PRIVACY NOTICE ON THE PROCESSING OF PERSONAL DATA AND YOUR RIGHTS

In the case that you provide your personal data during installation of “Aupark App” mobile application, we, as the data controller AUPARK Hradec Králové s.r.o., having its registered seat at Panská 854/2, Nové Město, 110 00 Praha, the Czech Republic, ID No.: 03 977 790, registered with the Commercial Register maintained by the City Court Prague, Section: Sro, File No.: C 240843/MSPH (hereinafter referred to as “Aupark” or “we”) would like to inform you about the processing of your personal data and of your rights related to the said processing.

Aupark is part of the HB Reavis Group, which consists of all the entities consolidated under the group holding HB Reavis Holding S.A. with its headquarters in Luxembourg, due to which the reference to HB Reavis Group may be found in the Privacy Notice (hereinafter referred to as the “HB Reavis Group”).

The “Aupark App” application unlocks a range of special offers, prices and limited campaigns to all registered members. It enables them to discover and follow stores, events and news, as well as see the map. The content of the app and advertisements is personalised in real time based on members’ preferences, which are gathered from their activity in the app and in the mall thanks to iBeacons, the Bluetooth devices used for location tracking. You can use some of the above-mentioned benefits even if you only download it and do not register in the "Aupark App" application.

Personal data is processed for the following processing activities:

Installation of “Aupark App” without registration
Installation “Aupark App” with registration
GDPR complaints

A further description of our purposes:

Installation of Aupark App without registration

What is our purpose for processing your personal data?

If you download our mobile application without registration, we may perform the following processing operations for the following purposes:
1. We process your personal data that you provided to us when downloading, installing and using the "Aupark App" application in order to send customised marketing content without your identification;
2. We generate anonymous aggregated statistics regarding the effect of relevant marketing campaigns.
What is our legal basis for the processing of your personal data?

For the processing activities listed under a) and b), we process your personal data on the basis of legitimate interests within the meaning of Article 6 (1) (f) of GDPR.

What kind of personal data do we process?
1. If you are not a registered user of the "Aupark App" application, we will process the emplate ID, which is a unique identifier of the application installed on your device;
2. sex (if applicable), age (if applicable), date of birth (if applicable), postal code (if applicable), name, surname (if applicable), telephone number (if applicable);
3. Transactional data based on scanned receipts:
  
  Categories of personal data
  
  Information provided by yourself when you choose to scan the receipt: Store name, Mall address, Purchase date, Purchase amount, Line items (what you have purchased)
  
  Legal basis
  
  Based on your consent cf. article 6(1)A of EU GDPR.
  
  Retention period
  
  We keep your personal data until you withdraw your consent/delete your account or if you have been inactive for 24 months. Hereafter, we will delete or anonymize your personal data.
How long do we store your personal data?
1. Your personal data will be processed as long as you have the "Aupark App" application installed;
2. We store your personal data in an aggregate form for 2 years;
Installation of Aupark App with registration

What is our purpose for and legitimate interest in processing your personal data?

If you have downloaded the "Aupark App" application and you have registered and given your consent (in the case of point a) you give your consent directly to your phone's operating system and not to the "Aupark App" application), we may perform the following processing operations for the following purposes:
1. We are checking the location of your mobile device (via Bluetooth or WiFi) in Aupark to provide you with relevant marketing content at the relevant time and place (the application does not collect location data on other movements) by "push notification";
2. the processing of your personal data when downloading, installing and using the “Aupark App” application, to send personalized marketing content based on your preferences.
What is our legal basis for the processing of your personal data?

For the processing activities listed under points a) and b), we process your personal data on the basis of consent in accordance with Article 6 (1) (a) of GDPR.

What kind of personal data do we process?
1. localization data on the respective mobile device, the Controller can process information on entering the Aupark shopping centre, on your exact place in the Aupark, and on being located in the proximity of the Aupark.
2. In addition to the emplate ID, we will process the following personal data in the case that the data subject registers an account manually: email address, telephone number, salutation, first name, last name (if provided), date of birth (if provided), ZIP code (if provided); The data subject can also sign in with his/her Apple account. In that case, we will process the email address, first name, last name (if provided), date of birth (if provided), ZIP code (if provided) and gender (if provided). If the data subject registers using a Facebook account, the following information will be collected: email address, full name, profile picture, Facebook user ID, device name, the operating system version, the “Aupark App” application version, event tracking information pro
How long do we store your personal data?
1. We retain your personal data for as long as you allow us to when installing the application and we retain data from iBeacons for 90 days. You can withdraw your consent anytime directly in your phone's operating system;
2. We store your personal data for the period of validity of the consent. You can revoke your consent at any time by using the consent management icon directly in the application.
GDPR complaints

What are our purposes for the processing of your personal data?

We strive to protect your privacy as much as possible, and therefore we process your personal data in compliance with GDPR and all other relevant laws. However, if you disagree with the way we handle your personal data, you can exercise your rights via our Data Protection Officer. To ensure that your complaint is handled, some of your personal data has to be processed.

What is our legal basis for the processing of your personal data?

Your personal data is processed while handling your complaint in accordance with Article 6 (1) (c) GDPR, i.e. the processing is necessary for compliance with a legal obligation to which our company is subject.

What kind of personal data do we process?

Personal data provided by you when submitting the complaint (such as name, surname, email, phone number, etc.).

How long do we store your personal data?

We store your personal data strictly during the time necessary to deal with the complaint.

General provision on the retention period

Once we no longer need your personal data for the purposes for which we processed it, we will delete your personal data or archive it for the period of time specified by law or the archiving plan.

With whom do we share your personal data?

We may also share your personal data with companies within the HB Reavis Group. We may also be obliged to disclose your personal data to state authorities and public authorities, (courts and law enforcement authorities i.e. (police and prosecutor), and only to the extent necessary as required by applicable and effective law to exercise their power.

Based on several agreements with third parties, which act as our intermediaries or independent operators, we may provide your personal data, in particular to these companies, to the extent necessary to ensure the provision of services specified for individual companies:

Bloomreach SK s.r.o., with its registered office at Staromestská 3, Bratislava - mestská časť Staré Mesto 811 03, the Slovak Republic, IČO: 50 017 560, entered in the Commercial Register of the District Court Bratislava I, section: Sro, file no.: 107011 / B; the company as a processor ensures the generation of personalised marketing content;

In addition to the companies listed above, we use the following categories of intermediaries: data centres, hosting - marketing tools - analysis and tracking tools - events, surveys - business operations / management tools - task management and communication tools.

From whom do we get personal data?

We get personal data from you.

Do we use automated individual decision making?

Yes, we use automated individual decision making to provide personalised content on our application. However, we do not make any decisions based solely on automated processing that have legal effects on you or that significantly affect you. We analyse your behaviour in the "Aupark App" application solely to provide more attractive offers for the purchasing of goods and/or services and to adapt the content of the website to your preferences.

Do we transfer your personal data to third countries?

Your personal data is processed within the territory of the Slovak Republic and other states of the European Union. Your personal data can be processed by a country outside of the European Union if this third country has been confirmed by the European Commission as a country with an adequate level of data protection or if other appropriate data protection safeguards exist (for example, binding corporate privacy rules or EU standard data protection clauses).

What are your rights?

Your rights as a data subject are stated below. Please note that the exact conditions to exercise these rights are set out in detail in Chapter III of GDPR, while in particular circumstances not all rights may be exercised. You have the following rights:

Access to the personal data we process about you
Rectification of incorrect or inaccurate personal data and adding incomplete personal data
Restriction, i.e. blocking of the processing of your personal data
The deletion of personal data in case of an absence of purpose or unauthorised data processing
Submission of an objection to the processing of personal data if you believe that our data processing is not justified
To be excluded from automated decision making
Listing of personal data in a structured and machine-readable format or for another controller
Revocation of consent to the processing of personal data
To lodge a complaint with the supervisory authority

How can you exercise your rights?

Electronically: dataprivacy@hbreavis.com

In writing to the address: AUPARK Hradec Králové s.r.o., at hands of: compliance department, Panská 854/2, Nové Město, 110 00 Praha

Telephone: +421 918 723 243

We strive to protect your privacy as much as possible, and therefore we process your personal data in compliance with GDPR and all other relevant laws. However, if you disagree with the way we handle your personal data, you can exercise your rights by contacting our Data Protection Officer: Erika Wild, contact point at Twin City C, Mlynské Nivy 16, 821 09 Bratislava, the Slovak Republic, tel. +421 918 723 243, email: dataprivacy@hbreavis.com

Or you can file a complaint with the supervisory authority regarding the processing of your personal data. Your local supervisory authority may be found at https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm.

Profile deletion

You can always request to get your profile and all your personal data deleted directly from the app. Follow the steps below to delete your profile:

Open the app
Go to "More"
Select "Profile Settings"
Select "Delete My Profile"