Privacy Policy

Last updated: 08/05/2024

The Mall Luton and your personal data

This is The Mall Luton’s Privacy Policy. In the rest of this document ‘The Mall’ may be used to mean ‘The Mall Luton’. It sets out how we collect and process your personal data, what we use it for, and gives you important information on how you can amend information we hold on you such as amending or removing consent for marketing communications or updating your personal details. If you have any queries about this policy or how we handle any personal data you provide to us, please contact us using the details provided at the bottom of this document.

“Personal Data” is any data that identifies you. The Personal Data which you supply to us you agree will be true. We will deal with your Personal Data in compliance with the current UK & EU data protection legislation, which includes the EU General Data Protection Regulation (GDPR). Please note this applies only to services which we operate and control and not to other companies’ or organisations’ websites to which we may link. For such external services or sites please see their Privacy Policies to understand how they might be handling your data.

Who is The Mall Luton?

The Mall Luton shopping centre is owned by The Mall (Luton) (General Partner) Ltd and managed by CBRE.

Our Purpose for Collecting and Processing Personal Data

Our intention is to provide the best possible experience for visitors to our shopping centres, the retailer brands and people that work there, and the local community in which we operate. We collect and process data in order to understand who our customers are, send them appropriate and relevant information, track the performance of our centres, and to help provide and improve our services as a whole.

Some data is required in order to operate our services to you, and in some cases we are required to hold certain information for legal compliance, law enforcement or contractual purposes.

Legal Basis

Data protection laws set out a number of valid reasons for the collection and processing of personal data. These include: Consent, such as ticking a box to opt-in to receive marketing emails from us; legitimate Interest; compliance with the law; and, to fulfil contractual obligations.

When entering competitions, either in-centre or via our website, we collect personal data like your contact information in order to administer the competition, for example to ensuring age restrictions are adhered to and in order to notify winners. Prior to 25th May 2018 by entering you will also have been opted-in to receive marketing communications from The Mall in line with pre-GDPR regulations, namely ‘implied consent’. After 25th May 2018 consent to receive news and updates from The Mall requires a separate and unbundled consent from the competition entry.

What Data We Collect

Personal details are required in order to sign-up to the RewardME loyalty scheme, which provides members with offers and promotions at The Mall. These details are required to administer the scheme, such as the posting of membership cards, identifying members, informing them of the current offers and promotions within the scheme, and tracking usage of the scheme.

For businesses operating within our centre, such as retailers and kiosk traders, we collect business and personal data such as names and contact details in order to create contracts and administer our business operations. Some of this information is required to conduct these services.

Our car parks utilise number plate recognition systems in order to provide an efficient service, monitor usage and provide information for security purposes. If required to do so we may provide this information to law enforcement agencies.

To protect our centre, shoppers, and retail staff we operate CCTV systems throughout the centre and car parks which record images for security. We do this on the basis of our legitimate business interests. If required to do so we may provide this information to assist with law enforcement.

We do not currently employ any automated decision-making tools.

With the exception of names used to administer certain elements of our Kids Club service, we do not collect personal data from children under the age of 13.

We use Google reCAPTCHA on our website to prevent various types of data processing abuse attempts, such as phishing and spam submissions. You can read which data is collected by Google and what this data is used for at https://policies.google.com/privacy. You can read the terms of use for Google services and products at https://policies.google.com/terms.

Use of personal Data for Marketing Communications

We only send post, email, text messages and mobile notifications to you about news and services that we consider may be of interest to you only if you have given us permission to do so or if appropriate where we consider there to a legitimate interest in the information for example if you have signed-up to the RewardME loyalty scheme and knowledge of available offers and promotions is the primary function of the scheme.

If you have agreed to be contacted by telephone, calls may be monitored and recorded for quality and training purposes.

Who Controls or Has Access to the Data?

Personal data may be accessed and processed by staff at The Mall (Luton) (General Partner) Ltd and CBRE involved in operating the relevant shopping centre services. The use of personal data will remain under the control of The Mall (Luton) (General Partner) Ltd at all times operating as the Data Controller. We will not sell your data to other companies without your explicit permission.

We use selected third parties, called Data Processors, to help operate our services which include, for example, email system or database providers. When employing Data Processors, we ensure that they comply with data protection laws including ensuring that data is held securely and that only the information required to complete the work is supplied to them. If we stop using a particular Data Processor’s services we require that personal data held by them is securely deleted or anonymised. Third parties involved with our database and email systems are Tiger Systems and Of Colour & Code, and website data is processed by our digital marketing and website agency Of Colour & Code.

In compliance with the law we may be obligated to disclose Data about you to a law enforcement agency or by a court order.

Personal Data is held and processed only within the EU.

Data subjects have various rights in relation to accessing and amending the data companies hold on them under GDPR. More information on how to do this can be found later in this document.

Your personal data is not shared with other companies for their own purposes unless specifically stated at the time of collection and you have given your permission. An example of potential cases when this might happen would be for during competitions run with partners where we offer a tick box for you to opt-in to receive information from that company as well as from ourselves. If you opt-in to receive information from the additional company please see their Privacy Policy for information on how they handle your data.

Retention Period & Criteria

We only keep personal data for as long as necessary for the purpose for which it was collected or to comply with legal, contractual or law enforcement purposes.

Data held on our marketing database is regularly cleansed and deleted.

CCTV footage is held for a period of 30 days before being deleted unless legitimate access is required, for example by the police.

Security

We endeavour to take all reasonable steps to protect your personal information. However, we cannot guarantee the security of any data you disclose online. You accept the inherent security risks of providing information and dealing online over the Internet and will not hold us responsible for any breach of security unless this is due to our negligence or wilful default.

Data Subject’s Rights

Data subjects have a number of rights which we recognise and uphold. These include: The right to be informed about how we collect and process your personal data which is detailed in this document; The right to access this information; The right to rectify or erase data; The right to restrict the processing of data; The right to data portability; The right to object; and, rights relating to automated decision making and profiling. Data subjects also have the right to lodge complaints with the Information Commissioners Office and the right to withdraw consent.

How do I access or amend my data?

Marketing data such as your email opt-in and postal and email address can be managed via our customer data tool by visiting https://themall.profile.tigertracks.xyz/request-link

You can also contact us by emailing themallluton@tigersystems.com.

How do I remove myself from your mailing list?

If you want to be removed from our mailing list, please use the unsubscribe link in all of our emails, visit https://themall.profile.tigertracks.xyz/request-link or contact us at themallluton@tigersystems.com.

Opting out of marketing communications will be honoured unless a later opt-in is received for the same contact details.

If you would like request we delete your data completely please email us at themallluton@tigersystems.com.

Changes to this Privacy Statement

We will occasionally update this Privacy Statement and when we do, we will also revise the “last updated” date at the top of this document. We will obtain your consent for any updates to this Privacy Statement that materially expand the sharing or use of your personal information in ways not disclosed in this Privacy Statement at the time of collection.

Identity and Contact Details

Data Controller: The Mall (Luton) (General Partner) Ltd.

If you have any comments or queries in connection with our privacy policy or the data we hold, please  email themallluton@tigersystems.com, or telephone or write to us using the contact details at the bottom of this page.