This Privacy Notice may vary from time to time so please check it regularly. 

This Notice describes the types of information collected, how that information is used and disclosed, and how you can access, modify, or delete your information.

Land Securities Properties Limited (company number 961477) whose registered office is at 100 Victoria Street London SW1E 5JL (“we”, “us” or “our”) is the ‘data controller’ for the personal data we collect. We are registered with the Information Commissioner’s Office with registration number Z5806812. 

1. Wi-Fi in our centres

Read our Wi-Fi service privacy policy.

2. Marketing, analytics and guest services

How do we collect information about you?

1. Entering into a competition or promotion hosted by us or our third parties: You may provide us with personal data when you subscribe to these services either online or through a physical form.  
2. Enrolling for a loyalty card or a club run at our centres: you will typically provide us with your name and contact details when you enrol for a loyalty card either online or through a physical form. 
3. Feedback: providing feedback to us through our online surveys where you may provide your contact details and subscribe to receiving marketing information. You can also provide us feedback through writing to or emailing the centre with any comments, complaints or suggestions.
4. Website usage: We may also collect information from you automatically when you access and use our Online Services, including the time and duration of your visit, the referring URL, your Internet Protocol (IP) or MAC address, the type of device you use and its operating system. As with most websites, we also operate cookies on ours and further details can be found in the section on cookies below. 
5. Purchasing a gift card online or at our centres:  the processing of this data is performed by a third party. You  may be required to enter personal information for shipment or payment processing, or to log ownership of the card to assist you in the event that your card is lost or stolen.  You may also consent to receiving marketing information when purchasing a gift card. 
6. Enrolling for an event: we may collect your name and contact details if you wish to participate in an event that is organised at one of our centres. This data may be captured on a third party booking system. 
7. Promotional Photography or Filming: we may take photographs or video of you when you attend one of our events. Signs will be displayed during the event to advise you when and where photographs or video are being taken, and if you have concerns or do not wish to be photographed or filmed please raise these with a member of our staff. These images will be used for promotional purposes on our website and Social Media. 
8. Interaction with social media: depending on the Privacy setting you have applied in your Social Media accounts, and based on the content that you choose to share, when you interact with our Social Media presence we will have access to your user generated content, such as posts, comments, pages, profiles and images. Also depending on the Privacy setting you have applied in your Social Media accounts, and based on the content that you choose to share, we may have access to contact details, personal information (such as age, gender, employer, education, location and habits and preferences).
9. Car parking: we may collect your license plate to administer our car parking fees, and your credit card details will be collected if you choose this payment method. You may also subscribe to frequent visitor schemes or staff parking benefits where we will also receive your contact details to register you for the service.  Our payment providers and operators of our Car parking services are third parties. We use Clover and NMI as payment processors and Lloyds Cardnet merchant banking services (please see hyperlinks for relevant privacy notices).
10. Loan or hire equipment: you may provide us your personal details so that we loan or hire equipment to you, such as push chairs or mobility aids. 
11. Miscellaneous Forms: there are miscellaneous forms at site which can also record your personal information – for example lost property, coach booking services etc.
12. Postal Service: We may provide a service to distribute mail to you at our site, and your contact details on our mailing system to notify you and track delivery.
13. Analytics: Our CCTV may be equipped with technology that recognizes the presence of a person and records demographic data (such as an age approximation and gender); dwell time; and counting of volumes of people. This technology is not used for the purpose of uniquely identifying a person – it provides Landsec with insight into the use of our physical spaces as a legitimate interest. 

In all of the above instances, we will only provide you with email marketing where you have consented and you can withdraw this consent at any time by clicking the unsubscribe link within the emails you receive.  Where we send you information electronically, we review whether the communication has been opened and whether you have clicked on any links in the communication. This is because we want to make sure that our communications are useful for you. 

We also use third party marketing agencies who may have access to your personal details to develop email marketing campaigns and social media, to provide customer insight through the analysis of data and to collect personal data on our behalf.  We store your information in a secure marketing database hosted by a third party which we use to also generate our email marketing campaigns. 

Landsec uses service partners to provide front of house, concierge and guest services as well at its properties.

In relation to third parties, we ensure that they will also safeguard your data – please see Protection of Your Information below.

For what purpose is it collected?

The personal information gathered through WIFI and Marketing is for our legitimate business interests, this includes to: 

1. Tailor our online services to you so the content you see is relevant to you. For example, we may request your date of birth, gender and some basic interests (such as ‘shopping’ and ‘dining’) so that we can provide you with content that we think you will be interested in – “profiling”; and
2. Collect data obtained through our interaction with customers for research, analysis, testing, monitoring, risk management and administrative purposes including the optimisation of service delivery at our properties and to improve the customer experience.  
3. Promote our site externally. 
4. We frequently ask for post code during our customer interactions to help us better understand our customers. We share this data with third parties without any personal identifiers to assist with our insight and analysis. 

For the gift card, loyalty programs and clubs, events, car parking, postal service, hiring services, Wifi-Service and competitions and promotions, the legal basis is also to form a contract with you to provide these services and promotions. 

For Social Media, our purpose is for our legitimate interests to i) respond to customer complaints; ii)  obtain insight into the use and perception of our customer offerings so that we can improve them. For example, we collect and analyse your public posts that you make directly to us on social media to help us understand if we are receiving negative or positive comments across all of our social media channels. Iii) run promotions, competitions and events to increase engagement with our customers. 
License plate data is also collected for our legitimate interest to understand repeat visits to our centres and to understand how the car park is used to optimize the customer experience. For example, we use publicly available DVLA databases to cross reference license plate information to understand the make and model or vehicle to forecast the growth of electric powered vehicles to ensure that charging points are available. 
 

Data minimisation and retention

We will only collect the minimum amount of personal information necessary, and will only keep your information for as long as you remain engaged with our marketing campaigns. Where you have not engaged with our marketing material for over a year, we will take steps to remove your information from our marketing database. Where you unsubscribe from our marketing, we will add your email address to our suppression list and delete any additional information that we hold about you.

Where you have provided your details in relation to a competition, we will delete your personal data when the competition has finished (unless you have consented to your information being used for marketing purposes). 

For any contractual purpose, your personal data will be held for as long as is required to deliver the services requested.

For analysing responses to customer feedback, we generally keep these for 15 months to allow year on year comparisons.

For our VIP event run in our outlets, personal data is deleted after a period of 12 months unless you have subscribed to receive our marketing material.

3. Security

How do we collect information from you?

As part of our security operation, we will also be collecting personal images relating to visitors and customers to its properties from CCTV, Body Mounted Video and ANPR (Automatic Number Plate Recognition) systems. 

We use third party service partners to provide security services, but the information recorded through these technologies is held on systems we control. The data we collect may be shared with the police, tenants, local authorities, other sites or local crime reduction partnerships and initiatives for our legitimate interests to run successful businesses in environments that are safe for our staff and customers, and the prevention and detection of crime. These organisations may also share data with us. ANPR data can be shared with third parties for the purposes of enforcement.

We may also obtain and share the information with insurance companies where they request data relating to insurance claims to support their legitimate interests, or those of their clients, or to defend legal claims.

We also capture personal data within Access Control systems which may provide access to the building in our London Commercial properties. Personal data is also collected from visitors to our properties. Access control data is held within our systems and the visitor management data may be held on third party systems. 

In relation to access control and visitor data, where the data relates to our employees, contractors or visitors, we consider ourselves to be the Controller. However, personal data relating to our occupier’s staff, contractors and employees, we consider our occupiers to be the Data Controller. At some of our sites an automated system hosted by a third party is used by our tenants to register visitors. This data is then provided to our reception and security teams to allow access to the building.

Security Analytics: Our CCTV may be equipped with technology that recognises the presence of a person (not a specific person), and raises a security alert based on a number of triggers relating to the position of the person relative to the building, such as a person in the building after it is closed or in an inaccessible area. The alerts are reviewed by a security operative to determine the appropriate response. The technology provides Landsec with support in keeping its premises secure and its occupants safe as a legitimate interest, and does not involve facial recognition processing, or any processing for the purpose of unique identification through biometrics.

In relation to third parties, we ensure that they will also safeguard your data – please see Protection of Your Information below.

For what purpose is it collected?

CCTV, BMV, ANPR, Visitor and Access control data is collated to pursue our legitimate interests to protect the property in question, to protect the safety and vital interests of our visitors, employees, tenants and customers,to assist with the prevention and detection of crime and to provide our contracted service to our tenants. CCTV is not used for monitoring of staff or contractual performance, however, if CCTV is required as part of a disciplinary investigation it can be used for this purpose if the seriousness of the investigation warrants it. 

ANPR is collected to fulfill a contract between ourselves and our users of our parking facilities, including enforcement action. At some of our sites ANPR automatically issues a penalty notice where the duration of stay exceeds the amount that has been paid for. If you wish to appeal a penalty notice issued as part of an automated process, please contact dataprotection@landsec.com. 

Access control data is also processed because of our contractual responsibilities to our occupiers.

Data minimisation and retention

For CCTV and Body Mounted Video: Generally, this data will not be held for longer than 31 days unless an incident or suspected incident has occurred. 

ANPR: Kept for as long as is contractually required.

Access Control Systems: Access cards and the personal data associated with them are deleted on requests from our occupiers. Cards which are not used for three months are deactivated. Any passes which have remained inactive for twelve months will have all data relating to the card permanently deleted. 

Visitor Management Systems: All data is deleted where a visitor has not returned to the site within six months.

4. Accident and incident reporting

How do we collect information from you?

When an incident occurs at one of our properties, we are required to document the particulars of an incident which may include witness statements, CCTV footage, photographs and written reports. This information may include special categories of data depending on the nature of the incident. A third-party system is used to log details relating to these incidents and physical paperwork may also be stored on site. 

The data may be shared with third parties such as insurance providers and legal advisors in order to defend a claim, government or other competent organisations who are required to report on incidents by law or the police to investigate a crime. It may also be shared with a third party who are liable for a claim under their contractual relationships with us for the purposes of allowing them to defend a claim. This information may also be shared with government or other competent organisations who are required to report on incidents by law or the police to investigate a crime.  

For what purpose is it collected?

This information is collected to ensure that we comply with our legal responsibilities in relation to Health and Safety investigation and reporting, and also in relation to any future legal claims. The information can also be used to prevent and detect crime, or to protect the vital interests of individuals. Where health information is collected we may also need this for our substantial public interest for Insurance processing. 

Data minimisation and retention

All personal data (CCTV, Witness Statements, Photographs and written reports) relating to the incident is held for six years, unless there are reasons to retain it for longer, such as an ongoing HSE investigation, a suspected pattern of fraud, or because an injury has been sustained by a child. 

5. Other uses

In addition to the purposes already described, we may use information collected to perform other important business operations, for example: to understand usage patterns (such as foot traffic) within our properties; to develop, provide, improve and personalise products and services; and, to provide customer service/support.  We may undertake additional research, analysis, and surveys, both online and in our centres. The lawful basis for this use of Information is for our legitimate business interests.

6. Other recipients and third-party transfers not detailed previously

We may pass on or allow access to your information:

• to our suppliers, contractors and professional advisors where this is necessary for them to provide services and facilities to us, such as to provide car parking services; 
• to our Joint Venture partners;
• to any purchaser of all or part of our business or any of our properties;
• to sell, make ready for sale or dispose of our business in whole or in part including to any potential buyer or their advisers;
• where we are required to do so by law, court order or other legal process;
• where, acting in good faith, we believe disclosure is necessary to assist in the investigation or reporting of suspected illegal or other wrongful activity.  This may include exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction; to protect and defend our rights or property; to deal with any misuse of any of our Services; or in order to enforce or apply our terms and conditions and other agreements with third parties;
• to our group companies and affiliates or third-party data processers who may process data on our behalf to enable us to carry out our usual business practices.
• Personal data relating to an insurance claim, including sensitive data, may be transferred to our reinsurance business based within the Land Securities Group (Land Securities Insurance Limited (registered in Guernsey as a Data Controller (ref 11453)).
• Landsec uses Microsoft Office 365 cloud technology for its operations. Its data centres are located with the EEA.  

7. Protection of your information

We have in place administrative, technical and physical measures designed to guard against and minimise the risk of loss, misuse or unauthorised processing or disclosure of the personal information that we hold. We place similar obligations on our third parties and risk assess their security based on the sensitivity of the personal data that they hold. 

If we transfer your personal information outside of the UK, it will continue to be subject to one or more appropriate safeguards set out in the law. These might be the use of model contracts in a form approved by regulators, or having our suppliers sign up to an independent privacy scheme approved by regulators.  

8. Links to other websites

This Privacy Notice only applies to the websites provided by us. If you link to another service and/or website from here, you should remember to read and understand that service and/or website’s privacy and cookies policy as well. We are not responsible for any use of your information that is made by other services and/or websites. Links or advertisements do not imply that we endorse or have reviewed such third parties or their privacy practices.

9. Child data

We do not collect Information from children under the age of 13, but it may be collected from parents/guardians with their consent.  Examples include the Kids Club services within our centres, and competitions that involve children’s participation. We will not market directly to children. If you are under 13 and have inadvertently subscribed, please notify us as dataprotection@landsec.com to have your consent to marketing removed. 

10. Your rights

You have the right to opt out of receiving any marketing information which we send you. 

Your duty to inform us of changes

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.

Your rights in connection with personal information

Under certain circumstances, by law you have the following rights:

• Subject to certain conditions, request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it. If possible, you should specify the type of information you would like to see to ensure that our disclosure is meeting your expectations. Disclosure should not impact the rights and freedoms of other people, e.g. privacy and confidentiality rights of other staff.
• Subject to certain conditions, request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.  You also have a responsibility to help us to keep your personal information accurate and up to date. We encourage you to notify us of any changes regarding your personal data as soon as they occur, including changes to your contact details. This right only applies to your own personal data. When exercising this right, please be as specific as possible.
• Subject to certain conditions, request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it.  We may not be in a position to erase your personal data, if for example, we need it to (i) comply with a legal obligation, or (ii) exercise or defend legal claims.  You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below). 
• Subject to certain conditions, object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.  
• Subject to certain conditions, request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it. 
• Subject to certain conditions, request the transfer of your personal information to another party.  If you exercise this right, you should specify the type of information you would like to receive (and where we should send it) where possible to ensure that our disclosure is meeting your expectations.  This right only applies if the processing is based on your consent or on our contract with you and when the processing is carried out by automated means (i.e. not for paper records). It covers only the personal data that has been provided to us by you.
• Where our processing of your personal data is based on your consent you have the right to withdraw your consent at any time.   If you do decide to withdraw your consent we will stop processing your data for that purpose, unless there is another lawful basis we can rely on – in which case, we will let you know.  If you withdraw your consent, this will only take effect for future processing.

If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please email dataprotection@landsec.com.

You will not have to pay a fee to access your personal information (or to exercise any of the other rights); however, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

You can also contact the Information Commissioner's Office via https://ico.org.uk/ for information, advice or to make a complaint.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

For more information, please contact the data protection officer on dataprotection@landsec.com.

If you wish to opt out of the marketing we sent you, please contact:

11. How do we use cookies?

In our website we use cookies to collect information of how many visitors there are to different parts of the website, which helps us keep our site up to date. We may also use cookies to tailor the content that you see to suit your interests. This facility also allows you to receive personalised advertising relating to products viewed whilst using our website.

Our use of cookies generally fall into four categories:

Strictly Necessary Cookies

These cookies are necessary to operate our Online Services. They do not store any personally identifiable information. You can set your browser to block or alert you about these cookies, but our Online Services will not work properly without these cookies.

Performance Cookies

These cookies collect information in an anonymous manner about how visitors use our Online Services and how our Online Services perform. These cookies allow us to recognize and count the number of visitors and help us understand which pages are the most popular and where visitors spend most of their time.

Functional Cookies

These cookies enable the website to provide enhanced functionality and personalisation, such as remembering choices you make or information you provide, what region you are in, your login information, or the pages you have viewed. They may be set by us or by third-party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly.

Targeting Cookies

These cookies allow us and our advertisers to deliver advertisements that are relevant to you and your interests. They may be used by us and our advertisers to build a profile of your interests and show you relevant advertisements on other sites. These cookies may track whether you clicked on an advertisement in order to limit the number of times you see a particular advertisement and help us understand the efficacy of our advertising campaigns. They do not directly store personal information, but uniquely identify your browser and device. If you do not allow these cookies, you will experience less targeted advertising.

We allow users to manage their cookie preferences on our website. Click "Cookie Settings" below to set your preferences.

12. Changes to the privacy & cookies policy

This Privacy Notice was last updated on 29th January 2021. If it is necessary for us to alter the terms of the Privacy Notice, we will post the revised Privacy Notice here. We encourage you to frequently review the Privacy Notice for the latest information on our privacy practices. 

13. How you can contact us

If you have any questions about this Privacy Notice, please contact the Data Protection Officer at dataprotection@landsec.com.