Notification concerning the processing of personal data when accessing the premises of the commercial center
Company MLYNY, a.s., headquartered in Veľká okružná 59/A, 010 01, Žilina, registered in the Commercial Register of the District Court Žilina, section Sa, under file no. 10958/L, having Business Identification number 36 287 351, hereinafter referred to as the „Controller”, processes the personal data of data subjects that physically access the premises of MLYNY Nitra, as follows:
Purposes of processing:
a. fulfilling the legitimate interests of the owner or operator of the building to ensure security and safety of assets, for which purpose it decided to use video surveillance of public areas by means of a CCTV system installed on the premises of the asset, in the common areas, access ways, parking areas
b. to manage the parking payment system (exit is enabled after payment of the parking fee, based on temporary registration of the vehicle license plate)
c. solving the requests for data and information received from the competent authorities and institutions
d. archiving, settling disputes, investigations, or any other petitions / complaints to which our company is party, as well as conducting risk controls on procedures and processes, as well as audits or investigations at the company level
e. granting free access to the WiFi network
f. participating in the commercial center’s marketing campaigns and awarding of prizes gained in such campaigns (e.g.: signing handing-over minutes etc.)
g. handling complaints filed in the commercial center premises (e.g.: complaints forms etc.)
h. processing the lost&found requests filed in the commercial center premises (e.g.: lost&found forms etc.).
Processed categories of data:
- in the context of using the CCTV video surveillance system: the image of the data subjects
- in the context of the usage of parking areas: the mark, the type and license number of the vehicle for which a parking space is offered, the image of the data subjects
- in the context of accessing the Free WiFi: the MAC of the devices
- as regards the commercial center’s campaigns, the types of processed data are to be detailed in the Campaign Regulation, as published on the commercial center’s website.
Categories of data subjects whose personal data are processed:
- visitors and clients of the commercial center
- personnel of the tenants of the commercial center
- personnel of the providers/partners/collaborators of the Controller and/or the tenants.
Legal grounds for processing:
In view of the above, we process the personal data of the data subjects that work within or just visit the premises, as the case may be, based on:
- legal obligations of the Data Controller (e.g. handling data subjects and/or authorities requests)
- the consent of the data subject (e.g. participation in campaigns)
- legitimate interest of the controller (e.g. protection of property and other assets, protection of individuals, managing the parking payment system, processing operations within the Group the controller belongs to).
The processed personal data is kept for the period of time necessary to comply with the legal obligations imposed by the regulations specific to our field of activity.
As far as video recordings are concerned, they are usually kept for a period of up to 14 (fourteen) days, unless the extension of their processing period is imposed by law or justified by legal procedures.
The MAC of devices is stored only for the period the device is using the WiFi network.
As regards the commercial center’s campaigns, the data storage coordinates are to be included in the Campaign Regulation, as published on the commercial center’s website.
Third party access:
In order to ensure CCTV video surveillance, as well as to issue access cards in the premises and in the parking areas, the controller cooperates with specialized and authorized companies according to the law, for the purpose of carrying out such activities.
Personal data thus processed may also be made available to competent authorities and institutions, in accordance with the law, or processed within the NEPI Rockcastle Group („Group”), for the purpose of group management consolidated activities, for audit purposes and in any other situation where the law imposes or permits such processing.
As regards the commercial center’s campaigns and events, as well as the handling of complaints and/or lost & found requests, if filed in the commercial center’s premises, to the Info Desks, the Controller usually collaborates with specialized 3rd party providers.
Rights of data subjects whose data are processed as described herein:
a) Right of access - you may request confirmation if your personal data are processed or not by us, and if so, you may request access thereto, as well as certain information about this. Upon request, we will also issue a copy of the processed personal data. The request for additional copies will be charged based on the actual costs incurred by us.
b) Right to rectification - you can get your inaccurate personal data rectified and also supplement incomplete data, including by providing additional information.
c) Right to delete data ("the right to be forgotten") - in situations expressly regulated by law, you can obtain from us the deletion of the data. Thus, you can request deletion of personal data if:
- the data are no longer necessary for the purposes for which they were collected or otherwise processed;
- you withdraw your consent on the basis of which processing takes place;
- you oppose the processing under the right of opposition;
- processing your personal data is illegal;
- data must be deleted for compliance with a legal obligation incumbent on us.
d) Right to restrict processing - you may request the restriction of processing of personal data in certain situations governed by law, as follows:
- you contest the accuracy of your data, for the time the accuracy of the concerned data is checked;
- processing is illegal and you oppose the deletion of data;
- you need these data to establish, exercise or defend some rights in court, and we no longer need this data;
- you opposed the processing of personal data for the period in which we check if our legitimate interests prevail over the interests of your rights and freedoms.
In these situations, except for storage, the data will not be processed anymore.
e) Right to object to the processing of personal data - you can object at any time, for reasons related to your particular situation, to processing (including profiling) based on our legitimate interest or, where appropriate, on us exercising a task which is in the public interest or results from the exercise of a public authority with which we would have been invested thereby.
Marketing materials sent electronically may contain brief information on your option of objecting to the processing of personal data in order to perform direct marketing. If you object to the processing of personal data for direct marketing purposes, your personal data will no longer be used for these purposes.
The right to object to the direct marketing activity is available when the processing of personal data for direct marketing purposes is based on (i) our legitimate interest, or (ii) on the existing contractual relationship with us and concerns products that are similar to those already contracted, and not on the consent given.
f) Right to data portability - you can receive your personal data in a structured, readable format, and you can request that the data be passed to another operator. This right applies only to personal data provided directly by you, and only if the processing of personal data is done by automated means and is legally based on either the execution of a contract or the consent of that person.
g) Right to complain - you can complain about how we process your personal data. The complaint will be filed with the Office for Personal Data Protection ("Office") – details at www.dataprotection.gov.sk.
h) Right to withdraw your consent - you may at any time withdraw your consent to the processing of personal data in cases where processing is based on consent. Withdrawal of the consent will only have effect for the future, and processing prior to the withdrawal remains valid.
i) Additional rights related to automated decisions used in the delivery of services - if we make automated decisions about personal data and these decisions affect you significantly, you can (a) obtain human intervention with respect to said intervention, (b) express your point of view on such processing, (c) obtain explanations of the decision made and (d) contest that decision.
These rights (except the right to contact the Office, which you can exercise under the conditions established by this authority - in this regard you can see the official website www.dataprotection.gov.sk) may be exercised, either individually or in aggregate, by sending a letter/message in the following ways:
- by post, at: NEPI Slovakia Management s.r.o., Veľká okružná 59A, 010 01 Žilina;
- by email, at the email address: firstname.lastname@example.org.
In addition, a Data Protection Officer ("DPO") has been appointed at the Group level, who can be contacted if there are any concerns about the protection of personal data and the exercise of data protection rights. The DPO may be contacted by means of a written, dated and signed application, using the contact details mentioned below:
- NEPI Rockcastle, Data Protection Officer, Floreasca Business Park, building A, 5th floor, 169A Calea Floreasca, Bucuresti, Sector 1, cod 014459, Romania
- e-mail: email@example.com