HAMMERSON – VISITOR PRIVACY NOTICE

Introduction

This privacy notice (the “Notice”) relates to your visit to Bullring & Grand Central (Birmingham) (the “Destination”) and your use of our Destination website (www.bullring.co.uk), including services you use via these channels and other data we collect during your visit. It details when and why we collect your personal data, how we use and keep it secure. It also explains your legal rights to control that processing. This Notice does not apply to third party websites that you may reach through links on our website.

About us and how to contact us

This Notice explains how Hammerson UK Properties Limited (“Hammerson”, “we”), a company incorporated and registered in England and Wales (company number 00298351) which has its registered office at Marble Arch House, 66 Seymour Street, London, W1H 5BX collect, use and manage your personal data in compliance with applicable data protection law.

If you have any questions relating to this Notice or would like to exercise your legal rights set out in this Notice, please contact us by email at dataprotectionofficer@hammerson.com.

How we collect and use your personal data

We collect information in several ways, which are listed below. Generally, we collect your information when you decide to use the services and facilities we offer.

We may collect the following information when you use the services and facilities we offer when visiting our Destination or using our online services:

• Wi-Fi: when connecting to and using our wi-fi services, we will collect your name and email address to log you on to the network, as well as a unique identifier, called a MAC address, which is collected by the wi-fi signal that your device transmits, IP address, identity of your device, routing data, duration and time of a communication. The lawful basis for the processing of this data is that it is necessary for entering into a contract for the provision of a service. We may also collect Information relating to the duration of visits and the identity of the device that connects to the wi-fi where it is in our legitimate interests to do so for the purpose of improving our services and to better understand our visitors. We do not monitor your browsing activity. To restrict location analytics on an iPhone device, do not connect to the Destination’s wi-fi. To restrict location analytics on an android device, please use airplane mode.

• Social media: when you publish personal information to publicly available social media sites, we may, with your consent, share your posts with our social media community.

• Events: when registering or purchasing a ticket to attend one of our events, we will collect your contact and registration details, such as name, email address and contact number in order to issue you with a ticket. The lawful basis for the processing of this data is that it is necessary for entering into a contract for the provision of this service. We may also process your image if you agree to be photographed when you attend one of our events, which will – depending on the type of event – be obtained by way of a release form or, via your attendance where prior notice of filming and / or photography has been provided. The images may be used for promotional purposes on our website and social media.

• Concierge services and other facilities: we may require your contact details and other information when we administer services such as lost property, or when you use equipment belonging to us. The lawful basis for the processing of this data is that it is necessary for entering into a contract for the provision of a service.

• Safeguarding, security and operation of our Destination: in operating, safeguarding and maintaining security at our Destination and in order to comply with our legal, and health and safety obligations, we may collect personal contact details, date of birth, gender, health and medical related information when logging accidents, details of any relevant activity, incidents, injuries, accidents or alleged accidents, damages or alleged damages to property, photographs, video footage via CCTV (closed circuit television) and BWV (body worn video) footage and your vehicle registration plate via ANPR (automatic number plate recognition). The processing of this data is also necessary for our legitimate interests (or those of a third party) in operating the Destination, as well as for your and our protection and your interests and fundamental rights do not override those interests. When required to do so, we may in compliance with applicable law share this data with law enforcement agencies and our insurance companies relating to crime prevention, criminal activity, incident management and legal claims.

• Newsletters: when you consent to subscribe to marketing newsletters and marketing information from us, we will collect your name, surname, and email address, including complying with any preferences you have made in relation to receiving marketing information. If you do not wish to receive such marketing e-mails, please let us know by e-mailing us at dataprotectionofficer@hammerson.com. We may also use this data for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests, which may include sending you surveys to help us improve our services and understand our visitors better or notifying you about changes to our services.

• Contact us: we collect your contact details when you contact us via our website feedback form so that we can respond to your query and to help us improve our services and understand our visitors better. The lawful basis for the processing of this data is that it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

• Charity or community space requests: we require your contact details when you submit a charity or community space request form, for consideration in our community support projects. We will use your data to administer your request and do so on the basis that it is necessary for entering into a contract for the provision of a service and for our legitimate interests in servicing the communities in which we operate.

• Prize draws and competitions: we will collect information from you, such as your name and email address when you enter prize draws or competitions run by us for administration and delivery purposes. Note that prize draws and competitions will be subject to separate terms and conditions which will be made available to you. The lawful basis for the processing of this data is that it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

• Compliance with legal obligations imposed on us: we may also process your personal information to allow us to comply with any requests you are lawfully entitled to make, including under data protection laws and to allow us to keep records that we are legally required to retain, including evidence of consents provided, or to evidence our compliance with any legal obligations we are subject to.

Other information we obtain

Accessing our website or downloading our App: when you install one of our mobile applications or use a device to access our website, we may collect information such as the type of device, your operating system, your browser, your internet service provider, your domain name, your internet protocol (IP) address, your device identifier (or UDID), the date and time that you accessed our service, the website that referred you to our website (if applicable), the web pages you requested, the date and time of those requests, and the subject of the ads you click or scroll over. We use this information for our legitimate interests, for the purpose of improving the effectiveness and operation of our services, to develop new services; to store information about your preferences enabling us to customise our site according to your interests, to recognise you when you return to our side and to inform and direct our marketing strategy.

To collect this information, we use cookies, beacons, and similar technologies. Unless you have adjusted your browser setting so that it will refuse cookies, our system will issue cookies when you log on to our site. If you do not wish us to process this information, you may prevent this by disabling the function or blocking the cookies on your device or browser. However, if you select this setting, you may be unable to access certain parts of our site, or it may impact on the usability of our website. You can find more details on how we use cookies in our Cookie Policy, which can be found on the Destination website.

Footfall Counting: Our CCTV includes footfall counting technology which is also being monitored to measure audience and footfall traffic. This data is collected in aggregated form, such as the total number of visitors to each Destination and average times spent in certain segments of our Destination which helps us to understand visitor use, journeys and implement enhanced guest safety measures and services. The lawful basis for the processing of this data is that it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

Social Media: your information may be shared with us by independent organisations when there is a lawful basis to do so. You should check their privacy policy when you provide your information to them, to understand fully how they will process and safeguard your data. These independent organisations may include services like Instagram, Facebook, WhatsApp, Tik Tok or X (formerly Twitter). Depending on the sharing preferences you have set in those platforms, you may give us permission to access your personal data from those accounts or services.

How long will we hold your information

We retain the personal data we collect for as long as necessary for the purposes described in this Notice.

To determine the appropriate period for holding your personal data, we consider the applicable legal requirements, the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes we process your personal data for, and whether we can achieve those purposes through other means,

In some circumstances, we may anonymise personal data so that we can continue to use it for analytical purposes. Where this is not possible, we will delete the personal data. If neither anonymisation nor deletion is possible, (for example, because your personal information has been stored in backup archives), then we will securely store your personal data and isolate it from any further processing until it is deleted.

If your personal data is recorded or printed on paper we destroy the information in a secure manner. Electronic media is subject to technical destruction measures which make sure the data unable to be restored or reconstructed.

Sharing your personal data

We share your personal data with carefully selected third party partners, which include suppliers, contractors, and professional advisors, who help us deliver some of our services and other services you use, such as car parking services; wi-fi services and to help us manage our technology and surveillance platforms.

We also share your personal data with our group companies and affiliates who may process data on our behalf to enable us to conduct our usual business practices.

We may share your personal data, where necessary, with prospective purchaser(s) or purchaser of any part of our business, on the basis of our legitimate interests and the interests of our purchaser, so that they can appropriately value the business and assess any risks and continue doing business with you after the acquisition.

We may also disclose your personal data, where disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or comply with the law, including valid legal requests from the Police, or other government agencies.

Where your personal data is held

We may store or process your personal data outside the United Kingdom (UK) or European Economic Area (EEA). Whenever we transfer your personal data out of the UK or EEA to countries which have laws that do not provide the same level of data protection as UK and EU law, we always ensure that a similar degree of protection is afforded to it by ensuring that appropriate safeguards are implemented, such as the use of standard contractual terms approved for use in the UK and EU respectively, which give the transferred personal data the same protection as it has in the UK and EU.

Children

If you are under the age of 16, you will be required to confirm that you have your parent’s / guardian’s consent to use our services.

If any of our products or services are targeted directly at children, we will provide you with additional information about how their data will be used in the context of that service.

Your data protection rights

Under data protection law, you have the following rights in relation to the personal data we are processing about you. The rights available to you depend on our reason for processing your information.

Right to be informed: You have the right to be provided with concise, transparent and easily understandable information about how we collect and process your personal data. This Notice sets out this information.

Right of access: You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process.

Right to rectification: You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.

Right to erasure: You have the right to ask us to erase your personal information in certain circumstances, for example where you request erasure and there is no other legal justification for the use of your information.

Right to restriction of processing: You have the right to ask us to restrict the processing of your information in certain circumstances, for example where you have requested an update to your personal data.

Right to data portability: This only applies to personal data you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into a contract and the processing is automated.

Right to object and/or to withdraw consent: You have the right to ask us to stop processing your personal data, and we will do so, unless we can demonstrate compelling legitimate grounds for the processing; or the need to use your personal data in connection with any legal claims. If you have provided your consent to process your personal data and that is our legal basis for processing, you have the right to withdraw that consent at any time.

Right to not be subject to a decision based solely on automated processing: You have the right not to be subject to a decision when it is based on automatic processing, including profiling, if it produces a legal effect or similarly significantly affects you. This right is not applicable if profiling is necessary for the performance of a contract between you and us.

If you wish to make a data subject request, please use either our Contact Us page or email dataprotectionofficer@hammerson.com. We may require additional information to either confirm your identity before we can process your request and/or to assist us in responding to your request.

Customer Data Deletion Process You may request deletion of your data at any time by contacting us at dataprotectionofficer@hammerson.com stating Data Deletion in the subject line. Please ensure the email address you have used to opt-in to any newsletters or marketing materials is included in the message. Your data and customer account will be deleted within 30 days, and you will be notified by email.

If you wish to withdraw your consent to receive marketing materials, this can be done by: • emailing us at dataprotectionofficer@hammerson.com • updating your preferences on your online account; or • by clicking on the unsubscribe link on any emails we have sent.

If you withdraw your consent, this will not affect our rights to have sent you marketing material prior to your withdrawal, but we will not send any further marketing. Whilst we will endeavour to ensure that you do not receive any further marketing material immediately, there may be a slight delay for any changes to take effect. Please note that where you have withdrawn consent, your information will not be deleted but will be retained in a suppression list to ensure that we do not inadvertently send further marketing communications once you have withdrawn your consent to receive them.

Right to complain to a data protection supervisory authority: If you have a concern about any aspect of our data protection practices, including the way we are processing your personal data, you can report it to the Information Commissioners’ Office (ICO) - www.ico.org.uk

Modifications of this policy

We may revise this Privacy Policy from time to time. If we make any changes to this privacy policy that may materially impact on you or our processing of your personal data, we will notify you by means of a notice on our website prior to the change becoming effective.

Date of last change: 7 January 2025