Centrale & Whitgift (we) are committed to protecting any personal data you provide to us, including information you provide or we collect when you use our digital channels.
We believe it is important for you to know what personal data we collect and how we use it. This policy (together with our terms and conditions and any other documents referred to in it) explains the personal data we process, what it is used for and the legal basis upon which we process this information. It also explains legal rights you may have to control that processing.
About us and how to contact us
Centrale & Whitgift are Unibail-Rodamco-Westfield “URW Group”, and both Centrale & Whitgift and Westfield Europe Limited are data controllers in respect of your data.
If you have any specific issues relating to this privacy policy, would like a list of URW Group companies who may process your data, or any wider privacy issues relating to us, please get in touch via our Contact Us page or by sending an email to dpo@urw.com
What personal data do we process
We process the personal data set out below, provided to us by either you or your device when accessing our website. There is no obligation on you to provide the information listed below; however, if you do not, we may be unable to engage with you, send you the materials you have requested or allow you to enter competitions or redeem offers if we do not have the necessary information to do so.
The type of data that we process about you includes:
Information you have given to us by filling in forms, or by communicating with us, including name, address, title, contact details including email address and mobile telephone number, date of birth, details of any offer or competitions you have signed up for, any communications you may have with us (including reporting problems with our site), preferences as to any methods and types of marketing information you have consented to receive.
Information we collect from or observe about you when you use our services, including:
(a) Device and Website Use Information – When you use a computer, tablet, smart phone or other device to access our websites, we may collect information about the device and how you use it. This information may include the type of device, your operating system, your browser (for example, whether you used Internet Explorer, Firefox, Safari, Chrome or another browser), your internet service provider, your domain name, your internet protocol (IP) address, your device identifier (or UDID), the date and time that you accessed our service, the website that referred you to our website, the web pages you requested, the date and time of those requests, and the subject of the ads you click or scroll over. To collect this information, we use cookies, beacons and similar technologies.
(b) Images of you collected from CCTV cameras in operation at Centrale & Whitgift.
How we use it
Sending marketing messages or otherwise engaging with you.
We use your data to send you marketing information by various channels including email, SMS, mail or telephone, including sending notices of new products, special offers and other marketing materials to enhance and support your relationship with Centrale & Whitgift. We will use this data in accordance with any preferences you have selected, either on the basis of consent (where requested) or of legitimate interests where you have not objected to receiving such information.
We may also use your data for our own legitimate interests, which include:
- sending you surveys or supporting Marketing Research activities to you in other ways to help us improve our services and understand our customers better;
- allowing you to participate in interactive features of our service, when you choose to do so;
- ensuring that content from our digital channels is presented in the most effective manner for you and for your computer/smart phone and/or tablet;
- allowing us to investigate and respond to any issues or correspondence received;
- notifying you about changes to our services.
We believe that these interests are justified as it is completely optional for you to register, participate or otherwise provide us with Personal Data in the above situations. You will be able to object to this processing at any time. For more information, please see ‘Your rights’ below.
Device and Website Use
We use Website Use information to improve the effectiveness and operation of Centrale & Whitgift’s website, to improve our existing services and develop new services and to inform and direct our marketing strategy. In addition, anonymised statistical data may also be shared with retailers or used by us to develop new promotions that may interest our customers.
We will also use this information for system administration and to report aggregate information to our retailers. This is anonymised statistical data about our users’ browsing actions and patterns and to help us to improve our site and to deliver a better and more personalised service. They enable us:
• To estimate our audience size and usage pattern.
• To store information about your preferences, and so allow us to customise our site according to your individual interests.
• To speed up your searches; and
• To recognise you when you return to our site. For more information, please see our Cookie Policy.
CCTV images
Where we consider that, on balance, it is appropriate for us do so, we will process CCTV footage for the following legitimate interests:
• keeping our staff, visitors and property safe and secure;
• ensuring compliance with health and safety procedures;
• detecting and preventing crime; and
• assisting law enforcement agencies in the apprehension, investigation and prosecution of offenders.
This may include sharing footage with the police or other law enforcement agencies, or our insurers where necessary in relation to a claim, as well as any other third parties in connection with legal proceedings or emergency situations.
Data processed where it is necessary for compliance with a legal obligation imposed on us.
We will process your personal data to allow us to comply with any requests you are lawfully entitled to make, including under data protection laws, to ensure that age inappropriate content is not provided to individuals under 18, and to allow us to keep records that we are legally required to retain, including evidence of consents provided, or to evidence our compliance with legal obligations.
How long will we hold your information
We will normally retain your personal data for a period of up to 7 years from the latter of:
• when you unsubscribe from receiving marketing from us (if later); unless we are legally required to retain the information for longer. However, we may delete your data sooner if we have no purpose to retain it.
We will retain your details if you have unsubscribed from marketing to ensure that we respect your withdrawal of consent on an ongoing basis.
Who will we share your personal information with?
We will share your personal data within the URW Group of companies (including our subsidiaries, our ultimate holding company and its subsidiaries (if applicable)), for the purposes outlined above, including for our own internal business management and the provision of efficient centralised services within our group, where this occurs, they will comply with a privacy notice comparable to this one, unless they provide you with an alternative privacy notice.
We also use third party service providers acting on our instructions to support our provision of the website, or our services to you, who are specifically contracted to process personal data on our behalf. We may share your personal data, where necessary, with prospective purchaser(s) or purchaser of any part of our business, on the basis of our legitimate interests and the interests of our purchaser, so that they can appropriately value the business and assess any risks and continue doing business with you after the acquisition.
We will also share your personal data where:
(a) you have provided prior explicit consent;
(b) where we are required by law, including any court order;
(c) where necessary to protect you, the Centrale & Whitgift, its customers or the wider public.
Where will your personal data be held
We may store or process your personal data outside the European Economic Area (EEA) or other countries approved by the European Commission as providing appropriate safeguards for personal data, when we use service providers located in those countries. If this is the case, we will put in place appropriate safeguards to protect your personal data and ensure that it is compliant with all appropriate legal requirements. If you require further information in respect of the countries where your personal data is processed and/or copies of any documents setting out the appropriate safeguards we have implemented to protect it, please contact us.
Children’s Privacy
Where people under the age of 13 use our services they are required to confirm that they have their parent’s consent. Parents should supervise the online activities of their children, and consider the use of tools available from online services and software providers that help provide child-friendly Internet environments. If any of our products or services are targeted directly at children, we will provide you with additional information about how their data will be used in the context of that service.
If the user’s age has been provided it is used to ensure that products inappropriate for those under 18 are not promoted to any user aged under 18.
Other Sites
Our digital channels may contain links to other sites on the Web. These other sites are not covered by this privacy policy and although we are committed to protecting your Personal Data, we cannot control and do not accept any responsibility or liability for the privacy practices, cookies or content of such other websites. We encourage you to read the privacy statements of each and every website that collects your Personal Data.
Your rights
Customer Data Deletion Process Users may request deletion of their account and data at any time by contacting us at dpo@urw.com stating Data Deletion in the subject line. Please ensure the email address you have used to register your account is included in the message. Your data and customer account will be deleted within 30 days and you will be notified by email.
If you wish to withdraw your consent to receive marketing materials, this can be done by:-
• emailing us at dpo@urw.com
• by clicking on the unsubscribe link on any emails we have sent.
If you withdraw your consent, this will not affect our rights to have sent you marketing material prior to your withdrawal, but we will not send any further marketing. Whilst we will endeavour to ensure that you do not receive any further marketing material immediately, there may be a slight delay for any changes to take effect. Please note that your information will not be deleted but will be retained in a suppression list to ensure that we do not inadvertently send further marketing communications once you have withdrawn your consent to receive them.
Unless you have adjusted your browser setting so that it will refuse cookies, our system will issue cookies when you log on to our site.
If you do not wish us to process your Device and Website Use information, you may prevent this by disabling the function or blocking the cookies on your device or browser.
However, if you select this setting you may be unable to access certain parts of our site, or it may impact on the usability of our website. You are also entitled to request that we:-
• provide you with a copy of any personal data we hold about you,
• provide you with a copy of any of your personal data, provided by you, that we hold in an electronic format, in a structured, commonly used, machine-readable format;
• have any incorrect personal data corrected or completed.
• delete any personal data that we no longer need for the above purposes, where you have withdrawn your consent and there are no other grounds to process that information, where the personal data has been unlawfully processed or where we are required by law to delete it; and
• restrict the processing of your personal data whilst we confirm whether any data needs correcting following your request, the processing is unlawful and you do not want us to delete this personal data; where we no longer need to process the personal data, but you require the information to establish, exercise or defend legal claims. In these circumstances we will only process your personal data for purposes for which you have consented, or for the establishment, exercise or defence of legal claims or the protection of the rights of another person; and/or
• object to our processing of your personal data, where we process it under the legitimate interests grounds and we are unable to show a compelling legitimate interest that overrides your interests, rights and freedoms, or for the purposes of defending, exercising or defending legal claims.
If you wish to make such a request, please use either our Contact Us page or email dpo@urw.com
We may require additional information to either confirm your identity before we can process your request and/or to assist us in responding to your request. If you are unhappy with the outcome of your request or with our processing of your personal data, you are entitled to lodge a complaint with the Information Commissioner’s Office (ICO), whose website is www.ico.org.uk.
Modifications of this policy
We may revise this Privacy Policy from time to time. If we make any changes to this privacy policy that may materially impact on you or our processing of your personal data, we will notify you by email (sent to the email address specified in your account) or by means of a notice on our website prior to the change becoming effective. Date of last change 4 August 2023.
Any questions, comments and requests regarding this privacy policy are welcomed and should be addressed via our Contact Us page or directly by email to dpo@urw.com
Parking Privacy Policy (Centrale Multi-Storey)
Croydon Car Park Ltd 21 North End Croydon CR01TY (“the Company”, “we”, “our” or “us”) has certain obligations under the General Data Protection Regulation (“GDPR”) to notify individuals (“you” or “your”) about how it will process any personal data it collects from or about them. We treat your data privacy very seriously and understand that you will wish to know how we will use that personal data. We maintain a registration as a data controller with the Information Commissioner’s office (www.ico.org.uk) and have registration number ZA571318. To contact us if you have any questions about this Policy or our processing of your personal data (including to exercise your rights under GDPR), including details of our Data Protection Officer, please see our contact details included below in this Policy under ‘How to contact the Company?’
We are part of the URW Group of companies (“the URW Group”), which may also be provided with personal data about you. This Policy will inform you of what personal information we collect in relation to our car parking facilities only, how that information is used, our lawful basis for such use, who it is shared with and why, where it is transferred, your rights in relation to it and how you can exercise such rights.
What personal data is collected?
We collect various “personal data” about you in order to provide you with this car park service, as set out in our terms and conditions, including to ensure the security of our car park. This Policy relates only to your use of our car-parking services, not other services which we may provide to you. If you are using any of our other services, please consider our website for other applicable privacy notices/policies www.centraleandwhitgift.co.uk
Under the GDPR, personal data is information from which you are indentified or are identifiable (directly or indirectly). The personal data which may be collected and used by us in our provision of the car park service include your:
• vehicle registration number (collected by automatic number plate recognition cameras (“ANPR”)), and other details relating to your car such as car make/model/car colour/fuel type/emissions;
• photograph (which may be collected as part of ANPR image);
• video recording (without sound) (collected by CCTV used in the car park);
• time and date of use of our services (and, consequently, your location); and/or
• payments and payment methods for the use of the car park.
In the majority of cases we do not (unless you are a customer for any additional services we may provide such as pre-booking services and loyalty schemes) seek to combine the above information with other information we have about you, such as name/contact details, which makes it harder for us to identify you. Circumstances where we can and do identify you include: (i) when it is necessary to obtain vehicle-owner information from the DVLA (in the limited circumstances permitted by law); (ii) if you contact us and provide such additional information to enable us to identify you from the above data, for example (a) when raising an enquiry with us about your use of our services or (b) when signing up for other services which we may provide where applicable (including pre-booking services or to administer loyalty schemes); and (iii) if you are eligible for automatic entry/exit to the car park (e.g. if you are a Company employee, URW Group employee, a contract parker, pre-paid parker, competition winner for free parking or recipient of a loyalty or promotional offer).
In addition, should we need to carry out further enquiries, in accordance with our terms and conditions and/or to deal with an enquiry raised by you and/or to enable you to sign up for other services (where applicable) such as pre-booking services (season tickets and/or day-to-day) or to administer loyalty schemes, we may also collect your:
• name;
• contact details (business or personal);
• opinions or suggestions on our services; and/or
• bank account details (for the purposes processing payments).
If we offer and you have chosen to use an online portal or a mobile app to enable you to interact with us (including to use our car-parking services), your use of that online portal or app may lead to us processing additional types of personal data about you. This will be described in a separate privacy notice/policy which we will make available to online portal users and app users as relevant.
Furthermore, we may process details of your unresolved, non-compliance (if any) with contracts between us (e.g. if there has been a non-payment or other breach of contract by you in relation to your use of the car park), whether your vehicle has been involved in crime in relation to the car park, or in relation to facilitating the exit from the shopping centre following the commission of a crime, or is otherwise known to the control authorities (police, intelligent services and local authorities), or whether you are subject to a banning order from the shopping centre the car park is affiliated with. In these circumstances, we may have determined not to permit your vehicle, or the vehicle we have connected to you, to enter the car park based on that previous behaviour.
In addition, we may (unintentionally) also process ”special category personal data” about you (as described in this paragraph), in particular when your image is captured by CCTV or ANPR cameras. For example, your race/ethnicity, health information (for example where this is apparent from images captured by CCTV images), sexual life, religious beliefs, political opinions, or trade union membership. Such processing is only incidental to our use of CCTV or ANPR cameras, and we do not use this special category personal data to make any decisions about you or otherwise act on it. We may also process your personal data which relates to the commission, or alleged commission of offences to the extent this is caught on car park CCTV.
For what purposes will your personal data be used and what is our corresponding lawful basis under GDPR?
We may process your personal data for the following purposes:
• providing car park services (and, where applicable, pre-booking services (season tickets and/or day to day) and loyalty schemes) to you in accordance with our terms and conditions. Our lawful basis under GDPR in relation to these purposes is that it is necessary for the performance of our contract with you (or in order to take steps at your request prior to entering into a contract with you);
• legitimate business reasons – management reporting, accounting, other internal business (including joint ventures and business sales) and sales management, if any personal data is involved. Our lawful basis under GDPR in relation to these purposes is that it is necessary for the purposes of our (or a third party’s) legitimate business interests (e.g. to manage our business responsibly and efficiently), which are not overridden by your interests, fundamental rights and freedoms;
• customer relationship management – dealing with any queries or correspondence from you. Our lawful basis under GDPR in relation to these purposes is as follows: (i) where the processing relates directly to responding to you, our lawful basis is that you have consented to us responding to you, by making a request to us which requires a response; and (ii) where the processing is not directly related to responding to you (e.g. obtaining professional advice to allow us to consider our response, discussing your request in management meetings), our lawful basis is that it is necessary for the purposes of our (or a third party’s) legitimate business interests (e.g. to manage our business responsibly and efficiently, and to consider and protect our own legal rights), which are not overridden by your interests, fundamental rights and freedoms.
• enforcement of our terms and conditions. Our lawful basis under GDPR in relation to these purposes is that it is necessary for the performance of our contract with you (or in order to take steps at your request prior to entering into a contract with you);
• compliance with legal, regulatory and other good governance obligations, including to request additional information from third parties (eg the DVLA) to allow us to meet these obligations. Our lawful basis it is necessary for compliance with a legal obligation to which we are subject;
• where we have determined not to permit your vehicle (or a vehicle that we have associated with you) to enter the car park based on previous behaviour (e.g. non-payment, breach of contract, criminal behaviour, banning orders, as explained above), our lawful basis under GDPR in relation to this purpose is that it is in our (or a third party’s, such as other users of our car park) legitimate business interests (e.g. to ensure that vehicles entering the car park do not present us with security or breach of contract risk, to enforce previous contracts, to protect others’ property rights or for the security of our car park), which are not overridden by your interests, fundamental rights and freedoms; and/or
• where our processing of the personal data referred to above, or otherwise to the extent this is caught on car park CCTV, relates to criminal offences (or alleged) (including its disclosure to law enforcement authorities or otherwise in relation to legal claims or determining not to permit your vehicle to enter the cark park), our lawful basis for determining not to permit your vehicle to enter the car park or disclosure to law enforcement authorities is that it is in in the substantial public interest and necessary for prevention or detection of an unlawful act (and if we sought your consent for this it would prejudice these purposes), and in respect of legal claims is that it is necessary for the establishment, exercise or defence of such claims.
We may also convert the personal data into statistical, aggregated non-identifiable form. This anonymised data cannot be linked back to you. We may then use that anonymised data to conduct research and analysis, including to produce statistical research and reports. For example, to help us understand car-park usage. The anonymised data, research and reports may also be made available to and used for market research/analysis purposes within the URW group of companies (who will not be able to identify you from the data made available to them).
Profiling and automated decisions (and our corresponding lawful basis under GDPR for this)
In addition to the purposes outlined above, we may also carry out profiling which involves the processing of your personal data. The profiling we carry out is focused on your vehicle (or in some instances a vehicle which we have associated with you), although because we are able to identify you from your vehicle details (in conjunction with other personal data held about you, as described above in this Policy) this will constitute profiling based on your personal data. We create a profile of your vehicle, including whether (or not, to the extent relevant) your vehicle is permitted to enter the car park based on previous behaviour (e.g. non-payment, breach of contract, criminal behaviour, banning orders, as explained above in this Policy), frequency of visits, vehicle and fuel type, or whether you are eligible for automatic entry/exit to the car park (e.g. if you are a Company employee, URW Group employee, a contract parker, pre-paid parker, competition winner for free parking or recipient of a loyalty or promotional offer). This enables us to determine whether to permit you to enter the car park, to enter into and enforce our contracts, or to potentially offer discounts (e.g. to low-emission vehicles, vehicles with certain characteristics, loyalty offers).
Where our profiling does not have legal or similarly significant effect on you, or where we (ie a person within URW) has made a decision which is being implanted via our car park gates, such as to determine that the vehicle you are driving matches the details of a vehicle we have previously determined should be permitted or not to access the car park, our lawful basis under GDPR is that is necessary for the purposes of our (or a third party’s) legitimate business interests (e.g. to ensure that vehicles entering the car park do not present us with security or breach of contract risk, to enforce previous contracts, to protect other’s property rights or for the security of our car park) in the case of vehicles which are not permitted to enter the car park), which are not overridden by your interests, fundamental rights and freedoms, or that it is necessary for performance of a contract with you (e.g. as to automatic entry/exit).
However, where we use the personal data (including profiling) to make automated decisions about you which produce legal effects on you or similarly significantly affects you, we do so where it is necessary for entering into (or performing) a contract between us and you, as set out below. We will implement suitable measures to safeguard your rights, including providing you with the right to obtain human intervention, to express your point of view and contest the decision.
We may make such automated decisions based on your personal data where this is necessary for performance of a contract between you and us in order to:
• issue parking charge notices; and
• determine the correct tariff for our services to you – for example to offer discounts to low-emission vehicles or discounts based on other certain features of a vehicle (such as colour or vehicle type).
Where we make these automated decisions, to obtain human intervention (i.e. a human will review the automated decision which has been taken), express your point of view and contest the decision, please contact us as set out under the ‘How can I contact the Company?’ header below.
Who will see my personal data?
Your personal data may be made available to third parties providing relevant services under contract to us, or the URW Group for these purposes, such as:
• providers of certain business function services, such as IT support, processing of payment card/details website and data hosting providers and administrators. These parties will process the personal data on our behalf (as our data processor). We will disclose your personal data to them so that they can perform those functions. Examples of these providers include our outsourced IT systems software and maintenance, payment processing and back up and server hosting providers; and
• security/parking team service provider (for watching CCTV and responding to barrier/ticket questions). This provider will process the personal data on our behalf (as our data processor) and will disclose your personal data to it so it they can provide us with these services. Your personal data will also be made available:
• when we believe that disclosure is appropriate in connection with efforts to investigate, prevent, or take action regarding illegal activity, suspected fraud, or other wrongdoing; to protect and defend the rights, property or safety of the Company, its customers, staff, suppliers or others; to comply with applicable law or co-operate with law enforcement; or to enforce its terms or other agreements (including, for example, where a vehicle has been abandoned in our car park). Our lawful bases under GDPR, and (where relevant) the Data Protection Act 2018 (“DPA”), for this processing are set out above in this Policy;
• to our advisors (such as consultants, legal advisors, auditors and other professional advisors), in order that we can receive advice and services from them. Our lawful basis under GDPR for this processing is that it is necessary for the purposes of our (or a third party’s) legitimate business interests (e.g. for us to be able to obtain professional or legal advice), which are not overridden by your interests, fundamental rights and freedoms. To the extent that the personal data disclosed consitutes crinimal offences (including alleged), this will be limited to disclosures in relation to legal claims and our lawful basis under the DPA is that the processing is necessary for the establishment, exercise or defence of legal claims.
• in response to a court order, or a request for cooperation from a law enforcement or other government agency; to establish or exercise its legal rights; to defend legal claims; or as otherwise required or permitted by applicable laws and/or regulations. Our lawful bases for this processing is set out above in this Policy; and/or
• to prospective or actual buyers in the event that the Company sells or buys any of its business or assets. Our lawful basis under GDPR for this processing is that it is necessary for the purposes of our (or a third party’s) legitimate business interests (e.g. for a purchaser of any of our business to have details of individuals using the services provided by that part of the business), which are not overridden by your interests, fundamental rights and freedoms.
Will my personal data be transferred abroad?
Your personal data processed in accordance with this Policy may be transferred to recipients who are located within the European Economic Area (“EEA”). It will not be transferred to or otherwise processed by recipients located outside of the EEA.
Security
The Company takes precautions including administrative, technical and physical measures to protect your personal data against loss, theft and misuse, as well as against unauthorised access and disclosure.
How long do we retain your personal data?
We will only keep the personal data for a limited amount of time and no longer than is necessary for the purposes for which it is processed, as set out below:
• Personal data related to your transaction (with the exception of CCTV images) will be retained for a period of up to 5 years from the date of the transaction, to the extent necessary for the purposes of legal claims and dealing with any queries from you; and
• CCTV images will be retained by us for 30 Days, unless required to be kept for longer due to legal obligations or legal claims.
What rights do I have in relation to my personal data and how to exercise them?
You have certain legal rights in relation to any personal data about you which we hold, as summarised below. They do not apply in all circumstances. If you wish to exercise any of them we will explain at that time if they are engaged or not:
• the right to be informed about your processing of your personal information;
• the right to have your personal information corrected if it is inaccurate and to have incomplete personal information completed;
• the right to object to processing of your personal information (see further details below);
• the right to restrict processing of your personal information;
• the right to have your personal information erased (the “right to be forgotten”);
• the right to request access to your personal information and to obtain information about how we process it;
• the right to move, copy or transfer your personal information (“data portability”);
• rights in relation to automated decision making which has a legal effect or otherwise significantly affects you – as described under the ‘Profiling and automated decisions’ header above.
Where our processing of your personal data is based on your consent (i.e. directly responding to any requests or enquiries that you make of us), you have the right to withdraw your consent at any time. If you do decide to withdraw your consent we will stop processing your personal data for that purpose, unless there is another lawful basis we can rely on – in which case, we will let you know. Your withdrawal of your consent won’t impact any of our processing up to that point.
Where our processing of your personal data is necessary for our legitimate interests, you can object to this processing at any time. If you do this, we will need to show either a compelling reason why our processing should continue, which overrides your interests, rights and freedoms or that the processing is necessary for us to establish, exercise or defend a legal claim.
If you wish to exercise any of your rights please contact us as set out below under the ‘How can I contact the Company?’ header.
You also have the right to lodge a complaint with the Information Commissioner’s Office, which is the UK data protection regulator. More information can be found on the Information Commissioner’s Office website at https://ico.org.uk/.
Updates to this Policy
We may update this Policy from time to time to reflect changes to the type of personal data that we process and/or the way in which it is processed. We will then publish the updated Policy on our website www.centraleandwhitgift.co.uk and it will also be made available upon request at our customer service desks. We also encourage you to check this Policy on a regular basis so that you are aware of updates.
How can I contact the Company?
In first instance, you are encouraged to contact dpo@urw.com with any queries or concerns relating to this Policy, or to exercise your rights in relation to your personal data.
Date last updated: 04/08/23