Privacy

CHARTER FOR THE PROTECTION OF PERSONAL DATA

The Klépierre Group, including each of its member companies (hereinafter referred to as the "Klépierre Group" or "Klépierre"), is committed to protecting the privacy and information of users of its websites and mobile applications. These consist of the "www.klépierre.com" institutional website and the websites and mobile applications associated with shopping centers operated by Klépierre. Klépierre strives to establish and comply with a strict confidentiality policy in accordance with applicable regulations.

Klépierre is subject to the applicable rules on the protection of personal data and in particular the European General Data Protection Regulation, No. 2016/679 of 27 April 2016 (known as the "AVG"), as well as all rules of national legislation adopted in implementation thereof, for each subsidiary.

The purpose of this Personal Data Protection Charter (the "Charter") is to provide clear, simple and comprehensive information to all data subjects ("You" or "Your") about the manner in which Klépierre, in its capacity as data controller, collects and uses personal data about You ("Personal Data") and about the means available to You to manage such use and exercise Your rights thereon.

1. WHEN IS YOUR PERSONAL DATA COLLECTED?
(i) Klépierre may collect Your Personal Data in connection with Your visit and Your use of its online services and those of its partners, Your customer journey for those services (e.g. cookies for audience metering) or Your contacts with the Klépierre teams, in particular in connection with:
- the creation of a user account or candidate account;
- subscribing to a newsletter or other notification system;
- subscribing to a contest or a customer loyalty program;
- participating in satisfaction surveys; or
- making contact with a Klépierre contact.

Your Personal Information may also be collected in connection with Your use of other products and services offered by Klépierre, particularly in its shopping centers.

That Personal Information is that which You provide by means of forms, whether or not in hard copy, either on the websites or mobile applications provided by Klépierre, or at the terminals installed in its shopping centers, or in response to enquiries made to You by Klépierre employees or service providers authorized by it.

On these occasions, Klépierre takes into account the principles of minimum data processing and data protection, from the design stage of projects and in default settings (privacy by design and privacy by default settings). Therefore, only relevant, appropriate and limited information is collected for the purposes for which it is processed.

The Personal Data required for processing are indicated in the collection medium with a "! " or "*". Outside of these situations, you are free to decide whether you wish to provide (any part of) your Personal Data, taking into account that such a decision may lead to a restriction on your access to certain services or products offered by Klépierre, or other functionalities offered on its websites and mobile applications (such as keeping your date of birth to congratulate you on your birthday).

(ii) Social plug-ins
Our websites may use plug-ins (the "Plug-ins") provided by social networks (facebook.com, Instagram, twitter, etc.). The Plug-ins are identified by the logo of the social network to which they belong. They allow you to mark the pages of these networks in Your Favorites and share Your Favorites with their other users.

When you visit a page that contains Plug-ins, your browser connects directly to the corresponding social media servers. The Integrated Plug-ins inform the social network that you have opened the corresponding page on our sites. If you are connected to the social network, your visit can be linked to your account on the social network. If you use the plug-ins, for example by clicking on the "share" button on Facebook, the corresponding information is sent directly by your browser to the social network of Facebook and is stored there. Even if you are not connected to the social network, it is possible that the Plug-ins transmit your IP address to the social network.

These notes also apply to the use of the "JustAsk" functionality with which you can communicate with Klépierre via Facebook Messenger.

For more information about the purpose and scope of data processing by social media and Your rights in this respect, and to set up options to protect Your privacy, please refer to the privacy policies of the website of each of these networks, including:
Twitter privacy policy: https://twitter.com/privacy
Facebook data policy: https://www.facebook.com/policy.php
Data policy Instagram: https://help.instagram.com/196883487377501

(iii) Registration, connection via Facebook
In addition, we offer you the possibility to register with our websites using the Facebook registration button or via the "Login" button. If You choose to create an account using Your account on Facebook's social network, and subject to Your prior consent, the relevant social network will send us the Personal Data You have provided to that network (including but not limited to Your last name, first name, username, profile picture, e-mail address, gender, date of birth, education(s) and profession), Your contact details (street name, city, postal code and country), Your telephone number, Your "likes and dislikes" (such as pages, films, music, TV programmes, etc.), Your publications, Your friends lists and other information that You have indicated as public information.

(iv) Cookies
When browsing our sites, cookies may be placed on Your device (computer, phone or tablet) depending on the preferences You have set and which You can change at any time.

A cookie is a small text file containing information relating to the navigation on these websites, the main purpose of which is to improve the way in which they are viewed and to enable personalised services to be provided to users.

On computers, cookies are managed by the Internet browser.

These cookies may be session cookies (in which case the cookie is automatically deleted when the browser is closed) or permanent cookies (in which case the cookie remains on the device until its expiry date).

Here you will find the cookies used by our websites.

How can you accept or reject cookies?
You can set your browser to accept or reject cookies, either systematically or depending on the sender, or to notify you when a cookie is stored on the terminal.

However, deleting all cookies used by the browser, including those used by other websites, may result in modification or loss of certain settings or information.

The configuration of each browser is different. You are responsible for following the instructions of your browser editor (the links available on the date of the most recent update of this page):
- If you use Internet Explorer
- If you are using Safari
- If you use Chrome
- If you use Opera

For more information about cookies and their consequences, please visit the website of the Dutch Data Protection Authority.

COOKIES USED ON OUR WEBSITE

(v) Collection of external partners
Your Personal Information may also be sent to us by external partners, in order to allow you to benefit from our newsletters, offers, discounts and other promotions. In particular, these are companies responsible for customer loyalty programmes and chain stores within the Klépierre shopping centres. As with all our other forms of processing Personal Data, regardless of source, we comply with the requirements of the applicable regulations, in particular the principles of minimum data processing and protection from the design stage and by default. Therefore, only relevant, appropriate and limited information is collected for the purposes for which it is processed.

Please note that in such cases, the confidentiality policies of the relevant partners, under which they may disclose Your Personal Data to Klépierre, may apply to You.

2. WHAT IS THE LEGAL BASIS FOR PROCESSING YOUR DATA?
Your Personal Data will only be processed by Klépierre in the cases permitted under applicable regulations and in particular under the following conditions:
- If you have freely, specifically, knowingly and unambiguously given your consent to the processing of your Personal Data (e.g. by subscribing to a newsletter, partner offers, etc.);
- if this is necessary for the performance of an agreement or to take action at Your request prior to the conclusion of an agreement (e.g. an application within the Klépierre Group);
- to comply with an obligation imposed on the Klépierre Group by law or regulation (such as combating fraud);
- if the legitimate interests of Klépierre or the recipients justify the processing of Your Personal Data by Klépierre (e.g. IT security measures), which is accompanied by appropriate safeguards.
Clear information in accordance with applicable law is provided in any case.
Please note specifically that for children under the age of 16, this consent must be granted or approved by the holder of parental authority.
If the latter discovers that Personal Data relating to the child in question has been entrusted to Klépierre without his/her consent, he/she may request Klépierre to delete that Personal Data by following the procedure described under 7.2 of this Charter.

3. FOR WHAT PURPOSES ARE YOUR PERSONAL DATA COLLECTED?
Your Personal Data is collected for specific, explicit and legitimate purposes.
Depending on the situation, Your Personal Data may be used to:
- Allow You to request and obtain information about the Klépierre Group or any of its entities or a Klépierre shopping centre, or about the products and services offered by the Klépierre Group or its partners;
- give you the opportunity to subscribe to a newsletter or other notification system;
- enable You to create and manage a user account on the web site of a Klépierre Group operated shopping center in order to benefit from information, products and/or services or other types of benefits offered by Klépierre, a shopping center or its partners;
- respond to Your request to rent a permanent or temporary space within a Klépierre Group shopping centre;
- participate in satisfaction surveys, analyses and statistics for the improvement of our products and services as well as knowledge about our (potential) customers;
- process your application for a position within the Klépierre Group;
- manage our customer loyalty programmes;
- Improve your customer experience and/or offer you customised and personalised services.

None of Your Personal Data is currently processed by us in the context of automated decision-making regarding You, including profiling. However, Klépierre may send You personalised advertisements and other specific offers based on Your own Personal Information and the analysis of Your user behaviour and, in particular, the consumption preferences You have communicated to us. You can object to this profiling at any time under the conditions set out in article 7 below.

In addition, Klépierre may also use Your Personal Data for administrative purposes or for other purposes imposed by applicable law (for example, to notify You of a significant change in this Charter).

4. WHO ARE THE RECIPIENTS OF YOUR PERSONAL DATA?
As Your Personal Data is confidential, only persons who have lawfully obtained permission from Klépierre by virtue of their position have access to Your Personal Data, without prejudice to its possible transfer to the extent required by applicable regulations.

All persons for whom Klépierre is responsible and who have access to Your Personal Data are bound by a non-disclosure agreement. They may be subject to disciplinary action and/or other sanctions if they fail to comply with that obligation.

These persons include authorized employees within the Klépierre Group and, more specifically, depending on the situation, the purchasing, marketing, commercial, administrative and accounting, logistics and IT departments, the human resources, customer relationship management and their line managers.

Our authorised service providers may also need to process your Personal Data to the extent strictly necessary for the provision of the services we outsource to them, including, in particular, service providers responsible for conducting satisfaction surveys, monitoring customer opinions, organising competitions, managing customer relations, managing customer loyalty programmes, sending emails for marketing data and analysing customer behaviour. It is hereby expressly stated that the management of our websites and mobile applications is currently carried out by the following service provider that processes Your Personal Data as a subcontractor on our behalf: the société par actions simplifié (simplified joint stock company) CHORUS, registered in the Trade and Companies Register in Paris, France, under number 309 540 367 and established at 32, rue de Jeûneurs,75002, Paris.

Subject to your express prior consent, Your Personal Data may also be passed on to our Partners for marketing purposes and in order to benefit from their own newsletters, discounts, offers and other promotions. These "Partners" are defined as permanent or temporary brands that can be found in shopping centres operated by Klépierre.

Your Personal Data may also be transferred to comply with requests under laws and regulations, court rulings, subpoenas or legal proceedings, if required by applicable law.

Finally, your Personal Data may be transferred to an assignee if Klépierre's assets are sold or transferred to a third party company.

In the event that service providers established outside the European Union are engaged, Klépierre undertakes to verify that appropriate measures are in place to ensure that an adequate level of protection is afforded to Your Personal Data (in particular, by means of European Commission standard contractual clauses, internal rules of procedure or the "Privacy Shield" as established by the European Union and the United States of America).

5. HOW IS THE SECURITY OF YOUR PERSONAL DATA ENSURED?
Klépierre strives to protect and secure Your Personal Data in order to ensure that it is kept confidential and to prevent it from being distorted, damaged, destroyed or disclosed to unauthorized third parties.

To the extent that disclosing data to third parties is necessary and permitted, Klépierre will ensure that those third parties offer the same level of protection as Klépierre does, and Klépierre requires contractual guarantees to ensure, in particular, that the data is processed exclusively for permitted purposes, with all necessary confidentiality and security.

Klépierre takes technical and organizational measures to ensure that Personal Data is kept as securely as possible, for the period necessary to achieve the intended purposes and in accordance with applicable law.

Although Klépierre takes all reasonable measures to protect Your Personal Data, no transmission or storage technology is completely infallible.

In accordance with applicable European regulations, Klépierre undertakes, in the event of a proven breach relating to Personal Data that could entail a high risk to the rights and freedoms of the data subjects, to report that breach to the relevant supervisory authority and, to the extent required under those regulations, to the data subjects (depending on the individual or general situation).

Without prejudice to the foregoing, You should exercise caution to prevent unauthorized access to Your Personal Data and Your devices (computer, smartphone, tablet, etc.), in particular by choosing a strong password.

Furthermore, Klépierre's websites and mobile applications may offer links to third-party websites that may be of interest to You (such as social networks). Klépierre has no control over the content on those third parties' websites or their practices regarding the protection of the Personal Data they may collect. Klépierre therefore accepts no liability for the processing of Your Personal Data by those third parties, which is not covered by this Charter. You are responsible for obtaining information about those third parties' policies on the protection of Personal Data.

6. HOW LONG WILL YOUR PERSONAL DATA BE STORED?
Klépierre only retains your Personal Data for as long as is necessary to achieve the intended purposes, subject to the legal possibilities for archiving, the obligation to retain certain data and/or anonymization.
In particular, we apply the following retention periods for the following broad categories of Personal Data:
• Personal data of (potential) customers are retained for as long as the user remains active, up to a maximum of three years after the last contact with the user;
• Personal connection data: up to a maximum of 1 year after the connection;
• Cookies: maximum 13 months after installation on the browser;
• Applicant's personal data (recruitment section): the time needed to process the application and, in case of a negative result, a maximum of 2 years after the last contact (unless the applicant agrees to a longer period).

7. WHAT ARE YOUR RIGHTS WITH REGARD TO YOUR PERSONAL DATA AND HOW CAN YOU EXERCISE THEM?
(i) Your rights
Subject to the restrictions applicable under applicable regulations, You have the following rights with respect to Your Personal Data:
➢ Right to information about the processing of Your Personal Data

Klépierre strives to provide you with concise, transparent, understandable and easily accessible information, in clear language, on the conditions under which Your Personal Data is processed.
➢ Right of access, rectification, erasure (or "right to be forgotten") with respect to Your Personal Data

The right of access gives you the opportunity to obtain information from Klépierre about whether or not we process Your Personal Data and the conditions of such processing, as well as to receive a copy thereof (for an additional copy, Klépierre may charge a reasonable administration fee based on the administration costs incurred). If this request is sent electronically, the information will be provided in a common electronic form, unless you indicate otherwise.

In addition, You have the right to obtain immediate rectification by Klépierre of any Personal Data that is inaccurate or incomplete.

Finally, subject to exceptions provided by applicable law (e.g. retention necessary to comply with a legal obligation), You have the right to request Klépierre to delete Your Personal Data immediately for any of the following reasons:

- Your Personal Data is no longer needed for the purposes for which it was collected or otherwise processed;
- You wish to revoke your consent that served as the legal basis for processing your Personal Data, where applicable, and there is no other legal basis for such processing;
- You believe and can determine that Your Personal Data has been unlawfully processed;
- Your Personal Data must be deleted on the basis of a legal obligation.
➢ Right to Restrict the Processing of Your Personal Data
The regulations in force stipulate that this right may be exercised in certain situations, in particular:
- If You dispute the accuracy of Your Personal Data, for as long as necessary to verify its accuracy;
- if you believe and can determine that the processing of Your Personal Data is unlawful but you object to the removal of the Personal Data and instead require that the processing be restricted;
- If Klépierre no longer needs Your Personal Data, but You still need it to establish, exercise or defend Your legal rights;
- if You object to the processing on the grounds of the legitimate interest of the data controller, for as long as necessary to verify whether the legitimate interests of the data controller outweigh Your legitimate interests.

➢ Right to object to marketing (including profiling)
You may object at any time to the processing of Your Personal Data for marketing purposes. You can also only object to profiling. In that case, you will no longer receive personalised offers.
➢ Right to transferability of Your Personal Data
If the processing is based on Your consent or an agreement, the right to data transfer allows You to receive the Personal Data You have provided to Klépierre in a structured, common and machine-readable form, and to transfer that Personal Data to another data controller, without being hindered by Klépierre.

Wherever technically possible, you may request Klépierre to forward this Personal Data directly to another data controller.
➢ Right to revoke consent to the processing of Personal Data
If Klépierre processes your Personal Data on the basis of your consent, it may be revoked at any time by using the means available to you for that purpose (hyperlink and/or the procedure indicated under 7.2 of this Charter). However, the withdrawal of your consent is, in accordance with applicable law, only valid for the future and therefore does not affect the lawfulness of the processing carried out prior to this withdrawal.
➢ Right to lodge a complaint with a supervisory authority
If, despite Klépierre's efforts to protect the confidentiality of Your Personal Data, You consider that Your rights are not being respected, You have the right to lodge a complaint with a supervisory authority.
An overview of the supervisory authorities can be found on the website of the European Commission.
➢ Right to have access to your Personal Data after your death
Finally, You have the right to dispose of Your Personal Data after Your death by adopting general or specific provisions. Klépierre declares that it will comply with these provisions.
In the absence of provisions, Klépierre acknowledges the rights of heirs to exercise certain rights, in particular the right of access, if necessary for the settlement of the estate, and the right to object to the closure of the deceased's user accounts and to the processing of his/her data.
(ii) Procedures for exercising Your rights

For all questions relating to this Charter and/or for exercising Your rights as described above, for modifying Your information via the "My Account" page, to which You are entitled at any time, or for a specific question (not covered by the options offered on the "My Account" page), You can contact Klépierre, either by e-mail or post, by sending a letter, together with a copy of an identity document, to the following address:

Klépierre Management Nederland B.V.
T.a.v. Digital Marketing Department
P.O. Box 8243
3503 RE Utrecht
Email address: GDPR.nederland@klepierre.com

Klépierre will send you a response as soon as possible and in any case within one month after receipt of your request.

If necessary, this period may be extended by two months, given the complexity and number of requests addressed to Klépierre. In this case, you will be informed of this extension and the reasons for the delay.

If your application is submitted electronically, the information will, where possible, also be provided to you electronically, unless you explicitly indicate otherwise.

If Klépierre does not act on your request, it will inform you of the reasons for not doing so and you can lodge a complaint with a supervisory authority and/or start legal proceedings.

8. APPLICABLE LAW AND JURISDICTION
This Charter is governed by French law. If a dispute arises and no amicable settlement can be reached, the court determined in accordance with the applicable procedural rules shall have jurisdiction.

DATA STORAGE FOR THE PURPOSE OF CUSTOMER ANALYSIS.

Our organization processes segmentation data from Whooz to analyze the needs of our customers and to translate these insights into a better service. Whooz is a service provider in the field of consumer information, which information is provided under the product name Whize. As a segmentation specialist, Whooz provides predictions of characteristics, interests and behaviours of all Dutch households. If you object to us combining your customer data with the Whooz data, we will - if you request us to do so - block your data. If you would like more information about the Whooz data, you can find it on the Whooz website (www.whooz.nl/privacy-en-voorwaarden). Questions about the Whooz data can be directed to compliance@whooz.nl.