Information Notice on the Processing of Personal Data
In the commercial activity carried out by Arena Center, there may be several situations in which we process your personal data. More details can be found below:
We are Arena Center Zagreb d.o.o. a company registered with the Commercial court in Zagreb, PIN no. 83997642580, Vice Vukova 6, Zagreb (hereinafter the “Controller”), part of the NEPI Rockcastle Group.
In promoting Arena Centre we work with the following entities within the NEPI Rockcastle Group:
From the perspective of how your personal data is processed for specific marketing purposes, the relationship between the Controller, NE Property BV and NEPI Investment Management SRL is that of Joint Controllers, according to Article (26) of the GDPR.
Also for the purpose of promoting the Arena Centre, NE Property BV makes the Arena Centre Website (the “Website”) available to users.
This information notice is addressed to all data subjects who visit Arena Centre, access the Website, participate in promotional campaigns or similar events held on the premises of the shopping centre or online or represent suppliers/partners/collaborators or tenants in the conduct of the contractual relationship with Arena Centre.
The way we process your personal data differs depending on your relationship with Arena Centre. To receive more information choose the category below that is applicable to you:
In all cases, you have several rights that can be exercised, individually or cumulatively, with respect to personal data that Arena Centre holds in relation to you. Information on these rights as well as how they can be exercised is available in the Rights of data subjects section .
We undertake to process personal data in compliance with applicable legislation on the protection of personal data and good practices in this area. More information is available in the section on Data security and accuracy.
In addition, a Data Protection Officer has been appointed at the NEPI Rockcastle Group level, who can be contacted should there be any concerns about the protection of personal data and the exercise of data protection rights. The Data Protection Officer can be contacted by written, dated and signed request, using the contact details mentioned below:
In the case of the Website, we also collect your IP, but this data is not processed or used for any subsequent purpose at this time.
When you access the Arena Centre website (the “Website”), certain personal data about you will be processed by NE Property BV, mainly in order to be able to provide you with the requested service, namely access to the Website.
| No. | Purpose of processing personal data | Legal basis of processing personal data |
| 1. | Carry out economic, financial and/or administrative management activities | Legal obligation |
| 2. | Settlement of disputes, investigations or any other petitions/complaints to which NE Property BV is a party | Legitimate interest in defending our rights in court/in front of any competent authority |
| 3. | Archiving | Legal obligation |
| 4. | Conducting risk controls on NE Property BV procedures and processes, as well as conducting audits or investigations of NE Property BV | Our legitimate interest to manage risks and ensure compliance with NE Property BV procedures and processes |
| 5. | Ensure a high level of security of information systems (e.g., applications, network, infrastructure, website) | Our legitimate interest in ensuring the security of our computer systems |
| 6. | Provide you with support services when you request so | Perform the contract concluded regarding the provision of our services (i.e., in accordance with the Terms and Conditions of the Website) |
In its work to promote the Arena Centre, including through the Website, NE Property BV works together with the following entities within the NEPI Rockcastle Group: The Controller, as owner of the Shopping Centre and NEPI Investment Management SRL. Thus, from the perspective of how your personal data is processed for marketing purposes, the entities of the NEPI Rockcastle Group mentioned above (hereinafter collectively referred to as the “Joint Controllers” and individually as the “Joint Controller”) act as Joint Controllers, pursuant to Article (26) of the GDPR.
In connection with the processing of personal data for marketing purposes, you have all the rights set out in Data subjects’ rights. By virtue of the agreement entered into by the Joint Controllers regarding the processing of personal data for marketing purposes, they will cooperate and ensure that they fully respect your rights, regardless of the Joint Controller to whom you choose to send your request to exercise your rights.
| No. | Purpose of processing personal data | Legal basis of processing personal data |
| 1. | to contact you through the means of communication to provide you with information about the Website (i.e. non-marketing information), | Perform the contract concluded regarding the provision of our services (i.e., in accordance with the Terms and Conditions of the Account) |
| 2. | Create and analyze profiles about you in order to present content tailored to your preferences and to improve our services
See more details on how to identify your preferences here |
Your consent |
| 3. | Send general or customised direct marketing messages (newsletter) via the e-mail provided when subscribing to the newsletter, in order to promote our activities, offers and products, the Group, but also the Partners
More information about the Partners of the Arena Centar is available here |
Your consent |
| 4. | Organize raffles, competitions or other similar campaigns | Perform the contract concluded (i.e., in accordance with the Regulation of the concerned raffle, competition or campaign) |
| 5. | Conduct direct marketing campaigns for specific regions or Waze users | Your consent |
| 6. | Manage and operate the accounts on the social networks of the shopping centre; conduct campaigns on social networks | Your consent |
| 7. | Conduct surveys or other market research | Our legitimate interest in promoting the shopping centre and better understanding the market demands |
| 8. | To perform internal analyses (including statistical analyses, reports) with respect to the customer portfolio, in order to improve and develop services, and to conduct market studies and researches to improve and develop the services of the Controller, of the Group and of their Partners,
More information about the Controller’s Group and Partners Arena Centar is available here |
Our legitimate interest consists in market knowledge, strategic development, development and improvement of our services |
| 9. | Document your consent | Legal obligation |
| 10. | Use of marketing cookies for the purpose of:
More information on cookies is available in the Cookie Policy |
Your consent |
| 11. | Create statistics designed to provide information about the performance of the Website and the marketing campaigns displayed (e.g. the number of users who accessed the campaign page, the number of users who saw the campaign banner, etc.), made by using analysis cookies
More information on cookies is available in the Cookie Policy |
Our legitimate interest in (i) improving the content of the Website and the campaigns conducted on the Website as well as the better evaluation of the performance indicators (KPI) of the commercial campaigns carried out on the Website and (ii) ensuring the operation, access and technical use of the Website and providing you with the services you have explicitly requested |
| 12. | Use of cookies necessary to ensure the operation of the Website
More information on cookies is available in the Cookie Policy |
Perform the contract regarding the provision of our services (i.e. ensuring access to the Website) |
The Joint Controllers will create and analyze your profiles based on the personal data we hold about you – data about your preferences/interests, data about your interaction with the Website, data collected through cookies. As a result of analyzing such data, we will be able to identify your preferences, interests and capabilities in terms of procurement, and thus relate them to the services we provide or to the products we promote.
Then, through automated procedures, the Joint Controllers determine the content of the direct marketing materials to be sent to you. In the legal language these automated procedures are referred to as “automated individual process”.
Thus, the direct marketing materials that we will send you will be as specific, convincing and applicable as possible to you, and as a consequence may influence you (i.e. in the sense of purchasing the product/service included in the marketing material), as we manage to correctly identify your preferences or characteristics.
With regard to the processing of data by automated individual processes, you have several additional rights, i.e. you can (a) obtain human intervention, (b) express your point of view, (c) get explanations about the decision made and (d) contest that decision. In addition, you can withdraw consent at any time in the manner prescribed in this Memorandum in the section dedicated to Data subjects rights.
The personal data processed is kept for the period of time necessary to comply with the legal obligations imposed on us by the regulations specific to our field of activity.
With regard to the use of your personal data for direct marketing activities, it will be stored by the Joint Controllers from the time you have given us your consent for such processing until the date you have withdrawn it. Once you choose to withdraw your consent, your data will be stored by the Joint Controllers, for an additional period of 3 years, in the legitimate interest of the Joint Controllers to be able to access and provide the necessary documentation in the event of a potential legal claim, complaint, investigation (i.e., but not to be used for sending direct marketing materials).
Access to your data will be provided only to those persons or entities with whom we collaborate in fulfilling the purposes of processing, and for whom we (we or the intended recipients) can justify a legitimate reason or if we have a legal obligation to provide your data.
The following entities and their employees will have access to your data:
As both the Controller and the other Joint Controllers are part of the Nepi Rockcastle group of companies (the “Group”), your personal data will be processed for the purposes of consolidated management of the Group’s activities, for audit purposes and in any other situation where the law requires or permits such processing, if we (the Controller, the Joint Controllers or the recipient companies in the Group) can justify a legitimate basis for doing so or if we obtain your consent to do so. The list of companies in the Group can be found at: www.nepirockcastle.com
Your personal data will also be processed in relation to a number of third party partners (“Partners”). These are the Partners that the Joint Controllers promote in their relationship with you through direct marketing activities and are usually represented by tenants of NEPI Rockcastle Group shopping centers. Partners do not have access to your personal data, unless NE Property BV or the Joint Controllers have obtained your prior consent in this respect. The full list of Partners for the Arene Centre location is updated quarterly and can be found here – https://megamallbucuresti.ro/magazine/, https://megamallbucuresti.ro/categorie_unitate/divertisment/ and https://megamallbucuresti.ro/servicii/
We will contractually require these entities, as well as their staff, to respect the confidentiality of this data, ensuring a high level of security for the processing of your data.
We will also provide your personal data to judicial bodies, public institutions, or central and local public authorities, based on a duly substantiated request or legal obligation.
As a rule, NE Property BV or, as the case may be, the Joint Controllers, will not transfer your personal data to third countries outside the European Economic Area. If such a transfer nevertheless takes place, NE Property BV and the Joint Controllers will take appropriate safeguards to ensure the protection of personal data transferred.
When you visit the Arene Centre, certain personal data about you will be processed by the Controller, mainly in order to be able to provide you with the services offered by the Controller or to fulfil our legal obligations.
| No. | Purpose of processing personal data | Legal basis of processing personal data |
| 1. | Video surveillance by means of the CCTV system installed inside the shopping centre, in the common areas, access roads, as well as car park areas | Legitimate interest in ensuring the security of persons and property inside the shopping centre |
| 2. | Facilitate access to the car park of the shopping centre | Perform the contract regarding the provision of our services (i.e. granting access to the facilities and services provided by the shopping centre) |
| 3. | Solve requests for data and information received from the competent authorities and institutions | Legal obligation |
| 4. | Grant access to the free WiFi network | Perform the contract regarding the provision of our services (i.e. granting access to the facilities and services provided by the shopping centre) |
| 5. | Management of notifications/complaints submitted within the shopping centre | Our legitimate interest in resolving complaints sent to us and in maintaining good relations with visitors/customers of the shopping centre |
| 6. | Management of requests regarding lost objects, filed inside the shopping centre | Perform the contract regarding the provision of our services (i.e. granting access to the facilities and services provided by the shopping centre) |
| 7. | Carry out economic, financial and/or administrative management activities | Legal obligation |
| 8. | Settlement of disputes, investigations or any other petitions/complaints to which the Operator or [Shopping Mall Name] is a party | Legitimate interest in defending our rights in court/in front of any competent authority |
| 9. | Archiving | Legal obligation |
| 10. | Conducting risk controls on the Controller’s procedures and processes, as well as conducting audits or investigations of the Controller | Our legitimate interest in managing risk and ensuring compliance with the Controller’s procedures and processes |
In its work to promote Arena Centre, including through the Website, the Controller works with the following entities within the NEPI Rockcastle Group: NE Property BV and NEPI Investment Management SRL. Thus, from the perspective of how your personal data is processed for marketing purposes, the entities of the NEPI Rockcastle Group mentioned above (hereinafter collectively referred to as the “Joint Controllers” and individually as the “Joint Controller”) act as Joint Controllers, pursuant to Article (26) of the GDPR.
In connection with the processing of personal data for marketing purposes, you benefit from all the rights set out in the section Data subjects’ rights. By virtue of the agreement entered into by the Joint Controllers regarding the processing of personal data for marketing purposes, they will cooperate and ensure that they fully respect your rights, regardless of the Joint Controller to whom you choose to send your request to exercise your rights.
| No. | Purpose of processing personal data | Legal basis of processing personal data |
| 1. | Take and use photos (which also include your image) in order to promote the shopping centre | Your consent |
| 2. | Organize raffles, competitions, events or marketing campaigns in the shopping centre, including handing out prizes won | Perform the contract concluded (i.e., in accordance with the Regulation of the concerned raffle, competition or campaign) |
The personal data processed are kept for the period of time necessary to comply with the legal obligations imposed on us by the regulations specific to our field of activity.
Depending on the context in which we process your personal data, the following rules for determining the storage period will apply:
Access to your data will only be provided to those individuals or entities with whom we collaborate for processing purposes and for whom we (the new or the intended recipients) can justify a legitimate ground in accordance with the GDPR or if we have an obligation legal to provide your data.
The following entities and their employees will have access to your data:
As both the Controller and the other Joint Controllers are part of the Nepi Rockcastle group of companies (the “Group”), your personal data will be processed for the purposes of consolidated management of the Group’s activities, for audit purposes and in any other situation where the law requires or permits such processing, if we (the Controller, the Joint Controllers or the recipient companies in the Group) can justify a legitimate basis for doing so or if we obtain your consent to do so. The list of companies in the Group can be found at: www.nepirockcaste.com
Your personal data will also be processed in relation to a number of third party partners (“Partners”). These are the Partners that the Joint Controllers promote in their relationship with you through direct marketing activities and are usually represented by [Shopping Mall Name] tenants. Partners do not have access to your personal data, unless the Controller or the Joint Controllers have obtained your prior consent to do so. The full list of Partners is updated quarterly and can be found here – https://megamallbucuresti.ro/magazine/,https://megamallbucuresti.ro/categorie_unitate/divertisment/ and https://megamallbucuresti.ro/servicii/
We will contractually require these entities and their staff to respect the confidentiality of this data, ensuring a high level of security for the processing of your data.
We will also provide your personal data to judicial bodies, public institutions, or central and local public authorities, based on a duly substantiated request or legal obligation.
As a rule, the Controller or, where applicable, the Joint Controllers, will not transfer your personal data to third countries outside the European Economic Area. If such a transfer nevertheless takes place, the Controller or the Joint Controllers will take appropriate safeguards to ensure the protection of personal data transferred.
| No. | Purpose of processing personal data | Legal basis of processing personal data |
| 1. | Concluding and executing leases or other commercial contracts | Legitimate interest in carrying out our activity and validly concluding commercial contracts agreements specific to our field of activity (i.e. commercial spaces lease agreements) |
| 2. | Contacting possible future tenants of the shopping centre (prospective tenants) | Legitimate interest in promoting our business and promoting the shopping centre to potential tenants (prospective tenants) |
| 3. | Carry out know-your-customer (KYC) checks in relation to potential contractual partners | Legal obligation |
| 4. | Carry out economic, financial and/or administrative management activities | Legal obligation |
| 5. | Settlement of disputes, investigations or any other petitions/complaints to which the Operator is a party | Legitimate interest in defending our rights in court/in front of any competent authority |
| 6. | Archiving | Legal obligation |
| 7. | Conducting risk controls on the Controller’s procedures and processes, as well as conducting audits or investigations of the Controller, | Our legitimate interest in managing risk and ensuring compliance with the Controller’s procedures and processes, |
The personal data processed is kept for the period of time necessary to comply with the legal obligations imposed on us by the regulations specific to our field of activity.
Access to your data will only be provided to those individuals or entities with whom we collaborate for processing purposes and for whom we (the new or the intended recipients) can justify a legitimate ground in accordance with the GDPR or if we have an obligation legal to provide your data.
The following entities and their employees will have access to your data:
As the Controller is part of the Nepi Rockcastle group of companies (“Group“), your personal data will be processed for the purposes of consolidated management of the Group’s activities, for audit purposes and in any other situation where the law requires or permits such processing, if we (the Controller or the recipient companies in the Group) can justify a legitimate basis for doing so or if we obtain your consent to do so. The list of companies in the Group can be found at: www.nepirockcastle.com
We will contractually require these entities and their staff to respect the confidentiality of this data, ensuring a high level of security for the processing of your data.
We will also provide your personal data to judicial bodies, public institutions, or central and local public authorities, based on a duly substantiated request or legal obligation.
As a rule, the Operator will not transfer your personal data to third countries outside the European Economic Area. However, if such a transfer takes place, the Operator will take appropriate protection measures to ensure the protection of the personal data transferred.
| No. | Purpose of processing personal data | Legal basis of processing personal data |
| 1. | Video surveillance by means of the CCTV system installed inside the shopping centre, in the common areas, access roads, as well as car park areas | Legitimate interest in ensuring the security of persons and property inside the shopping centre |
| 2. | Legitimate interest in ensuring the security of persons and property inside the shopping centre | Grant access to tenants’ staff inside the shopping area outside the hours when the shopping centre is open |
| 3. | Solve requests for data and information received from the competent authorities and institutions | Legal obligation |
| 4. | Grant access to the free WiFi network | Perform the contract regarding the provision of our services (i.e. granting access to the facilities and services provided by the shopping centre) |
| 5. | Management of notifications/complaints submitted within the shopping centre | Our legitimate interest in resolving complaints sent to us and in maintaining good relations with visitors/customers of the shopping centre |
| 6. | Management of requests regarding lost objects, filed inside the shopping centre | Our legitimate interest in resolving complaints sent to us and in maintaining good relations with visitors/customers of the shopping centre |
| 7. | Carry out know-your-customer (KYC) checks in relation to potential contractual partners | Legal obligation |
| 8. | Carry out economic, financial and/or administrative management activities | Legal obligation |
| 9. | Settlement of disputes, investigations or any other petitions/complaints to which the Operator is a party | Legitimate interest in defending our rights in court/in front of any competent authority |
| 10. | Archiving | Legal obligation |
| 11. | Conducting risk controls on the Controller’s procedures and processes, as well as conducting audits or investigations of the Controller | Our legitimate interest in managing risk and ensuring compliance with the Controller’s procedures and processes |
The personal data processed is kept for the period of time necessary to comply with the legal obligations imposed on us by the regulations specific to our field of activity.
Depending on the context in which we process your personal data, the following rules for determining the storage period will apply:
Access to your data will only be provided to those individuals or entities with whom we collaborate for processing purposes and for whom we (the new or the intended recipients) can justify a legitimate ground in accordance with the GDPR or if we have an obligation legal to provide your data.
The following entities and their employees will have access to your data:
We will contractually require these entities and their staff to respect the confidentiality of this data, ensuring a high level of security for the processing of your data.
We will also provide your personal data to judicial bodies, public institutions, or central and local public authorities, based on a duly substantiated request or legal obligation.
As a rule, the Controller will not transfer your personal data to third countries outside the European Economic Area. However, if such a transfer takes place, the Operator will take appropriate protection measures to ensure the protection of the personal data transferred.
We will take all necessary security measures to protect your personal data transmitted, stored, or otherwise processed against destruction, loss, unlawful or accidental change, unauthorized disclosure or unauthorized access, as well as against any other unlawful processing. The security measures we implement with regard to your personal data can ensure the confidentiality, integrity, availability and continued resilience of processing systems and services, as well as the capacity to restore the availability of and access to personal data in a timely manner if a physical or technical incident occurs.
All personal data will be processed through secure pages using the SSL encryption system, marked with a padlock symbol, located at the top of the browser window.
For more information on security standards on the Website, go to the “Help” section.
In addition, for the security of the data and the confidentiality of the information transmitted through the Account, it is password protected. The Controller, or where applicable the Joint Controllers, shall make every effort and use appropriate information technology to ensure the protection and security of the data you provide to us.
In cases provided for by the GDPR in relation to personal data breaches, the Controller, or as the case may be, each of the Joint Controllers, will duly inform the competent authorities and relevant persons.
The Controller or Joint Controllers process personal data that are accurate and have a procedure in place to update them. Thus, the Controller/Joint Controllers shall take all necessary steps to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
In these circumstances, except for storage, the data will not be processed anymore.
These rights (except the right to contact AZOP, which can be exercised under the conditions established by this authority – in this regard you can see the official website https://azop.hr/ ) may be exercised, anytime, either individually or by aggregation, sending a letter/message in the following ways:
You can exercise the right to withdraw your consent for the transmission of direct marketing messages (newsletter) by e-mail, by accessing the dedicated unsubscribe link (unsubscribe), included in each message of this kind.
