TABLE OF CONTENTS

1. INTRODUCTION

2. KEY TERMS

3. CONTROLLER AND PROCESSOR

4. COLLECTION, PROCESSING AND USE OF PERSONAL DATA

5. MARKETING

6. PERSONAL DATA RELATING TO THIRD PARTIES

7. COOKIES

8. RECIPIENTS OF PERSONAL DATA

9. DATA STORAGE AND RETENTION 

10. YOUR RIGHTS

11. DATA SECURITY

12. UPDATES

1. INTRODUCTION

The Shoreline group of companies (“the Group”/ “we”/ “our”/ “us”) is committed to protecting and respecting your privacy. Please read this Privacy Policy (“the Policy”) to understand how information we hold about you will be treated on the Website, when you visit the Premises, and when you otherwise interact with us.

In this Policy, the Shoreline group of companies shall include the following entities:

i. Shoreline Mall p.l.c., a public limited liability company registered and incorporated under the laws of Malta with company registration number C 84005;

ii. Shoreline Management Limited, a private limited liability company registered and incorporated under the laws of Malta with company registration number C105525; and

iii. Shorematrix Limited, a private limited liability company registered and incorporated under the laws of Malta with company registration number C103891.

We collect, use and are responsible for certain personal data about you. When we do so we are regulated under data protection legislation and we are responsible as ‘controller’ of that personal data for the purposes of those laws.

The terms “User”, “you” and “your” shall refer to a User of the Website and/or customer or a prospective customer of the Group who is a natural person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity.

We have created this Policy to explain to you:

i. how we use and process any Personal Data that we receive from you or may collect about you, and

ii. your privacy rights under Applicable Privacy Laws.

Our use of your Personal Data is subject to your instructions, the EU General Data Protection Regulation (“GDPR”), other relevant Maltese and EU legislation and our professional duty of confidentiality.

If you have any questions, need further clarification or additional information in connection with this Policy, please email us at [email protected] or call us on +356 99352308.

2. KEY TERMS

Applicable Privacy Law

The relevant data protection and privacy law, including the GDPR (as defined in Section 1) to which the Controller (and the Processors) are subject, and any guidance or statutory codes of practice issued by the relevant Privacy Authority/Authorities.

Data Controller / Controller

The entity acting as the data controller, as identified in Section 3, which shall determine the purpose and means of the processing of Personal Data.

Data Processor / Processor

The entity acting as the data processor, as identified in Section 3, which processes Personal Data on behalf of the Controller.

GDPR

Shall mean the EU General Data Protection Regulation.

Personal Data

Any information relating to an identified or identifiable natural person as defined by the Applicable Privacy Law and including the categories of data listed in this Policy that the Controller (and the Processors) process.

Premises

Shall mean the shopping mall operated by the Group located at Smart City, Malta, known as ‘The Shoreline Mall’.

Processing

Any operation which is performed on personal data such as collection, storage, use and erasure.

Sensitive Personal Data

Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic and biometric data, and data concerning health, sex life or sexual orientation.

Website

The website https://www.shorelinemall.com/ and/or other affiliate domains and/or sub-domains.

3. CONTROLLER AND PROCESSOR

For the purposes of the GDPR, the Group is considered the Controller of your personal data because it will determine how that data will be handled. Shoreline Mall p.l.c. is typically the primary Controller within the Group.

If you have any questions in relation to this Policy, please email the Group at [email protected] or call us on +356 99352308.

4. COLLECTION, PROCESSING AND USE OF PERSONAL DATA

We shall only use your Personal Data when there is a lawful reason to do so. The law provides that we may only process your Personal Data with your consent or when necessary:

i. For our legitimate interest;

ii. To carry out contractual obligations;

iii. To comply with a legal obligation.

Most of the information we process is given to us directly by you. This includes information that you input via our website and that you provide us with over the telephone and by email.

The Group also collects Personal Data through CCTV equipment installed within the Premises (including at retail outlets operated by the Group and/or third-party operators). Signs are placed throughout our premises to inform you that CCTV is in operation. The CCTV system monitors are operated 24 hours a day, 7 days a week, and this data is continuously recorded. Camera locations are chosen to minimise the viewing of spaces which are not relevant to the legitimate purpose of the monitoring. All images captured by the CCTV System remain the property of the Group. The CCTV system ensures that the legitimate interests of the Group, its personnel, and its property are safeguarded, and the main objectives are:

i. to detect, prevent and reduce the incidence of crime or unwanted behaviour on our premises;

ii. to reduce and/or intercept incidences of vandalism and damage to the Premises or personal property;

iii. to enhance the feeling of personal safety and security;

iv. to enable the identification and subsequent apprehension and prosecution of offenders in relation to crimes committed within the proximity of our Premises;

v. after-the-fact investigation of crimes committed against the company or its staff;

vi. after-the-fact investigation of suspected breaches by staff of the policies and procedures;

vii. after-the-fact investigation of the circumstances surrounding any incident or injury at the Group’s premises.

The following table provides the types of Personal Data that we may collect and use about you, and the corresponding legal basis for doing so:

Activity: Making a general enquiry on our website

Personal data we may process: Contact details that you provide to us when you request information about our services through our “Send us a Message” form on our website. These include your full name, email address and other personal data that you may wish to provide us, including your phone number.

Legal basis and reasons for using Personal Data:

For our legitimate interests:

Responding to your enquiries, comments and/or complaints.

Updating and enhancing our contacts/client base and/or to be able to find a solution to your enquiries, comments and/or complaints.

Activity: When you communicate with us for any other reason by telephone.

Personal data we may process: Contact details that you provide us when you request information about any of our services, or when you wish to give us feedback or make a complaint via telephone. These include any Personal Data that you may provide us in your communications with us.

Legal basis and reasons for using Personal Data:

For our legitimate interests:

Getting to know the person contacting us.

Managing business communications.

Responding to your communications with us, including complaints or claims made by you.

Activity: Signing up for email updates

Personal data we may process: The email address you provide to us when subscribing to our newsletter through our “Receive our Newsletter” option on our website.

Legal basis and reasons for using Personal Data:

For our legitimate interests:

Develop our network of contacts.

Share relevant content and promote our activities with persons who have previously expressed an interest in the Group.

To provide you with all of our latest news, events and special offers.

Consent

On the basis of the consent that you have provided us, where this is required.

Activity: Applying to participate in our promotions or competitions

Personal data we may process: All the requested details you provide us in the application form. Other information or documentation about you may be collected and/or may be in the public domain.

Legal basis and reasons for using Personal Data:

Pursuing legitimate interests:

To develop our products/services and grow our business, e.g. in order to establish what products you are interested in so we can target marketing and promotional material which we feel may be most relevant to you.

Performance of a contract with you

To be able to identify you in case you win the competition in which you participate and to provide you with the prize.

To communicate with you by any effective means including communications by email, phone, and post.

For other purposes like carrying out statistical analysis.

Consent

You are consenting to us processing your Personal Data upon the submission of your Personal Data in the context of your application, including conducting necessary checks to satisfy our legitimate interests.

Activity: When you provide us with your CV to apply for a job at the Group.

Personal data we may process: Contact details that you provide to us when applying for a job with us. These include the Curriculum Vitae, including all information provided therein, and contact details such as personal email address and mobile phone number. These may also include Special conditions (which may relate to disability, learning, specific learning difficulty, health issue) and any other data that you may provide to us through the application process.

Legal basis and reasons for using Personal Data:

For our legitimate interests:

Satisfying our staffing requirements and getting to know employees or potential employees.

Ensuring that any potential recruit is suitably qualified for the position.

Consent

You are consenting to us using and processing your Personal Data upon the submission of your Personal Data in the context of your application, which would include conducting necessary checks to satisfy our legitimate interests.

Performance of a legal obligation

In satisfaction of our obligation to verify whether a candidate has the right to work in Malta.

Activity: CCTV System

Personal data we may process: Images of clients captured through the use of CCTV cameras which are installed within and outside our outlets/premises.

Legal basis and reasons for using Personal Data:

For our legitimate interests:

Keeping our clients and employees safe and secure by preventing crime, preventing employee misconduct, and ensuring compliance with health and safety procedures.

Used for security and monitoring purposes of clients and employees.

Activity: Seeking business opportunities

Personal data we may process: Contact details that you provide to us when you contact us regarding potential business opportunities. Such details may include but are not limited to full name, email address, and contact number.

Legal basis and reasons for using Personal Data:

For our legitimate interests:

Getting to know the relative contact person who could result in a new business venture with the Group.

Responding to your communications with us to provide you with the necessary information and to be able to start negotiations.

To be able to manage business communications.

Activity: Tracking data

Personal data we may process: We may automatically collect technical information, including your Internet Protocol (IP) Address, browsing type, operating system and other information about your visits from your IP address when visiting our website.

Legal basis and reasons for using Personal Data:

For our legitimate interests:

To be able to trace the computer used in cases of any kind of misuse of our website.

To improve our website.

To be able to report aggregate information to third parties.

Activity: To provide a service to you (including services provided through our mobile application)

Personal data we may process: Information requested by the mobile application, including contact details, preferences & profile, technical / usage information, and financial information.

Legal basis and reasons for using Personal Data:

Performance of a contract with you

Consent to push notifications, via your device settings

5. MARKETING

As a customer of the Group, you may receive personalised marketing communication for which you will be subject to automated decision-making (i.e. automatically without any human intervention), including profiling. Any type of communication which is sent to you as direct marketing from our end is only done if this is authorised by law and, generally, with your consent. However, if you wish to stop receiving such communications and/or withdraw your consent, you may contact us by using the contact information found in Section 3 or update your preferences on the Website or the mobile application. If you wish to opt out of marketing sent to you via email, you can simply do so by pressing the “Unsubscribe” option at the bottom of any marketing email that we send you.

6. PERSONAL DATA RELATING TO THIRD PARTIES

Should you choose to provide us with the Personal Data of a person other than yourself, it is assumed that you have the authority from the person in question to share their information with us, and the Group shall not bear any responsibility if you do not have such authority and we have collected, processed and made use of such data.

7. COOKIES

A cookie is a small text file which is copied onto your hard disk by a website. Cookies do not cause any damage to your computer and do not contain any viruses. The cookies from this Website do not cover any personal data about you. You can disable the use of cookies at any time via the settings in your browser. As a rule, cookies are only used on this Website for the length of your session for the purpose of anonymous, statistical assessments and improving the user-friendliness of this Website. Cookies may occasionally serve an additional purpose in certain sections of this Website. You will be informed of this if you access one of these sections.

8. RECIPIENTS OF PERSONAL DATA

Your Personal Data is not shared with third parties and no Personal Data is transferred outside the European Economic Area (EEA) or to international organisations. Furthermore, we do not share your Personal Data with third parties for marketing reasons, unless you give us your consent to do so.

We may disclose your Personal Data to any of the following to the extent necessary to fulfil the purposes for which your data was collected:

i. between the undertakings forming part of the Group;

ii. the Group’s staff;

iii. suppliers and service providers who may access your Personal Data when providing products or services to us, in particular providers of platform, data storage, CCTV, WiFi services, marketing and data security services;

iv. when required by law, regulation or order of the court or other competent authority;

v. with our insurers or legal advisors.

We may also share information or statistics with third parties in an aggregated or anonymised form that does not directly identify you, e.g. we may share aggregated and anonymised or pseudonymised information about your interests and geographic preferences and/or location with advertisers and third party deal sites for marketing purposes.

The Group guarantees compliance with the principles of lawfulness, fairness and transparency when processing Personal Data and any further processing of Personal Data must be adequate, relevant and limited to what is necessary for the purposes required and in accordance with the law.

We ensure the appropriate security and confidentiality of Personal Data to include the prevention of unauthorised access and unauthorised use of Personal Data, and the equipment used for processing. This is also ensured with regard to third party websites which are visibly marked on our website. Since the Group is not responsible for the content of such websites, we highly advise that you read through the privacy policies of these third-party websites.

9. DATA STORAGE AND RETENTION 

We shall hold your Personal Data in our offices, and it shall only be retained for as long as necessary and we shall not collect more data than that which is required. Consideration shall be taken for the purpose as to why it was initially obtained. What is ‘necessary’ depends on the particular Personal Data in question as well as the type of relationship which you and the Group have (including its duration). The necessary time for the retention and storage of your Personal Data shall be in accordance with Maltese and EU law.

In relation to CCTV surveillance footage which is derived from the CCTV system, this shall be kept for a period of […] in order to ensure compliance with recordkeeping laws and to be able to answer any questions, complaints or claims made by you or if such footage is requested by the Police or other legal authority.

Once it is deemed that we no longer need your Personal Data, this will be deleted in a secure manner or else anonymised.

10. YOUR RIGHTS

As a user, you have certain rights when it comes to the processing of your Personal Data as set forth in the Applicable Privacy Law, including the rights set forth in Sections 10.1 to 10.7 below. Before you can exercise such rights, we first need to verify your identity. You may contact the Controller by email, by post or by phone using the contact details provided in Section 3 above.

We try to reply to all legitimate requests within 30 days from the date of receipt of your enquiry. If your request is particularly complex or we need to process an extraordinary number of simultaneous requests, the Controller’s reply may take longer. In such a case, we may inform you accordingly and explain the reason for the delay in our response. Should we have reasonable doubts concerning your identity when making the request above, we may require additional information that is necessary to confirm your identity.

10.1. Transparency

The Group shall do its utmost to uphold the principle of transparency with regard to your Personal Data.

In order to maintain the principle of transparency, there are signs throughout the Premises indicating that a CCTV surveillance system is in operation and such signs clearly read that the Premises are under surveillance by means of CCTV cameras. This is an appropriate measure to ensure that the processing of your Personal Data is done in a way which is concise, transparent, intelligible and in an easily accessible form.

10.2. Access

You may obtain confirmation from us as to whether or not your Personal Data is being processed. This includes access to any CCTV footage in which you may feature, provided that this request for access shall be subject to compliance with the Group’s GDPR obligations in relation to third parties. Any requests must be limited to a particular date and time period and Shoreline shall only disclose such footage after due verification of the identity of the Data Subject.

Such requests will not incur any fee, except when the requests are manifestly unfounded or excessive, in particular because of their repetitive character. In this case a reasonable fee will be charged, taking into account the administrative costs of providing the information or communication or taking the action requested. In this case, we may also refuse to act on the request after having explained our position.

10.3. Deletion / Erasure (“the right to be forgotten”)

You have the right to request that your Personal Data be erased in case:

i. the Personal Data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;

ii. processing is based on legitimate interests and you have objected to processing in accordance with Section 10.5 below and there is no other overriding legitimate ground for processing;

iii. your Personal Data has been unlawfully processed;

iv. your Personal Data has to be erased in order to ensure compliance with any legal obligations arising from any legislation enacted within the EU or in Malta;

v. you have withdrawn your consent on which the processing is based (in those instances where we process on the basis of your consent) and we have no other legal ground to process your Personal Data; and/or

vi. special circumstances exist in connection with certain children’s rights as further specified in the GDPR.

We are not legally bound to comply with your request if the processing of your Personal Data is necessary for us to fulfil our legal obligations or else to establish, exercise or defend legal claims.

10.4. Restriction

You have the right to request a restriction on the processing of your Personal Data in case:

i. the processing of your Personal Data is unlawful, and you oppose the erasure of your Personal Data and request the restriction of its use instead;

ii. the Group no longer needs the Personal Data for the purposes of the processing;

iii. the Group no longer needs the Personal Data, but is required by you to retain the data for the establishment, exercise or defence of legal claims;

iv. you have objected to processing (as specified in detail below), pending the verification whether our legitimate grounds override yours.

When you restrict processing, your personal data will, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the EU or of a Member State. The processing of your Personal Data shall be restricted by temporarily moving the selected data to another processing system or making the Personal Data in question unavailable. In case you have obtained restriction of processing as per above, we will inform you before the restriction of processing is lifted.

10.5. Right to Object

You have the right to object to the processing of your Personal Data on grounds relating to your personal circumstances unless we have compelling legitimate grounds that override the rights and interest of the Data Subject.

10.6. Data Portability

You enjoy a right to data portability with respect to your Personal Data held by the Group and we hereby bind ourselves to provide such Personal Data, in a structured, commonly used and machine-readable format. Nonetheless, your right to transmit or receive your Personal Data should not oblige the Controller to adopt or maintain processing systems that are technically compatible.

If the requested Personal Data does not only include you but also includes others, your right to data portability should not prejudice the rights and freedoms of the other user/s.

The right to data portability shall not prejudice your right to obtain the erasure of personal data and the limitations set out by this right.

10.7. Complaint

In addition to the above, and without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with the Information and Data Protection Commissioner (IDPC), the competent Supervisory Authority for the Controller in Malta, if you deem it necessary to do so.

The complaint may be submitted online through this link (subject to change): https://idpc.org.mt/en/Pages/contact/complaints.aspx

11. DATA SECURITY

The Group takes reasonable and appropriate administrative, technical and physical measures to protect the confidentiality, integrity and availability of your Personal Data, whether in electronic or tangible, hard copy form. These measures include:

i. secure storage;

ii. access control.

We also take reasonable steps to protect your Personal Data from loss, misuse and unauthorised access, disclosure, alteration and destruction. For this purpose, the Group follows good practice policies and procedures.

12. UPDATES

We reserve the right to update, add and/or remove any sections from this Policy. If you are a client with whom we already have a contractual relationship, we shall send you an email regarding any changes made to this policy. If on the other hand, you are a user of the Mall’s website but have no contractual relationship with the Group, we recommend that you check for any updates made to the policy. However, all past versions of the Policy shall be archived for your perusal.