1. The personal information we use
1.1 Information we collect directly from you
1.2 Information we collect from other sources
1.3 Other information we use about you
1.4 Special categories of personal data
2. How we use your personal information and the basis on which we use it
3. Your rights over your personal information
4. Automated decisions about you
5. Information Sharing
6. Information Security and Storage
7. International Data Transfer
8. Contact Us
9. Changes to the Policy
This privacy notice describes how Central Saint Giles, whose managing agent is Savills UK Ltd and other members of our group of companies (which we will call ‘we’ or ‘us’) collect and process personal information about you, how we use and protect this information, and your rights in relation to this information.
This privacy notice applies to all personal information we collect or process about you. Personal information is information, or a combination of pieces of information that could reasonably allow you to be identified.
This privacy notice is effective from and including 04 April 2019. It may vary from time to time so please check it regularly.
- Personal information we use
We will collect personal information about you from a variety of sources, including information we collect from you directly (e.g. when you contact us) and information we collect about you from other sources, described below.
Note that we may be required by law to collect certain personal information about you, or as a consequence of any contractual relationship we have with you. Failure to provide this information may prevent or delay the fulfilment of our obligations. We will inform you at the time your information is collected whether certain data is compulsory and the consequences of the failure to provide such data.
1.1 Information we collect directly from you
(a) When you visit our websites the web server collects some basic information such as your browser type, MAC or IP address, internet service provider’s domain name, which pages you accessed on the site, and when. Details of cookies that we use on our websites can be found in our Cookie Notice.
(b) Where you sign up for a newsletter, fill out a feedback form, complete a “contact us” form or enter a competition or promotion we collect personal information such as your email address, name, contact number, postcode and date of birth. Not all fields are mandatory, and provision of the information is optional but if you provide less information this may limit your use of our online services. Where you enter into a competition or promotion we may share your details with the retailers from time to time at the property to which the competition relates. This will be made clear to you at the time you sign up to the competition or promotion.
(c) Where you register online or place an order for a gift card we, or a third party service provider on our behalf, collect your name email address, billing and delivery address, phone number and credit or debit card details. These details may be shared with others, such as those providing merchant acquiring services and card issuers, but only where this is necessary to take a payment. In some circumstances these entities will be data controllers in respect of these details.
(d) When we send emails to you we review whether these have been opened and whether you have clicked on any links within these.
(e) When visiting some of our centres or other buildings we collect information from your mobile device and identify its location. This occurs whether or not you have used the Wi-Fi at the centre or other building. To opt out of the collection of your MAC or IP address and location turn off your device’s Wi-Fi and Bluetooth capabilities.
(f) You may be asked to complete a survey or questionnaire either directly at our centres or other buildings or via email, SMS or post and in doing so we may ask for details such as your age, gender and postcode. The information captured is for research purposes and so we can understand the type of visitors coming to our centres and other buildings.
(g) We occasionally stream videos on social media, such as Facebook live, and take and display photos of members of the public using and enjoying our centres and other buildings. Where we do so, we inform members of the public of this possibility through the signs placed around the centre or building.
(h) We operate CCTV at our centres and other buildings for the purposes of public safety, crime prevention and prosecution, insurance, property management and marketing and advertising. At some centres and other buildings we operate facial recognition technology for the purposes of public safety, crime prevention and prosecution.
(i) Where we own a building, we capture personal data within the system which controls access to our buildings. This comprises personal data of people who work in a building and those who visit it and includes name, occupation, employer and contact details. In relation to access control and visitor data where the data relates to us, we consider ourselves to be the data controller. Where the personal data relates to our tenants’ staff, contractors or visitors, our tenants may also be data controllers depending on the circumstances.
(j) Where we do not own a building but we provide property management services for the building owner and/or we provide access control system services for the building owner we capture personal data within the access control system. This comprises personal data of people who work in a building and those who visit it and includes name, occupation, employer and contact details. The data controller in these situations will be the building owner or the tenants of the building owner and we are a data processor.
(k) Where we own a building or we provide property management services for a building owner we collect data on accidents in order to comply with health and safety legislation.
(l) Where you are a tenant living at one of our buildings you provide us with personal data such as references and financial information, identity documentation, your contact details and the contact details of your next of kin, bank account details and information relevant to health and safety matters at the building (such as any difficulty you may have in using the stairs in the event of a fire). This is so that we can assess your suitability to be a tenant, allow you to pay the sums due under your lease and manage our buildings.
(m) Where you are a commercial tenant of at one of our centres or other buildings you provide us with personal data such as financial and business information, contact details and bank account details. This is so that we can assess your suitability to be a tenant, allow you to pay the sums due under your lease and manage our buildings.
(n) Where you work for a tenant of one of our centres or other buildings we may be provided with your contact details by your employer if we need to liaise about estate management matters.
(o) Where we provide property management services for a third party landlord (who is not us) we can be provided with personal data on tenants and their employees where this is necessary for us to carry out these services. We are not the data controller in these circumstances and are a data processor for the third party landlord.
1.2 Information we collect from other sources
(a) If you use one of the Wi-Fi networks in our centres or other buildings, the Wi-Fi provider will collect personal information about you, such as your name, email address and postcode, which is required in order for you to log onto the Wi-Fi network. This is then shared with us. In some cases, the Wi-Fi provider makes the provision of your email address and your consent to receive marketing communications a mandatory field and you cannot access the Wi-Fi without providing this. We will however give you the opportunity to unsubscribe from all marketing communications from us in each email that we send to you.
(b) If you access one of the Wi-Fi networks in our centres or other buildings using your social media, such as Twitter or Facebook, or other online accounts, we are also provided with the data that is shared by your social media/online provider. Information on what personal data is being shared should be available to you from your own social media/online provider.
(c) Through your use of the Wi-Fi networks in our centres or other buildings data is also collected and shared with us which shows how often, how long and from which centre/building you are accessing the Wi-Fi and your movements within a centre/building and your browsing history.
(d) Third party car park operators which are not part of Central Saint Giles operate CCTV and ANPR (Automatic Number Plate Recognition) cameras at some of the car parks at our properties. There are signs at the locations where this is used showing that it is in operation at that car park. Our car park operators can obtain the name and address of an individual from the Driver and Vehicle Licensing Agency (DVLA) for parking enforcement purposes. In most cases our car park operators are controllers of your number plate data when they use it to manage the terms and conditions of use of car parks at our sites including using it to apply parking charges for cars which outstay their allotted time. When car park operators are controllers for these purposes we are not responsible for the way in which our car park operators use your ANPR data. Please see their privacy notices for further information on how they handle your personal information.
(e) Number plate data is shared with us which shows frequency and duration of visits to a centre or other building and we obtain further information from the DVLA, including postcodes, in order to understand more about our customers and where they are coming from. This in turn helps us to better tailor our centres and other buildings to appeal to our customers and to manage our estate. We never use this information to identify the name or address of an individual.
(f) Our footfall operators use detectors to count the volumes of customers using our centres and other buildings by entrance and time of day.
(g) We use social media such as Facebook, either ourselves or through third party advertising agencies, to carry out digital advertising on the profiles of users who we think may be interested in our advertising campaigns based on events of ours that they have attended, what marketing communications they have subscribed to and which parts of our website they have visited or users who are in a similar demographic to such persons. Information on how advertising is shown to you should be available from your own social media provider.
- How we use your personal information and the basis on which we use it
We use your personal information to:
(a) provide and personalise our services;
(b) deal with your enquiries and requests;
(c) comply with legal obligations to which we are subject and cooperate with regulators and law enforcement bodies;
(d) contact you with marketing and offers relating to products and services offered by us and/or other members of our group (unless you have opted out of marketing, or we are otherwise prevented by law from doing so);
(e) personalise the marketing messages and offers we send you to make them more relevant and interesting;
(f) to contact you for research purposes, where you have consented to us doing so, in order to understand what you think of our sites and how we can improve them;
(g) maintain the quality of our websites and to analyse the use of our websites in order to help guide improvements;
(h) to better design and optimise our properties to improve the experience of our consumers;
(i) allow you to pay for parking services;
(j) drive our insights, research and data analytics programme. This is used for research, analysis, testing, monitoring, risk management and administrative purposes and to develop our business, inform business decision making and support the purposes identified elsewhere in this section by collecting statistics, traffic patterns, information on the movement around our centres and other buildings, demographics, customer satisfaction, geographic catchment, shopper analysis, retail mix, centre and building performance including footfall and identifying shopping trends; and
(k) we contract with third parties which in certain circumstances will be controllers of your personal data and responsible for managing it properly and in others will be processors who deal with your personal data in accordance with our instructions. Whether a third party supplier (who is not us) is a processor or controller of your personal data depends on the facts and where we appoint a third party processor of your personal data we will put a framework around what we expect them to do with it and how they manage it. We have identified in paragraphs 1.1(c) (payments), 1.1(i) and (j) (access control) and 1.2(d) (number plate data) certain cases where third parties are controllers of your personal data.
We must have a legal basis to process your personal information. In most cases the legal basis will be one of the following:
(a) to fulfil our contractual obligations to you, for example to fulfil the terms of a competition or promotion that you have entered or to provide you with information you have requested;
(b) to comply with our legal obligations to you, for example health and safety obligations while you are on our premises, or to a third party (e.g. the police); and
(c) to meet our legitimate interests, for example to understand how you use our services and our centres and other buildings and to enable us to derive knowledge from that which in turn enables us to develop new services and further tailor our centres and other buildings to appeal to a wide variety of persons. When we process personal information to meet our legitimate interests, we put in place robust safeguards to ensure that your privacy is protected and to ensure that our legitimate interests are not overridden by your interests or fundamental rights and freedoms.
We may obtain your consent to collect and use certain types of personal information when we are required to do so by law (for example, in relation to our direct marketing activities, Cookies or when we process sensitive personal information). If we ask for your consent to process your personal information, you may withdraw your consent at any time by contacting us using the details at the end of this privacy notice.
- Your rights over your personal information
You have certain rights regarding your personal information, subject to local law. These include the following rights to:
- access your personal information
- rectify the information we hold about you
- erase your personal information
- restrict our use of your personal information
- object to our use of your personal information
- receive your personal information in a usable electronic format and transmit it to a third party (right to data portability)
- lodge a complaint with your local data protection authority.
If you would like to discuss or exercise such rights, please contact us at the details below.
We encourage you to contact us to update or correct your information if it changes or if the personal information we hold about you is inaccurate.
We will contact you if we need additional information from you in order to honour your requests.
- Automated decisions about you
We make automated decisions about you based on your personal information in the following circumstances:
- to select personalized offers, discounts or recommendations to send you based on your browsing history; and
- to personalise the marketing messages we send you to make them more relevant and interesting.
These types of decisions will not have legal or similar effects for you, but you can still contact us for further information.
- Information Sharing
We may share your personal information with third parties under the following circumstances:
- Service providers and business partners. We may share your personal information with our service providers and business partners that perform marketing services and other business operations for us. For example, we may partner with other companies to process secure payments, fulfil orders, optimize our services, send newsletters and marketing emails, support email and messaging services and analyse information.
- Central Saint Giles work closely with other businesses and companies that fall under the Savills UK Ltd family. We may share certain information about you with other Savills UK Ltd companies for marketing purposes, internal reporting and in order to carry out the purposes listed in this notice.
- Law enforcement agency, court, regulator, government authority, insurer or other third party. We may share your personal information with these parties where we believe this is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights or the rights of any third party or to put in place insurance for our centres and other buildings.
- Asset purchasers and joint venture partners. We may share your personal information with any third party that purchases one or more of our properties or the companies with which we might jointly own a property.
- We may share non-personally identifiable information with third parties such as partners, customers, tenants and suppliers, for example to show trends on the use of our centres and other buildings.
Because we operate as part of a large business, the recipients referred to above may be located outside the jurisdiction in which you are located (or in which we provide the services). See the section on “International Data Transfer” below for more information.
- Information Security and Storage
We implement technical and organisational measures to ensure a level of security appropriate to the risk to the personal information we process. These measures are aimed at ensuring the on-going integrity and confidentiality of personal information. We evaluate these measures on a regular basis to ensure the security of the processing.
We will keep your personal information for as long as we have a relationship with you. Once our relationship with you has come to an end, we will retain your personal information for a period of time that enables us to:
- Maintain business records for analysis and/or audit purposes or risk management purposes;
- Comply with our business record retention requirements;
- Defend or bring any existing or potential legal claims; and
- Deal with any complaints regarding the services.
We will delete your personal information when it is no longer required for these purposes. If there is any information that we are unable, for technical reasons, to delete entirely from our systems, we will put in place appropriate measures to prevent any further processing or use of the data.
- International Data Transfer
Your personal information may be transferred to, stored, and processed in a country that is not regarded as ensuring an adequate level of protection for personal information under European Union law / by the European Commission. Where this is the case we have put in place appropriate safeguards (such as contractual commitments) in accordance with applicable legal requirements to ensure that your data is adequately protected. For more information on the appropriate safeguards in place, please contact us at the details below.
- Contact Us
Central Saint Giles whose managing agent is Savills UK Ltd is the controller responsible for the personal information we collect and process (save in circumstances where we specify otherwise).
If you have questions or concerns regarding the way in which your personal information has been used, please contact email@example.com.
Our Data Protection Officer can be contacted at: firstname.lastname@example.org.
We are committed to working with you to obtain a fair resolution of any complaint or concern about privacy. If, however, you believe that we have not been able to assist with your complaint or concern, you have the right to complain to the data protection authority in your country (the Information Commissioner in the UK). If you need more information about how to contact your local data protection authority please let us know by contacting email@example.com.
- Changes to the Policy
You may request a copy of this privacy notice from us using the contact details set out above. We may modify or update this privacy notice from time to time.
04 April 2019