Privacy Policy
Serravalle Outlet Mall S.r.l., with registered office in Piazza Pio IX n. 1 – 20123 Milan (MI), registration number with the Milan Register of Companies, tax code/VAT code IT03765590967 (referred to in this Privacy Policy as "MAG", "we", "us" or "our"), manages the “Serravalle Designer Outlet” Centre, in Serravalle Scrivia (AL), via Della Moda nos. 1, 2, 3 and 4 (hereinafter, the "Centre") and is part of the McArthurGlen group which develops and manages designer outlet centres across the United Kingdom and Europe.
At MAG, we take the privacy of your data seriously. We understand that by providing your personal information, whether for the purpose of accessing and using the areas of the Centre known as "Flora's Baby Park" and "Lele's Aqua Park" (hereinafter, also referred to as the "Areas" or, singularly, as the "Area"), you are trusting us with your information.
We have developed this policy to give you full transparency about the information we collect from you, why we collect it and how we use it. We also need to ensure that you understand the rights you have over your personal data, including your rights of access to that data, how you can correct it and, if necessary, how you can erase it.
This Privacy Policy ("Policy") is provided by MAG, who acts as data controller, also pursuant to Articles 13 and 14 of EU Regulation no. 679/2016 (for brevity, “GDPR”), and regards the collection and processing of data of visitors, users and customers of the Centre (hereinafter, "Users") who intend to access the Areas, or any of them, also in order to use any of the services offered therein by MAG, or on behalf of MAG, by making the relevant registration. The Policy explains, in particular, what personal data MAG collects and processes, and what it does with that data.
It set outs a description of the rights of data subjects, including their right to object to data processing. This Policy also explains what personal data is collected and stored on computers and devices and in certain cases offline, and what is done with that data.
Information MAG collects
MAG collects, receives, stores and processes the following data:
• Users' personal information and contact details (including accompanying parents, any accompanying adults authorised by the parents, and children accessing the Area), such as, by way of example, name, surname, place and date of birth, gender (optional; except in the case of children and accompanying adults authorised by the parents, for whom this is mandatory), nationality (optional), postcode/city, telephone number, e-mail address, digital signature.
• the User's entry and exit times; this data will be collected at the access/exit point of the Area manually by Area staff and/or automatically, also through the use of devices (e.g. check-in and check-out wristbands and encoders, or other similar devices).
The processing will also regard data relating to children.
The processing may also regard data collected through video surveillance systems (in particular, at Lele's Aqua Park), which may also collect images of Users when they enter the range of the surveillance cameras.
Use of personal data
MAG uses your personal data for the following purposes:
• to enable you to access and use the Areas, including for the purposes of the activities carried out therein;
• to manage accesses (check-in) and exits (check-out) in relation to the Areas, access to which is subject to the terms and conditions set out in the relevant Regulations);
• to respond to your questions and requests for information;
• to provide you with information regarding the Areas and the services and activities relating thereto;
• to meet any legal and regulatory requirements;
• to verify compliance with the terms and conditions of the Regulations;
• to protect rights, property, or safety of MAG and its Users;
• to defend or enforce a right of MAG in or out of court;
• with regard to video surveillance, where activated, as indicated above, data processing is carried out for security reasons, to protect the Company's assets, in order to ascertain possible violations of the Regulations, to defend or take legal action and for the related collection of evidence
Sharing your data
MAG may transmit personal data to other parties as follows:
• to third party service providers performing functions on behalf of MAG, who act as data processors appointed by MAG pursuant to Article 28 of the GDPR, which include, among others, Zucchetti Itaca s.r.l., for services related to IT systems and back office, Saloca Ltd (trading as Appointedd) for services related to booking online, and Bellavita s.r.l., for services and relations with Users at the Areas;
• if MAG is under a duty to disclose or share personal data in order to comply with any legal obligation, or in order to enforce or apply its terms and conditions or other agreements or to protect the rights, property, or safety of MAG, the Group Companies, our customers, visitors, users or others;
• to government authorities, and to other third parties when compelled to do so by government and law enforcement authorities or otherwise as required or permitted by law, including but not limited to in response to court orders and subpoenas. MAG also discloses information about Users when it has reason to believe that someone is causing injury to or interference with MAG’s rights or property, other users of the Areas, or anyone else that could be harmed by such activities. Additionally, MAG cooperates with law enforcement inquiries and other third parties to enforce laws, intellectual property rights and other rights.
If you would like a list of the third parties with whom we share personal information, please contact Savannah Christensen, Data Protection Officer, compliance.officer@mcarthurglen.com.
Securing your data
MAG takes reasonable steps to protect your personal data and to protect such personal data from any loss, misuse, unauthorised access, disclosure, alteration or destruction. Unfortunately, no data transmission can be guaranteed to be 100% secure. As a result, MAG cannot warrant the absolute security of the personal data you provide to us and you do so at your own risk.
Transfers
You understand and acknowledge that MAG transfers personal data to countries outside the European Economic Area (“EEA”) to our Group Companies and to third parties, including countries which have different data protection standards to those which apply in the EEA. The Group Company locations are set out in the 'Group Companies' section below. MAG’s service providers include locations in Australia and Canada.
Where service providers process your personal data in countries deemed adequate by the European Commission, MAG relies on the European Commission's decision to protect personal data.
For transfers to Group Companies and service providers outside the EEA, MAG uses standard contractual clauses or relies on a service provider's Privacy Shield certification or a service provider's (EU data protection authority approved) corporate rules that are in place to protect your personal data. You have a right to ask us for a copy of the standard contractual clauses or a copy of the other methods used (by contacting us as set out below).
Our Group Companies
Retention
MAG retains your personal data for a period of 2 years from their collection.
Personal data collected and processed through the video-surveillance system will be retained for a period of time not exceeding the purposes for which they were collected and in any case for a period not exceeding 7 days from their collection.
Legal basis for processing
MAG processes your personal data when it is required to do this by law, including in response to requests by government or law enforcement authorities conducting an investigation or court orders.
MAG processes your personal data when it is necessary for the performance of a contract to which you are the party or in order to take steps at your request prior to entering into a contract (for example, when MAG provides or delivers services to you pursuant to a contract). If you do not provide the required personal data that MAG needs in order to allow access to and use of the Areas, MAG will not be able to allow you to access and use the Areas.
MAG processes your personal data when it is necessary for the purposes of a legitimate interest pursued by MAG or a third party (when these interests are not overridden by your data protection rights).
Where MAG does process personal data based on express consent, your consent is revocable at any time.
Your rights
You may ask us for a copy of your information and, where applicable, to correct it, erase it or to transfer it to other organisations at your request. You also have rights to object to some processing and, where MAG has asked for your consent to process your personal data, to withdraw this consent. Where MAG processes your personal data because it has a legitimate interest in doing so (as explained above), you also have a right to object to this. These rights may be limited in some situations – for example, where MAG can demonstrate that it has a legal requirement to process your personal data.
MAG hopes to satisfy queries you may have about the way MAG processes your personal data. However, if you have unresolved concerns you also have the right to complain to data protection authorities. You can bring the complaint in your member state of residence, place of work or where an alleged infringement of data protection law occurred.
To protect your privacy and security, MAG will take reasonable steps to verify your identity when dealing with requests.
Contact
The contact details of our Data Protection Officer are as follows: Savannah Christensen, Data Protection Officer, compliance.officer@mcarthurglen.com.
If you have any queries, comments or requests in relation to your personal information or this Policy, you can email us at Dataprotection@mcarthurglen.com or contact us by post at: Data Protection Officer, McArthurGlen UK Limited, Nations House, 3rd Floor, 103 Wigmore Street, London, W1U 1WH, United Kingdom.
Serravalle Outlet Mall S.r.l., with registered office in Piazza Pio IX n. 1 – 20123 Milan (MI), registration number with the Milan Register of Companies, tax code/VAT code IT03765590967 (referred to in this Privacy Policy as "MAG", "we", "us" or "our"), manages the “Serravalle Designer Outlet” Centre, in Serravalle Scrivia (AL), via Della Moda nos. 1, 2, 3 and 4 (hereinafter, the "Centre") and is part of the McArthurGlen group which develops and manages designer outlet centres across the United Kingdom and Europe.
At MAG, we take the privacy of your data seriously. We understand that by providing your personal information, whether for the purpose of accessing and using the areas of the Centre known as "Flora's Baby Park" and "Lele's Aqua Park" (hereinafter, also referred to as the "Areas" or, singularly, as the "Area"), you are trusting us with your information.
We have developed this policy to give you full transparency about the information we collect from you, why we collect it and how we use it. We also need to ensure that you understand the rights you have over your personal data, including your rights of access to that data, how you can correct it and, if necessary, how you can erase it.
This Privacy Policy ("Policy") is provided by MAG, who acts as data controller, also pursuant to Articles 13 and 14 of EU Regulation no. 679/2016 (for brevity, “GDPR”), and regards the collection and processing of data of visitors, users and customers of the Centre (hereinafter, "Users") who intend to access the Areas, or any of them, also in order to use any of the services offered therein by MAG, or on behalf of MAG, by making the relevant registration. The Policy explains, in particular, what personal data MAG collects and processes, and what it does with that data.
It set outs a description of the rights of data subjects, including their right to object to data processing. This Policy also explains what personal data is collected and stored on computers and devices and in certain cases offline, and what is done with that data.
Information MAG collects
MAG collects, receives, stores and processes the following data:
• Users' personal information and contact details (including accompanying parents, any accompanying adults authorised by the parents, and children accessing the Area), such as, by way of example, name, surname, place and date of birth, gender (optional; except in the case of children and accompanying adults authorised by the parents, for whom this is mandatory), nationality (optional), postcode/city, telephone number, e-mail address, digital signature.
• the User's entry and exit times; this data will be collected at the access/exit point of the Area manually by Area staff and/or automatically, also through the use of devices (e.g. check-in and check-out wristbands and encoders, or other similar devices).
The processing will also regard data relating to children.
The processing may also regard data collected through video surveillance systems (in particular, at Lele's Aqua Park), which may also collect images of Users when they enter the range of the surveillance cameras.
Use of personal data
MAG uses your personal data for the following purposes:
• to enable you to access and use the Areas, including for the purposes of the activities carried out therein;
• to manage accesses (check-in) and exits (check-out) in relation to the Areas, access to which is subject to the terms and conditions set out in the relevant Regulations);
• to respond to your questions and requests for information;
• to provide you with information regarding the Areas and the services and activities relating thereto;
• to meet any legal and regulatory requirements;
• to verify compliance with the terms and conditions of the Regulations;
• to protect rights, property, or safety of MAG and its Users;
• to defend or enforce a right of MAG in or out of court;
• with regard to video surveillance, where activated, as indicated above, data processing is carried out for security reasons, to protect the Company's assets, in order to ascertain possible violations of the Regulations, to defend or take legal action and for the related collection of evidence
Sharing your data
MAG may transmit personal data to other parties as follows:
• to third party service providers performing functions on behalf of MAG, who act as data processors appointed by MAG pursuant to Article 28 of the GDPR, which include, among others, Zucchetti Itaca s.r.l., for services related to IT systems and back office, Saloca Ltd (trading as Appointedd) for services related to booking online, and Bellavita s.r.l., for services and relations with Users at the Areas;
• if MAG is under a duty to disclose or share personal data in order to comply with any legal obligation, or in order to enforce or apply its terms and conditions or other agreements or to protect the rights, property, or safety of MAG, the Group Companies, our customers, visitors, users or others;
• to government authorities, and to other third parties when compelled to do so by government and law enforcement authorities or otherwise as required or permitted by law, including but not limited to in response to court orders and subpoenas. MAG also discloses information about Users when it has reason to believe that someone is causing injury to or interference with MAG’s rights or property, other users of the Areas, or anyone else that could be harmed by such activities. Additionally, MAG cooperates with law enforcement inquiries and other third parties to enforce laws, intellectual property rights and other rights.
If you would like a list of the third parties with whom we share personal information, please contact Savannah Christensen, Data Protection Officer, compliance.officer@mcarthurglen.com.
Securing your data
MAG takes reasonable steps to protect your personal data and to protect such personal data from any loss, misuse, unauthorised access, disclosure, alteration or destruction. Unfortunately, no data transmission can be guaranteed to be 100% secure. As a result, MAG cannot warrant the absolute security of the personal data you provide to us and you do so at your own risk.
Transfers
You understand and acknowledge that MAG transfers personal data to countries outside the European Economic Area (“EEA”) to our Group Companies and to third parties, including countries which have different data protection standards to those which apply in the EEA. The Group Company locations are set out in the 'Group Companies' section below. MAG’s service providers include locations in Australia and Canada.
Where service providers process your personal data in countries deemed adequate by the European Commission, MAG relies on the European Commission's decision to protect personal data.
For transfers to Group Companies and service providers outside the EEA, MAG uses standard contractual clauses or relies on a service provider's Privacy Shield certification or a service provider's (EU data protection authority approved) corporate rules that are in place to protect your personal data. You have a right to ask us for a copy of the standard contractual clauses or a copy of the other methods used (by contacting us as set out below).
Our Group Companies
|
Name of entity |
Country |
|
Outlet Services Holdco Limited |
Jersey |
|
McArthurGlen Management Gesellschaft m.b.H. |
Austria |
|
McArthurGlen Management (Belgium) S.P.R.L |
Belgium |
|
McArthurGlen Management Vancouver Limited |
Canada |
|
MG-RB Europe SAS |
France |
|
McArthurGlen Service GmbH |
Germany |
|
McArthurGlen Management Greece Designer Outlet EPE |
Greece |
|
MGR Management & Retail Srl |
Italy |
|
McArthurGlen Management Spain SLU |
Spain |
|
MGE-RB (Roermond) Management Co B.V. |
Netherlands |
|
MGE-RB (Rosada) Management Co B.V. |
Netherlands |
|
McArthurGlen UK Ltd |
United Kingdom |
Retention
MAG retains your personal data for a period of 2 years from their collection.
Personal data collected and processed through the video-surveillance system will be retained for a period of time not exceeding the purposes for which they were collected and in any case for a period not exceeding 7 days from their collection.
Legal basis for processing
MAG processes your personal data when it is required to do this by law, including in response to requests by government or law enforcement authorities conducting an investigation or court orders.
MAG processes your personal data when it is necessary for the performance of a contract to which you are the party or in order to take steps at your request prior to entering into a contract (for example, when MAG provides or delivers services to you pursuant to a contract). If you do not provide the required personal data that MAG needs in order to allow access to and use of the Areas, MAG will not be able to allow you to access and use the Areas.
MAG processes your personal data when it is necessary for the purposes of a legitimate interest pursued by MAG or a third party (when these interests are not overridden by your data protection rights).
Where MAG does process personal data based on express consent, your consent is revocable at any time.
Your rights
You may ask us for a copy of your information and, where applicable, to correct it, erase it or to transfer it to other organisations at your request. You also have rights to object to some processing and, where MAG has asked for your consent to process your personal data, to withdraw this consent. Where MAG processes your personal data because it has a legitimate interest in doing so (as explained above), you also have a right to object to this. These rights may be limited in some situations – for example, where MAG can demonstrate that it has a legal requirement to process your personal data.
MAG hopes to satisfy queries you may have about the way MAG processes your personal data. However, if you have unresolved concerns you also have the right to complain to data protection authorities. You can bring the complaint in your member state of residence, place of work or where an alleged infringement of data protection law occurred.
To protect your privacy and security, MAG will take reasonable steps to verify your identity when dealing with requests.
Contact
The contact details of our Data Protection Officer are as follows: Savannah Christensen, Data Protection Officer, compliance.officer@mcarthurglen.com.
If you have any queries, comments or requests in relation to your personal information or this Policy, you can email us at Dataprotection@mcarthurglen.com or contact us by post at: Data Protection Officer, McArthurGlen UK Limited, Nations House, 3rd Floor, 103 Wigmore Street, London, W1U 1WH, United Kingdom.