Declaració de Privacitat

1 | Introduction

MULTI SPAIN MANAGEMENT S.A. (“Multi”) process your personal data if you access our website and applications, if we provide products or services to you or the organization through whom you are known to us, if you visit our shopping centers and/or take part in our marketing events or campaigns.

Multi is strongly committed to protecting the privacy of your personal data. Multi only uses your personal data legitimately and responsibly in line with applicable privacy laws and regulations.

In this Privacy Statement, we describe who we are, how and for which purposes we process your personal data, how you can exercise your privacy rights, and all other information that may be relevant to you.

We did our best to provide you with all information in a clear and readable format. However, if you have any questions about our use of your personal data after reading this Privacy Statement, you can of course always contact us through the contact details provided below.

We are continually developing and improving our products and services, which might result in some changes to the way we are processing personal data. We will make sure to reflect these changes in this Privacy Statement. We recommend that you regularly take notice of this Privacy Statement for any modifications. At the bottom of this Privacy Statement you can read when this Privacy Statement has been modified for the last time.

We may use cookies and similar technologies. For more information on how we use cookies, you may also want to read our Cookies Statement.

2 | Who are we?

MULTI SPAIN MANAGEMENT S.A. is a retail asset management, property management and (re)development company. We are located at C/Prim, 19, 28004 Madrid, Spain. For more information, please read paragraph “More information?”.

3 | To which personal data does this Privacy Statement apply?

All personal data that is collected, stored, shared, transmitted, and/or otherwise used in relation to Multi’s website, applications, shopping centers, products and services in Spain falls within scope of this Privacy Statement. This includes, inter alia, personal data of our investors, candidates, business partners, tenants, clients to whom Multi provides products and services, suppliers, visitors and other individuals (in any form).

4 | What is personal data?

Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.

You share such data with us if you are a client, we provide products or services to you, if you are a visitor of our shopping centers or have contact with us in another capacity.

5 | Which personal data do we collect from you?

We might collect several of the following categories of personal data when you are seeking contact or are in contact with Multi:

– Demographic data (name, gender, date of birth, age, nationality, martial status & dependents)

– Contact details (name, function, address, place of residence, email address, telephone number);

– Application data (CV and motivation)

– Financial data (bank account details, loan reference number, credit card number)

– Company details (address, trade register number, tax identification number)

– Account details (username and password)

– Marketing preferences (whether you have opted in or out for direct marketing)

– Interaction details (contact with our client service or digital and/or written correspondence)

– (Online) identifiers, surfing data and visitor movement data (IP address, cookies, MAC address, browsing behavior on our websites and applications, shopping behavior and location)

– Participation details (whether you participate in promotions, loyalty programs, surveys, competitions, or social and marketing events)

– Data needed for security and fraud prevention (official identification, camera recordings)

– Image data (photos, video images)

6 | How do we collect, receive or generate your personal data?

We might process the categories of personal data mentioned above either directly from you, from external parties or through profiling and automated decision-making techniques in so far as permitted by law.

Personal data directly provided by and about you

The following data is collected directly from you:

– Personal data which you provide when creating an account, using our applications, concluding a contract, participating in promotions, loyalty programs or social and marketing events and/or other information which you enter or provide through the use of Multi’s products or services;

– Your surfing behaviour on our website and your buying behavior when participating in our loyalty programs;

– Personal data you provide as a visitor of our shopping centers (this could also be movement information generated by Wifi-tracking);

– Personal data you, or the organization through whom you are known, provides to us in the performance of our products or services; and

– Personal data you provide as part of correspondence, recruitment, feedback, help (Q&A) and dispute settlement.

Personal data we receive from external parties

We can receive (additional) personal data, for example with the help of services of external parties or social media websites, in so far as permitted by law. The limits set by law can, for example, require your given consent in advance. We receive personal data from the following external parties:

– Data from organizations to which we provide products and services (e.g. owners of shopping centers);

– Data on companies and their representatives from the Trade Register of the Chamber of Commerce and Land Register;

– Data from public sources such as status inquiry agencies (companies specialised in credit profiles), the insolvency register (information on bankruptcies and statutory debt adjustment procedures), sanction lists, Politically Exposed Persons (PEP) lists, newspapers, the internet or social media (Facebook, Instagram, YouTube, Google+ and Twitter); and

– Data from (other) companies to which you have given permission to collect and sell information on you.

Profiling techniques / automated decision-making

We might want to approach you in a relevant and personal way.

To make that possible we might analyse personal data to determine the most relevant target groups, segments, content, advertisements, information, moments and channels. We only make use of such profiling or automated decision techniques based on your explicit consent, whereby we will inform you about the logic involved and the consequences of such techniques. At the same time, we take the necessary measures to safeguard your rights and to make sure that the techniques do not legally or significantly affect you, If you object to use of a profile to provide you with personalized marketing, please contact us by using the contact details set out in paragraph “More information?”.

7 | For which purposes do we process your personal data?

We collect and process your personal data for the following purposes:

– Execution of an agreement: to enter into and fulfill agreements with you and other clients, tenants, suppliers or (business) partners;

– Communication, (direct) marketing and personalization purposes: to maintain contact, promote and provide information about Multi’s products and services or the businesses of others (marketing);

– Quality and management purposes: to monitor and improve our products and services;

– Back office activities: invoice and collections management;

– Security and safety: for security reasons, accidents, insurance claims, etc.; and

– Legislation and regulation: to comply with legislation (e.g. verification requirements) or court orders to which Multi is subject.

In more detail, we process your personal data for the following purposes.

Execution of an agreement

We process your personal data to prepare, effect, perform and (possibly) terminate several kinds of agreements, e.g. leases, shopping center management contracts, sale and purchase agreements, e.a.. To that end, we could require demographic data, contact details, company details and financial details.

Communication, (direct) marketing and personalization purposes

– Client relationship management – Your relationship with Multi is important to us and as such, we take the utmost care to ensure that your personal data is accurate and up-to-date. Client relationship management includes the contact creation and registration of your account as a Multi’s client. It also includes facilitating the sharing of your contact information with Multi to draft business proposals and send invoices to the right client. To that end, we collect your demographic data, contact details and company details.

– Client service and support – We want to be able to assist you as quickly as possible whenever you contact us for support or want to file a(n) additional request or complaint. Therefore, we need to process your personal data in the form of taking notes and registering reports and telephone conversations that you have with our employees. We use this information not only to facilitate the resolution of your query, but also to analyze and improve the quality of our services. To that end, we collect your demographic data, contact details, company details, financial details and your request or complaint.

– Marketing and promotional offerings – If you are already a client of Multi or have indicated that you want to receive information about Multi’s products and services or the businesses of others, we can include you in a mailing list through which newsletters, brochures and other information are sent. In order to send these (personalized) offerings, we process your demographic data, contact details and company details.

– Loyalty program participation – We may also process your personal data if you indicated that as a visitor of our shopping centers, you want to participate in loyalty programs to receive personalized offerings and provide feedback through customer satisfaction and/or interest surveys. To that end, Multi collects your demographic data, contact details, financial data, account details and participation details.

Quality and management purposes

We process your personal data to monitor and improve the quality of our products and services, processes and systems, to inform the management and to perform internal audits. For example, Multi might use WIFI tracking to monitor visitor movement and flow and to assess the performance of certain shopping centers. To that end, Multi collects interaction details, surfing behaviour data and visitor movement data.

Back office activities

We process your personal data to manage the relation with you and to meet the requirements under an agreement. For example, clients with unpaid invoices will be sent reminders and therefore, personal data such as demographic data, contact details, company details, financial data and account details are processed.

Security and safety

We process your personal data to ensure the safety of our visitors and for the prevention and detection of crime. For this purpose, Closed Circuit Television (“CCTV”) might be in operation during your visit to any of Multi’s premises all in accordance with the relevant image capture laws. CCTV is well designed and selectively used and the necessary precautionary measures and restrictions have been taken (into account) by Multi to minimize the impact on your privacy rights. If you are subject to CCTV, you are informed through signs.

Legislation and regulation

We process your personal data to verify whether or not Multi can accept someone as a client or (business) partner, to counter fraud, to perform audits, to comply with legislation (e.g. civil, criminal, administrative, tax law) and regulation and to take the necessary legal action to enforce our rights.

8 | On which legal grounds do we process your personal data?

To be lawful, personal data which is processed for certain purposes (as identified above) has to be based on a legal ground1. Multi processes personal data on the following legal grounds:

8.1 | The performance of a (service) agreement with you

We process your personal data, which is necessary for our performance under an agreement with you. Without these data, we would not be able to fulfil our side of the agreement.

8.2 | Compliance with a legal obligation

We are legally obliged to process your personal data in order to comply with our legal obligations.

1 The legal grounds are listed in article 6 of the EU General Data Protection Regulation (“GDPR”).

8.3 | Legitimate interests pursued by us

We use your personal data for our legitimate interests, such as:

– To improve the quality and effectiveness of our services;

– To protect our visitors and stakeholders interests;

– To detect fraud and security incident (e.g. on our website and in our shopping centres);

– To defend ourselves in legal proceedings;

– To comply with the law.

8.4 | Your consent

If the previous three legal grounds do not apply, we can only process your personal data with your prior unambiguous explicit consent. Note that you can always withdraw your given consent. Please keep in mind that you can only withdrawal in case you have given your consent first and such withdrawal has no retrospective effect.

Multi processes personal data it has collected for the purposes as identified above on the following legal grounds:

Purpose Legal basis

Execution of an agreement: to enter into and fulfill agreements with you and other clients, suppliers or (business) partners.

1 | The performance under a (service) agreement.

Communication, (direct) marketing and personalization purposes: to maintain contact, promote and provide information about Multi’s products and services or the businesses of others (marketing).

1 | The performance under a (service) agreement;

2 | Legitimate interests pursued by us;

3 | Your consent.

Quality and management purposes: to monitor and improve our products and services;

1 | Legitimate interests pursued by us;

2 | Your consent.

Back office activities: invoice and collections management;

1 | The performance under a (service) agreement;

2 | Legitimate interests pursued by us.

Security and safety: security reasons, accidents, insurance claims, etc.

1 | Legitimate interests pursued by us.

Legislation and regulation: to comply with legislation (e.g. verification requirements) or court orders to which Multi is subject.

1 | Compliance with a legal obligation;

2 | Legitimate interests pursued by us.

9 | To whom do we provide your personal data?

We can provide your personal data to third parties in accordance with this Privacy Statement and in so far as permitted by law. Your personal data can be received by the following categories of recipients.

Group companies

We may share personal data with other entities of Multi for the purpose of providing you with information and/or services (such as registration and client support), the development of new websites, applications, services, promotions and communication, and to prevent, trace and examine possible illegal activities, infringements of our policies, fraud and/or breaches of our data security.

Authorities

We may provide your personal data to supervisory authorities such as Tax and Customs Administration, the police and other statutory bodies. We provide your personal data:

– To comply with a statutory obligation, court order or law; or

– If this is necessary to prevent, trace or prosecute criminal offence; or

– If this is necessary to enforce our policies, or to protect the rights and freedoms of others.

Business service companies (data processors)

We make use of business service companies to support us execute our business. These organizations act only on our instructions and are contractually bound by us not to use your data for their own purposes.

Other

Each external party to which we – with your given consent – provide your personal data (for example within the context of a collaboration, mandate or (service) agreement), and/ or to which other company now or in the future forms part of us as a result of a restructuring, merger or acquisition.

10 | Are your personal data being transferred outside the European Union?

Your personal data might be transferred outside of the European Union. We have taken all necessary measures to ensure that the transfers are safe and take place within the limits set by law.

Your personal data is being transferred to the following countries outside the European Union:

–  Turkey

– Ukraine

– New Zealand

– United States of America

To ensure a proper level of protection we make sure your data is only transferred if subject to one of the following safeguards:

Adequacy decision

We are allowed to transfer your personal data outside the European Union based on a so-called  ‘adequacy decision’. An adequacy decision is a decision of the European Commission that decides that the country in question ensures an adequate level of protection with regard to personal data.

EU-US Privacy Shield

Your personal data is only transferred outside the European Union if the recipient or data processor guarantees an adequate level of data protection under the U.S. Privacy Shield framework.

EU Standard Contract Clauses and Governance

The (lawful) transfer of personal data outside the European Union is made possible as a result of appropriate safeguards provided by us and recipients or data processors. We have implemented such safeguards through Multi’s governance rules and our standard data protection clauses to which we agree upon with all parties that process data on our behalf.

11 | How long do we store your personal data?

Your personal information is kept as long as necessary for the purpose for which the data are processed or allowed by law. Hereinafter your personal data will be removed or made anonymous.

12 | How can you exercise your privacy rights?

You have the right to request access to an overview of your personal data, and under certain conditions, rectification and/or erasure of personal data. In addition, you also have the right of restriction of processing concerning your personal data, the right to object to processing as well as the right to data portability.

To invoke your right of access, rectification, and/or erasure of personal data, your right of restriction of processing, and/or your right to object to processing as well as to invoke your right to data portability, please contact us by using the contact details set out above and in paragraph “More information?”. Please keep in mind that we may ask for additional information to verify your identity.

If you no longer want to receive direct marketing communication, please contact us by using the contact details set out in paragraph “More information?”. For information on how to object to profiling, please see the information on profiling techniques below.

13 | Can you lodge a complaint?

You can lodge a complaint with us via the contact details set out in paragraph “More information?”. Furthermore, you can lodge a complaint with the relevant data protection supervisory authority. For example, if you believe that we do not use your personal data carefully, or because you have sent us a request to access or rectification of your personal data and you are not satisfied with our reply, or we did not reply in a timely manner.

14 | More information?

If you have any questions about the way we process your personal data that are not answered by this privacy statement, you want to exercise your privacy right or want to file a complaint, please contact us:

MULTI SPAIN MANAGEMENT S.A.

C/Prim, 19

28004 Madrid Spain

T. +34 91 701 4610 / E. office-es@multi.eu

Our data protection officer (“DPO”) is: F.L.H. Gerards.

T. +31 20 2588 100 / E. compliance@multi.eu

15 | When was the last modification made to this Privacy Statement?

This Privacy Statement applies since 25 May 2018. The last modifications to this Privacy Statement were made on 25 May 2018.