Close this search box.

Shopping Centers and the New European Data Protection Regime

The European General Data Protection Regulation (GDPR) will come into force on May 25, 2018. It harmonizes data privacy laws across Europe. Companies will be more accountable for their handling of people’s personal data and it will change how they handle information about their customers, their employees and their suppliers.

By Birgit Harasser

Whilst the GDPR pertains to all companies, shopping center operators may face more challenges than many other businesses: As a landlord, a shopping center is in the B2B real estate business; as a shopping center operator, however, it provides services to consumers.

Therefore, shopping centers will not only have to comply with the GDPR in relation to their contract partners’ data. Moreover, they have to ensure compliance in the way online and offline retailers have to without being one, e.g. compliance regarding online behavioral advertising, website privacy policy and consent, CCTV, Wi-Fi, Bluetooth Beacons, gift cards and loyalty schemes to name just a few.

Moreover, the personal data stored and used by shopping center operators is both collected from multiple sources (e.g. contract partner data, customer data from the center website but also from tenants’ databases), as well as shared with a variety of partners (tenants, payment processing for gift cards, cloud solutions for data storage, etc.).

Key elements of the GDPR are a wider scope of data being protected and individuals being given more rights and control over their data. Much greater emphasis is placed on accountability, transparency and the documentation that must be kept to demonstrate compliance.

Probably the most talked-about elements of the GDPR are the high fines for non-compliance of up to €20 million or 4% of annual worldwide turnover. However, there are also other penalties and risks for non-compliance. Supervisory authorities have wide investigative and corrective powers, they can undertake on-site audits and issue reprimands and orders to carry out specific remediation activities. This alone makes compliance with the new European privacy regulation a must for companies.

Consumers are increasingly aware of what rights they have concerning their data and it will also be considerably easier for individuals to bring private compensation claims, and consumer protection bodies may bring claims on their behalf. Increased consumer awareness also means that demonstrating transparency and respect in the use of personal data is essential in earning consumers’ trust and retaining them as visitors and customers in shopping centers.

Therefore, privacy impact assessments should be carried out as a matter of routine for projects which might expose individuals to enhanced privacy risks, and appropriate procedures put in place to deal with individuals exercising their rights and how to handle data breaches.

What data is being protected?

Personal data is any information relating to an identified or identifiable natural person. A name is not necessary; any factor which may identify an individual is covered: identification numbers, photos, bank details, email addresses, location data, online identifiers such as IP addresses, cookies and RFID tags are all personal data. And although most contract partners such as tenants or service providers are companies, they act through natural persons and their data is of course protected by the GDPR.

In contracting, the GDPR increases the importance of contracts on data export with processors and sub-processors, and with joint controllers. Data processing agreements for third-party service providers and intra-group data processing agreements have to be reviewed and updated. The GDPR sets down quite specifically the contents of such contracts. Where two or more controllers jointly determine the purpose and means of processing – which may be the case where shopping center operators and their tenants set up a common customer database e.g. for click & collect – they are regarded as joint controllers.

Individuals can enforce their rights against any of the joint controllers. Therefore, agreements between the joint controllers should reflect the respective roles and allocation of responsibility for compliance obligations, including who is responsible for providing the required information to customers and ensuring their rights are met.

Rights of Individuals and Privacy Notices

One of the core elements of the enhanced rights for individuals is the requirement for greater transparency. Information must be provided at the time the data is obtained in a transparent and easily accessible form, using clear and plain language. The most common way to provide this information is in a privacy notice.

Privacy notices can be provided through a variety of media, in writing (contracts, printed media, job application forms), through signage (e.g. icons and symbols, an information poster, for a public area) or electronically (in text messages, on websites, in emails, in mobile apps). Individuals have to be informed which data is being collected and processed, for which purpose, the legal basis for processing, how long data is being kept for and whom it is shared with.

In addition, individuals must be informed of their rights: to access, rectify, the right to be forgotten, data portability, the right to object to processing, to complain to supervisory authorities, and where applicable the existence of any automated decision making and profiling (e.g. through loyalty cards, online behavioral advertising, beacons, CCTV) and the right to withdraw consent.

Therefore, terms and conditions which include privacy consent and public and employee privacy notices and policies have to be updated.


The threshold for valid consents is raised by the GDPR. How consent is sought, recorded and managed has to be reviewed. Consent will not be valid unless freely given, specific, informed and unambiguous. There must be a positive opt-in; consent cannot be inferred from silence, pre-ticked boxes or inactivity. It must also be separate from other terms and conditions and in general consent should not be a precondition of signing up to a service – therefore it should not be included in the General Terms and Conditions or the Privacy Policy. Consent must be verifiable and where data processing relies on consent, individuals generally have more rights.

Existing consent has to be refreshed if it does not meet the GDPR standard, but it should be remembered that there may be an alternative legal basis for data processing: a contract with the individual, compliance with a legal obligation or legitimate interests. Where legitimate interests are relied upon, it has to be specified what the legitimate interests are and considered and documented why the legitimate interests are not overridden by the interests or fundamental rights and freedoms of individuals.

Not only valid consent has to be documented but essentially compliance with the data protection principles in general. Accountability is a key concept introduced by the GDPR. Data controllers must be able to demonstrate that and how they comply with the regulation. This shifts the burden of proof to the data controller in the event of an investigation by the data protection authorities.

Required documentation is not only to keep a record of processing operations but compliance with the principles of the GDPR has to be demonstrated, e.g. proof that consent was obtained, that concept of privacy by design and default is complied with, that there are GDPR-compliant privacy notices and contracts with processors in place.

While the GDPR builds on familiar concepts and rules, it brings about many changes. Some parts of the GDPR will have more of an impact on some centers than on others, depending on what they offer to their customers. However, compliance will require all centers to review their approach to governance and how data protection is managed.


Follow @across_magazine on Twitter and @across.magazine.europe on Facebook, sign up for our ACROSS newsletter and subscribe to ACROSS Magazine.