About Us
Our Portfolio
Investors
Sustainability
Media
This Privacy Notice may vary from time to time so please check it regularly.
This Notice describes the types of information collected, how that information is used and disclosed, and how you can access, modify, or delete your information.
NewRiver REIT plc (“NewRiver”) (company number 10221027) whose registered office is at 16 New Burlington Place, London W1S 2HX (“we”, “us” or “our”) is the ‘data controller’ for the personal data we collect.
HOW DO WE COLLECT INFORMATION ABOUT YOU?
In all of the above instances, we will only provide you with email marketing where you have consented and you can withdraw this consent at any time by clicking the unsubscribe link within the emails you receive. Where we send you information electronically, we review whether the communication has been opened and whether you have clicked on any links in the communication. This is because we want to make sure that our communications are useful for you.
We also use third party marketing agencies who may have access to your personal details to develop email marketing campaigns, to provide customer insight through the analysis of data and to collect personal data on our behalf. We store your information in a secure marketing database hosted by a third party which we use to also generate our email marketing campaigns.
NewRiver uses service partners to provide front of house, concierge and guest services as well at its properties.
In relation to third parties, we ensure that they will also safeguard your data – please see Protection of Your Information below.
FOR WHAT PURPOSE IS IT COLLECTED
The personal information gathered through WIFI and Marketing is for our legitimate business interests, this includes to:
For the gift card, events, car parking, hiring services, Wifi-Service and competitions and promotions, the legal basis is also to form a contract with you to provide these services and promotions.
DATA MINIMISATION AND RETENTION
We will only collect the minimum amount of personal information necessary, and will only keep your information for as long as you remain engaged with our marketing campaigns. Where you have not engaged with our marketing material for over a year, we will take steps to remove your information from our marketing database. Where you unsubscribe from our marketing, we will add your email address to our suppression list and delete any additional information that we hold about you.
Where you have provided your details in relation to a competition, we will delete your personal data when the competition has finished (unless you have consented to your information being used for marketing purposes).
For any contractual purpose, your personal data will be held for as long as is required to deliver the services requested.
HOW DO WE COLLECT INFORMATION FROM YOU?
As part of our security operation, we will also be collecting personal images relating to visitors and customers to its properties from CCTV, Body Mounted Video and ANPR (Automatic Number Plate Recognition) systems.
We use third party service partners to provide security services, but the information recorded through these technologies is held on systems we control. The data we collect may be shared with the police for the prevention and detection of crime, or between our other sites to share intelligence. ANPR data can be shared with third parties for the purposes of enforcement.
Personal data is also collected from visitors to our properties. Access control data is held within our systems and the visitor management data may be held on third party systems.
In relation to access control and visitor data, where the data relates to our employees, contractors or visitors, we consider ourselves to be the Controller. However, personal data relating to our occupier’s staff, contractors and employees, we consider our occupiers to be the Data Controller.
In relation to third parties, we ensure that they will also safeguard your data – please see Protection of Your Information below.
FOR WHAT PURPOSE IS IT COLLECTED
CCTV, BMV, Visitor and Access control data is collated to pursue our legitimate interests to protect the property in question, to protect the vital interests of our visitors, tenants and customers,to assist with the prevention and detection of crime and to provide our contracted service to our tenants.
ANPR is collected to fulfill a contract between ourselves and our users of our parking facilities, including enforcement action.
Access control data is also processed because of our contractual responsibilities to our occupiers.
For CCTV, Body Mounted Video and ANPR: Generally, this data will not be held for longer than 31 days unless an incident or suspected incident has occurred.
Access Control Systems: Access cards and the personal data associated with them are deleted on requests from our occupiers. Cards which are not used for three months are deactivated. Any passes which have remained inactive for twelve months will have all data relating to the card permanently deleted.
Visitor Management Systems: All data is deleted where a visitor has not returned to the site within six months.
When an incident occurs at one of our properties, we are required to document the particulars of an incident which may include witness statements, CCTV footage, photographs and written reports. This information may include special categories of data depending on the nature of the incident. A third-party system is used to log details relating to these incidents and physical paperwork may also be stored on site.
The data may be shared with third parties such as insurance providers and legal advisors in order to defend a claim, government or other competent organisations who are required to report on incidents by law or the police to investigate a crime.
This information is collected to ensure that we comply with our legal responsibilities in relation to Health and Safety investigation and reporting, and also in relation to any future legal claims. The information can also be used to prevent and detect crime, or to protect the vital interests of individuals. Where health information is collected we may also need this for our substantial public interest for Insurance processing.
All personal data (CCTV, Witness Statements, Photographs and written reports) relating to the incident is held for six years, unless there are reasons to retain it for longer, such as an ongoing HSE investigation, a suspected pattern of fraud, or because an injury has been sustained by a child.
In addition to the purposes already described, we may use information collected to perform other important business operations, for example: to understand usage patterns (such as foot traffic) within our properties; to develop, provide, improve and personalise products and services; and, to provide customer service/support. We may undertake additional research, analysis, and surveys, both online and in our centres. The lawful basis for this use of Information is for our legitimate business interests.
We may pass on or allow access to your information:
- to our suppliers, contractors and professional advisors where this is necessary for them to provide services and facilities to us, for example:
- to our group companies and affiliates or third-party data processers who may process data on our behalf to enable us to carry out our usual business practices.
We have in place administrative, technical and physical measures designed to guard against and minimise the risk of loss, misuse or unauthorised processing or disclosure of the personal information that we hold. We place similar obligations on our third parties and risk assess their security based on the sensitivity of the personal data that they hold.
If we transfer your personal information outside of the EEA, it will continue to be subject to one or more appropriate safeguards set out in the law. These might be the use of model contracts in a form approved by regulators, or having our suppliers sign up to an independent privacy scheme approved by regulators.
This Privacy Notice only applies to the websites provided by us. If you link to another service and/or website from here, you should remember to read and understand that service and/or website’s privacy and cookies policy as well. We are not responsible for any use of your information that is made by other services and/or websites. Links or advertisements do not imply that we endorse or have reviewed such third parties or their privacy practices.
We do not collect Information from children under the age of 13, but it may be collected from parents/guardians with their consent. Examples include the Kids Club services within our centres, and competitions that involve children’s participation. We will not market directly to children. If you are under 13 and have inadvertently subscribed, please notify us as [email protected] to have your consent to marketing removed.
You have the right to opt out of receiving any marketing information which we send you.
Your duty to inform us of changes
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.
Your rights in connection with personal information
Under certain circumstances, by law you have the following rights:
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please email [email protected]
You will not have to pay a fee to access your personal information (or to exercise any of the other rights); however, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
You can also contact the Information Commissioner's Office via https://ico.org.uk/ for information, advice or to make a complaint.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
For more information, please contact the data protection officer on [email protected]