The Bull Ring Limited Partnership, Kings Place, 90 York Way, London, N1 9GE (“the Company”, “we”, “our” or “us”) has certain obligations under the General Data Protection Regulation (“GDPR”) to notify individuals (“you” or “your”) about how it will process any personal data it collects from or about them. We treat your data privacy very seriously and understand that you will wish to know how we will use that personal data. We maintain a registration as a data controller with the Information Commissioner’s office (www.ico.org.uk) and have registration number ZA194511. To contact us if you have any questions about this Policy or our processing of your personal data (including to exercise your rights under GDPR), including details of our Data Protection Officer, please see our contact details included below in this Policy under ‘How to contact the Company?’ header.
We are part of the Hammerson group of companies (“the Hammerson Group”), which may also be provided with personal data about you. This Policy will inform you of what personal information we collect in relation to your use of the Drive Thru web portal only (the “Portal”). This includes providing information about how that information is used, our lawful basis for such use, who it is shared with and why, where it is transferred, your rights in relation to it and how you can exercise such rights. For information about how other areas of the Hammerson Group process your personal data, please consider our other privacy notices/policies (as discussed below).
What personal data is collected?
Under the GDPR, personal data is information from which you are indentified or are identifiable (directly or indirectly). The personal data which may be collected and used by us when you register via the Portal include your:
• date of birth;
• contact details such as email address and phone number;
• vehicle registration number and other details relating to your car such as car make/model/car colour/fuel type/emissions;
• bank account or card details (for the purposes processing payments);
• cookies, to the extent these constitute your personal data (see ‘Cookies’ header below in this Policy)
• username and log-in password to enable you to use the Portal; and
• IP address (for security purposes, not for targeted/marketing purposes).
Furthermore, we may process details of your unresolved, non-compliance (if any) with contracts between us (e.g. if there has been a non-payment or other breach of contract by you in relation to your use of the car park), whether your vehicle has been involved in crime in relation to the car park, or in relation to facilitating the exit from the shopping centre following the commission of a crime, or is otherwise known to the control authorities (police, intelligence services and local authorities), or whether you are subject to a banning order from the shopping centre the car park is affiliated with. In these circumstances, we may have determined not to permit your vehicle, or the vehicle we have connected to you, to enter the car park based on that previous behaviour.
For what purposes will your personal data be used and what is our corresponding lawful basis under GDPR?
We may process your personal data for the following purposes:
• to enable you to enter into a contract with us to enrol via the Portal to enable automatic entry/exit on relevant payment when you use our Bullring car park services in accordance with our terms and conditions. Our lawful basis under GDPR in relation to these purposes is that it is necessary for the performance of our contract with you (or in order to take steps at your request prior to entering into a contract with you);
• legitimate business reasons - management reporting, accounting, other internal business (including joint ventures and business sales) and sales management, if any personal data is involved. Our lawful basis under GDPR in relation to these purposes is that it is necessary for the purposes of our (or a third party’s) legitimate business interests (e.g. to manage our business responsibly and efficiently), which are not overridden by your interests, fundamental rights and freedoms;
• customer relationship management - dealing with any queries or correspondence from you. Our lawful basis under GDPR in relation to these purposes is as follows: (i) where the processing relates directly to responding to you, our lawful basis is that you have consented to us responding to you, by making a request to us which requires a response; and (ii) where the processing is not directly related to responding to you (e.g. obtaining professional advice to allow us to consider our response, discussing your request in management meetings), our lawful basis is that it is necessary for the purposes of our (or a third party’s) legitimate business interests (e.g. to manage our business responsibly and efficiently, and to consider and protect our own legal rights), which are not overridden by your interests, fundamental rights and freedoms.
• enforcement of our terms and conditions. Our lawful basis under GDPR in relation to these purposes is that it is necessary for the performance of our contract with you (or in order to take steps at your request prior to entering into a contract with you);
• marketing e-mails (and/or SMS/texts) – we will only contact you by e-mail (and/or SMS/text) with marketing information about our goods and services which we feel may be of interest to you providing you have given your consent to receive such communications from us. When you access the Portal, you will be given an option to give your consent to receive such communications from us via email and/or SMS/text (and, if you do consent, you will be provided with the option to opt-out in the marketing communications we send to you);
• cookies – please see ‘Cookies’ header below in this Policy;
• compliance with legal, regulatory and other good governance obligations, including to request additional information from third parties (eg the DVLA) to allow us to meet these obligations. Our lawful basis it is necessary for compliance with a legal obligation to which we are subject;
• where we have determined not to permit your vehicle (or a vehicle that we have associated with you) to enter the car park based on previous behaviour (e.g. non-payment, breach of contract, criminal behaviour, banning orders, as explained above), our lawful basis under GDPR in relation to this purpose is that it is in our (or a third party’s, such as other users of our car park) legitimate business interests (e.g. to ensure that vehicles entering the car park do not present us with security or breach of contract risk, to enforce previous contracts, to protect others’ property rights or for the security of our car park), which are not overridden by your interests, fundamental rights and freedoms; and/or
• where our processing of the personal data referred to above relates to criminal offences (or alleged) (including its disclosure to law enforcement authorities or otherwise in relation to legal claims or determining not to permit your vehicle to enter the cark park), our lawful basis for determining not to permit your vehicle to enter the car park or disclosure to law enforcement authorities is that it is in in the substantial public interest and necessary for prevention or detection of an unlawful act (and if we sought your consent for this it would prejudice these purposes), and in respect of legal claims is that it is necessary for the establishment, exercise or defence of such claims.
We may also convert the personal data into statistical, aggregated non-identifiable form. This anonymised data cannot be linked back to you. We may then use that anonymised data to conduct research and analysis, including to produce statistical research and reports. For example, to help us understand car-park usage. The anonymised data, research and reports may also be made available to and used for market research/analysis purposes within the Hammerson corporate group of companies (who will not be able to identify you from the data made available to them).
Profiling and automated decisions (and our corresponding lawful basis under GDPR for this)
Where our profiling does not have legal or similarly significant effect on you, or where we (i.e. a person within Hammerson) has made a decision which is being implanted via our car park gates, such as to determine that the vehicle you are driving matches the details of a vehicle we have previously determined should be permitted or not to access the Bullring car parks, our lawful basis under GDPR is that is necessary for the purposes of our (or a third party’s) legitimate business interests (e.g. to ensure that vehicles entering the car park do not present us with security or breach of contract risk, to enforce previous contracts, to protect other’s property rights or for the security of our car parks in the case of vehicles which are not permitted to enter the car parks), which are not overridden by your interests, fundamental rights and freedoms, or that it is necessary for performance of a contract with you (e.g. as to automatic entry/exit)
However, where we use the personal data (including profiling) to make automated decisions about you which produce legal effects on you or similarly significantly affects you, we do so where it is necessary for entering into (or performing) a contract between us and you, as set out below. We will implement suitable measures to safeguard your rights, including providing you with the right to obtain human intervention, to express your point of view and contest the decision.
We may make such automated decisions based on your personal data where this is necessary for performance of a contract between you and us in order to:
• issue parking charge notices; and
• determine the correct tariff for our services to you – for example to offer discounts to low-emission vehicles or discounts based on other certain features of a vehicle (such as colour or vehicle type).
Where we make these automated decisions, to obtain human intervention (i.e. a human will review the automated decision which has been taken), express your point of view and contest the decision, please contact us as set out under the ‘How can I contact the Company?’ header below.
Who will see my personal data?
Your vehicle registration number and associated payment information will be made available to the Bullring car parks in order that your vehicle can be recognised when you use the car park/s in order for you to benefit from the services we provide via the Portal.
Your personal data may be made available to third parties providing relevant services under contract to us, or the Hammerson Group for these purposes, such as:
• providers of certain business function services, such as IT support, processing of payment card/details and other payment solutions (advam.com), website and data hosting providers and administrators, and marketing communications service providers. These parties will process the personal data on our behalf (as our data processor). We will disclose your personal data to them so that they can perform those functions. Examples of these providers include our outsourced IT systems software and maintenance, payment processing and back up, website and server hosting providers; and
• security/parking team service provider (for watching CCTV and responding to barrier/ticket questions). This provider will process the personal data on our behalf (as our data processor) and will disclose your personal data to it so it they can provide us with these services.
Your personal data will also be made available:
• when we believe that disclosure is appropriate in connection with efforts to investigate, prevent, or take action regarding illegal activity, suspected fraud, or other wrongdoing; to protect and defend the rights, property or safety of the Company, its customers, staff, suppliers or others; to comply with applicable law or co-operate with law enforcement; or to enforce its terms or other agreements (including, for example, where a vehicle has been abandoned in our car park). Our lawful bases under GDPR, and (where relevant) the Data Protection Act 2018 (“DPA”), for this processing are set out above in this Policy;
• to our advisors (such as consultants, legal advisors, auditors and other professional advisors), in order that we can receive advice and services from them. Our lawful basis under GDPR for this processing is that it is necessary for the purposes of our (or a third party’s) legitimate business interests (e.g. for us to be able to obtain professional or legal advice), which are not overridden by your interests, fundamental rights and freedoms. To the extent that the personal data disclosed consitutes crinimal offences (including alleged), this will be limited to disclosures in relation to legal claims and our lawful basis under the DPA is that the processing is necessary for the establishment, exercise or defence of legal claims.
• in response to a court order, or a request for cooperation from a law enforcement or other government agency; to establish or exercise its legal rights; to defend legal claims; or as otherwise required or permitted by applicable laws and/or regulations. Our lawful bases for this processing is set out above in this Policy; and/or
• to prospective or actual buyers in the event that the Company sells or buys any of its business or assets. Our lawful basis under GDPR for this processing is that it is necessary for the purposes of our (or a third party’s) legitimate business interests (e.g. for a purchaser of any of our business to have details of individuals using the services provided by that part of the business), which are not overridden by your interests, fundamental rights and freedoms.
Will my personal data be transferred abroad?
Your personal data processed in accordance with this Policy may be transferred to recipients who are located in Australia (i.e. not located within the European Economic Area (“EEA”) and whose jurisdiction may not offer the same level of protection as jurisdictions within the EEA). Steps will be taken with a view to protecting your personal data in that instance consistent with the GDPR, such as ensuring that we have put in place appropriate safeguards to protect the personal data (such as an appropriate contract with the recipient, where required by GDPR).
The Company takes precautions including administrative, technical and physical measures to protect your personal data against loss, theft and misuse, as well as against unauthorised access and disclosure.
How long do we retain your personal data?
We will only keep the personal data collected via the Portal for a limited amount of time and no longer than is necessary for the purposes for which it is processed, as set out below:
• Personal data you provide to us when you register via the Portal:
o 12 months from when you register, if you do not then go on to use the Bullring car park;
o if you do go on to use the car park, 24 months from your last use of the car park; and
• Cookies: please see ‘Cookies’ header below.
What rights do I have in relation to my personal data and how to exercise them?
You have certain legal rights in relation to any personal data about you which we hold, as summarized below. They do not apply in all circumstances. If you wish to exercise any of them we will explain at that time if they are engaged or not:
• the right to be informed about your processing of your personal information;
• the right to have your personal information corrected if it is inaccurate and to have incomplete personal information completed;
• the right to object to processing of your personal information (see further details below);
• the right to restrict processing of your personal information;
• the right to have your personal information erased (the “right to be forgotten”);
• the right to request access to your personal information and to obtain information about how we process it;
• the right to move, copy or transfer your personal information (“data portability”);
• rights in relation to automated decision making which has a legal effect or otherwise significantly affects you – as described under the ‘Profiling and automated decisions’ header above.
Where our processing of your personal data is based on your consent (i.e. sending you direct marketing communications or directly responding to any requests or enquiries that you make of us), you have the right to withdraw your consent at any time. If you do decide to withdraw your consent we will stop processing your personal data for that purpose, unless there is another lawful basis we can rely on – in which case, we will let you know. Your withdrawal of your consent won’t impact any of our processing up to that point.
Where our processing of your personal data is necessary for our legitimate interests, you can object to this processing at any time. If you do this, we will need to show either a compelling reason why our processing should continue, which overrides your interests, rights and freedoms or that the processing is necessary for us to establish, exercise or defend a legal claim.
If you wish to exercise any of your rights please contact us as set out below under the ‘How can I contact the Company?’ header.
You also have the right to lodge a complaint with the Information Commissioner’s Office, which is the UK data protection regulator. More information can be found on the Information Commissioner’s Office website at ico.org.uk.
Updates to this Policy
We may update this Policy from time to time to reflect changes to the type of personal data that we process and/or the way in which it is processed. We will update you on material changes to this Policy by publishing on the website Portal. We also encourage you to check this Policy on a regular basis.
How can I contact the Company?
If you have any queries or concerns relating to this Policy, or to exercise your rights in relation to your personal data, please contact our Data Protection Officer, whose details are set out below.
Our Data Protection Officer can be contacted at Kings Place, 90 York Way, London N1 9GE or Dataprotectionofficer@hammerson.com.
When you visit the Portal, we generate one or more “cookies” which we deploy with your consent (if required). Please see “What are cookies?” header below for what a “cookie” is.
Not all cookies require consent to be placed on your device. Essential cookies do not require consent. Non-essential cookies do require consent. This is governed by e-privacy law.
Some cookies collect personal data. This is governed by data protection law. This means a lawful reason is needed for us to collect that personal data (by the cookie). Either this is legitimate interests or it is consent. Where our lawful reason is legitimate interests, our interests are that they are needed to enable functionality of the portal, such as to enable its pages to be displayed properly on your device, and for the pages to retain your selections throughout/across sessions.
The table below summarises the different types of cookie we use on the Portal, together with their respective purpose and duration (i.e. how long each cookie will remain on your device).
For cookies where we require consent (whether that requirement comes from e-privacy law or data protection law) we ask for this consent by displaying a banner on the main Hammerson website homepage which leads you to the Portal. You are asked to take a positive action (such as click to give consent) if you do wish to give your consent. All cookies can be removed from your device at any time. To do this, you should set your browser settings accordingly or not use the Portal. Please be aware that if you disable the cookies that we use, this may impact your user experience while using the Portal.
If you give consent to cookies, then wish to withdraw that consent, you can do this in the same way as described under “What rights do I have in relation to my personal data and how to exercise them?” header.
The Portal uses "session cookies". Session cookies are temporary cookies that remain on your device until you leave the Portal. (Please note that the Portal does not use “persistent cookies”, which would stay on you device longer or until deleted.)
Please note that we do not currently use any targeting/advertising cookies (or any performance or functionality cookies).
What are cookies?
Cookies are files or pieces of information that may be stored on your computer (or other internet-enabled devices, such as a smartphone or tablet) when you visit the Portal. A cookie will usually contain the name of the Portal from which the cookie has come from, the "lifetime" of the cookie (i.e. how long it will remain on your device) and a value, which is usually a randomly generated unique number.
Most internet browsers are initially set up to automatically accept cookies. You can change the settings to block cookies or to alert you when cookies are being sent to your device. There are a number of ways to manage cookies. Please refer to your browser instructions or help screen to learn more about how to adjust or modify your browser.
If you disable the cookies that we use, this may impact your experience while on the Portal. For example, you may not be able to visit certain areas of the Portal.
If you use different devices to view and access the Portal (e.g. your computer, smartphone, tablet etc.), you will need to ensure that each browser on each device is adjusted to suit your cookie preferences.
Date last updated: 1st June 2019