Privacy Information Notice

  • Data Controllers

    • Data Controllers

      In the commercial activity carried out by the shopping and entertainment centre Ozas, there may be several situations in which we process your personal data. More details can be found below:

      We are uždaroji akcinė bendrovė „Ozantis“, a Lithuanian company, having its registered office in Ozas str. 18, LT-08243 Vilnius, Lithuania, registered under no. 126345741 (hereinafter the “Controller”), part of the NEPI Rockcastle Group.

      In promoting shopping and entertainment centre Ozas, we work with the following entities within the NEPI Rockcastle Group:

      ·        NE Property BV 7-29 Claude Debussylaan, having its registered office in Tribes Offices SOM Building, 3rd Floor, Amsterdam, The Netherlands, registered with the Dutch Chamber of Commerce under No. 34285470

      ·        NEPI Investment Management SRL, having its registered office in Calea Floreasca 169A, Cladirea A, sectiunea 5.1, biroul 14, Sector 1, Bucharest, Romania, registered with the Commercial Register under No. J40/16378/2007, unique registration number (CUI) RO22342136

      ·        NEPI Rockcastle Lithuania, UAB, having its registered office in Ozas str. 18-1002, Vilnius, Lithuania,  registered with the Legal entities registry of the Registry Centre, under No. 304909465

      From the perspective of how your personal data is processed for specific marketing purposes, the relationship between the Controller, NE Property BV, NEPI Investment Management SRL and  NEPI Rockcastle Lithuania, UAB is that of Joint Controllers, according to Article (26) of the GDPR.

      Also for the purpose of promoting the shopping and entertainment centre Ozas, NE Property BV makes the https://www.ozas.lt/ Website (the “Website”) available to users.

      This information notice is addressed to all data subjects who visit the  shopping and entertainment centre Ozas, access the Website, participate in promotional campaigns or similar events held on the premises of the shopping center or online or represent suppliers/partners/collaborators or tenants in the conduct of the contractual relationship with  shopping and entertainment centre Ozas.

      The way we process your personal data differs depending on your relationship with the shopping and entertainment centre Ozas. To receive more information, choose the category below that applies to you:

      • I am a visitor or customer of the shopping centre

      • I am a user of the shopping centre website

      • I am the legal representative or contact person of a supplier, collaborator or tenant of the shopping centre

      • I am part of the staff of suppliers, collaborators or tenants of the shopping centre

      In all cases, you have several rights that can be exercised, individually or cumulatively, with respect to personal data that shopping and entertainment centre Ozas holds in relation to you. Information on these rights as well as how they can be exercised is available in the Rights of data subjects section .

      We undertake to process personal data in compliance with applicable legislation on the protection of personal data and good practices in this area. More information is available in the section on Data security and accuracy.

      In addition, a Data Protection Officer has been appointed at the NEPI Rockcastle Group level, who can be contacted should there be any concerns about the protection of personal data and the exercise of data protection rights. The Data Protection Officer can be contacted by written, dated and signed request, using the contact details mentioned below:

      ·        by mail, at: Ozas str. 18, Vilnius LT-08243, uždaroji akcinė bendrovė “Ozantis”

      ·        by email, at:  duomenu.apsauga@nepirockcastle.com

  • 5. Security and accuracy of personal data

    • 5. Security and accuracy of personal data

      We will take all necessary security measures to protect your personal data transmitted, stored or otherwise processed against destruction, loss, unlawful or accidental change, unauthorised disclosure or unauthorised access, as well as against any other unlawful processing. The security measures we implement with regard to your personal data can ensure the confidentiality, integrity, availability and continued resilience of processing systems and services, as well as the capacity to restore the availability of and access to personal data in a timely manner if a physical or technical incident occurs.

      All personal data will be processed through secure pages using the SSL encryption system, marked with a padlock symbol, located at the top of the browser window.

      For more information on security standards on the Website, go to the “Help” section.

      In addition, for the security of the data and the confidentiality of the information transmitted through the Account, it is password protected. The Controller, or where applicable the Joint Controllers, shall make every effort and use appropriate information technology to ensure the protection and security of the data you provide to us.

      In cases provided for by the GDPR in relation to personal data breaches, the Controller, or as the case may be, each of the Joint Controllers, will duly inform the competent authorities and relevant persons.

      The Controller or Joint Controllers process personal data that are accurate and have a procedure in place to update them. Thus, the Controller/Joint Controllers shall take all necessary steps to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

  • 4. Staff of suppliers, collaborators or tenants of the shopping centre

    • 4. Staff of suppliers, collaborators or tenants of the shopping centre

      1.1        Personal data we process

      ·        Identification data, such as: first name and last name, date of birth

      ·        Contact details, such as: email address, phone number

      ·        Occupational data, such as: position held, company in which you are employed or which you represent

      ·        Data on the vehicle for which a parking space is granted in the car park of the shopping centre: vehicle plate number (with image)

      ·        Data on access to the shopping centre parking, e.g.: arrival date and time, departure date and time, length of stay, payment related data, information filled in section “notes”

      ·        IP, MAC of the devices, login time (mobile, laptop, tablet)

      ·        Image

      1.2        Use of personal data

      No.

      Purpose of processing personal data

      Legal basis of processing personal data

      1.    

      Video surveillance by means of the CCTV system installed inside the shopping centre, in the common areas, access roads, as well as car park areas

      Legitimate interest in ensuring the security of persons and property inside the shopping centre

      2.    

      Legitimate interest in ensuring the security of persons and property inside the shopping centre

      Grant access to tenants’ staff inside the shopping area outside the hours when the shopping centre is open

      3.    

      Providing access to the parking lot of the shopping centre

      Perform the contract regarding the provision of our services or lease of parking space of the parking lot (i.e. granting access to the parking lot of the shopping centre)

      4.    

      Solve requests for data and information received from the competent authorities and institutions

      Legal obligation

      5.    

      Grant access to the free WiFi network

      Perform the contract regarding the provision of our services (i.e. granting access to the facilities and services provided by the shopping centre)

      6.    

      Management of notifications/complaints submitted within the shopping centre

      Our legitimate interest in resolving complaints sent to us and in maintaining good relations with visitors/customers of the shopping centre

      7.    

      Management of requests regarding lost objects, filed inside the shopping centre

      Our legitimate interest in resolving complaints sent to us and in maintaining good relations with visitors/customers of the shopping centre

      8.    

      Carry out know-your-customer (KYC) checks in relation to potential contractual partners

      Legitimate interest in performance of KYC procedure

      9.    

      Carry out economic, financial and/or administrative management activities

      Legal obligation

      10. 

      Settlement of disputes, investigations or any other petitions/complaints to which the Controller is a party

      Legitimate interest in defending our rights in court/in front of any competent authority

      11. 

      Archiving

      Legal obligation

      12. 

      Conducting risk controls on the Controller's procedures and processes, as well as conducting audits or investigations of the Controller

      Our legitimate interest in managing risk and ensuring compliance with the Controller's procedures and processes

      1.3        Storage Period

      The personal data processed are kept for the period of time necessary to comply with the legal obligations imposed on us by the regulations specific to our field of activity.

      Depending on the context in which we process your personal data, the following rules for determining the storage period will apply:

      ·        CCTV system: Video recordings stored by the CCTV system are usually kept for a period of 14 (fourteen) days, unless the extension of their processing period is required by law or justified by legal procedures.

      ·        Parking system: video surveillance of the parking and payment equipment - no longer than 1 month; arrival / departure to the parking lot related data - no longer than 2 months; payment related data - in accordance with tax regulation (usually - 10 years); in case of lease of the parking space to the tenants and / or employees of the tenants of the shopping center - no longer than 1 month after the end of the lease contract. Storage period may be extended if required by law or it is necessary in order to investigate a specific incident / event.

      ·        WiFi network: Data is stored during the session and not longer than 1 (one) day after the session ends.

      ·        Inquiries, complaints, lost and found related data - no longer than 3 years from the date of dispatch of the reply, receipt of the document (in case no reply).

      ·        Contract data - no longer than 10 years after the end of the contract.

      ·        Other – in accordance with the storage periods, established by legal regulation.

      1.4        Third party access

      Access to your data will only be provided to those individuals or entities with whom we collaborate for processing purposes and for whom we (the new or the intended recipients) can justify a legitimate ground in accordance with the GDPR or if we have an obligation legal to provide your data.

      The following entities and their employees will have access to your data:

      ·        Security and security service providers - To ensure CCTV video surveillance and access control system in parking spaces, the landlord collaborates with specialised companies, authorised by law to carry out security and surveillance activities

      ·        Other service providers - With regard to the handling of complaints, grievances and/or requests regarding lost items addressed to the staff of the Info Desk offices within the shopping centres, the Controller usually collaborates with specialised service companies

      ·        Legal consultants

      ·        Group companies

      We will contractually require these entities and their staff to respect the confidentiality of this data, ensuring a high level of security for the processing of your data.

      We will also provide your personal data to judicial bodies, public institutions, or central and local public authorities, based on a duly substantiated request or legal obligation.

      As a rule, the Controller will not transfer your personal data to third countries outside the European Economic Area. However, if such a transfer takes place, the Controller will take appropriate protection measures to ensure the protection of the personal data transferred.

  • 6. Rights of the data subjects with respect to the processing of personal data:

    • 6. Rights of the data subjects with respect to the processing of data:

      (a)   Right of access - the right to request confirmation that the personal data are processed or not by us, and if so, the data subject may request access to the data, as well as certain information about such data. Upon request in this respect, we will also issue a copy of the processed personal data. Request for additional copies will be charged on the basis of the costs actually incurred.

      (b)   Right to rectification - the right to get the inaccurate personal data rectified, as well as to supplement incomplete data, including by providing additional information.

      (c)   Right to delete data ("the right to be forgotten") - in situations expressly regulated by law, the right to obtain from us the deletion of the data. Thus, the deletion of personal data can be requested if:

      o   the data are no longer necessary for the purposes for which they were collected or processed;

      o   withdrawal of the consent on the basis of which processing is carried out;

      o   the data subject opposes to the processing under the right of opposition;

      o   processing of personal data is illegal;

      o   the data must be deleted for the purpose of complying with a legal obligation incumbent on us.

      (d)   Right to restrict processing - the right to request the restriction of processing of personal data in certain circumstances expressly regulated by the law, as follows:

      o   the accuracy of the data is contested, for the period when the accuracy of the concerned data is checked;

      o   the processing is unlawful and the data subject opposes to the deletion of data;

      o   the data subject needs these data to establish, exercise or defend certain rights in court, and our company no longer needs such data;

      o   the data subject opposes to the processing of personal data for the period in which we check if our legitimate interests prevail over their interests, rights and freedoms.

      In these circumstances, except for storage, the data will not be processed anymore.

      (e)   Right to object to the processing of personal data - the right to object at any time, for reasons related to the particular situation of the data subject, to the processing (including the creation of profiles) based on our legitimate interest.

      (f)     Right to data portability - the right to receive the personal data provided in a structured, automated readable format, and the right to request that the data be passed to another controller. This right applies only to personal data provided directly by the data subject to the controller, and only if the processing of personal data is done by automated means and is legally based on either the execution of a contract or the consent of that person,

      (g)   The right to lodge a complaint - the right to lodge a complaint in relation to the methods of personal data processing. The complaint will be submitted to the State data protection inspectorate ("SDPI") – details at https://vdai.lrv.lt.

      (h)   Right of withdrawal of consent - the right to withdraw, at any time, the consent to the processing of personal data in cases where processing is based on consent. Withdrawal of the consent will only have effect for the future, and processing prior to the withdrawal remains valid.

      (i)     Additional rights related to automated decisions used in the delivery of services - if automated decisions are made about personal data and these decisions significantly affect the data subject, the data subject can (a) obtain human intervention with respect to said processing, (b) express their point of views on such processing, (c) obtain explanations regarding the decision made and (d) contest such decision.

      These rights (except the right to contact SDPI, which can be exercised under the conditions established by this authority - in this regard you can see the official website https://vdai.lrv.lt) may be exercised, anytime, either individually or by aggregation, sending a letter/message in the following ways:

      ·        by mail, at: Ozo str. 18, Vilnius LT-08243, UAB “Ozantis”

      ·        by email, at: duomenu.apsauga@nepirockcastle.com

      You can exercise the right to withdraw your consent for the transmission of direct marketing messages (newsletter) by e-mail, by accessing the dedicated unsubscribe link (unsubscribe), included in each message of this kind.

  • 3. Representatives of the contractual partners

    • 3. Representatives of the contractual partners (suppliers/tenants of shopping centres/collaborators)

      1.1        Personal data we process

      ·        Identification data, such as: first name and last name, date of birth

      ·        Contact details, such as: email address, phone number

      ·        Occupational data, such as: position held, company in which you are employed or which you represent

      1.2        Use of personal data

      No.

      Purpose of processing personal data

      Legal basis of processing personal data

      1.    

      Concluding and executing leases or other commercial contracts

      Legitimate interest in carrying out our activity and validly concluding commercial contracts agreements specific to our field of activity (i.e. commercial spaces lease agreements)

      2.    

      Contacting possible future tenants of the shopping centre (prospective tenants)

      Legitimate interest in promoting our business and promoting the shopping centre to potential tenants (prospective tenants)

      3.    

      Carry out know-your-customer (KYC) checks in relation to potential contractual partners

      Legitimate interest in performance of KYC procedure

      4.    

      Carry out economic, financial and/or administrative management activities

      Legal obligation

      5.    

      Settlement of disputes, investigations or any other petitions/complaints to which the Controller is a party

      Legitimate interest in defending our rights in court/in front of any competent authority

      6.    

      Archiving

      Legal obligation

      7.    

      Conducting risk controls on the Controller's procedures and processes, as well as conducting audits or investigations of the Controller

      Our legitimate interest in managing risk and ensuring compliance with the Controller's procedures and processes

      1.3        Storage Period

      The personal data processed are kept for the period of time necessary to comply with the legal obligations imposed on us by the regulations specific to our field of activity.

      Depending on the context in which we process your personal data, the following rules for determining the storage period will apply:

      ·          Inquiries, complaints, contacting related data - no longer than 3 years from the date of dispatch of the reply, receipt of the document (in case no reply) or data.

      ·          Contract data - no longer than 10 years after the end of the contract.

      ·          Other – in accordance with the storage periods, established by legal regulation.

      1.4        Third party access

      Access to your data will only be provided to those individuals or entities with whom we collaborate for processing purposes and for whom we (the new or the intended recipients) can justify a legitimate ground in accordance with the GDPR or if we have an obligation legal to provide your data.

      The following entities and their employees will have access to your data:

      ·        Legal consultants

      ·        Group companies

      As the Controller is part of the Nepi Rockcastle group of companies ("Group"), your personal data will be processed for the purposes of consolidated management of the Group's activities, for audit purposes and in any other situation where the law requires or permits such processing, if we (the Controller or the recipient companies in the Group) can justify a legitimate basis for doing so or if we obtain your consent to do so. The list of companies in the Group can be found at: www.nepirockcastle.com

      We will contractually require these entities and their staff to respect the confidentiality of this data, ensuring a high level of security for the processing of your data.

      We will also provide your personal data to judicial bodies, public institutions, or central and local public authorities, based on a duly substantiated request or legal obligation.

      As a rule, the Controller will not transfer your personal data to third countries outside the European Economic Area. However, if such a transfer takes place, the Controller will take appropriate protection measures to ensure the protection of the personal data transferred.

  • 2. Visitors and customers of the shopping centre

    • 2. Visitors and customers of the shopping centre

      1.1        Personal data we process

      ·        Identification data, such as: first name and last name, date of birth

      ·        Special identification data, that is personal identity number 

      ·        Contact details, such as: email address, phone number

      ·        Image

      ·        Data on the vehicle for which a parking space is granted in the car park of the shopping centre: vehicle plate number (with image)

      ·        Data on access to the shopping centre car park, e.g.: arrival time, departure time, length of stay

      ·        IP, MAC of the devices, login time (mobile, laptop, tablet)

      ·        Data on participation in promotional campaigns and similar events, e.g.: prizes won

      ·        Financial data, e.g.: bank account number

      1.2        Use of personal data

      1.2.1       General purposes

      When you visit the  shopping and entertainment centre Ozas, certain personal data about you will be processed by the Controller, mainly in order to be able to provide you with the services offered by the Controller or to fulfil our legal obligations.

      No.

      Purpose of processing personal data

      Legal basis of processing personal data

      1.    

      Video surveillance by means of the CCTV system installed inside the shopping centre, in the common areas, access roads, as well as car park areas

      Legitimate interest in ensuring the security of persons and property inside the shopping centre

      2.    

      Facilitate access to the car park of the shopping centre

      Perform the contract regarding the provision of our services (i.e. granting access to the facilities and services provided by the shopping centre)

      3.    

      Solve requests for data and information received from the competent authorities and institutions

      Legal obligation

      4.    

      Grant access to the free WiFi network

      Perform the contract regarding the provision of our services (i.e. granting access to the facilities and services provided by the shopping centre)

      5.    

      Management of notifications/complaints submitted within the shopping centre

      Our legitimate interest in resolving complaints sent to us and in maintaining good relations with visitors/customers of the shopping centre

      6.    

      Management of requests regarding lost objects, filed inside the shopping centre

      Perform the contract regarding the provision of our services (i.e. granting access to the facilities and services provided by the shopping centre)

      7.    

      Carry out economic, financial and/or administrative management activities

      Legal obligation

      8.    

      Settlement of disputes, investigations or any other petitions/complaints to which the Controller is a party

      Legitimate interest in defending our rights in court/in front of any competent authority

      9.    

      Archiving

      Legal obligation

      10. 

      Conducting risk controls on the Controller's procedures and processes, as well as conducting audits or investigations of the Controller

      Our legitimate interest in managing risk and ensuring compliance with the Controller's procedures and processes

      1.2.2       Data processing for marketing purposes 

      In its work to promote shopping and entertainment centre Ozas, including through the Website, the Controller works with the following entities within the NEPI Rockcastle Group: NE Property BV, NEPI Investment Management SRL and NEPI Rockcastle Lithuania, UAB. Thus, from the perspective of how your personal data is processed for marketing purposes, the entities of the NEPI Rockcastle Group mentioned above (hereinafter collectively referred to as the “Joint Controllers” and individually as the “Joint Controller”) act as Joint Controllers, pursuant to Article (26) of the GDPR.

      In connection with the processing of personal data for marketing purposes, you benefit from all the rights set out in the section Data subjects' rights. By virtue of the agreement entered into by the Joint Controllers regarding the processing of personal data for marketing purposes, they will cooperate and ensure that they fully respect your rights, regardless of the Joint Controller to whom you choose to send your request to exercise your rights.

      No.

      Purpose of processing personal data

      Legal basis of processing personal data

      1.    

      Take and use photos (which also include your image) in order to promote the shopping centre

      Your consent

      2.    

      Organise raffles, competitions, events or marketing campaigns in the shopping centre, including handing out prizes won

      Perform the contract concluded (i.e., in accordance with the Regulation of the concerned raffle, competition or campaign)

      1.3        Storage period:

      The personal data processed are kept for the period of time necessary to comply with the legal obligations imposed on us by the regulations specific to our field of activity.

      Depending on the context in which we process your personal data, the following rules for determining the storage period will apply:

      ·        CCTV system: Video recordings stored by the CCTV system are usually kept for a period of 14 (fourteen) days, unless the extension of their processing period is required by law or justified by legal procedures.

      ·        Parking system: video surveillance of the parking and payment equipment - no longer than 1 month; arrival / departure to the parking lot related data - no longer than 2 months; payment related data - in accordance with tax regulation (usually - 10 years). Storage period may be extended if required by law or it is necessary in order to investigate a specific incident / event.

      ·        WiFi network: data is stored during the session and not longer than 1 (one) day after the session ends.

      ·        Data processed for marketing purposes: data collected for marketing purposes will be processed until consent is withdrawn. Once you choose to withdraw your consent, your data will be stored by the Joint Controllers, for an additional period of 60 days, in the legitimate interest of the Joint Controllers to be able to access and provide the necessary documentation in the event of a potential legal claim, complaint, investigation (i.e., but not to be used for sending direct marketing materials).

      ·        Inquiries, complaints, lost and found related data - no longer than 3 years from the date of dispatch of the reply, receipt of the document (in case no reply).

      ·        Contract data - no longer than 10 years after the end of the contract.

      ·        Marketing related data: in accordance with the rules of specific marketing campaign.

      ·        Other – in accordance with the storage periods, established by legal regulation.

      1.4        Third party access:

      Access to your data will only be provided to those individuals or entities with whom we collaborate for processing purposes and for whom we (the new or the intended recipients) can justify a legitimate ground in accordance with the GDPR or if we have an obligation legal to provide your data.

      The following entities and their employees will have access to your data:

      ·        Security and security service providers - To ensure CCTV video surveillance and access control system in parking spaces, the Controller collaborates with specialised companies, authorised by law to carry out security and surveillance activities

      ·        Other service providers - With regard to participation in campaigns and events, as well as the handling of complaints, grievances and/or requests regarding lost items addressed to the staff of the Info Desk offices within the shopping centres, the Controller usually collaborates with specialised service companies

      ·        Legal consultants

      ·        Group companies

      As both the Controller and the other Joint Controllers are part of the Nepi Rockcastle group of companies (the “Group”), your personal data will be processed for the purposes of consolidated management of the Group's activities, for audit purposes and in any other situation where the law requires or permits such processing, if we (the Controller, the Joint Controllers or the recipient companies in the Group) can justify a legitimate basis for doing so or if we obtain your consent to do so. The list of companies in the Group can be found at: www.nepirockcaste.com

      ·        Partners of shopping and entertainment centre Ozas

      Your personal data will also be processed in relation to a number of third party partners (“Partners”). These are the Partners that the Joint Controllers promote in their relationship with you through direct marketing activities, and are usually represented by shopping and entertainment centre Ozas tenants. Partners do not have access to your personal data, unless the Controller or the Joint Controllers have obtained your prior consent to do so. The full list of Partners is updated quarterly and can be found here –

      https://ozas.lt/en/tenants/services

      https://ozas.lt/en/tenants/entertainment

      https://ozas.lt/en/tenants/restaurants

      https://ozas.lt/en/tenants/shops

      ·        Shopping and entertainment centre Ozas Property Manager

      We will contractually require these entities and their staff to respect the confidentiality of this data, ensuring a high level of security for the processing of your data.

      We will also provide your personal data to judicial bodies, public institutions, or central and local public authorities, based on a duly substantiated request or legal obligation.

      As a rule, the Controller or, where applicable, the Joint Controllers, will not transfer your personal data to third countries outside the European Economic Area. If such a transfer nevertheless takes place, the Controller or the Joint Controllers will take appropriate safeguards to ensure the protection of personal data transferred.

  • 1. I am a visitor or customer of the shopping centre

    • 1. I am a visitor or customer of the shopping centre

      1.1        Personal data we process

      ·        Identification data, such as: name

      ·        Contact details, such as: email address, phone number

      ·        Data on your preferences/interests, such as data on areas of interest - e.g., fashion, technology, pets, etc.

      ·        Data about your interaction with the Website, such as: information about the stores you searched for, the fact that you chose a series of products/services as favorites or that you selected a series of events that you want to participate in, as well as the recurrence with which you visit our Website/access the Account.

      ·        Data collected through cookies or other similar technical means (i.e., small text files that are stored on your computer, phone, tablet or mobile device, and contain information about your activity on those sites/applications), e.g.: sub-pages accessed, period spent on a specific page

      In the case of the Website, we also collect your IP, but this data is not processed or used for any subsequent purpose at this time.

      1.2        Use of personal data

      1.2.1       General purposes

      When you access the shopping and entertainment centre Ozas website (the “Website”), certain personal data about you will be processed by NE Property BV, mainly in order to be able to provide you with the requested service, namely access to the Website.

      No.

      Purpose of processing personal data

      Legal basis of processing personal data

      1.    

      Carry out economic, financial and/or administrative management activities

      Legal obligation

      2.    

      Settlement of disputes, investigations or any other petitions/complaints to which NE Property BV is a party

      Legitimate interest in defending our rights in court/in front of any competent authority

      3.    

      Archiving

      Legal obligation

      4.    

      Conducting risk controls on NE Property BV procedures and processes, as well as conducting audits or investigations of NE Property BV

      Our legitimate interest to manage risks and ensure compliance with NE Property BV procedures and processes

      5.    

      Ensure a high level of security of information systems (e.g., applications, network, infrastructure, website)

      Our legitimate interest in ensuring the security of our computer systems

      6.    

      Provide you with support services when you request so

      Perform the contract concluded regarding the provision of our services (i.e., in accordance with the Terms and Conditions of the Website)

      1.2.2       Data processing for marketing purposes 

      In its work to promote the shopping and entertainment centre Ozas, including through the Website, NE Property BV works together with the following entities within the NEPI Rockcastle Group: uždaroji akcinė bendrovė „Ozantis“,  NEPI Investment Management SRL and NEPI Rockcastle Lithuania, UAB. Thus, from the perspective of how your personal data is processed for marketing purposes, the entities of the NEPI Rockcastle Group mentioned above (hereinafter collectively referred to as the “Joint Controllers” and individually as the “Joint Controller”) act as Joint Controllers, pursuant to Article (26) of the GDPR.

      In connection with the processing of personal data for marketing purposes, you have all the rights set out in Data subjects' rights. By virtue of the agreement entered into by the Joint Controllers regarding the processing of personal data for marketing purposes, they will cooperate and ensure that they fully respect your rights, regardless of the Joint Controller to whom you choose to send your request to exercise your rights.

      No.

      Purpose of processing personal data

      Legal basis of processing personal data

      1.    

      to contact you through the means of communication to provide you with information about the Website (i.e. non-marketing information),

      Perform the contract concluded regarding the provision of our services (i.e., in accordance with the Terms and Conditions of the Account)

      2.    

      Create and analyse profiles about you in order to present content tailored to your preferences and to improve our services

      See more details on how to identify your preferences in section 1.3

      Your consent

      3.    

      Send general or customised direct marketing messages (newsletter) via the e-mail provided when subscribing to the newsletter, in order to promote our activities, offers and products, the Group, but also the Partners

      More information about the Partners of the  shopping and entertainment centre Ozas is available in section 1.5

      Your consent

      4.    

      To perform internal analyses (including statistical analyses, reports) with respect to the customer portfolio, in order to improve and develop services, and to conduct market studies and researches to improve and develop the services of the Controller, of the Group and of their Partners,

      More information about the Controller’s Group and Partners  shopping and entertainment centre Ozas is available in section 1.5

      Our legitimate interest consists in market knowledge, strategic development, development and improvement of our services

      5.    

      Document your consent

      Legal obligation

      6.    

      Use of marketing cookies for the purpose of:

      -        conducting profiling activities, also called web profiling which involves the use of cookies to track online the general activity of a user in order to present content tailored to his preferences,

      -        conducting targeting and retargeting campaigns

      More information on cookies is available in the Cookie Policy 

      Your consent

      7.    

      Create statistics designed to provide information about the performance of the Website and the marketing campaigns displayed (e.g. the number of users who accessed the campaign page, the number of users who saw the campaign banner, etc.), made by using analysis cookies

      More information on cookies is available in the Cookie Policy

      Our legitimate interest in (i) improving the content of the Website and the campaigns conducted on the Website as well as the better evaluation of the performance indicators (KPI) of the commercial campaigns carried out on the Website and (ii) ensuring the operation, access and technical use of the Website and providing you with the services you have explicitly requested

      8.    

      Use of cookies necessary to ensure the operation of the Website

      More information on cookies is available in the Cookie Policy

      Perform the contract regarding the provision of our services (i.e. ensuring access to the Website)

      1.3        Additional information on profiling

      The Joint Controllers will create and analyse your profiles based on the personal data we hold about you - data about your preferences/interests, data about your interaction with the Website, data collected through cookies. As a result of analysing such data, we will be able to identify your preferences, interests and capabilities in terms of procurement, and thus relate them to the services we provide or to the products we promote.

      Then, through automated procedures, the Joint Controllers determine the content of the direct marketing materials to be sent to you. In the legal language these automated procedures are referred to as “automated individual process”.

      Thus, the direct marketing materials that we will send you will be as specific, convincing and applicable as possible to you, and as a consequence may influence you (i.e. in the sense of purchasing the product/service included in the marketing material), as the manage to correctly identify your preferences or characteristics.

      With regard to the processing of data by automated individual processes, you have several additional rights, i.e. you can (a) obtain human intervention, (b) express your point of view, (c) get explanations about the decision made and (d) contest that decision. In addition, you can withdraw consent at any time in the manner prescribed in this Privacy Information Notice in the section dedicated to Data subjects rights.

      1.4        Storage period

      The personal data processed are kept for the period of time necessary to comply with the legal obligations imposed on us by the regulations specific to our field of activity.

      With regard to the use of your personal data for direct marketing activities, it will be stored by the Joint Controllers from the time you have given us your consent for such processing until the date you have withdrawn it. Once you choose to withdraw your consent, your data will be stored by the Joint Controllers, for an additional period of 60 days in the legitimate interest of the Joint Controllers to be able to access and provide the necessary documentation in the event of a potential legal claim, complaint, investigation (i.e., but not to be used for sending direct marketing materials).

      1.5        Third party access

      Access to your data will be provided only to those persons or entities with whom we collaborate in fulfilling the purposes of processing, and for whom we (we or the intended recipients) can justify a legitimate reason or if we have a legal obligation to provide your data.

      The following entities and their employees will have access to your data:

      ·        IT service providers (e.g., software maintenance and development, site maintenance and development)

      ·        CRM solution providers

      ·        Marketing service providers, including market research service providers, marketing communications service providers, online tool traffic and behavior monitoring service providers, various marketing customization service providers, providers of marketing services through social media resources, providers of services for the preparation of the content of marketing forms,

      ·        Legal consultants

      ·        Group Companies

      As both the Controller and the other Joint Controllers are part of the Nepi Rockcastle group of companies (the “Group”), your personal data will be processed for the purposes of consolidated management of the Group's activities, for audit purposes and in any other situation where the law requires or permits such processing, if we (the Controller, the Joint Controllers or the recipient companies in the Group) can justify a legitimate basis for doing so or if we obtain your consent to do so. The list of companies in the Group can be found at: www.nepirockcastle.com

      ·        Partners of shopping and entertainment centre Ozas

      Your personal data will also be processed in relation to a number of third party partners (“Partners”). These are the Partners that the Joint Controllers promote in their relationship with you through direct marketing activities, and are usually represented by tenants of NEPI Rockcastle Group shopping centres. Partners do not have access to your personal data, unless NE Property BV or the Joint Controllers have obtained your prior consent in this respect. The full list of Partners for the  shopping and entertainment centre Ozas location is updated quarterly and can be found here -

      https://ozas.lt/en/tenants/shops

      https://ozas.lt/en/tenants/restaurants

      https://ozas.lt/en/tenants/entertainment

      https://ozas.lt/en/tenants/services

      and

      We will contractually require these entities, as well as their staff, to respect the confidentiality of this data, ensuring a high level of security for the processing of your data.

      We will also provide your personal data to judicial bodies, public institutions, or central and local public authorities, based on a duly substantiated request or legal obligation.

      As a rule, NE Property BV or, as the case may be, the Joint Controllers, will not transfer your personal data to third countries outside the European Economic Area. If such a transfer nevertheless takes place, NE Property BV and the Joint Controllers will take appropriate safeguards to ensure the protection of personal data transferred.

Navigate To Section