep your data?
Your data is kept only as long as there is a purpose for data storing and processing.
- Bookkeeping records (such as receipts and proof of collecting gift vouchers/prizes): 11 years (accounting regulations);
- Data obtained based on consent (such as e-mail address for newsletter): only as long as there is a valid consent;
- Database of potential lessees/business associates: up to 12 months;
- Visitors’ messages (positive comments, complaints, suggestions and so on): within the time needed to consider and reply to your message, depending on the content and our capacities (approximately 2 weeks). Records of consumer complaints are kept 1 year after the receipt of the written complaint (consumer protection legislation);
- Processed data that may be subject to claims: in accordance with statutory limitations (up to 5 years);
- Prize contests and competitions: as long as there is a need to resolve complaints (depending on the time defined by the rules of prize contests/competitions), that is, longer in exceptional cases due to inspection or possible legal proceedings, in line with statutory limitations (up to 4-5 years);
- Video surveillance recordings: usually up to 15 days after being recorded. In case of incidents recorded on the video which was reported, a longer period can be required based on the need to carry out the legal proceedings;
- Legal proceedings: If legal proceedings occur, personal data necessary for enforcement is kept until the date of the final decision of the proceedings. Accepted claims are kept 10 years after the finality of the decision or a settlement (statutory limitations).
If there is a tax liability for a particular type of data required for the execution of the contract, the period of keeping the records is extended to 10 years in accordance with the tax regulations, and processing of such data is limited in that particular period.
If the same data is used for several different purposes, we will keep it until the expiration of the later retention period; however, we will stop using it for the other purposes for which the (shorter) retention period has expired.
After the data retention period expires, your data that is no longer needed is either irreversibly anonymized (and anonymized data can be kept) or deleted/destroyed in a safe way.
Your rights and how to exercise them
All our responders have the rights granted by personal data protection regulations.
You are granted the following rights:
- Right to withdraw a consent (when processing is based on consent)
- Right to access
- Right to delete (“right to be forgotten”)
- Right to make a correction
- Right to object
- Right to limit processing
- Right to transfer data
- Right to complain to competent authority
The enquiries and requests you send us will be processed without delay, in accordance with legal obligations, and you will be informed about the measures we have taken.
CC Real contact to exercise your rights: email@example.com
|Right to withdraw a consent||Newsletter recipients have the right to withdraw their consent at any moment free of charge:
|Right to access||You have the right to receive from us a confirmation on processing your personal data (including the copy of the data) as well as access to information regarding data processing (such as the purpose of processing, categories of personal data, recipients, period of keeping the data). In the case of transferring your personal data outside of the EU, you have the right to access information regarding appropriate safety measures.|
|Right to delete||You have the right to obtain from us personal data deletion, without delay, if there is no legitimate reason for further data processing (e.g. if the data is no longer necessary for the purposes it was previously processed for). If such a legitimate reason still exists, we will inform you in detail as part of our response to your request.|
|Right to make a correction||You have the right to obtain from us a correction in case your personal details are inaccurate, and we are obliged to correct it without delay. Taking into consideration the purpose of processing, you have the right to supplement incomplete personal data, by providing an additional statement.|
|Right to object||If data processing is based on realising our legitimate interests, you have the right to object in any given moment to such processing to the extent it relates to your personal data. In this event, we will not continue processing the data for the purposes relating to the objection, unless we prove that there are convincing legitimate reasons beyond your interests, rights and freedoms or if this is necessary to realize or defend our legal requirements.|
|Right to limit processing||You have the right to obtain from us certain restrictions regarding your personal data processing if: you dispute accuracy; processing is not legal, and you oppose deletion; you are asking for restrictions as to set up, realise or defend your legal requirements, and we no longer need your details for data processing; you have made an objection with regard to processing your personal data and you are expecting confirmation.|
|Right to transfer data||You have the right to receive your data that you provided to us, in a structured, commonly used and easy to read format, and you can transfer it to a different service provider. By doing so you have the right to direct data transfer from us to a different processing representative if this is technically possible.|
|CONTACT TO EXERCISE RIGHTS:||Specified rights can be exercised in the following way: firstname.lastname@example.org|
|COMPLAINT TO COMPETENT AUTHORITY||You can also exercise your rights by way of complaint to a supervising authority regarding the processing of your personal data. Croatian Personal Data Protection Agency, Martićeva ulica 14, 10 000 Zagreb, is the competent authority in the Republic of Croatia; find additional information on how to contact them on the Agency’s website (http://azop.hr).|
With regard to our continued care regarding the protection of your data, it may happen that over the course of time we need to make some changes in this statement in order to align it with the actual situation or legal provisions. In case of significant changes, we will take appropriate measures to inform you in a timely manner of all such amendments.