In the commercial activity carried out by the Paradise Center, there may be several situations in which we process your personal data. More details can be found below:

We are BULFELD EOOD a company with its registered office in 1407 Sofia, Triaditsa region, 100 Cherni vrah blvd., registered in the Commercial Register at the Registry Agency with UIC 175266642 (hereinafter the “Controller”), part of the NEPI Rockcastle Group.

In promoting Paradise Center, we work with the following entities within the NEPI Rockcastle Group:

· NE Property BV, having its seat and address of management at: Stravinskylaan 563, WTC, Zuidas, Tower Ten, floor 5, 1077XX, Amsterdam, the Netherlands, registered with the Dutch Chamber of Commerce under No. 34285470.

· NEPI Investment Management SRL Calea Floreasca 169A, Cladirea A, sectiunea 5.1, biroul 14, Sector 1, Bucharest, Romania, registered with the Commercial Register under No. J40/16378/2007, unique registration number (CUI) RO22342136

· Marketing Advisers SRL Calea Floreasca 169A, Cladirea A, Sectiunea A5.1, biroul 37, Sector 1, Bucharest, Romania, registered with the Commercial Register under No. J40/50498/2014, unique registration number (CUI) RO33099670

From the perspective of how your personal data is processed for specific marketing purposes, the relationship between the Controller, NE Property BV, NEPI Investment Management SRL and Marketing Advisers SRL is that of Joint Controllers, according to Article (26) of the GDPR. Also, for the purpose of promoting Paradise Center, NE Property BV makes the www.paradise-center.com Website (the “Website”) available to users.

This information notice is addressed to all data subjects who visit the Paradise Center, access the Website, participate in promotional campaigns or similar events held on the premises of the shopping centre or online or represent suppliers/partners/collaborators or tenants in the conduct of the contractual relationship with Paradise Center.

The way we process your personal data differs depending on your relationship with Paradise Center to receive more information choose the category below that is applicable to you: I am a visitor or customer of the shopping centre I am a user of the shopping centre website I am the legal representative or contact person of a supplier, collaborator or tenant of the shopping centre I am part of the staff of suppliers, collaborators or tenants of the shopping centre

In all cases, you have several rights that can be exercised, individually or cumulatively, with respect to personal data that Paradise Center holds in relation to you. Information on these rights as well as how they can be exercised is available in the Rights of data subjects section .

We undertake to process personal data in compliance with applicable legislation on the protection of personal data and good practices in this area. More information is available in the section on Data security and accuracy.

In addition, a Data Protection Officer has been appointed at the NEPI Rockcastle Group level, who can be contacted should there be any concerns about the protection of personal data and the exercise of data protection rights. The Data Protection Officer can be contacted by written, dated and signed request, using the contact details mentioned below:

· by mail, at: Calea Floreasca nr. 169A, Floreasca 169, Clădirea A, etajul 5, Sector 1, București/Bucharest, Romania · by email, at: Protection@nepirockcastle.com

1.1Personal data we process

• Identification data, such as: first name and last name, date of birth

• Account access data, such as: password

• Contact details, such as: email address, phone number

• Data on your preferences/interests, such as data on areas of interest - e.g., fashion, technology, pets, etc.

• Data about your interaction with the Website, such as: information about the stores you searched for, the fact that you chose a series of products/services as favorites or that you selected a series of events that you want to participate in, as well as the recurrence with which you visit our Website/access the Account.

• Demographic data, such as: gender, city and neighborhood where you live, whether you are married or not, whether you have children or not, the number of children and their age

• Data on the participation in promotional campaigns and similar events, such as: prizes won, image

• Financial data, such as: bank account number.

• Data collected through cookies or other similar technical means (i.e., small text files that are stored on your computer, phone, tablet or mobile device, and contain information about your activity on those sites/applications), e.g.: sub-pages accessed, period spent on a specific page

• Data from social networks, such as: the unique identification code provided by the Facebook network

In the case of the Website, we also collect your IP, but this data is not processed or used for any subsequent purpose at this time.

1.2Use of personal data

1.2.1General purposes

When you access the Paradise Center website (the “Website”), certain personal data about you will be processed by NE Property BV, mainly in order to be able to provide you with the requested service, namely access to the Website.

1.2.2Data processing for marketing purposes 

In its work to promote the Paradise Center, including through the Website, NE Property BV works together with the following entities within the NEPI Rockcastle Group: The Controller, as owner of the Shopping Centre, NEPI Investment Management SRL and Marketing Advisers SRL. Thus, from the perspective of how your personal data is processed for marketing purposes, the entities of the NEPI Rockcastle Group mentioned above (hereinafter collectively referred to as the “Joint Controllers” and individually as the “Joint Controller”) act as Joint Controllers, pursuant to Article (26) of the GDPR.

In connection with the processing of personal data for marketing purposes, you have all the rights set out in Data subjects' rights. By virtue of the agreement entered into by the Joint Controllers regarding the processing of personal data for marketing purposes, they will cooperate and ensure that they fully respect your rights, regardless of the Joint Controller to whom you choose to send your request to exercise your rights.

1.3Additional information on profiling

The Joint Controllers will create and analyse your profiles based on the personal data we hold about you - data about your preferences/interests, data about your interaction with the Website, data collected through cookies. As a result of analysing such data, we will be able to identify your preferences, interests and capabilities in terms of procurement, and thus relate them to the services we provide or to the products we promote.

Then, through automated procedures, the Joint Controllers determine the content of the direct marketing materials to be sent to you. In the legal language these automated procedures are referred to as “automated individual process”.

Thus, the direct marketing materials that we will send you will be as specific, convincing and applicable as possible to you, and as a consequence may influence you (i.e. in the sense of purchasing the product/service included in the marketing material), as the manage to correctly identify your preferences or characteristics.

With regard to the processing of data by automated individual processes, you have several additional rights, i.e. you can (a) obtain human intervention, (b) express your point of view, (c) get explanations about the decision made and (d) contest that decision. In addition, you can withdraw consent at any time in the manner prescribed in this Memorandum in the section dedicated to Data subjects rights.

1.4Storage period

The personal data processed are kept for the period of time necessary to comply with the legal obligations imposed on us by the regulations specific to our field of activity.

With regard to the use of your personal data for direct marketing activities, it will be stored by the Joint Controllers from the time you have given us your consent for such processing until the date you have withdrawn it. Once you choose to withdraw your consent, your data will be stored by the Joint Controllers, for an additional period of 3 years, in the legitimate interest of the Joint Controllers to be able to access and provide the necessary documentation in the event of a potential legal claim, complaint, investigation (i.e., but not to be used for sending direct marketing materials).

1.5Third party access

Access to your data will be provided only to those persons or entities with whom we collaborate in fulfilling the purposes of processing, and for whom we (we or the intended recipients) can justify a legitimate reason or if we have a legal obligation to provide your data.

The following entities and their employees will have access to your data:

• IT service providers (e.g., software maintenance and development, site maintenance and development),

• CRM solution providers

• Marketing service providers, including market research service providers, marketing communications service providers, online tool traffic and behavior monitoring service providers, various marketing customization service providers, providers of marketing services through social media resources, providers of services for the preparation of the content of marketing forms,

• Group Companies (other than Joint Controllers)

As both the Controller and the other Joint Controllers are part of the Nepi Rockcastle group of companies (the “Group”), your personal data will be processed for the purposes of consolidated management of the Group's activities, for audit purposes and in any other situation where the law requires or permits such processing, if we (the Controller, the Joint Controllers or the recipient companies in the Group) can justify a legitimate basis for doing so or if we obtain your consent to do so. The list of companies in the Group can be found at: www.nepirockcastle.com

• Partners Paradise Center

Your personal data will also be processed in relation to a number of third party partners (“Partners”). These are the Partners that the Joint Controllers promote in their relationship with you through direct marketing activities, and are usually represented by tenants of NEPI Rockcastle Group shopping centres. Partners do not have access to your personal data, unless NE Property BV or the Joint Controllers have obtained your prior consent in this respect. The full list of Partners for the Paradise Center location is updated quarterly and can be found here - https://paradise-center.com/en/stores-en, https://paradise-center.com/en/services-en and https://paradise-center.com/en/restaurants-cafes-en/

We will contractually require these entities, as well as their staff, to respect the confidentiality of this data, ensuring a high level of security for the processing of your data.

We will also provide your personal data to judicial bodies, public institutions, or central and local public authorities, based on a duly substantiated request or legal obligation.

As a rule, NE Property BV or, as the case may be, the Joint Controllers, will not transfer your personal data to third countries outside the European Economic Area. If such a transfer nevertheless takes place, NE Property BV and the Joint Controllers will take appropriate safeguards to ensure the protection of personal data transferred.

2.1Personal data we process

• Identification data, such as: first name and last name, date of birth

• Special identification data, that is personal identity number 

• Contact details, such as: email address, phone number

• Image

• Data on the vehicle for which a parking space is granted in the car park of the shopping centre, e.g.: make, type and registration number

• Data on access to the shopping center car park, e.g.: arrival time, departure time, length of stay

• Device MAC (mobile, laptop, tablet)

• Data on participation in promotional campaigns and similar events, e.g.: prizes won

• Financial data, e.g.: bank account number

2.2Use of personal data

2.2.1General purposes

When you visit the Paradise Center, certain personal data about you will be processed by the Controller, mainly in order to be able to provide you with the services offered by the Controller or to fulfil our legal obligations.

2.2.2Data processing for marketing purposes 

In its work to promote Paradise Center, including through the Website, the Controller works with the following entities within the NEPI Rockcastle Group: NE Property BV, NEPI Investment Management SRL and Marketing Advisers SRL. Thus, from the perspective of how your personal data is processed for marketing purposes, the entities of the NEPI Rockcastle Group mentioned above (hereinafter collectively referred to as the “Joint Controllers” and individually as the “Joint Controller”) act as Joint Controllers, pursuant to Article (26) of the GDPR.

In connection with the processing of personal data for marketing purposes, you benefit from all the rights set out in the section Data subjects' rights . By virtue of the agreement entered into by the Joint Controllers regarding the processing of personal data for marketing purposes, they will cooperate and ensure that they fully respect your rights, regardless of the Joint Controller to whom you choose to send your request to exercise your rights.

2.3Retail Analytics application

Retail Analytics is an application that uses the shopping centre’s Wi-Fi system to process personal data in order to obtain statistical reports that streamline the activity of the shopping centre, while in time improving visitors’ experience.

2.3.1How does the Retail Analytics application work?

The MAC (media access control) address of the electronic device is collected through an API (Application Programming Interface), by exposure to access points (Access Points), through a secure VPN (virtual private network), using an https protocol (HyperText Transfer Protocol Secure) and dedicated internet protocol (IP).

The MAC address is anonymized by the API (Application Programming Interface) immediately after collection and prior to processing for statistical purposes, by applying a hash function.

NOTE: "anonymization" means the processing of personal data in such a way that it can no longer be attributed to a specific data subject.

The information resulting from the application of the hash function is saved in the database of the Retail Analytics application and is not reversible (i.e. the MAC address can no longer be identified).

The personal data of the MAC device and the location are anonymized and cannot lead to the identification of the person.

Depending on the device manufacturer, without our intervention it is possible that - although the WiFi connection of the device is not activated - the device is detected by our WiFi network, so we recommend that you check the WiFi connection of the device when visiting our shopping centre.

NOTE:  You can deactivate the WiFi connection by accessing the device's “Settings” menu and disabling geolocation by accessing the Google geolocation service:  https://support.apple.com/bg-bg/HT207092  for iPhone, https://support.google.com/nexus/answer/3467281?hl=bg for Android, https://www.tenforums.com/tutorials/13225-turn-off-location-services-windows-10-a.html for Windows phones

2.3.2Categories of personal data processed by the Retail Analytics application

• MAC address (media access control) of the electronic device;

• date and time of the visit(s);

• identifier and coordinates of the access point to the WiFi network (AP identifier);

• Wi-Fi signal strength;

• WiFi network connection status (connected/disconnected).

The MAC address captured through the API (Application Programming Interface) is the one that could lead to the identification of the person and the rest of the personal data highlighted above can only be collected with its help. The MAC address is anonymized by the API immediately after collection and prior to processing for statistical purposes.

2.3.3Purpose of the processing of personal data

After anonymization, data is used exclusively for statistical purposes, the statistical reports generated by Retail Analytics being used for:

• developing the business and marketing strategy of the shopping centre, increasing the value of the shopping centre, better organization of the shopping centre, events and campaigns hosted by it, while ensuring a more efficient management of the needs of visitors and tenants of the shopping centre;

• improvement of the services offered by the shopping centre, correlated with a proper management of the periods and areas of maximum congestion, so as to obtain an improved shopping experience.

2.4Storage period:

The personal data processed are kept for the period of time necessary to comply with the legal obligations imposed on us by the regulations specific to our field of activity.

Depending on the context in which we process your personal data, the following rules for determining the storage period will apply:

• CCTV system: Video recordings stored by the CCTV system are usually kept for a period of 30 (thirty) days, unless the extension of their processing period is required by law or justified by legal procedures.

• WiFi network: The device’s MAC is only stored during the period when it uses our WiFi network.

• Data processed for marketing purposes: data collected for marketing purposes will be processed until consent is withdrawn. Once you choose to withdraw your consent, your data will be stored by the Joint Controllers, for an additional period of 3 years, in the legitimate interest of the Joint Controllers to be able to access and provide the necessary documentation in the event of a potential legal claim, complaint, investigation (i.e., but not to be used for sending direct marketing materials).

• Retail Analytics application: In the case of data processed through the Retail Analytics application, personal data is anonymised at the time of collection and is not retained by the Joint Controllers. After anonymisation, the information and statistical reports obtained shall be kept for a period of 1 year.

2.5Third party access:

Access to your data will only be provided to those individuals or entities with whom we collaborate for processing purposes and for whom we (the new or the intended recipients) can justify a legitimate ground in accordance with the GDPR or if we have an obligation legal to provide your data.

The following entities and their employees will have access to your data:

• Security and security service providers - To ensure CCTV video surveillance and access control system in parking spaces, the Controller collaborates with specialised companies, authorised by law to carry out security and surveillance activities.

• Other service providers - With regard to participation in campaigns and events, as well as the handling of complaints, grievances and/or requests regarding lost items addressed to the staff of the Info Desk offices within the shopping centres, the Controller usually collaborates with specialised service companies.

• Group companies

As both the Controller and the other Joint Controllers are part of the Nepi Rockcastle group of companies (the “Group”), your personal data will be processed for the purposes of consolidated management of the Group's activities, for audit purposes and in any other situation where the law requires or permits such processing, if we (the Controller, the Joint Controllers or the recipient companies in the Group) can justify a legitimate basis for doing so or if we obtain your consent to do so. The list of companies in the Group can be found at: www.nepirockcaste.com

• Partners Paradise Center

Your personal data will also be processed in relation to a number of third party partners (“Partners”). These are the Partners that the Joint Controllers promote in their relationship with you through direct marketing activities, and are usually represented by [Shopping Mall Name] tenants. Partners do not have access to your personal data, unless the Controller or the Joint Controllers have obtained your prior consent to do so. The full list of Partners is updated quarterly and can be found here - https://megamallbucuresti.ro/magazine/, https://megamallbucuresti.ro/categorie_unitate/divertisment/ and https://megamallbucuresti.ro/servicii/

• Property Manager Paradise Center

We will contractually require these entities and their staff to respect the confidentiality of this data, ensuring a high level of security for the processing of your data.

We will also provide your personal data to judicial bodies, public institutions, or central and local public authorities, based on a duly substantiated request or legal obligation.

As a rule, the Controller or, where applicable, the Joint Controllers, will not transfer your personal data to third countries outside the European Economic Area. If such a transfer nevertheless takes place, the Controller or the Joint Controllers will take appropriate safeguards to ensure the protection of personal data transferred.

3.1Personal data we process

• Identification data, such as: first name and last name, date of birth

• Contact details, such as: email address, phone number

• Occupational data, such as: position held, company in which you are employed or which you represent

3.2Use of personal data

3.3Storage Period

The personal data processed are kept for the period of time necessary to comply with the legal obligations imposed on us by the regulations specific to our field of activity.

3.4Third party access

Access to your data will only be provided to those individuals or entities with whom we collaborate for processing purposes and for whom we (the new or the intended recipients) can justify a legitimate ground in accordance with the GDPR or if we have an obligation legal to provide your data.

The following entities and their employees will have access to your data:

• Group companies

As the Controller is part of the Nepi Rockcastle group of companies ("Group"), your personal data will be processed for the purposes of consolidated management of the Group's activities, for audit purposes and in any other situation where the law requires or permits such processing, if we (the Controller or the recipient companies in the Group) can justify a legitimate basis for doing so or if we obtain your consent to do so. The list of companies in the Group can be found at: www.nepirockcastle.com

We will contractually require these entities and their staff to respect the confidentiality of this data, ensuring a high level of security for the processing of your data.

We will also provide your personal data to judicial bodies, public institutions, or central and local public authorities, based on a duly substantiated request or legal obligation.

As a rule, the Operator will not transfer your personal data to third countries outside the European Economic Area. However, if such a transfer takes place, the Operator will take appropriate protection measures to ensure the protection of the personal data transferred.

4.1Personal data we process

• Identification data, such as: first name and last name, date of birth

• Contact details, such as: email address, phone number

• Image

Device MAC (mobile, laptop, tablet)

4.2Use of personal data

4.3Storage Period

The personal data processed are kept for the period of time necessary to comply with the legal obligations imposed on us by the regulations specific to our field of activity.

Depending on the context in which we process your personal data, the following rules for determining the storage period will apply:

• CCTV system: Video recordings stored by the CCTV system are usually kept for a period of 30 (thirty) days, unless the extension of their processing period is required by law or justified by legal procedures.

• WiFi network: The device’s MAC is only stored during the period when it uses our WiFi network.

4.4Third party access

Access to your data will only be provided to those individuals or entities with whom we collaborate for processing purposes and for whom we (the new or the intended recipients) can justify a legitimate ground in accordance with the GDPR or if we have an obligation legal to provide your data.

The following entities and their employees will have access to your data:

• Security and security service providers - To ensure CCTV video surveillance and access control system in parking spaces, the landlord collaborates with specialised companies, authorised by law to carry out security and surveillance activities.

• Other service providers - With regard to the handling of complaints, grievances and/or requests regarding lost items addressed to the staff of the Info Desk offices within the shopping centres, the Controller usually collaborates with specialised service companies.

• Controller’s Property Manager.

We will contractually require these entities and their staff to respect the confidentiality of this data, ensuring a high level of security for the processing of your data.

We will also provide your personal data to judicial bodies, public institutions, or central and local public authorities, based on a duly substantiated request or legal obligation.

As a rule, the Controller will not transfer your personal data to third countries outside the European Economic Area. However, if such a transfer takes place, the Operator will take appropriate protection measures to ensure the protection of the personal data transferred.

We will take all necessary security measures to protect your personal data transmitted, stored or otherwise processed against destruction, loss, unlawful or accidental change, unauthorised disclosure or unauthorised access, as well as against any other unlawful processing. The security measures we implement with regard to your personal data can ensure the confidentiality, integrity, availability and continued resilience of processing systems and services, as well as the capacity to restore the availability of and access to personal data in a timely manner if a physical or technical incident occurs.

All personal data will be processed through secure pages using the SSL encryption system, marked with a padlock symbol, located at the top of the browser window.

For more information on security standards on the Website, go to the “Help” section.

In addition, for the security of the data and the confidentiality of the information transmitted through the Account, it is password protected. The Controller, or where applicable the Joint Controllers, shall make every effort and use appropriate information technology to ensure the protection and security of the data you provide to us.

In cases provided for by the GDPR in relation to personal data breaches, the Controller, or as the case may be, each of the Joint Controllers, will duly inform the competent authorities and relevant persons.

The Controller or Joint Controllers process personal data that are accurate and have a procedure in place to update them. Thus, the Controller/Joint Controllers shall take all necessary steps to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

1. Right of access - the right to request confirmation that the personal data are processed or not by us, and if so, the data subject may request access to the data, as well as certain information about such data. Upon request in this respect, we will also issue a copy of the processed personal data. Request for additional copies will be charged on the basis of the costs actually incurred.

2. Right to rectification - the right to get the inaccurate personal data rectified, as well as to supplement incomplete data, including by providing additional information.

3. Right to delete data ("the right to be forgotten") - in situations expressly regulated by law, the right to obtain from us the deletion of the data. Thus, the deletion of personal data can be requested if:

   • the data are no longer necessary for the purposes for which they were collected or processed;

   • withdrawal of the consent on the basis of which processing is carried out;

   • the data subject opposes to the processing under the right of opposition;

   • processing of personal data is illegal;

   • the data must be deleted for the purpose of complying with a legal obligation incumbent on us.

4. Right to restrict processing - the right to request the restriction of processing of personal data in certain circumstances expressly regulated by the law, as follows:

   • the accuracy of the data is contested, for the period when the accuracy of the concerned data is checked;

   • the processing is unlawful and the data subject opposes to the deletion of data;

   • the data subject needs these data to establish, exercise or defend certain rights in court, and our company no longer needs such data;

   • the data subject opposes to the processing of personal data for the period in which we check if our legitimate interests prevail over their interests, rights and freedoms.

In these circumstances, except for storage, the data will not be processed anymore.

1. Right to object to the processing of personal data - the right to object at any time, for reasons related to the particular situation of the data subject, to the processing (including the creation of profiles) based on our legitimate interest.

2. Right to data portability - the right to receive the personal data provided in a structured, automated readable format, and the right to request that the data be passed to another controller. This right applies only to personal data provided directly by the data subject to the controller, and only if the processing of personal data is done by automated means and is legally based on either the execution of a contract or the consent of that person,

3. The right to lodge a complaint - the right to lodge a complaint in relation to the methods of personal data processing. The complaint will be submitted to the Commission for Personal Data Protection (“CPDP”) - details at cpdp.bg.

4. Right of withdrawal of consent - the right to withdraw, at any time, the consent to the processing of personal data in cases where processing is based on consent. Withdrawal of the consent will only have effect for the future, and processing prior to the withdrawal remains valid.

5. Additional rights related to automated decisions used in the delivery of services - if automated decisions are made about personal data and these decisions significantly affect the data subject, the data subject can (a) obtain human intervention with respect to said processing, (b) express their point of views on such processing, (c) obtain explanations regarding the decision made and (d) contest such decision.

These rights (except the right to contact CPDP, which can be exercised under the conditions established by this authority - in this regard you can see the official website cpdp.bg) may be exercised, anytime, either individually or by aggregation, sending a letter/message in the following ways:

• by mail, at: Sofia 1407, 100, Cherni vrah Blvd, fl.4 - BULFELD EOOD

• by email, at: office@paradise-center.com

You can exercise the right to withdraw your consent for the transmission of direct marketing messages (newsletter) by e-mail, by accessing the dedicated unsubscribe link (unsubscribe), included in each message of this kind.