Corporate Privacy Notice

CORPORATE PRIVACY POLICY

V1.1 1 Legal

Version Date: 22 March 2024

This Notice

This Privacy Notice (“Notice”) contains important information about how we use personal data relating to the following data subjects (“you”):

tenants, suppliers, service providers, shareholders, potential investors and visitors to McArthurGlen properties who are natural persons; and

representatives of tenants, suppliers, service providers, shareholders, potential investors and visitors to McArthurGlen properties which are legal entities. Where relevant, those legal entities should ensure that their representatives are aware that their personal data is being used or otherwise processed by us as described in this Notice.

At McArthurGlen, we take the privacy of your personal data seriously. We have developed this Notice to give you full transparency about the information we collect about you, why we collect it and how we use it. We also need to ensure that you understand the rights you have over your personal data, including your rights of access to that data, how you can correct it and, if necessary, how you can erase it.

Introduction

McArthurGlen develops and manages designer outlet centres across the UK, Europe and Canada. McArthurGlen UK Limited, registered in England and Wales with company number 2810264 at Nations House, 3rd Floor, 103 Wigmore Street, London, United Kingdom W1U 1QS will be a controller of the personal data described in this Notice. In some circumstances, one of our group companies listed in Appendix 1 will also be a controller of your personal data. References in this Notice to “our”, “we”, or “us” refers to McArthurGlen UK Limited and the group companies listed in Appendix 1.

We may be contacted:

at dataprotection@mcarthurglen.com;

via our EU Representative appointed in accordance with Article 27 GDPR, MGE-RB (Roermond) Management Co B.V., registered in the Netherlands at Stadsweide 2, 6041 TD Roermond, The Netherlands , via dataprotection@mcarthurglen.com; or

where we have appointed a local Data Protection Officer in a specific jurisdiction, using the contact details in Appendix 1.

Our Data Protection Officer may also be contacted via dataprotection@mcarthurglen.com.

References in the remainder of this Notice to "the GDPR" are to Regulation (EU) 2016/679 (General Data Protection Regulation) with respect to our establishments in the European Union and European Economic Area (EU/EEA) and to the GDPR as it now forms part of retained EU law in the UK (the UK GDPR) for our establishment in the United Kingdom.

The type of personal data we collect and the source of that information

We may currently collect and process the following information about you:

First name, last name, date of birth, email address, address, phone number, copies of identification documents or information, photo or video and/or audio recording (in the context of our use of CCTV and Body Worn Cameras and where legally permitted);
Login details, passwords, visitor pass, IP address, online identifiers/ cookies, logs, access times (including in the context of you using our centres' WiFi (for more information see our WiFi Policy);
Job title, position and name of company;
Business financial information (e.g. bank account details, payment card details and billing address insofar as you are a natural person) and risk rating information such as credit risk rating;
Compliance related information (e.g., records of required training);
Results of background checks relating to organisations which may include related party checks;
Vehicle Registration Numbers;
For anti-money laundering and sanctions compliance purposes, due diligence information including details of source of funds and your ownership of corporate vehicles. Information available through public sources such as internet publications, the press, government lists of sanctioned entities and through providers of screening services. This may include information on whether you are politically exposed person, sensitive categories of personal data (for example, about political opinions or religious or philosophical beliefs) and about any criminal offences that you have committed or been accused of and related information;
Climate, energy and utility consumption data (where such data is personal data); and
Complaints, queries and information contained in your correspondence with us.

The purposes for processing your personal data

We use your personal data as follows:

Our Tenants

For the purposes of:

Our Relationship and Billing

Considering whether to enter into a tenancy agreement with you;
Details relating to the identity of tenants for the purposes of fulfilling obligations, ongoing billing and management arrangements under a lease and collecting debts; and
Exercising our legal rights and remedies.

Anti-Money Laundering and other legal requirements

Considering your tenancy application with us, at the outset of our relationship, on an ongoing basis and at the point of renewal for anti-money laundering and financial crime prevention purposes. We will use your personal data to check the identity of relevant individuals for fraud prevention, sanctions compliance anti-money laundering purposes and as otherwise required by applicable law.

Operations, Health and Safety

Providing property and facility management services. We may collect your personal details to register facility issues in connection with services under your lease. This is performed as part of our contract with our tenants and as legitimate interest to review and improve our services to our tenants;
Reporting any injuries or potential insurance claims. These may include special categories of personal data to ensure that we comply with our legal responsibilities in relation to Health and Safety investigation and reporting, and in relation to defending any future legal claims.
Preventing and detecting crime including anti money laundering and financial sanctions compliance, protecting our properties, protecting the vital interests of individuals or shared with third parties such as insurance providers and legal advisors in order to defend a claim, government or other competent organisations who are required to report on incidents by law or the police to investigate a crime; and
Providing business continuity services to allow us to alert tenants and their employees of an incident that may impact their business operations. This is a legitimate interest to effectively respond to incidents at our properties.

Our Shareholders and Potential Investors

For the purposes of:

Considering and processing your investment application, including for anti-money laundering purposes;
Managing our relationship with you after you have invested in us, for example sending you notices of shareholder meetings and information about our activities, and paying you dividends;
To prevent and detect crime including anti money laundering and financial sanctions;
Communicating with insurers, regulators (which in the UK would include the ICO) and law enforcement agencies in order to comply with reporting obligations, deal with their enquiries and co-operate with regulatory and law enforcement;
Communicating with banks and suppliers in order to satisfy their due diligence requirements when asked about our investment/holding structure; and
Exercising our legal rights and remedies.

Our Suppliers or Service Providers

For the purposes of:

Our Relationship

Considering whether to enter into a contract with you;
Managing our relationship with you after you have become a supplier or service provider of ours;
Organising tenders, implementing tasks in preparation of, or performing existing contracts; and
Exercising our legal rights and remedies.

Anti-Money Laundering and other legal requirements

Ensuring we meet our anti-money laundering and other financial crime prevention obligations. We will use your personal data to check the identity of relevant individuals for fraud prevention, sanctions compliance and anti-money laundering purposes. This will include monitoring, carrying out due diligence, name screening, etc.
To prevent and detect crime including anti money laundering and financial sanctions compliance and as otherwise required by applicable laws.

Operations

Monitoring our facilities to ensure compliance with applicable policies and laws;
Granting you access to our facilities and/or certain technologies to allow you to perform services;
Managing our technology resources (e.g., cyber-risk management, infrastructure management and business continuity);
Preserving our economic interests and ensure compliance (e.g., complying with our policies and legal requirements, tax and deductions, managing alleged cases of misconduct or fraud, conducting audits and participating in litigation); and
Defending or bringing legal proceedings.

Our Tenants, Suppliers, Service Providers and Other Corporate Visitors to McArthurGlen properties

Security Systems

As part of our security operations, we also collect CCTV and Body Worn Camera images and audio (where legally permitted) of individuals visiting our properties. This personal data is collected based on the performance of a task carried out in the public interest, to pursue our legitimate interests to protect the property in question, to protect the safety and vital interests of our visitors, employees, tenants and customers, to assist with the prevention and detection of crime and to provide our contracted service to our tenants. CCTV is not used for monitoring of staff or contractual performance;
We may use third party service partners to provide security services. The data we collect may be shared with the police, tenants, local authorities, other sites or local crime reduction partnerships and initiatives for our legitimate interests to run successful businesses in environments that are safe for our staff and customers, and the prevention and detection of crime. These organisations may also share data with us. This data may also be shared with third parties for the purposes of enforcement; and
We may also obtain and share the information with insurance companies where they request data relating to insurance claims to support their legitimate interests, or those of their clients, or to exercise our legal rights and remedies.

Corporate Cark Parking

Within our car parks, we may collect personal images and Vehicle Registration Numbers relating to visitors to our properties from CCTV and ANPR (Automatic Number Plate Recognition) systems.

Our Legal Basis

We will not use or otherwise process your personal data without a proper legal basis.

Where the GDPR applies, unless already specified above, we rely on the following bases for our use of your personal data:

the processing is necessary to take pre-contractual steps with you or to perform our contractual obligations towards you;
it is necessary to comply with our legal or regulatory obligations;
it is necessary for our legitimate interests and does not unduly affect your interests or fundamental rights and freedoms . Please note that, when processing your personal data on this basis, we always seek to maintain a balance between our legitimate interests and your privacy;
in the case of sensitive categories of personal data and criminal offences and allegations and related information, you have provided your consent or we are obliged to do so under applicable law, such as compliance with sanctions, or it is necessary in the public interest. We do not use such information to discriminate against individuals based on their political opinions or religious or philosophical beliefs. We do not use information concerning criminal offences or allegations or related information unless relevant for anti-money laundering or crime detection or prevention purposes;
necessity in our legitimate interest of enforcing and defending our legal rights; and
necessity to perform a task carried out in the public interest.

Consent

Where our legal basis for using your personal data is consent, you may withdraw that consent at any time by writing to us or emailing us at dataprotection@mcarthurglen.com. This will not affect the lawfulness of the processing that has been carried out based on your consent prior to the withdrawal.
When making the request, please provide your full name and address and/or email address in the form in which they were originally provided to us to avoid any possible confusion with a different individual. We may ask you for further information to verify your identity.

Sharing your personal data

We may share your personal data with:

Our lawyers, accountants and other professional advisers;
Insurers, claims and loss adjusters and our auditors;
Our service providers including anti-money laundering related due diligence services, financial information and security providers, financial services providers and our banks;
Third parties in the event of a court order, where otherwise required by law or where required for the investigation of an illegal or wrongful act;
Our group companies, investors and joint venture partners;
Any person who proposes to acquire us, our business or part or all of any of our properties and that person's agents and advisers to the extent necessary to prepare for and to give effect to such transaction;
The new manager in the event of a change in management of one of our centres; and
Regulators and government and law enforcement agencies (which, in the UK, could include the National Crime Agency, the UK Financial Intelligence Unit and/or the Office of Financial Sanctions Implementation).

International Transfers

From time to time we may internationally transfer your personal information to our group companies, suppliers or service providers. Whenever we transfer your personal data internationally it will be subject to appropriate safeguards and receive an adequate level of protection as required by applicable data protection law Please contact us at dataprotection@mcarthurglen.com if you want further information on the specific transfer mechanisms used by us when transferring your personal data internationally.

How long we keep your personal data

We will only retain your personal data for as long as necessary to fulfil the purpose for which it was collected, or to comply with legal or regulatory requirements, or to protect against legal claims. For more information on our retention policy, please contact us at dataprotection@mcarthurglen.com.

Your data protection rights

Under the GDPR, subject to certain exceptions and as applicable, you may exercise the following rights in relation to the personal data we hold about you:

Access - You have the right to obtain confirmation as to whether or not we are processing your personal data and, where this is the case, to ask us for copies of the data and information about the processing.

Rectification - You have the right to ask us to correct your personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.

Erasure - You have the right to ask us to erase your personal information where we have no compelling reason to keep using it. This is not a general right; there are exceptions, e.g., if we have a legal obligation to keep the data.

Restriction of processing - You have the right to ask us to restrict the processing of your personal information in certain circumstances.

Objection to processing – Where we process your data for purposes of pursuing our legitimate interests, you have the the right to object to the processing of your personal information unless we have strong and legitimate reasons to continue using the data.

Portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, where we have used your information based on your consent or the need to perform a contract.

You are not required to pay any charge for exercising your rights. If you make a request, we usually have one month to respond to you.

Please contact us at dataprotection@mcarthurglen.com if you wish to make a request. When making the request, please provide your full name and address and/or email address in exactly the form in which they were originally provided to us to avoid any possible confusion with a different individual. We may ask you for further information to verify your identity.

Change of Purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

How to complain

If you have any concerns about our use of your personal information, you can make a complaint to us at dataprotection@mcarthurglen.com. You also have the right to make a complaint at any time to your relevant supervisory authority details of which, if you are based in the EU, can be found here.

Changes to this Notice

We may occasionally update this Notice. We encourage you to periodically review this Notice to stay informed about how we are using and protecting information that we collect. This Notice was last updated on 26 February 2024.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

Appendix 1: List of Controllers McArthurGlen Entity Name	Jurisdiction	Address	Contact for Local DPO if Applicable
McArthurGlen Management Gesellschaft m.b.H.	Austria	Designer Outlet Strasse 1, A – 7111 Parndorf, Austria	N/a
McArthurGlen Management Vancouver Limited	Canada	Suite 1500 Royal Centre, 1055 W. Georgia Street, PO Box 11117 Vancouver, BC V6E 4N	N/a
MG-RB Europe SAS	France	44 Mail de Lannoy, 59100 Roubaix, France	N/a
McArthurGlen Service GmbH	Germany	Berlin Designer Outlet, Alter Spandauer Weg 1, 14641 Wustermark, Germany	ppa. Uwe Mayer Senior Consultant DH+P Gesellschaft für Unternehmensberatung mbH Reichertweg 10, D – 63069 Offenbach am Main Sitz: Offenbach a.M., AG: Offenbach a.M., HRB: 49674 Geschäftsführer: Jens Müller, Sven Middelhauve Tel.: +49 69 8400 9489
MGR Management & Retail Srl	Italy	Castel Romano Outlet Centre, via Ponte di Piscina Cupa 64, 00128 Castel Romano (Roma), Italy	N/a
McArthurGlen Management Spain SLU	Spain	Calle Alfonso Ponce de Léon 6, 29004 Málaga	N/a
MGE-RB (Roermond) Management Co B.V.	Netherlands	Stadsweide 2, 6041 TD Roermond, The Netherlands	N/a