Last update: 9/10/2020
Kingfisher Shopping Centre and your personal data
"Personal Data" is any data that identifies you. The Personal Data which you supply to us you agree will be true. We will deal with your Personal Data in compliance with the current UK & EU data protection legislation, which includes the EU General Data Protection Regulation (GDPR) which came into force on 25th May 2018. Please note this applies only to services which we operate and control and not to other companies' or organisations' websites to which we may link. For such external services or sites please see their Privacy Policies to understand how they might be handling your data.
Who is Kingfisher Shopping Centre?
Kingfisher Shopping Centre is part of Capital & Regional PLC.
Our Purpose for Collecting and Processing Personal Data
Our intention is to provide the best possible experience for visitors to our shopping centres, the retailer brands and people that work there, and the local community in which we operate. We collect and process data in order to understand who our customers are, send them of appropriate and relevant information, track the performance of our centres, and to help provide and improve our services as a whole.
Some data is required in order to operate our services to you, and in some cases we are required to hold certain information for legal compliance, law enforcement or contractual purposes.
Data protection laws set out a number of valid reasons for the collection and processing of personal data. These include: Consent, such as ticking a box to opt-in to receive marketing emails from us; legitimate Interest; compliance with the law; and, to fulfil contractual obligations.
What Data We Collect
When entering competitions, either in-centre or via our website, we collect personal data like your contact information in order to administer the competition, for example to ensuring age restrictions are adhered to and in order to notify winners. Prior to 25th May 2018 by entering you will also have been opted-in to receive marketing communications in line with pre-GDPR regulations, namely 'implied consent'. After 25th May 2018 consent to receive news and updates from Kingfisher Shopping Centre requires a separate and unbundled consent from the competition entry.
Personal details are required in order to sign-up to the +More loyalty scheme, which provides members with offers and promotions. These details are required to administer the scheme, such as the posting of membership cards, identifying members, informing them of the current offers and promotions within the scheme, and tracking usage of the scheme.
We may collect electronic data such as IP addresses or device information when you use Kingfisher services such as the websites in order to monitor the performance of those services and improve their quality. However, the data will only be disclosed on an anonymous and aggregated basis not in a way in which you will be personally identified, unless consent to the contrary has been given.
For businesses operating within our centres, such as retailers and kiosk traders, we collect business and personal data such as names and contact details in order to create contracts and administer our business operations. Some of this information is required to conduct these services.
Our car parks utilise number plate recognition systems in order to provide an efficient service, monitor usage and provide information for security purposes. If required to do so we may provide this information to law enforcement agencies.
To protect our centres, shoppers, and retail staff we operate CCTV systems throughout our centres and car parks which record images for security. We do this on the basis of our legitimate business interests. If required to do so we may provide this information to assist with law enforcement.
We do not currently employ any automated decision-making tools.
With the exception of names used to administer certain elements of our Kids Club service, we do not collect personal data from children under the age of 13.
To support NHS Test and Trace (which is part of the Department for Health and Social Care) in England, we collect and keep a limited record of staff, customers and visitors who come onto our office premises for the purpose of contact tracing.
Covid-19 Track & Trace
To support NHS Test and Trace (which is part of the Department for Health and Social Care) in England, we have been mandated by law to collect and keep a limited record of staff, customers and visitors who come onto our office premises for the purpose of contact tracing.
By maintaining records of staff, customers and visitors, and sharing these with NHS Test and Trace where requested, we can help to identify people who may have been exposed to the coronavirus.
As a customer/visitor of our business premises you will be asked to provide some basic information and contact details. The following information will be collected:
- the names of all customers or visitors, or if it is a group of people, the name of one member of the group
- a contact phone number for each customer or visitor, or for the lead member of a group of people
- date of visit and arrival time and departure time
The venue/establishment as the data controllers for the collection of your personal data, will be responsible for compliance with data protection legislation for the period of time it holds the information. When that information is requested by the NHS Test and Trace service, the service would at this point be responsible for compliance with data protection legislation for that period of time.
The NHS Test and Trace service as part of safeguarding your personal data, has in place technical, organisational and administrative security measures to protect your personal information that it receives from the venue/establishment, that it holds from loss, misuse, and unauthorised access, disclosure, alteration and destruction.
In addition, if you only interact with one member of staff during your visit, the name of the assigned staff member will be recorded alongside your information.
NHS Test and Trace have asked us to retain this information for 21 days from the date of your visit, to enable contact tracing to be carried out by NHS Test and Trace during that period. We will only share information with NHS Test and Trace if it is specifically requested by them.
For example, if another customer at the venue reported symptoms and subsequently tested positive, NHS Test and Trace can request the log of customer details for a particular time period (for example, this may be all customers who visited on a particular day or time-band, or over a 2-day period).
We may require you to pre-book appointments for visits or to complete a form on arrival.
Under government guidance, the information we collect may include information which we would not ordinarily collect from you and which we therefore collect only for the purpose of contact tracing. Information of this type will not be used for other purposes, and NHS Test and Trace will not disclose this information to any third party unless required to do so by law (for example, as a result of receiving a court order). In addition, where the information is only collected for the purpose of contact tracing, it will be destroyed by us 21 days after the date of your visit.
However, the government guidance may also cover information that we would usually collect and hold onto as part of our ordinary dealings with you (perhaps, for example, your name, date of birth and phone number). Where this is the case, this information only will continue to be held after 21 days and we will use it as we usually would, unless and until you tell us not to.
Your information will always be stored and used in compliance with the relevant data protection legislation.
The use of your information is covered by the General Data Protection Regulations Article 6 (1) (c) - a legal obligation to which we as a venue/establishment are subject to. The legal obligation to which we're subject, means that we're mandated by law, by a set of new regulations from the government, to co-operate with the NHS Test and Trace service, in order to help maintain a safe operating environment and to help fight any local outbreak of corona virus.
We do not hold or transfer this data outside of the EU.
By law, you have a number of rights as a data subject, such as the right to be informed, the right to access information held about you and the right to rectification of any inaccurate data that we hold about you.
- You have the right to request that we erase personal data about you that we hold (although this is not an absolute right).
- You have the right to request that we restrict processing of personal data about you that we hold in certain circumstances.
- You have the right to object to processing of personal data about you on grounds relating to your particular situation (also again this right is not absolute).
If you are unhappy or wish to complain about how your information is used, you should contact a member of staff in the first instance to resolve your issue.
If you are still not satisfied, you can complain to the Information Commissioner's Office. Their website address is www.ico.org.uk.
Use of Personal Data for Marketing Communications
We only send post, email, text messages and mobile notifications to you about news and services that we consider may be of interest to you only if you have given us permission to do so or if appropriate where we consider there to a legitimate interest in the information for example if you have signed-up to the +More loyalty scheme and knowledge of available offers and promotions is the primary function of the scheme.
If you have agreed to be contacted by telephone then calls may be monitored and recorded for quality and training purposes.
Electronic notifications may be sent to you via your internet browser if you have given consent for us to do so. If you subsequently wish to remove consent for these you can do so following the instructions provided by your internet browser software.
Who Controls or Has Access to the Data?
Personal data is accessed and processed by staff at Kingfisher and Capital & Regional involved in operating the relevant shopping centre services. The use of personal data will remain under the control of Kingfisher and Capital & Regional at all times operating as the Data Controller. We do not sell your data to other companies without your explicit permission.
We use selected third parties, called Data Processors, to help operate our services which include, for example, email system or database providers. When employing Data Processors, we ensure that they comply with data protection laws including ensuring that data is held securely and that only the information required to complete the work is supplied to them. If we stop using a particular Data Processor's services we require that personal data held by them is securely deleted or anonymised.
In compliance with the law we may be obligated to disclose Data about you to a law enforcement agency or by a court order.
Personal Data is held and processed only within the EU.
Data subjects have various rights in relation to accessing and amending the data companies hold on them under GDPR. More information on how to do this can be found later in this document.
Retention Period & Criteria
We only keep personal data for as long as necessary for the purpose for which it was collected or to comply with legal, contractual or law enforcement purposes. At the end of this period data is either deleted or anonymised so that it can be used for statistical and analytical purposes in a non-identifiable way.
We endeavour to take all reasonable steps to protect your personal information. However, we cannot guarantee the security of any data you disclose online. You accept the inherent security risks of providing information and dealing online over the Internet and will not hold us responsible for any breach of security unless this is due to our negligence or wilful default.
Data on our customer database system is held in accordance with ISO27001.
Data Subject's Rights
Data subjects have a number of rights which we recognise and uphold. These include: The right to be informed about how we collect and process your personal data which is detailed in this document; The right to access this information; The right to rectify or erase data; The right to restrict the processing of data; The right to data portability; The right to object; and, rights relating to automated decision making and profiling. Data subjects also have the right to lodge complaints with the Information Commissioners Office and the right to withdraw consent.
How do I access or amend my data?
You can access and update your personal details using our customer profile tool found at: www.kingfishershopping.co.uk/mydata. This tool is also linked to from our website and from each of our emails.
Access to this tool and to amend any the details is free and actioned immediately, although please allow a few working days for the changes to be reflected across all parts of our system.
For services that cannot be completed via the customer profile tool please contact us at email@example.com. In line with GDPR access requests are free and will be responded to within a month.
How do I remove myself from your mailing list?
If you want to be removed from our mailing list, please use our customer profile tool, accessed here: www.kingfishershopping.co.uk/mydata.The tool will allow you to change your contact preferences, to reduce the number of emails received, choose to received only +More emails for those people who are +More members, or to completely opt-out.
Alternatively, please email firstname.lastname@example.org with the word 'remove' in the subject line and the email address that you wish to be removed within the email. Please note that it may take up to 28 days to action your request via this method.
Each email we send contains an unsubscribe link and a link to the customer profile tool.
Opting out of marketing communications will be honoured unless a later opt-in is received for the same contact details.
If you would like request we delete your data completely please email us at email@example.com.
Changes to this Privacy Statement
We will occasionally update this Privacy Statement and when we do, we will also revise the "last updated" date at the top of this document. We will obtain your consent for any updates to this Privacy Statement that materially expand the sharing or use of your personal information in ways not disclosed in this Privacy Statement at the time of collection.
Identity and Contact Details
Data Controller: Capital & Regional / Kingfisher, 22 Chapter Street, London, SW1P 4NP.
Some websites store information in a small text file called a "cookie" on your computer. Cookies contain information about you and your preferences. For example, it might contain a record of which pages within the site you visited or your display preferences to help the site customise the view for you the next time you visit. Only the information that you provide, or the choices you make, while visiting a website can be stored in a cookie. For example, the site cannot determine your email address unless you choose to type it. Allowing a website to create a cookie does not give that or any other site access to the rest of your computer and only the site that created the cookie can read it. In the main cookies are used to provide a pleasant browsing experience.
Your browser also generates other information, including which language the site is displayed in, and your Internet Protocol address ("IP address"). Your IP address is automatically logged by our servers and used to collect traffic data, such the number of visitors to our site. We do not use your IP address to identify you personally and the information is not passed to third parties.
We use the cookies below throughout our website. None of our cookies are used to store any personal information about you.
- Google Analytics: __utma; __utmb; __utmc; __utmz
Google Analytics is a popular analytics platform used to record anonymous information about our site's visitors. Collecting this information helps us to identify which areas of our site work well and which do not so that we can continue to improve our website and your experience when using it.
- Google Search: PREF
Our site makes use of a customized Google search engine to give you a quick search feature. This cookie is used by the Google search engine and stored under the google.com domain.
You can control whether your computer accepts or rejects cookies by default, or to tell you when a site tries to save a cookie on your computer, by adjusting your browser setting. Cookies can also be manually deleted. The method to change these settings varies depending on the browser. Read the help section within your browser to find out more, or visit www.aboutcookies.org (We are not responsible for the content of external websites). Many modern browsers also have an anonymous usage mode (called "Incognito" in Google Chrome, "InPrivate" in Internet Explorer and "Private Browsing" in Firefox) which can be used to automatically stop cookies being stored on your computer.
This site operates implied consent for cookies, which means we assume by using this site you are happy with the usage of the cookies outlined below. If you do not want to accept the use of these cookies you should discontinue use of the site, delete the cookies, or adjust your browser settings accordingly.