Personal data protection declaration for the Olav Thon Group
Your data protection is important to the Olav Thon Group and we are committed to protecting the integrity, availability and confidentiality of your personal information. All processing of personal data by the Olav Thon Group shall comply with the data protection regulations at any given time, including the GDPR and the Personal Data Act.
This personal data protection declaration provides in-depth information about what personal data is collected, how data is collected, and what rights you have if personal data about you is registered with us.
Olav Thon Gruppen AS determines the purpose of the processing of personal data and the means to be used for the different companies where the Olav Thon Gruppen AS has a 50% or more holding (collectively referred to below as the Olav Thon Group). In our assessment therefore, Olav Thon Gruppen AS is to be considered as data controller for the personal data that is processed by the Olav Thon Group, cf. summary below. The administrative and operational responsibility for compliance with data protection in the Olav Thon group has been delegated to Thon Holding AS. Responsibility for the daily follow-up of our compliance with the data protection regulations has been delegated to the data protection coordinator of the Olav Thon Group.
Our processing of personal data
The Olav Thon Group processes personal data for the following main purposes:
Operation of shopping centres
To be able to operate our shopping centres it is necessary to process personal data relating to tenants, including names and contact information for contact persons at the tenants and the names of employees who are registered in the IT systems for registration of daily sales, as well as personal data that is processed as part of our control measures, such as security services.
Leasing of commercial property
In connection with the leasing of commercial property, it is necessary for us to process personal data such as name and contact information of contact persons at tenants.
Rental and sale of homes
To be able to enter into and comply with agreements for the rental or sale of homes, it is necessary for us to process names, contact information, personal ID numbers, credit checks (for rental), family relationships/marital status etc.
Operation of hotels
In order to administer hotel bookings, course and conference bookings and offer accommodation to our guests, it is necessary for us and our partners to process names, addresses, date of birth, details of the accommodation (name of hotel, room number, room rate, payment method, number of days, number of guests etc.), passport number (only for guests with a registered address abroad) and employer (for overnight stays covered by a company agreement).
To be able to enter into and comply with hotel agreements, it is necessary to process personal data such as names and contact information of contact persons at customers in both public and private sectors.
In order to maintain the hotel agreement, we need to keep personal data of contact persons at customers for agreements that last from 1 to 5 years.
Thon DISCOVERY is the Thon Hotels loyalty program in which members receive bonuses and discounts on overnight stays and selected restaurants in Oslo. To be able to comply with the agreement, it is necessary for us to process names, contact information, language choice, currency, details of accommodation history (see above), as well as any preferences that you have provided.
The Olav Thon Group offers various forms of customer service to assist our customers in various situations where this is necessary. In order to provide this service we will process your personal data with the purpose of identifying you, and troubleshooting in your account.
All audit logs that are retained for the purpose of providing you support services will be deleted when the purpose is achieved. All other information regarding complaints you may have registered with us will be stored for 10 years, in order for us to comply with any rights you may have under consumer law.
The legal grounds for processing your personal data for support purposes is lawful interest, our legal obligations and your approval of any membership terms.
Customer clubs for shopping centres
Each of our shopping centres has a customer club where members receive offers and newsletters sent by e mail or SMS text. To be able to comply with these agreements, it is necessary to process name, address, telephone number, e-mail address, gender and date of birth, among other things. We use an automatic look-up from Link Mobility AS, through Eniro AS, to make registration easier. Members can also choose to register interests, the number of children and age of children.
We offer free WiFi at our chopping centres and hotels. For you to be able to use this service, it is necessary for us to process IP address, MAC address and phone number, among other things.
Parking facilities (Time Park)
When you drive into and out of our parking facilities, we take a photograph of the number plate of your vehicle. We use the photographs and information about the time and place they were taken to calculate parking charges. If there is no charge payable when driving out, the photographs are deleted after you drive out. If there is a charge to pay, the photographs are deleted after the charge is paid or the claim is otherwise withdrawn. The camera does not photograph people inside the vehicle. You can find car parking close to wherever you are on the internet. To provide this service we need information about your location. We also use an online complaint form. If you complain about a calculated parking fee or penalty, we will process the personal data that you provide in the complaint. This is typically the name and address of the driver. There may also be further information about the driver and other persons in your reasons for the complaint and in any documents that you may attach. Time Park will collect details of who owns the vehicle from the Motor Vehicle Register.
Your Gift Voucher
In the payment solution to DittGavekort.no, we work with Nets, Evry and Microlog, and we need personal data about you in order to be able to deliver this service. We use your personal data to provide the service and support the product after it is delivered. The information that is obtained when performing the purchase is your e-mail address, so that we can send you a receipt for the purchase. We take name and address to be able to send you the gift voucher by post and your telephone number so that we can send the activation code, to ensure secure transport of the gift voucher.
Like most other businesses, we have a legitimate interest in marketing our services. If we have an existing customer/member relationship with you, we will send you relevant information relating to our services. For example, this could be sending invitations to events, information on current promotions, newsletters, members’ magazines etc. You can make a reservation against receiving this type of material at any time by sending an e-mail to .
Any marketing beyond this will be based on your consent.
In order to market our services, it is necessary for us to process names and contact information. You can also update your member profile yourself with your interests and preferences.
Test environment and development
We wish to offer stable, safe and easy-to-use IT systems. It is also important that IT systems contain the correct data. For this reason, we test and develop our IT systems so as to be able to pursue this justifiable interest. We endeavour to have anonymous test environments, but in some cases it may be necessary for us to use real personal data for testing purposes. In such cases, we will provide adequate information security, including access control, deletion and possibly pseudonymity.
We use a number of forms on our websites. In some cases, information is stored in the CMS, but otherwise it is relayed to our CRM system or the relevant contact person. Each form should be clearly marked with what the information is used for and we will not use personal data for other marketing unless an opportunity is provided and consent obtained.
The Olav Thon Group stores data on which search terms users use in our CMS and in Google Analytics. The purpose of storing this data is to improve our information provision. It is only the search words that are stored and these cannot be linked to other information about users, such as IP addresses.
How long do we store your personal data?
Personal data will not be stored any longer than is necessary in order to fulfil the purpose of the processing or statutory obligations; for example the Bookkeeping Act requires that we keep detailed purchasing history for five years.
We will also delete personal data about you if you ask us to, unless we have a legal basis or statutory obligation to keep your personal data further.
Can other people access your personal data?
We will only share your personal data with other companies in the Olav Thon Group to the extent necessary to ensure day-to-day operations. Since Thon Holding is responsible for administrative work in the Olav Thon Group, this means that personal data processed by Thon Hotels, including Thon DISCOVERY, and Thon Property and the customer clubs, as well as Time Park will be shared with Thon Holding. In addition to this, personal data about hotel operations and Thon DISCOVERY will be shared with the companies that are subsidiary to Thon Hotels. The legal grounds for this is justified interest, in that we wish to streamline operations and provide the best possible service.
Unpaid claims will be sent to debt collection companies. We will also share your personal data with public authorities to the extent necessary to comply with our legal obligations.
Beyond this, we will not share your personal data with other organisations unless you consent to this.
We take data security seriously and we have established suitable security measures to protect the integrity and accessibility of your personal data. Access to your personal data is limited to employees who have a need of such access in their work. We will provide training to employees and third parties where relevant, to further awareness of the Olav Thon Group's guidelines and routines for personal data protection.
Use of data processors
We use other companies, consultants or contractors to perform services on our behalf. This helps us to offer our services to you. For example, we may engage data processors:
- to handle advertising, communication, infrastructure and IT services;
- to personalise and optimise the service:
- to manage credit card transactions or other payment methods;
- to offer customer service;
- to analyse and improve data (including data on users’ interaction with the service);
- to manage and administer consumer surveys
The Olav Thon Group enters into data processor agreements with all organisations that process personal data on our behalf. Our data processors cannot process your personal data in any way other than those agreed upon by us and described in this data protection declaration.
Where is your personal data stored?
Personal data that is processed by the Olav Thon Group is essentially stored on servers in Norway and Europe. We do not store personal data in countries outside the EU/EEA. Personal data that is processed in connection with Thon DISCOVERY is stored at on the supplier’s servers in Frankfurt.
You have the right to access, correct or delete personal data or restrict the processing of personal data that applies to you. Under certain conditions you also have the right to protest against processing, as well as the right to data portability. You can also withdraw any consent you have given to the processing of your personal data at any time.
You also have the right not to be subject to any decision that is solely based on automated processing that has a legal effect for you or that significantly affects you in a corresponding way.
Any questions or requests to inspect information registered about you can be directed to or by post to Thon Holding AS, PB 489 Sentrum, 0105 Oslo.
If you believe that we are processing personal data in contravention of the law, you have the right to complain to the Norwegian Data Protection Authority ().
Data protection officer
The Olav Thon Group has appointed its own data protection officer to assist with guidance to ensure that personal data is treated properly and in line with the regulations. If you have any questions about or objections to Olav Thon Group's personal data processing, e-mail the data protection officer at .
If we make changes to this data protection declaration, the changes will be published on this website 14 days before they come into effect.