The press department of SES Spar European Shopping Centers in Salzburg commented: “We comply of course with the EU’s General Data Protection Regulation here at SES and will implement it in all units of our group. We have already been handling data very carefully so far. Our employees were trained to act accordingly.” Bettina Schragl, the Head of Communications and Investor Relations at Immofinanz in Vienna, says: “As for all other Austrian companies, the Data Protection Regulation affects our business as well, therefore we have to adapt all relevant agreements.”
The otherwise quite talkative shopping center industry, however, remains relatively silent when it comes to communication regarding the sensitive issue of the European General Data Protection Regulation (GDPR). Contrary to SES and Immofinanz, most of the vast number of players ACROSS contacted did not comment on this issue, even though the regulation will soon come into force – on May 25, 2018, to be exact.
Its goal is quite ambitious: It harmonizes data privacy laws across Europe. But what does that mean from a legal perspective? Companies will be more accountable for their handling of people’s personal data and it will change how they handle information about their customers, their employees and their suppliers. Whilst the GDPR pertains to all companies, shopping center operators may face more challenges than many other businesses (see Commentary by lawyer Birgit Harasser).
A gigantic headache
Due to these challenges, various national shopping center councils organized information events. For example, the Hungarian council had its event on February 21 and the British Revo on February 27. The latter had the pointed motto “GDPR: A Gigantic Headache for Retail and Property.” Apparently, this is where this stream of communication is headed.
Of the big players, it was Manuela Calhau, Director Innovation and Market Intelligence at Sonae Sierra in Portugal, who informed ACROSS about the adaptions that have to be undertaken in center management: “There are several adaptions needed. From an operational perspective, one has to review all contracts involving personal data, from human resources to suppliers, tenants, and mall operators, as well as one’s own property management contracts.
Furthermore, one has to adapt the contracts and/or terms & conditions used in marketing activities, corporate systems and web-based applications and apps.” But that is not all.
According to Calhau, it is of vital importance to redefine access and password policies, including for staff PCs and mobile equipment. Checking and eventually adapting procedures and specific systems, such as video surveillance and car park management systems, will be necessary as well.
Sonae Sierra has had a specific team working on the GDPR for several months, addressing all these issues. The Sierra GDPR project is followed every two weeks by the executive board of the company, and the work is progressing according to plan.
Significant documentation effort
ECE in Hamburg also launched an internal project regarding GDPR. Its goal is to analyze exactly what still needs to be adapted within the company. In the following step, these new requirements are implemented as processes.
Ultimately, the need for documentation will increase, because: “We have no centralized customer data management like online retailers. Therefore, we have to do it individually in each center. There will be legal uncertainties in the beginning because no jurisdiction or experience exists yet,” says ECE’s press office. Besides the need for documentation, the obligation to provide customers with detailed information weighs heavily on center managements.
“Customers need to be informed about the reason why their data is collected, how long their data will be stored and which regulatory authority is responsible for it. The use of customer data needs to be documented in great detail as well. In the future, customers will have the right to be informed about the use of their data and have their data deleted at any time. Furthermore, it may be necessary to adapt agreements with service providers. When in doubt, regulatory authorities can ask for documentation and proof regarding these matters.”
However, the GDPR has virtually no impact on leasing contracts. After all, tenants act autonomously and have their own people who implement data regulations for their respective companies.
It will be interesting to see what the regulation will actually mean for the industry after it comes into force on May 25, 2018. Penalties for violations are quite draconian, at up to four percent of a company’s worldwide annual turnover. Its enforcement will be handled differently in each EU country.
In Great Britain, where Brexit takes full effect in March 2019, it will be handled more restrictively than, for example, in Austria. Here – in its capital Vienna – organizations for consumer protection are already preparing themselves. They are launching online platforms for consumers to make it as easy as possible for them to file a complaint when their data is misused…