The largest shopping centre in Słupsk

OPEN TODAY: 9:00 - 21:00
Search
Close this search box.

Privacy policy

I. GENERAL PROVISIONS

This privacy policy ("Policy") was adopted by the company REI Poland Jantar limited liability company with its registered office in Warsaw (address: ol. Złota 59, 00-120 Warsaw), entered in the Register of Entrepreneurs of the National Court Register kept by the District Court for the Capital City of Warsaw in Warsaw, 12th Commercial Division of the National Court Register, under KRS number 0000602768, holding tax identification number (NIP): 525-264-58-97 and REGON: 363610817 ("Company" or "Administrator") following the entry into force of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) ("RODO").

The Policy governs the processing of personal data by the Company in connection with the operation of the Jantar Shopping Centre in Słupsk ("Centre").

The policy is also a regulation on the use of the websites operated by the Company ("Service").

II. TERMS OF SERVICE

  1. Terms of use
    1. The use of the Website requires the following technical conditions:
      1. Internet access,
      2. Operating system: Windows 7/8/10, Linux, Mac OS;
      3. Web browser: Google Chrome: 88.0.xxxx (Windows and Linux), Safari 14 (Mac Os);
      4. Add-ons: the website does not require any add-ons to function properly.
    2. Use of the Website constitutes acceptance of this Privacy Policy.
    3. The User is obliged to use the Website in a manner consistent with the law and good morals, with due regard for the personal rights and intellectual property rights of third parties. The User is prohibited from providing content of an unlawful nature. It is forbidden to use the Website in a way that interferes with the functioning of the Website, e.g. by using certain software or devices, or to send or post unsolicited commercial information on the Website.
  2. Types and scope of electronic services
    1. The administrator shall make information on the Centre's activities, events organised on its premises and services offered available to users via the Website.
    2. The Service's resources may also contain information of an advisory, thematic nature.
    3. The Administrator reserves the right to modify, add and delete resources on the Website, i.e. information resources may be made available via the Website on a permanent or only temporary basis.
    4. The Administrator shall endeavour to keep the Service's information resources up to date.
    5. The contract for the provision of electronic services is concluded when the user starts browsing the pages of the Website on his/her device. The services are provided while the user is using the Website. The agreement is terminated when the user leaves the Website.
    6. The Administrator provides electronic services in accordance with this Regolamin. The content of the Regolamin is available on the Website under the "Privacy Policy" tab.
  3. Complaints
    1. Complaints concerning the operation of the Service may be lodged by the users by contacting the Administrator at: Jantar Shopping Centre, ol. Szczecińska 58, 76-200 Słupsk or at e-mail address: info@ch-jantar.pl
    2. The complaint should contain a description of the problem giving rise to the complaint, the user's request and contact details (e-mail address) enabling the user to be contacted.
    3. The administrator shall recognise complaints within 14 days of their receipt by replying to the e-mail address indicated by the user.

    III. PROCESSING OF PERSONAL DATA

  4. Information on data management and contact details
    1. The Company processes the personal data of the persons referred to in section 5 in accordance with the applicable data protection legislation, including the RODO, and is the controller within the meaning of such legislation.
    2. The co-administrator of the personal data referred to in section 1 and 5.2.b) of the Policy, obtained by the Company, is CBRE Global Investors Poland spółka z ograniczoną odpowiedzialnością with its registered office in Warsaw (ol. Złota 59, 00-120 Warsaw), entered in the register of entrepreneurs kept by the District Court for the capital city of Warsaw in Warsaw, XII Economic Division of the National Court Register, under KRS number 0000123835, NIP: 526-250-47-21, REGON: 017188128.
    3. Regarding the processing of personal data, you can contact the Administrator in the traditional form at the address: Jantar Shopping Centre, ol. Szczecińska 58, 76-200 Słupsk or at the e-mail address: daneosobowe@ch-jantar.pl.
  5. Categories of persons whose data are subject to processing
    1. The Company, in connection with the operation of the Centre, processes the personal data of the following categories of persons:
      1. tenants/contractors who are natural persons,
      2. employees, representatives and contacts of tenants and contractors,
      3. employees of subcontractors of tenants and contractors.
    2. Notwithstanding the above, the Company also processes personal data of the following categories of persons:
      1. visitors to the Centre,
      2. persons making claims against the Company or persons against whom the Company makes claims,
      3. participants in competitions and marketing campaigns,
      4. social media users.
    3. As Articles 13 and 14 of the RODO require that information regarding the processing of personal data be provided to these individuals:
      • if the personal data is collected from the data subject - when the personal data is obtained,
      • if the personal data were not obtained from the data subject:

        - within a reasonable period of time after the personal data have been obtained - at the latest within one month - having regard to the specific circumstances of the processing of the personal data,
        - if the personal data are to be used for communication with the data subject, at the latest at the first such communication with the data subject,
        - if it is planned to disclose personal data to another recipient, at the latest on first disclosure;

        The Company has put in place appropriate mechanisms to exercise its information obligation in relation to the aforementioned data subjects.

    4. Notwithstanding the foregoing, subject to Clause 5, the Company shall publish information regarding the processing of personal data of the persons indicated in Clauses 5.1 and 5.2 of this Policy.
    5. Detailed information on the processing of the personal data of the persons indicated in points 2.c) and 5.2.d) is contained in the rules of each competition and marketing action and on the Centre's social media profile.
  6. Aims and legal basis for processing. Scope and source of the data and the need to provide them

    Personal data of tenants/contractors who are natural persons

    1. The Administrator processes the personal data of tenants/contractors, who are natural persons, for the following purposes:
      1. the performance of a contract to which the tenant/contractor is a party, including for the purpose of contact or the need to take action to conclude a contract with him/her (conducting negotiations, tender proceedings),
      2. - then the legal basis for the processing is Article 6(1)(b) of the RODO, i.e. the processing is necessary for the performance of a contract binding the Company or to take steps to enter into a contract,

      3. making settlements,
      4. storage of accounting documents,
      5. - then the legal basis for the processing is Article 6(1)(c) of the RODO, i.e. the processing is necessary for the fulfilment of the Company's legal obligations in the field of, inter alia, tax law and accounting;

      6. to ensure safety and order on the Centre's premises (in connection with, for example, access to premises, performance of work),
      7. carry out direct marketing,
      8. the assertion of claims and the defence of rights
      9. - then the legal basis for the processing is Article 6(1)(f) of the RODO, i.e. the processing is necessary for the Company's legitimate interests, i.e. to ensure order on the Centre's premises, to carry out direct marketing, to assert claims or to defend rights.

    2. The Company obtains personal data of the aforementioned persons directly from these persons or from publicly available sources.
    3. The provision of personal data is necessary for the conclusion of the contract (designation of the contractual parties). In other cases, the provision of data may be necessary for the performance of the contract. Failure to provide data may make it difficult or impossible to conclude or perform the contract.
    4. Personal data processed includes: first name, surname, residential address, PESEL number, REGON number, NIP number, ID card number, e-mail address, telephone number, bank account number.
    5. Personal data of employees, representatives and contact persons of tenants and contractors

    6. The controller processes personal data of employees, representatives and contact persons of tenants and contractors for the following purposes:
      1. making settlements,
      2. storage of accounting documents,
      3. - then the legal basis for the processing is Article 6(1)(c) of the RODO, i.e. the processing is necessary for the fulfilment of the Company's legal obligations in the field of, inter alia, tax law and accounting;

      4. to conclude and perform the contract concluded with the contractor, including for the purposes of contact, archiving of documentation, addressing requests for quotations,
      5. to ensure safety and order on the Centre's premises (in connection with, for example, access to premises, performance of work),
      6. carry out direct marketing,
      7. the assertion of claims and the defence of rights;
      8. - then the legal basis for the processing is Article 6(1)(f) RODO, i.e. the processing is necessary for the Company's legitimate interests, i.e. the establishment of cooperation, the performance of contracts binding the Company, ensuring order on the premises of the Centre, direct marketing and the assertion of claims or the defence of rights.

    7. The Administrator obtains the personal data of the aforementioned persons directly from these persons or from the hirer/contractor they represent/employ or from publicly available sources.
    8. The provision of data may be necessary for the performance of the contract (e.g. data of the contractor's employees necessary for the purpose of contact). Failure to provide data may make it difficult or impossible to conclude or perform the contract.
    9. Personal data processed includes: first name, last name, PESEL number, identity card number, e-mail address, telephone number, home address.
    10. Personal data of employees of subcontractors of tenants and contractors

    11. The controller processes personal data of employees of subcontracted tenants and contractors for the following purposes:
      1. the performance of the contract concluded with the contractor, including for the purpose of contact, archiving of documentation,
      2. ensuring safety and order on the Centre's premises (in connection with, for example, access to premises, performance of work),
      3. the assertion of claims and the defence of rights;
      4. - then the legal basis for the processing is Article 6(1)(f) RODO, i.e. the processing is necessary for the Company's legitimate interests, i.e. the performance of contracts binding the Company, ensuring order on the Centre's premises, the assertion of claims or the defence of rights.

    12. The Company obtains the personal data of the aforementioned persons directly from these persons or from the tenant/contractor for whom these persons carry out subcontracted work/provide services at the Centre.
    13. The provision of data may be necessary for the performance of the contract (e.g. data of employees of subcontractors of the contractor necessary for the purpose of contact). Failure to provide data may make it difficult or impossible to perform the contract.
    14. Personal data processed includes: name, surname, email address, contact telephone number, authority/position held.
    15. Personal data of visitors to the Centre

    16. The Administrator processes the personal data of visitors to the Centre for the following purposes:
      1. to ensure the security of persons and property on the Centre's premises in connection with the operation of CCTV video surveillance,
      2. the assertion of claims and the defence of rights;
      3. - then the legal basis for the processing is Article 6(1)(f) RODO, i.e. the processing is necessary for the Company's legitimate interests, i.e. to ensure the safety of persons and property on the Centre's premises and to pursue claims or defend rights.

    17. The Company obtains personal data of visitors to the Centre directly from such visitors. The Company obtains personal data (image) of the aforementioned persons through CCTV monitoring.
    18. The provision of data is voluntary although necessary for the above-mentioned purposes.
    19. Personal data of persons making claims against the Company or against whom the Company makes claims

    20. The controller processes the personal data of persons making claims against the Company or persons in relation to whom the Company makes claims in order to pursue claims and defend rights. The legal basis for the processing is Article 6(1)(f) RODO, i.e. the processing is necessary for the Company's legitimate interests, i.e. the pursuit of claims or the defence of rights. With regard to health data that the Company may receive from persons injured at the Centre, the legal basis for the processing is Article 9(2)(f) RODO, i.e. the processing of such data is necessary for the establishment, investigation or defence of claims
    21. The Company obtains personal data of the aforementioned persons directly from these persons or from the competent authorities.
    22. The provision of data is voluntary although necessary for the assertion or defence of rights. Failure to provide data may make it difficult or impossible to fulfil this purpose.
    23. The personal data processed may include: name, surname, residential address, PESEL number, identity card number, e-mail address, contact telephone number, health data, bank account number, image, and in the case of our contractors - natural persons also: NIP number, REGON number, business address.
  7. Information on recipients of personal data. Transfers of data to third countries and automatic decision-making
    1. The Administrator may transfer personal data of the persons indicated in point 5 of the Policy to providers of technical or organisational services and legal and advisory services used by the Company in connection with the operation of the Centre, i.e. in particular the Centre's manager, security company, marketing / PR agencies, law and tax offices, companies providing maintenance services for the Centre, courier and postal companies. Personal data may also be shared with public authorities, including the police and other inspections and guards.
    2. The personal data of the individuals identified in section 5 of the Policy will not be used for automated decision-making or profiling.
    3. As the Administrator and co-administrator are part of a foreign group, personal data may be transferred outside the EEA. The sharing of personal data will take place within the United States of America and the United Kingdom and the Administrator and the joint administrator apply appropriate safeguards to protect the data.
  8. Period of processing of personal data
    1. In the case of data processing on the basis of:
      1. consent - data is processed until the consent is withdrawn,
      2. legitimate interest of the Company - the data is processed for the period of time that allows the fulfilment of this interest or until an effective objection to the processing is raised,
      3. necessity for the conclusion and performance of the contract - data are processed until the contract is terminated,
      4. the need to process personal data in order to comply with the Company's legal obligations - the data is processed for the periods required by law.
    2. In other cases where the retention periods for personal data are not expressly provided for by law, the Administrator has determined them independently, i.e. in the case of CCTV recordings - data is stored for 50 days from the date of recording.
    3. The basic processing period may be extended if the processing is necessary for the establishment or assertion of claims or the defence of rights, and thereafter only if and to the extent required by law (extended processing period).
  9. Rights in relation to the processing of personal data
  10. General provisions

    1. In connection with the operation of the Centre, the Controller shall ensure that all persons whose data it processes exercise their rights, in accordance with the applicable legislation. These persons have the right to:
      1. access to their personal data,
      2. request the immediate rectification of personal data,
      3. request the immediate deletion of personal data,
      4. request the restriction of the processing of personal data,
      5. data portability,
      6. to object to the processing of their personal data, including profiling.
    2. Furthermore, where personal data are processed on the basis of consent, the data subject shall be able to withdraw consent at any time. The withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of consent prior to its withdrawal.
    3. At the same time, any person who believes that his or her data is being processed unlawfully by the Controller has the right to lodge a complaint with the supervisory authority: President of the Office for Personal Data Protection, ol. Stawki 2, 00-193 Warsaw.
    4. Right of access to data

    5. A person whose data is processed by the Controller may request to be informed whether his or her personal data is being processed and, if so, to be given access to it.
    6. Upon a person's request for access to his/her data, the controller shall inform the person of the scope, manner and purpose of the data processing and shall grant the person access to the data concerning him/her. The access to the data can be realized by issuing a copy of the data, whereby the first copy of the data is granted free of charge. If further copies of the data are requested, the Administrator is entitled to charge a fee corresponding to the administrative costs.
    7. Right of rectification

    8. If the personal data are outdated or incorrect, the data subject may request the rectification of the data. If the data have been made available to other entities, the Administrator shall inform these entities of the rectification. Furthermore, the Administrator shall complete and update the data at the request of the data subject. The Administrator may refuse to complete the data if they are unnecessary for the purposes of the processing.
    9. Right to erasure ("right to be forgotten")

    10. At the request of the data subject, the Controller shall delete the collected data. This is possible if:
      1. the data are no longer necessary for the purposes for which they were collected,
      2. the data subject has withdrawn the consent on which the processing was based and there is no other legal basis for further processing,
      3. the data subject has objected to the processing and there are no overriding legitimate grounds for the processing,
      4. personal data were processed unlawfully,
      5. personal data must be deleted in order to comply with a legal obligation imposed on the Administrator,
      6. personal data was collected in connection with the offering of information society services directly to the child.
    11. If the data to be deleted have been made available to other entities, the Controller shall take reasonable steps, including technical measures, to inform those entities of the need to delete and access the data. At the request of the data subject, the Administrator shall inform him/her of the entities to which his/her data have been made available.
    12. Right to restrict processing

    13. The controller shall carry out a restriction of data processing at the request of the data subject where:
      1. the data subject questions the accuracy of the personal data - for a period allowing the Administrator to verify the accuracy of the data,
      2. the processing is unlawful and the data subject objects to the erasure of the personal data, requesting instead the restriction of its use,
      3. The controller no longer needs the personal data for the purposes of the processing, but they are needed by the data subject to establish, assert or defend a claim,
      4. the data subject has objected to the processing - until it is established whether the legitimate grounds on the part of the Controller override the grounds of the data subject's objection.
    14. Where processing has been restricted, the Controller shall process the data, with the exception of storage, only with the consent of the data subject, or for the establishment, exercise or defence of claims, or for the protection of the rights of another natural or legal person, or for compelling reasons of public interest.
    15. Right to data portability

    16. Where the data are processed on the basis of consent or for the purpose of entering into a contract, the Controller shall, at the request of the person, either issue the data relating to him/her, processed in IT systems, in a structured, commonly used machine-readable format or transmit them, if possible, to another entity.
    17. The right to object to the processing of personal data, including profiling

    18. If the data subject raises an objection, based on his or her particular situation, to the processing of his or her data and the data are processed by the Controller on the basis of the Controller's legitimate interests, the Controller shall grant the objection, unless there are compelling legitimate grounds on the part of the Controller for the processing overriding the interests, rights and freedoms of the objector or grounds for the establishment, assertion and defence of claims.
    19. If an objection is made to the processing of data for direct marketing purposes (including profiling), the Controller shall take the objection into account immediately and cease processing the data of the person who made the objection.
  11. Dealing with requests from data subjects
    1. Persons whose data are processed by the Controller may exercise their rights as set out above by contacting the Controller:
      1. in writing to the following address Jantar Shopping Centre, ol. Szczecińska 58, 76-200 Słupsk,
      2. by e-mail to: daneosobowe@ch-jantar.pl.
    2. The notification of an individual's request for the exercise of rights should include:
      1. data relating to the natural person: name, surname, who the notification concerns and the notifier,
      2. a description of the request being made, together with an indication of any objections,
      3. the signature of the person making the request in the case of written submissions,
      4. a power of attorney, if an attorney is acting on behalf of the applicant,
      5. information on the preferred form of response, if the response channel is to be different from the request made.
    3. Before processing a request, the Controller may ask the data subject to verify his or her identity.
    4. The Controller shall, without undue delay - and in any case within one month of receipt of the request - provide the data subject with information on the actions taken in relation to the exercise of the data subject's rights set out above. In case of a complex request or a significant number of requests made, the Controller shall, within one month of receipt of the individual's request, inform the data subject of an extension of the time limit for a maximum of a further two months, together with the reasons for the delay.
    5. Where an individual's request cannot be complied with, the Administrator will inform the individual within the aforementioned time limits of the refusal to comply with the request, stating the reason.
    6. If the Controller does not act upon the data subject's request, the Controller shall inform the data subject without delay - at the latest within one month of receipt of the request - of the reasons for the failure to act and of the possibility of lodging a complaint to the supervisory authority and of seeking judicial remedies.

    IV. FINAL PROVISIONS

The Administrator shall endeavour to keep this Policy up to date as the factual and legal circumstances regarding the principles and manner of processing personal data change.

This Privacy Policy, in its current form, is effective as of 01/03/2021.