Personal data protection declaration

Your data protection is important to the Olav Thon Group and we are committed to protecting the integrity, availability and confidentiality of your personal information. All processing of personal data by the Olav Thon Group shall comply with the data protection regulations at any given time, including the GDPR and the Personal Data Act. This personal data protection declaration provides in-depth information about what personal data is collected, how data is collected, and what rights you have if personal data about you is registered with us.

Your data protection is important to the Olav Thon Group and we are committed to protecting the integrity, availability and confidentiality of your personal information. All processing of personal data by the Olav Thon Group shall comply with the data protection regulations at any given time, including the GDPR and the Personal Data Act. This personal data protection declaration provides in-depth information about what personal data is collected, how data is collected, and what rights you have if personal data about you is registered with us.

Data controller

Olav Thon Gruppen AS determines the purpose of the processing of personal data and the means to be used for the different companies where the Olav Thon Gruppen AS has a 50% or more holding (collectively referred to below as the Olav Thon Group). In our assessment therefore, Olav Thon Gruppen AS is to be considered as data controller for the personal data that is processed by the Olav Thon Group, cf. summary below. The administrative and operational responsibility for compliance with data protection in the Olav Thon group has been delegated to Thon Holding AS. Responsibility for the daily follow-up of our compliance with the data protection regulations has been delegated to the data protection coordinator of the Olav Thon Group.

Our processing of personal data

The Olav Thon Group processes personal data for the following main purposes:

Operation of shopping centres

To be able to operate our shopping centres it is necessary to process personal data relating to tenants, including names and contact information for contact persons at the tenants and the names of employees who are registered in the IT systems for registration of daily sales, as well as personal data that is processed as part of our control measures, such as security services.

Leasing of commercial property

In connection with the leasing of commercial property, it is necessary for us to process personal data such as name and contact information of contact persons at tenants.

Rental and sale of homes

To be able to enter into and comply with agreements for the rental or sale of homes, it is necessary for us to process names, contact information, personal ID numbers, credit checks (for rental), family relationships/marital status etc.

Operation of hotels

In order to administer hotel bookings, course and conference bookings and offer accommodation to our guests, it is necessary for us and our partners to process names, addresses, date of birth, details of the accommodation (name of hotel, room number, room rate, payment method, number of days, number of guests etc.), passport number (only for guests with a registered address abroad) and employer (for overnight stays covered by a company agreement).

Table reservation at our restaurants

In order to manage table reservations at some of our restaurants, it is necessary for us to process information such as name, contact information, telephone number, e-mail address and comments regarding the reservation. The personal information is primarily used to provide customer service. If you have consented, we will also use the information to provide you with relevant information and great offers from the restaurant. Communication will take place via e-mail and / or SMS.

Hotel agreements

To be able to enter into and comply with hotel agreements, it is necessary to process personal data such as names and contact information of contact persons at customers in both public and private sectors. In order to maintain the hotel agreement, we need to keep personal data of contact persons at customers for agreements that last from 1 to 5 years.

Thon+

THON+ is Thon Hotels' loyalty program. Members receive benefits in connection with accommodation, bonus points and other benefits. For more information, see THON+ Privacy Policy here: https://www.thonhotels.com/thon-plus/terms-and-conditions/privacy-policy-thon/.

Customer support

 

  • The Olav Thon Group offers various forms of customer service to assist our customers in various situations where this is necessary. In order to provide this service we will process your personal data with the purpose of identifying you, and troubleshooting in your account.
  • All audit logs that are retained for the purpose of providing you support services will be deleted when the purpose is achieved. All other information regarding complaints you may have registered with us will be stored for 10 years, in order for us to comply with any rights you may have under consumer law.
  • The legal grounds for processing your personal data for support purposes is lawful interest, our legal obligations and your approval of any membership terms.

 

Customer clubs for shopping centres

Each of our shopping centers have a customer club where members receive offers and newsletters sent via SMS and / or e-mail. In order to fulfill this agreement, it is necessary to process, among other things, name, address, postal code, telephone number, e-mail address, gender and date of birth. We use auto-lookups from Link Mobility AS, through Eniro AS, and from Boostcom, through Bisnode, to make registration easier. In addition, members may choose to register interests, number of children and age of children, as well as consent to the processing of behavioral data collected / processed. All marketing is done according to the information we receive and the consent given.

To avoid storing information about inactive members, we keep track of your activity. After two years of inactivity, we will send a request if you still want to be a member, via SMS and email. In the absence of a reply or message that you do not wish to be a member, all personal information about you will be deleted. Definition of inactive member: Did not open SMS link, newsletter or app in 2 years.

We are in process of changing provider of the technical system for the customer club and will, for a transitional period, move your personal data to the new system. Changing the technical system will not affect your privacy.

Min Shopping (Shopping Center App)

Purpose

When using the “Min Shopping” app, we will process personal information about you for the following purposes:

  • Stay up to date on the center's opening hours, offers, activities and promotions/ campaigns
  • If you choose to register as a loyalty club member, provide you with relevant offers and discount coupons
  • Participation in user surveys, provided that you have consented to this.
  • If you agree to share your location, this data will be used to find our centers near you
  • If you agree to “register your visit”, we will give you relevant offers based on stores you visit. In addition, we use anonymous data for insight. All processing of personal data takes place on your phone. The Olav Thon Group does not have access to your movements, transactions or other behavioral data.

Especially about the use of location data

We want to use location data for the reasons mentioned above. Some of our shopping centers have installed transmitters that are used for visitor registration. This is so that we can gain better insight into the use of our shopping centers and have a good data basis for further development. We only process data at an aggregate level and do not have the opportunity to acquire information about an individual, all processing of personal data will only take place on your phone.

Receivers

We enter into data processor agreements with all companies that process personal data on our behalf. Our data processors may not process your personal information in any way other than as agreed with us and described in this privacy statement. The data is stored within the EU / EEA. Beyond this, the personal information is not transferred to other third parties.

Storage

Personal information collected through the “Min Shopping” app can be deleted at any time via your profile under "my settings" in the app. Note that if you delete your information, you will also be opted out from your loyalty clubs. In the same way, your data is deleted when you opt out of your customer clubs.

Your rights

As a user of the app, you have rights under the Personal Data Act. You can access, correct or delete your information in the app at any time under "my settings". Would you prefer to get in touch with us regarding your rights, you can use the form at the bottom of this page.

Thon Wifi

We offer free WiFi at our chopping centres and hotels. For you to be able to use this service, it is necessary for us to process IP address, MAC address and phone number, among other things.

Thon Flex

Upon use of the Thon Flex App, information about the location of your mobile device, will be registered only when:

  • You have accepted sharing of location data in your mobile device operating system (only iOS);
  • You have consented in the app that location data may be registered even as the app is not running.

We will also ask for consent to access push functionality on your mobile device – this in order to be able to send you messages from the app. Consenting to this will allow the app to gather data about your mobile device and its network connection, for instance your operating system, device manufacturer or network-Id.

Parking facilities (Time Park)

When you drive into and out of our parking facilities, we take a photograph of the number plate of your vehicle. We use the photographs and information about the time and place they were taken to calculate parking charges. If there is no charge payable when driving out, the photographs are deleted after you drive out. If there is a charge to pay, the photographs are deleted after the charge is paid or the claim is otherwise withdrawn. The camera does not photograph people inside the vehicle. You can find car parking close to wherever you are on the internet. To provide this service we need information about your location. We also use an online complaint form. If you complain about a calculated parking fee or penalty, we will process the personal data that you provide in the complaint. This is typically the name and address of the driver. There may also be further information about the driver and other persons in your reasons for the complaint and in any documents that you may attach. Time Park will collect details of who owns the vehicle from the Motor Vehicle Register.

Upon use of our ParkLink-app, information will be stored as long as a user is active. Consent is collected in the installation process, and again in any subsequent update of our privacy policy. For more information, go to: www.parklink.no. Certain locations have a built-in waiting period in the tariff structure (se sign at entrance/tollgate or toll road listings on vegvesen.no). This requires data to be stored until the end of the waiting period (usually 1 hour).

Camera surveillance (use of ITV)

To prevent, detect and investigate criminal offenses, our properties are equipped with ITV equipment. Photos and video are stored for 7 days and then deleted. Information obtained from photos and / or video can be shared with the police in connection with criminal cases. Places where ITV equipment is used are marked and information on use can be found on site.

Your Gift Voucher

In the payment solution to DittGavekort.no, we work with Nets, Evry and Microlog, and we need personal data about you in order to be able to deliver this service. We use your personal data to provide the service and to support the product after it is delivered. The information we obtain when you purchase an SMS gift voucher is your name and e-mail address, so that we can send you a purchase receipt. We will also store the recipients phone number, so we are able to send an access code. Purchasing physical gift vouchers to be delivered by post, requires us to obtain the buyers address so we can send a purchase receipt as well as the recipients or the buyers name, address and phone number for delivery and activation of the gift voucher.

Marketing

Like most other businesses, we have a legitimate interest in marketing our services. If we have an existing customer/member relationship with you, we will send you relevant information relating to our services. For example, this could be sending invitations to events, information on current promotions, newsletters, members’ magazines etc. You can make a reservation against receiving this type of material at any time by sending an e-mail to gdpr.personvern@olavthon.no.

Any marketing beyond this will be based on your consent.

In order to market our services, it is necessary for us to process names and contact information. You can also update your member profile yourself with your interests and preferences.

Test environment and development

We wish to offer stable, safe and easy-to-use IT systems. It is also important that IT systems contain the correct data. For this reason, we test and develop our IT systems so as to be able to pursue this justifiable interest. We endeavour to have anonymous test environments, but in some cases it may be necessary for us to use real personal data for testing purposes. In such cases, we will provide adequate information security, including access control, deletion and possibly pseudonymity.

Websites and apps

We use a number of forms on our websites. In some cases, information is stored in the CMS, but otherwise it is relayed to our CRM system or the relevant contact person. Each form should be clearly marked with what the information is used for and we will not use personal data for other marketing unless an opportunity is provided and consent obtained.

We use cookies on our websites. Cookies are a piece of data in the form of text or numbers, stored locally on your computer when you visit the site. We use cookies to obtain information about the number of visitors to different pages, the duration of visits, the websites the users came from and the browsers used, among other things. This is information that is used for internal statistics and to improve the website and your user experience. The data is processed in de-identified form, which means that we cannot track the information we collect back to an individual user.

By visiting our domains, you agree to our use of cookies. If you wish to deactivate the use of cookies, you can do so in the settings on your web browser. Please note that deactivating cookies can result in a poorer user experience.

Read more about the use of cookies her.

The Olav Thon Group stores data on which search terms users use in our CMS and in Google Analytics. The purpose of storing this data is to improve our information provision. It is only the search words that are stored and these cannot be linked to other information about users, such as IP addresses.

Our mobile applications use tools to track user behavior and app navigation. This information is used only to improve the user experience, and is not traceable to any individual user. We also gather information on use and individual units in order to follow up on error messages. Any other access to information requires permission settings, which is under user control.

How long do we store your personal data?

Personal data will not be stored any longer than is necessary in order to fulfil the purpose of the processing or statutory obligations; for example the Bookkeeping Act requires that we keep detailed purchasing history for five years.

VWe will also delete personal data about you if you ask us to, unless we have a legal basis or statutory obligation to keep your personal data further.

Can other people access your personal data?

We will only share your personal data with other companies in the Olav Thon Group to the extent necessary to ensure day-to-day operations. Since Thon Holding is responsible for administrative work in the Olav Thon Group, this means that personal data processed by Thon Hotels, including Thon Discovery, and Thon Property and the customer clubs, as well as Time Park will be shared with Thon Holding. In addition to this, personal data about hotel operations and Thon Discovery will be shared with the companies that are subsidiary to Thon Hotels. The legal grounds for this is justified interest, in that we wish to streamline operations and provide the best possible service.

Unpaid claims will be sent to debt collection companies. We will also share your personal data with public authorities to the extent necessary to comply with our legal obligations.

Beyond this, we will not share your personal data with other organisations unless you consent to this.

Data security

We take data security seriously and we have established suitable security measures to protect the integrity and accessibility of your personal data. Access to your personal data is limited to employees who have a need of such access in their work. We will provide training to employees and third parties where relevant, to further awareness of the Olav Thon Group's guidelines and routines for personal data protection.

Use of data processors

We use other companies, consultants or contractors to perform services on our behalf. This helps us to offer our services to you. For example, we may engage data processors:

  • to handle advertising, communication, infrastructure and IT services;
  • to personalise and optimise the service;
  • to manage credit card transactions or other payment methods;
  • to offer customer service;
  • to analyse and improve data (including data on users’ interaction with the service);
  • to manage and administer consumer surveys

The Olav Thon Group enters into data processor agreements with all organisations that process personal data on our behalf. Our data processors cannot process your personal data in any way other than those agreed upon by us and described in this data protection declaration.

Where is your personal data stored?

Personal data that is processed by the Olav Thon Group is essentially stored on servers in Norway and Europe. We do not store personal data in countries outside the EU/EEA. Personal data that is processed in connection with Thon Discovery is stored at on the supplier’s servers in Frankfurt.

Rights

You have the right to access, correct or delete personal data or restrict the processing of personal data that applies to you. Under certain conditions you also have the right to protest against processing, as well as the right to data portability. You can also withdraw any consent you have given to the processing of your personal data at any time.

You also have the right not to be subject to any decision that is solely based on automated processing that has a legal effect for you or that significantly affects you in a corresponding way.

Any questions or requests to inspect information registered about you can be directed to personvern.gdpr@olavthon.no or by post to Thon Holding AS, PB 489 Sentrum, 0105 Oslo.

If you believe that we are processing personal data in contravention of the law, you have the right to complain to the Norwegian Data Protection Authority post@datatilsynet.no.

Data protection officer

The Olav Thon Group has appointed its own data protection officer to assist with guidance to ensure that personal data is treated properly and in line with the regulations.

If you have any questions about or objections to Olav Thon Group's personal data processing, e-mail the data protection officer at: personvernombud@olavthon.no.

Changes:

If we make changes to this data protection declaration, the changes will be published on this website 14 days before they come into effect.