INFORMATION ON PERSONAL DATA PROCESSING

In connection with the implementation of the requirements of the Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016, on the protection of individuals with regard to the processing of personal data and on the free movement of such data and the repeal of Directive 95/46/EC (general regulation on data protection) (“GDPR”), Atrium Poland Real Estate Management sp. z o.o. with its registered office in Warsaw, address: Ostrobramska 75C, 04-175, Warsaw, entered in the register of entrepreneurs kept by the District Court for the Capital City of Warsaw in Warsaw, XIII Commercial Department of the National Court Register, under the number KRS 7144, Taxpayer ID number: 5262489619, Corporate ID number: 016105353, share capital PLN 500,000 (“ ATRIUM”) informs about the rules for processing your personal data and about your related rights.

The following rules apply from 25 May 2018.

If you have any questions about the manner and scope of processing your personal data by ATRIUM, as well as about your rights, please contact ATRIUM by mail at the address Ostrobramska 75C, 04-175 Warsaw, or the personal data inspector by e-mail, at the following address: dpo-pl@aere.com or in writing at the address Ostrobramska 75C, 04-175 Warsaw.

1. Indication of the administrator

The administrator of your personal data is ATRIUM.

2. The purposes of processing your personal data and the legal basis for their processing

a) Your personal data, consisting of e-mail address, information about the location of the device on which the Shop Fun Application is installed, the Shop Fun Application ID number, MAC address of the device on which the Shop Fun Application is installed and the information confirming the appropriate age of the user will be processed in order to ensure the proper functioning of the mobile application, whose aim is to engage its users in games and competitions based, among other things, on visiting certain places in the shopping centre, completing specific tasks and rewarding this type of tasks (“Application”), these data are necessary to create an account in the Application and to use the Application, and to verify your age (Article 6 paragraph 1 section b of GDPR);

b) In the case of creating an account in the Application using your account on a social network (Facebook), we will also process your data provided to us by Facebook, including name, surname, gender, city of residence, e-mail address and date of birth, in order to enable you to access the Application and use the above functionalities of this Application;

c) In some situations it is or may be necessary to process your data for purposes other than those indicated above and necessary for the implementation of the legitimate interests of ATRIUM (Article 6 par. 1 section f of GDPR), in particular for:

i. direct marketing, in particular to inform about the promotions and offers by ATRIUM, by business partners in ATRIUM shopping centres, and about competitions by ATRIUM and by business partners in ATRIUM shopping centres, including combining your data with other data held by ATRIUM for the same processing purposes;

ii. analysis of your behaviour related to the use of the Application for the purpose of improving the quality of the Application's operation and the quality of the services provided by ATRIUM;

iii. analysis of your behaviour regarding visits to the ATRIUM shopping centres (i.e. data on the frequency of visits, routes and locations within the shopping centre) for the purpose of improving the quality of services provided by ATRIUM;

iv. allowing you to take part in a competition or promotion, carrying them out and organising in relation to the personal data provided by you in the competition or promotion application or later during the competition or promotion;

v. dealing with complaints and requests, handling correspondence and responding to letters and requests in connection with the use of the Application or participation in competitions and promotions;

vi. investigation and defence against any claims related to the use of the Application, participation in contests and promotions and the processing of your personal data;

vii. archiving and accountability required by the provisions of the GDPR.

d) In other cases, your personal data will be processed only on the basis of prior consent, to the extent and purpose specified in the consent.

3. The obligation to provide personal data to ATRIUM

Providing personal data is voluntary, with the reservation that personal data, including e-mail address, information about the location of the device on which the Application is installed, Application ID, MAC address of the device on which the Application is installed, and information confirming the appropriate age of the user, are necessary to provide the Application service.

To the extent that personal data is collected on the basis of consent, providing personal data is voluntary.

4. Recipients of personal data

In connection with the processing of your personal data for the purposes indicated in section 2, your personal data may be shared with the following recipients or categories of recipients:

a) public authorities and entities performing public tasks or acting on behalf of public authorities, to the extent and for the purposes resulting from the provisions of law;

b) entities associated with ATRIUM in the implementation of reporting and information obligations;

c) entities supporting ATRIUM in its business processes, including entities processing personal data for ATRIUM (the so-called data processors).

5. Duration of personal data processing

Your personal data will be processed for the period necessary to implement the objectives indicated in section 2, i.e. during the use of the Application, until the end of your use of the Application, and after that for the period and to the extent required by the provisions the law or by ATRIUM's implementation of the legitimate interest of the data administrator in the scope specified in section 2 above, and in the case of your consent to the processing of data, until such consent is withdrawn.

6. Automated data processing and profiling

Profiling should be understood as any form of automated processing of personal data, which consists in their use to assess some of the physical person’s characteristics, in particular to analyse or forecast aspects related to the effects of the work of that individual, his/her economic situation, health, personal preferences, interests, credibility, behaviour, location or movement.

Your personal data will not be used for automated decision-making in relation to you, including profiling, which may cause legal effects to you or affect you significantly in a similar way. For the purposes of marketing and analytics referred to in section 2, subsection c), clauses i - iii, your personal data (including data on the visits frequency, routes and locations within the shopping centre) can be used for profiling to adapt the services provided by ATRIUM to the preferences of the users of the ATRIUM shopping centre (profiling is not the basis for decisions that could have legal effects for you or would affect you significantly in a similar way).

7. The rights of the data subject

ATRIUM would like to assure you that all persons whose personal data is processed by ATRIUM have the appropriate rights resulting from the GDPR. Therefore, you have the following rights:

a) the right to access personal data, including the right to obtain a copy of this data;

b) the right to request the rectification (correction) of personal data – if the data is incorrect or incomplete;

c) the right to request the deletion of personal data (the so-called “right to be forgotten”) if: (i) the data is no longer necessary for the purposes for which it was collected, (ii) the data subject has withdrawn his/her consent on which the processing is based and there is no legal basis for processing, (iii) the data subject has objected to the processing of personal data, (iv) the data is processed illegally, (v) the data must be removed in order to fulfil the obligation resulting from legal provisions, (vi) personal data have been collected in connection with offering information society services;

d) the right to request limitation of the processing of personal data if: (i) the data subject questions the correctness of personal data, (ii) data processing is unlawful and the data subject opposes data deletion, requesting limiting them instead, (iii) the administrator no longer needs data for their purposes, but the data subject needs them to identify, defend or pursue claims, (iv) the data subject has objected to the processing of the data – pending determination whether the legitimate grounds on the part of the administrator override the grounds for objection;

e) the right to transfer personal data if: (i) the processing takes place on the basis of an agreement concluded with the data subject or on the basis of the consent of that person, and (ii) the processing takes place in an automated manner;

f) the right to object to the processing of personal data, including profiling, when (i) there are reasons related to your special situation and the processing is based on the necessity basis for the purposes of the legitimate interest of ATRIUM referred to in section 2 above; or (ii) data is processed for direct marketing purposes.

8. The right to withdraw consent to the processing of personal data

To the extent that you consented to the processing of your personal data, you have the right to withdraw your consent to the processing of personal data. Withdrawal of consent does not affect the lawfulness of the data processing which has been made on the basis of consent before its withdrawal.

9. The right to lodge a complaint to the supervisory body

If you believe that the processing of your personal data by ATRIUM violates the provisions of the GDPR, you have the right to lodge a complaint with the competent supervisory authority.

10. Transfer of personal data to entities outside the European Economic Area

In justified and necessary cases, ATRIUM may disclose your personal data to entities located outside the EEA, i.e. to Jersey.

The data will be sent to Jersey on the basis of the Commission Decision of 8 May 2008 under Directive 95/46/EC of the European Parliament and Council on the adequate protection of personal data in Jersey. When transferring the data, ATRIUM will ensure the appropriate standards for the protection of your personal data.

You have the right to obtain a copy of this data via ATRIUM.