PRIVACY NOTICE ON THE PROCESSING OF PERSONAL DATA
Our shopping center’s business includes several situations in which we will process your personal data. More details can be found below.
We are uždaroji akcinė bendrovė “Ozantis”, a Lithuanian company, with its registered office in Vilnius, Ozo g. 18, registered under no. 126345741 (hereinafter referred to as “SC OZAS”).
This privacy policy is addressed to all data subjects who visit our shopping centre, access its website, participate in promotional campaigns or similar events carried out by us within the shopping centre or online or data subjects who represent suppliers/partners/collaborators or tenants in the contractual relationship with SC OZAS.
The way we process your personal data differs depending on your relationship with SC OZAS. To receive more information choose the category below that is applicable to you:
I am a visitor or customer of the shopping centre
I am a user of the shopping centre website
I am the legal representative or contact person of a supplier, collaborator or tenant of the shopping centre
I am part of the staff of suppliers, collaborators or tenants of the shopping centre
In all cases, you have several rights that can be exercised, individually or cumulatively, with respect to personal data that SC OZAS holds in relation to you. Information on these rights as well as how they can be exercised is available in the
Rights of data subjects section.
We undertake to process personal data in compliance with applicable legislation on the protection of personal data and good practices in this area. More information is available in the section on Data security and accuracy.
In addition, a Data Protection Officer has been appointed at the NEPI Rockcastle Group level, who can be contacted should there be any concerns about the protection of personal data and the exercise of data protection rights. The Data Protection Officer can be contacted by written, dated and signed request, using the contact details mentioned below:
1. Visitors of the shopping centre website
When you access the SC OZAS website (the “Website”), some of your personal data will be processed by SC OZAS, mainly to be able to provide you with the requested service, that is the access to the Website.
1.1 Personal data we process
We are collecting data through cookies or other similar technical means (i.e., small text files that are stored on your computer, phone, tablet or mobile device, and contain information about your activity on those sites/applications), e.g.: sub-pages accessed, period spent on a specific page.
More information regarding usage of cookies is available in the Cookie Policy.
1.2 Use of personal data
No.
|
Purpose of processing personal data
|
Legal basis of processing personal data
|
1 |
Use of marketing cookies for the purpose of:
-
conducting profiling activities, also called web profiling which involves the use of cookies to track online the general activity of a user in order to present content tailored to his preferences,
-
conducting targeting and retargeting campaigns
More information on cookies is available in the Cookie Policy
|
Your consent
|
2 |
Create statistics designed to provide information about the performance of the Website and the marketing campaigns displayed (e.g. the number of users who accessed the campaign page, the number of users who saw the campaign banner, etc.), made by using analysis cookies
More information on cookies is available in the Cookie Policy
|
Our legitimate interest in (i) improving the content of the Website and the campaigns conducted on the Website as well as the better evaluation of the performance indicators (KPI) of the commercial campaigns carried out on the Website and (ii) ensuring the operation, access and technical use of the Website and providing you with the services you have explicitly requested
|
3 |
Use of cookies necessary to ensure the operation of the Website
More information on cookies is available in the Cookie Policy
|
Perform the contract regarding the provision of our services (i.e. ensuring access to the Website)
|
1.3 Additional information on profiling activity
SC OZAS will create and analyse your profiles based on the personal data we hold about you - data about your interaction with the Website, data collected through cookies. As a result of analysing such data, we will be able to identify your preferences, interests and capabilities in terms of procurement, and thus relate them to the services we provide or to the products we promote.
Then, through automated procedures, SC OZAS sets the content of the direct marketing materials that can be sent to you. In the legal language these automated procedures are referred to as “automated individual process”.
Thus, the direct marketing materials that we will send you will be as specific, convincing and applicable as possible to you, and as a consequence may influence you (i.e. in the sense of purchasing the product/service included in the marketing material), as SC OZAS manages to correctly identify your preferences or characteristics.
With regard to the processing of data by automated individual processes, you have several additional rights, i.e. you can (a) obtain human intervention, (b) express your point of view, (c) get explanations about the decision made and (d) contest that decision. In addition, you can withdraw consent at any time in the manner prescribed in this Privacy Policy in the section dedicated to Data subjects rights.
1.4 Storage period
The personal data processed are kept for the period of time necessary to comply with the legal obligations imposed on us by the regulations specific to our field of activity.
Regarding the use of your personal data for direct marketing activities, they will be stored by SC OZAS from the moment you gave us your consent for this processing until the date you withdrew it.
Currently used cookies and their storage period is available in our Website in section "Show details" of the informational cookie message.
1.5 Third party access
Access to your data will be provided only to those persons or entities with whom we collaborate in fulfilling the purposes of processing, and for whom we (we or the intended recipients) can justify a legitimate reason or if we have a legal obligation to provide your data.
The following entities and their employees may have access to your data:
-
IT service providers (e.g., software maintenance and development, site maintenance and development).
-
Marketing service providers, including market research service providers, marketing communications service providers, online tool traffic and behaviour monitoring service providers, various marketing customization service providers, providers of marketing services through social media resources, providers of services for the preparation of the content of marketing forms.
-
Managing group company - NEPI Rockcastle Lithuania, UAB (registered under no. 304909465).
-
Other group companies.
As SC OZAS is part of the Nepi Rockcastle group of companies (the “Group”), your personal data will be processed for the purposes of consolidated management of the Group’s activities, for audit purposes and in any other situation when such processing is required or allowed by law, if we can (SC OZAS or the recipient companies in the Group) justify a legitimate basis in this regard or if we obtain your consent in this regard. The list of the Group companies can be found at the following address: https://nepirockcastle.com/portfolio/ .
We will also provide your personal data to judicial bodies, public institutions, or central and local public authorities, based on a duly substantiated request or legal obligation.
As a rule, SC OZAS will not transfer your personal data to third countries outside the European Economic Area. However, if such a transfer takes place, SC OZAS will take appropriate protection measures to ensure the protection of the personal data transferred.
2. Visitors and customers of the shopping centre
2.1 Personal data we process
-
Identification data, such as: first name and last name, date of birth
-
Special identification data, that is personal identity number
-
Contact details, such as: email address, phone number
-
Image (video or photo)
-
Data on the vehicle for which a parking space is granted in the car park of the shopping centre: vehicle plate number (with image)
-
Data on access to the shopping centre parking, e.g.: arrival date and time, departure date and time, length of stay, payment related data
-
IP, MAC of the devices, login time (mobile, laptop, tablet)
-
Data on participation in promotional campaigns and similar events, e.g.: prizes won
2.2 Use of personal data
No.
|
Purpose of processing personal data
|
Legal basis of processing personal data
|
1 |
Video surveillance by means of the CCTV system installed inside the shopping centre, in the common areas, access roads, as well as car park areas
|
Legitimate interest in ensuring the security of persons and property inside the shopping centre and its premises
|
2 |
Video surveillance of the parking control system equipment
|
Legitimate interest in ensuring security of the property, settlement of damage
|
3 |
Providing access to the parking lot of the shopping centre
|
Perform the contract regarding the provision of our services or lease of parking space of the parking lot (i.e. granting access to the parking lot of the shopping centre)
|
4 |
Take and use photos (which also include your image) in order to promote the shopping centre
|
Your consent
|
5 |
Solve requests for data and information received from the competent authorities and institutions
|
Legal obligation
|
6 |
Grant access to the free WiFi network
|
Perform the contract regarding the provision of our services (i.e. granting access to the facilities and services provided by the shopping centre)
|
7 |
Organise raffles, competitions, events or marketing campaigns in the shopping centre, including handing out prizes won
|
Perform the contract (i.e. in accordance with the regulation of the concerned raffle, competition or campaign) or legal obligation (regarding declaration and payment of taxes)
|
8 |
Management of notifications/complaints submitted within the shopping centre
|
Our legitimate interest in resolving complaints sent to us and in maintaining good relations with visitors/customers of the shopping centre
|
9 |
Management of requests regarding lost objects, filed inside the shopping centre
|
Our legitimate interest in resolving requests regarding lost objects
|
10 |
Carry out economic, financial and/or administrative management activities
|
Legal obligation
|
11 |
Settlement of disputes, investigations or any other petitions/complaints to which SC OZAS is a party
|
Legitimate interest in defending our rights in court/in front of any competent authority
|
12 |
Archiving
|
Legal obligation
|
13 |
Carry out risk controls on SC OZAS procedures and processes, as well as conduct audits or investigations of SC OZAS
|
Our legitimate interest in managing risks and ensuring compliance with SC OZAS procedures and processes
|
2.3 Storage period:
The personal data processed are kept for the period of time necessary to comply with the legal obligations imposed on us by the regulations specific to our field of activity.
Depending on the context in which we process your personal data, the following rules for determining the storage period will apply:
-
CCTV system: video recordings stored by the CCTV system are usually kept for a period of 14 (fourteen) days. Storage period may be extended if required by law or it is necessary in order to investigate a specific incident / event and to ensure that the interests of the SC OZAS are protected / damage is compensated.
-
Parking system: video surveillance of the parking and payment equipment - no longer than 1 month; arrival / departure to the parking lot related data - no longer than 2 months; payment related data - in accordance with tax regulation (usually - 10 years). Storage period may be extended if required by law or it is necessary in order to investigate a specific incident / event and to ensure that the interests of the SC OZAS are protected / damage is compensated.
-
WiFi network: Data is stored during the session and not longer than 1 (one) day after the session ends.
-
Inquiries, complaints, lost and found related data - no longer than 3 years from the date of dispatch of the reply, receipt of the document (in case no reply).
-
Contract data - no longer than 10 years after the end of the contract.
-
Marketing related data: in accordance with the rules of specific marketing campaign.
-
Other – in accordance with the storage periods, established by legal regulation.
2.4 Third party access:
Access to your data will only be provided to those individuals or entities with whom we collaborate for processing purposes and for whom we (the new or the intended recipients) can justify a legitimate ground in accordance with the GDPR or if we have an obligation legal to provide your data.
The following entities and their employees may have access to your data:
-
Security service providers, operator of the parking system - to ensure CCTV video surveillance and access control system in parking spaces, to operate the parking system, SC OZAS collaborates with specialised companies, authorised to carry out security, surveillance and operational activities.
-
Other service providers - with regard to participation in campaigns and events, as well as the handling of complaints, grievances and/or requests regarding lost items addressed to the staff of the Info Desk offices within the shopping centres, SC OZAS usually collaborates with specialised service companies.
-
Legal consultants.
-
Managing group company - NEPI Rockcastle Lithuania, UAB (registered under no. 304909465).
-
Other group companies.
As SC OZAS is part of the Nepi Rockcastle group of companies (the “Group”), your personal data will be processed for the purposes of consolidated management of the Group’s activities, for audit purposes and in any other situation when such processing is required or allowed by law, if we can (SC OZAS or the recipient companies in the Group) justify a legitimate basis in this regard or if we obtain your consent in this regard. The list of the Group companies can be found at the following address: https://nepirockcastle.com/portfolio/ .
Your personal data will also be processed in relation to a number of third party partners (“Partners”). They are the partners that SC OZAS promotes in its relationship with you by direct marketing and are usually the tenants of SC OZAS. The partners do not have access to your personal data, except if SC OZAS obtained your prior agreement in this respect.
We will contractually require these entities and their staff to respect the confidentiality of this data, ensuring a high level of security for the processing of your data.
We will also provide your personal data to judicial bodies, public institutions, or central and local public authorities, based on a duly substantiated request or legal obligation.
As a rule, SC OZAS will not transfer your personal data to third countries outside the European Economic Area. However, if such a transfer takes place, SC OZAS will take appropriate protection measures to ensure the protection of the personal data transferred.
3. Representatives of the contractual partners (suppliers/tenants of shopping centres/collaborators)
3.1 Personal data we process
-
Identification data, such as: first name and last name
-
Contact details, such as: email address, phone number
-
Occupational data, such as: position held, company in which you are employed or which you represent
3.2 Use of personal data
No.
|
Purpose of processing personal data
|
Legal basis of processing personal data
|
1 |
Concluding and executing lease or other commercial contracts
|
Legitimate interest in carrying out our activity and validly concluding commercial contracts agreements specific to our field of activity (i.e. commercial spaces lease and other agreements) or performance of contract
|
2 |
Contacting possible future tenants of the shopping centre (prospective tenants)
|
Legitimate interest in promoting our business and promoting the shopping centre to potential tenants (prospective tenants)
|
3 |
Carry out know-your-customer (KYC) checks in relation to potential contractual partners
|
Legitimate interest in performance of KYC procedure
|
4 |
Settlement of disputes, investigations or any other petitions/complaints to which SC OZAS is a party
|
Legitimate interest in defending our rights in court/in front of any competent authority
|
5 |
Archiving
|
Legal obligation
|
6 |
Carry out risk controls on SC OZAS procedures and processes, as well as conduct audits or investigations of SC OZAS
|
Our legitimate interest in managing risks and ensuring compliance with SC OZAS procedures and processes
|
3.3 Storage period
The personal data processed are kept for the period of time necessary to comply with the legal obligations imposed on us by the regulations specific to our field of activity.
Depending on the context in which we process your personal data, the following rules for determining the storage period will apply:
-
Inquiries, complaints, contacting related data - no longer than 3 years from the date of dispatch of the reply, receipt of the document (in case no reply) or data.
-
Contract data - no longer than 10 years after the end of the contract.
-
Other – in accordance with the storage periods, established by legal regulation.
3.4 Third party access
Access to your data will only be provided to those individuals or entities with whom we collaborate for processing purposes and for whom we (the new or the intended recipients) can justify a legitimate ground in accordance with the GDPR or if we have an obligation legal to provide your data.
The following entities and their employees may have access to your data:
As SC OZAS is part of the Nepi Rockcastle group of companies (the “Group”), your personal data will be processed for the purposes of consolidated management of the Group’s activities, for audit purposes and in any other situation when such processing is required or allowed by law, if we can (SC OZAS or the recipient companies in the Group) justify a legitimate basis in this regard or if we obtain your consent in this regard. The list of the Group companies can be found at the following address: https://nepirockcastle.com/portfolio/ .
We will contractually require these entities and their staff to respect the confidentiality of this data, ensuring a high level of security for the processing of your data.
We will also provide your personal data to judicial bodies, public institutions, or central and local public authorities, based on a duly substantiated request or legal obligation.
As a rule, SC OZAS will not transfer your personal data to third countries outside the European Economic Area. However, if such a transfer takes place, SC OZAS will take appropriate protection measures to ensure the protection of the personal data transferred.
4. Staff of suppliers, collaborators or tenants of the shopping centre
4.1 Personal data we process
-
Identification data, such as: first name and last name
-
Contact details, such as: email address, phone number
-
Occupational data, such as: position held, company in which you are employed or which you represent
-
Image (photo or video)
-
Data on the vehicle for which a parking space is granted in the car park of the shopping centre: vehicle plate number (with image)
-
Data on access to the shopping centre parking, e.g.: arrival date and time, departure date and time, length of stay, payment related data, information filled in section “notes”
-
IP, MAC of the devices, login time (mobile, laptop, tablet)
4.2 Use of personal data
No.
|
Purpose of processing personal data
|
Legal basis of processing personal data
|
1 |
Video surveillance by means of the CCTV system installed inside the shopping centre, in the common areas, access roads, as well as car park areas
|
Legitimate interest in ensuring the security of persons and property inside the shopping centre and its premises
|
2 |
Video surveillance of the parking control system equipment
|
Legitimate interest in ensuring security of the property, settlement of damage
|
3 |
Providing access to the parking lot of the shopping centre
|
Perform the contract regarding the provision of our services or lease of parking space of the parking lot (i.e. granting access to the parking lot of the shopping centre)
|
4 |
Grant access to staff of the tenants, service providers, contractors and other collaborators inside the shopping area outside the hours when the shopping centre is not open
|
Legitimate interest in ensuring the security of persons and property inside the shopping centre
|
5 |
Solve requests for data and information received from the competent authorities and institutions
|
Legal obligation
|
6 |
Grant access to the free WiFi network
|
Perform the contract regarding the provision of our services (i.e. granting access to the facilities and services provided by the shopping centre)
|
7 |
Management of notifications/complaints submitted within the shopping centre
|
Our legitimate interest in resolving complaints sent to us and in maintaining good relations with visitors/customers of the shopping centre
|
8 |
Management of requests regarding lost objects, filed inside the shopping centre
|
Our legitimate interest in resolving requests regarding lost objects
|
9 |
Carry out know-your-customer (KYC) checks in relation to potential contractual partners
|
Legitimate interest in performance of KYC procedure
|
10 |
Settlement of disputes, investigations or any other petitions/complaints to which SC OZAS is a party
|
Legitimate interest in defending our rights in court/in front of any competent authority
|
11 |
Archiving
|
Legal obligation
|
12 |
Carry out risk controls on SC OZAS procedures and processes, as well as conduct audits or investigations of SC OZAS
|
Our legitimate interest in managing risks and ensuring compliance with SC OZAS procedures and processes
|
4.3 Storage period
The personal data processed are kept for the period of time necessary to comply with the legal obligations imposed on us by the regulations specific to our field of activity.
Depending on the context in which we process your personal data, the following rules for determining the storage period will apply:
-
CCTV system: video recordings stored by the CCTV system are usually kept for a period of 14 (fourteen) days. Storage period may be extended if required by law or it is necessary in order to investigate a specific incident / event and to ensure that the interests of the Controller are protected / damage is compensated.
-
Parking system: video surveillance of the parking and payment equipment - no longer than 1 month; arrival / departure to the parking lot related data - no longer than 2 months; payment related data - in accordance with tax regulation (usually - 10 years); in case of lease of the parking space to the tenants and / or employees of the tenants of the shopping center - no longer than 1 month after the end of the lease contract. Storage period may be extended if required by law or it is necessary in order to investigate a specific incident / event and to ensure that the interests of the Controller are protected / damage is compensated.
-
WiFi network: Data is stored during the session and not longer than 1 (one) day after the session ends.
-
Inquiries, complaints, lost and found related data - no longer than 3 years from the date of dispatch of the reply, receipt of the document (in case no reply).
-
Contract data - no longer than 10 years after the end of the contract.
-
Other – in accordance with the storage periods, established by legal regulation.
4.4 Third party access
Access to your data will only be provided to those individuals or entities with whom we collaborate for processing purposes and for whom we (the new or the intended recipients) can justify a legitimate ground in accordance with the GDPR or if we have an obligation legal to provide your data.
The following entities and their employees may have access to your data:
-
Security and security service providers, operator of the parking system - to ensure CCTV video surveillance and access control system in parking spaces, to operate the parking system, SC OZAS collaborates with specialised companies, authorised to carry out security, surveillance and operational activities.
-
Other service providers - with regard to the handling of complaints, grievances and/or requests regarding lost items addressed to the staff of the Info Desk offices within the shopping centres, SC OZAS usually collaborates with specialised service companies.
-
Legal consultants.
-
Managing group company - NEPI Rockcastle Lithuania, UAB (registered under no. 304909465).
-
Other group companies.
We will contractually require these entities and their staff to respect the confidentiality of this data, ensuring a high level of security for the processing of your data.
We will also provide your personal data to judicial bodies, public institutions, or central and local public authorities, based on a duly substantiated request or legal obligation.
As a rule, SC OZAS will not transfer your personal data to third countries outside the European Economic Area. However, if such a transfer takes place, SC OZAS will take appropriate protection measures to ensure the protection of the personal data transferred.
5. Security and accuracy of personal data
We will take all necessary security measures to protect your personal data transmitted, stored or otherwise processed against destruction, loss, unlawful or accidental change, unauthorised disclosure or unauthorised access, as well as against any other unlawful processing. The security measures we implement with regard to your personal data can ensure the confidentiality, integrity, availability and continued resilience of processing systems and services, as well as the capacity to restore the availability of and access to personal data in a timely manner if a physical or technical incident occurs.
All personal data will be processed through secure pages using the SSL encryption system, marked with a padlock symbol, located at the top of the browser window.
For more information on security standards on the Website, go to the “Help” section.
SC OZAS makes all necessary efforts and uses appropriate IT technologies to ensure the protection and security of the data you provide us.
In the cases provided by the GDPR in connection with personal data breaches, SC OZAS will properly inform the relevant authorities and relevant persons.
SC OZAS processes personal data that is accurate and has an updated procedure in place. Thus, SC OZAS takes all necessary steps to ensure that inaccurate personal data, in view of the processing purposes, are erased or rectified without delay.
-
Right of access - you may request confirmation if your personal data are processed or not by SC OZAS, and if so, you may request access thereto, as well as certain information about this. Upon request, SC OZAS will also issue a copy of the processed personal data. The request for additional copies will be charged based on the actual costs incurred by SC OZAS,
-
Right to rectification - you can get your inaccurate personal data rectified and also supplement incomplete data, including by providing additional information.
-
Right to delete data ("the right to be forgotten") - in situations expressly regulated by law, you can obtain from SC OZAS the deletion of the data. Thus, you can request deletion of personal data if:
-
the data are no longer necessary for the purposes for which they were collected or otherwise processed;
-
you withdraw your consent on the basis of which processing takes place;
-
you oppose to the processing under the right of opposition;
-
processing your personal data is illegal;
-
data must be deleted for compliance with a legal obligation incumbent on SC OZAS.
-
Right to restrict processing - you may request the restriction of processing of personal data in certain situations governed by law, as follows:
-
you contests the accuracy of your data, for the time SC OZAS checks the accuracy of the concerned data;
-
processing is illegal and you oppose to the deletion of data;
-
you need these data to establish, exercise or defend some rights in court, and SC OZAS no longer needs this data;
-
you opposed the processing of personal data for the period in which we check if our legitimate interests prevail over the interests of your rights and freedoms.
In these situations, except for storage, the data will not be processed anymore.
-
Right to object to the processing of personal data - you can object at any time, for reasons related to your particular situation, to processing (including profiling) based on the legitimate interest of SC OZAS or, where appropriate, on the exercise by SC OZAS of a task which is in the public interest or results from the exercise of a public authority with which he would have invested SC OZAS.
Marketing materials sent electronically may contain brief information on your option of objecting to the processing of personal data in order to perform direct marketing. If you object to the processing of personal data for direct marketing purposes, your personal data will no longer be used in for these purposes.
The right to object to the direct marketing activity performed by PC OZAS is available when the processing of personal data for direct marketing purposes is based on (i) the legitimate interest of PC OZAS, or (ii) on the existing contractual relationship with PC OZAS and concerns products that are similar to those already contracted, and not on the consent given.
-
Right to data portability - you can receive your personal data in a structured, readable format, and you can request that the data be passed to another operator. This right applies only to personal data provided directly by you to SC OZAS, and only if the processing of personal data is done by automated means and is legally based on either the execution of a contract or the consent of that person,
-
Right to complain - you can complain about how SC OZAS processes your personal data. The complaint will be filed with the State data protection inspectorate ("SDPI") – details at https://vdai.lrv.lt,
-
Right to withdraw your consent - you may at any time withdraw your consent to the processing of personal data by SC OZAS in cases where processing is based on consent. Withdrawal of the consent will only have effect for the future, and processing prior to the withdrawal remains valid. For example, such a case is your option to withdraw your consent to direct marketing messaging.
-
Additional rights related to automated decisions used in the delivery of SC OZAS services - if SC OZAS makes automated decisions about personal data and these decisions affect you significantly, you can (a) obtain human intervention with respect to said intervention, (b) express your point of views on such processing, (c) obtain explanations of the decision made and (d) contest that decision.
These rights (except the right to contact SDPI, which you can exercise under the conditions established by this authority - in this regard you can see the official website https://vdai.lrv.lt) may be exercised, either individually or by aggregation sending a letter/message in the following ways:
In addition, a Data Protection Officer ("DPO") has been appointed at the Group level, who can be contacted if there are any concerns about the protection of personal data and the exercise of data protection rights. The DPO may be contacted by submitting a written, dated and signed application to the aboveindicated address.