Last update: 21/08/2019
Capital & Regional and your personal data
"Personal Data" is any data that identifies you. The Personal Data which you supply to us you agree will be true. We will deal with your Personal Data in compliance with the current UK & EU data protection legislation, which includes the EU General Data Protection Regulation (GDPR) which comes into force on 25th May 2018. Please note this applies only to services which we operate and control and not to other companies' or organisations' websites to which we may link. For such external services or sites please see their Privacy Policies to understand how they might be handling your data.
Who is Capital & Regional?
Capital & Regional plc owns and operates a number of shopping centres in the UK. Capital & Regional is listed on the main market of the London Stock Exchange and has a secondary listing on the Johannesburg Stock Exchange.
Our Purpose for Collecting and Processing Personal Data
We collect and process data in order to: Understand who our shareholders and stakeholders are and to send them appropriate and relevant information; to carry out marketing for both Capital & Regional and our Shopping centres; and in order to manage the operations of our business such as contracts with businesses operating in our centres. In some cases we are also required to hold certain information for legal compliance, law enforcement or contractual purposes.
Data protection laws set out a number of valid reasons for the collection and processing of personal data. These include: Consent, such as ticking a box to opt-in to receive marketing emails from us; legitimate Interest; compliance with the law; and, to fulfil contractual obligations.
What Data We Collect
When registering to receive RNS or media updates we collect personal data like your contact information. Similarly Shareholders acquiring shares will register their name and address. We also collect contact information in respect of advisors or third parties and in certain circumstances are required to collect and maintain additional personal information such as ID or Passport numbers for regulatory purposes.
Use of personal Data for Marketing Communications
We send post, email, text messages and mobile notifications to you about news and services that we consider may be of interest to you only if you have given us permission to do so.
Electronic notifications may be sent to you via your internet browser if you have given consent for us to do so. If you subsequently wish to remove consent for these you can do so following the instructions provided by your internet browser software.
Who Controls or Has Access to the Data?
Personal data is accessed and processed by staff at the support office of Capital & Regional. The use of personal data will remain under the control of Capital & Regional at all times operating as the Data Controller. Capital & Regional do not sell your data to other companies.
We use selected third parties, called Data Processors, to help operate our services which include, for example, email system or database providers. When employing Data Processors, we ensure that they comply with data protection laws including ensuring that data is held securely and that only the information required to complete the work is supplied to them. If we stop using a particular Data Processor’s services we require that personal data held by them is securely deleted or anonymised. Third parties involved with our database and email systems are Tiger Systems and Nunki, and website data can be processed by Innovation Digital. Some customer data required to fulfil retailer and commercial partner requests and to fulfil contractual obligations is stored within Salesforce.
In compliance with the law we may be obligated to disclose Data about you to a law enforcement agency or by a court order.
Personal Data is held and processed only within the EU.
Data subjects have various rights in relation to accessing and amending the data companies hold on them under GDPR. More information on how to do this can be found later in this document.
Your personal data is not shared with other companies for their own purposes unless specifically stated at the time of collection and you have given your permission.
Retention Period & Criteria
We only keep personal data for as long as necessary for the purpose for which it was collected or to comply with legal, contractual or law enforcement purposes. At the end of this period data is either deleted or anonymised so that it can be used for statistical and analytical purposes in a non-identifiable way.
We endeavour to take all reasonable steps to protect your personal information. However, we cannot guarantee the security of any data you disclose online. You accept the inherent security risks of providing information and dealing online over the Internet and will not hold us responsible for any breach of security unless this is due to our negligence or wilful default.
Data Subject’s Rights
Data subjects have a number of rights which we recognise and uphold. These include: The right to be informed about how we collect and process your personal data which is detailed in this document; The right to access this information; The right to rectify or erase data; The right to restrict the processing of data; The right to data portability; The right to object; and, rights relating to automated decision making and profiling. Data subjects also have the right to lodge complaints with the Information Commissioner's Office and the right to withdraw consent.
How do I access or amend my data?
Please contact us at firstname.lastname@example.org. In line with GDPR, access requests are free and will be responded to within a month.
How do I remove myself from your mailing list?
Please email email@example.com with the word 'remove' in the subject line and the email address that you wish to be removed within the email. Please note that it may take up to 28 days to action your request via this method.
Each email we send contains an unsubscribe link and a link to the customer profile tool.
Opting out of marketing communications will be honoured unless a later opt-in is received for the same contact details.
If you would like to request that we delete your data completely, please email us at firstname.lastname@example.org.
Changes to this Privacy Statement
We will occasionally update this Privacy Statement and when we do, we will also revise the "last updated" date at the top of this document. We will obtain your consent for any updates to this Privacy Statement that materially expand the sharing or use of your personal information in ways not disclosed in this Privacy Statement at the time of collection.
Identity and Contact Details
Data Controller: Capital & Regional / The Mall, 22 Chapter Street, London, SW1P 4NP.