ICSC Europe Privacy Policy

Your privacy is important to us. To better protect your privacy, we provide this notice explaining our information practices and the choices you can make about the way your information is collected and used. All capitalized terms not defined in this ICSC Europe Privacy Policy (“Privacy Policy”) shall have the meanings assigned to them in the Terms of Service for use of the Web Site.

This Privacy Policy is provided by the International Council of Shopping Centers, Inc. or its affiliates (together, “ICSC” or "we" or "us") and we are a 'controller' for the purposes of the Data Protection Laws that apply to you. This Privacy Policy applies to European individuals who use (or are prospective users of) any of our products or services (including membership, event registration, exhibit space, advertising or sponsorship, and other ICSC volunteer activities), individuals participating in or otherwise related to any events including speakers, website users and any other European individuals whose personal data has been provided to us in connection with any ICSC product or services, and any third parties related to the services mentioned in this Policy.

We ask that you read this Privacy Policy carefully as it contains important information about our processing and your rights.

ICSC is headquartered in the U.S. with offices in Europe (29 Queen Anne’s Gate, London SW1H BU, United Kingdom).

If you need to contact us about this Privacy Policy, contact us at web@icsc.org.

ICSC will make this Privacy Policy available in another format (for example: audio, large print, braille), upon request.

Definitions

The following words and phrases have particular meanings in the Data Protection Laws and are used throughout this Privacy Policy:


Term

Definition

controller

This means any person who determines the purposes for which, and the manner in which, any personal data is processed.

criminal offence data

This means any information relating to criminal convictions and offences committed or allegedly committed.

Data Protection Laws

This means the laws which govern the handling of personal data. This includes the General Data Protection Regulation (EU) 2016/679 and any other national laws implementing that Regulation or related to data protection.

data subject    

The European individual to whom the personal data relates.

ICO

This means the UK Information Commissioner's Office which is our lead supervisory authority responsible for implementing, overseeing and enforcing the Data Protection Laws.

personal data

This means any information from which a European living individual can be identified.

This will include information such as telephone numbers, names, addresses, e-mail addresses, photographs and voice recordings.  It will also include expressions of opinion and indications of intentions about data subjects (and their own expressions of opinion/intentions).

It will also cover information which on its own does not identify someone but which would identify them if put together with other information which we have or are likely to have in the future.

processing

This covers virtually anything anyone can do with personal data, including:

  • obtaining, recording, retrieving, consulting or holding it;
  • organising, adapting or altering it;
  • disclosing, disseminating or otherwise making it available; and
  • aligning, blocking, erasing or destroying it.

processor

This means any person who processes the personal data on behalf of the controller.

special categories of data

This means any information relating to:

  • racial or ethnic origin;
  • political opinions;
  • religious beliefs or beliefs of a similar nature;
  • trade union membership;
  • physical or mental health or condition;
  • sexual life; or
  • genetic data or biometric data for the purpose of uniquely identifying you.

WHAT PERSONAL DATA DO WE COLLECT?

Information provided by you

We collect the following information from you:

  • Contact details like: name, address, e-mail address, telephone number and fax number;
  • corporate affiliation;
  • biographical information;
  • photograph;
  • credit card information;
  • information about your interests and use of products, programs and services;
  • information about special accommodations (dietary, religious, health/disability) and other personal information provided to us by you when registering for an event or to be considered by us when providing our services;
  • Information regarding categories of diversity (ethnicity, gender, sexual orientation, age, disability, etc.) to the extent provided to us by you.

Personal information provided by third parties

We collect other information from the cookies and tracking tools we use, such as the type of browser you are using, the type of operating system you are using, and the domain name of your Internet service provider.

Please see our UK Cookies Policy for more information.

Personal information about other individuals

Our Web Site also allows you to submit information about other people. For example, you might submit a person's mailing and e-mail address to enroll them in an ICSC event, or if you order publications online and want them sent directly to the recipient, you might submit the recipient's name and address. In addition, when ICSC members forward ICSC event invitations to third parties, if necessary we will collect personal data about those third parties, such as their email address.

If you provide us with information about other individuals, you confirm that you are acting on their behalf and under their instructions, and that you have informed them about this Privacy Policy.

WHY DO WE PROCESS YOUR PERSONAL DATA?

We use your personal data for the following purposes listed in this section. We are allowed to do so on certain legal bases (please see section 'How is processing your data lawful' for further detail).

  • To fulfill your requests for our products, programs, and services;
  • to respond to your inquiries about our offerings;
  • to offer you other products, programs or services that we believe may be of interest to you;
  • to communicate with you, such as to notify you when we make changes to our subscriber agreements, to fulfill an online order for ICSC products, or to contact you about issues regarding your membership.
  • We include your name, title, corporate affiliation, biography information and photograph as provided to ICSC in connection with any ICSC event attendance lists or other business purposes of ICSC.
  • We use the information that you provide about others to enable us to send them the relevant information which you have requested for them. From time to time, we also use this information to offer our products, programs, or services to them.
  • The information we collect in connection with our online discussion forums is used to facilitate participation in the forums and, from time to time, to offer you products, programs, or services.
  • If you choose to submit User Content for publication, we may publish your name and other information you have provided to us.
  • When permitted by law, we will disclose information about you in response to a law enforcement agency's request or legal process, for example, in response to a court order.
  • We use the information we collect from cookies and tracking tools to improve the design and content of our products, programs and services and to enable us to provide a more tailored interface for individual Users.

HOW IS PROCESSING YOUR PERSONAL DATA LAWFUL?

Personal data

We are allowed to process your personal data for the following reasons and on the following legal bases:

Legitimate Interests

We are permitted to process your personal data if it is based on our ‘legitimate interests’ i.e. we have good, sensible, practical reasons for processing your personal data which is in the interests of ICSC. To do so, we have considered the impact on your interests and rights, and have placed appropriate safeguards to ensure that the intrusion on your privacy is reduced as much as possible. The table below explains the personal data processed on this basis.

Personal data

Legitimate Interests

Geolocation tracking information (e.g., the ICSC website uses cookies from users’ IP address and depending on location ICSC website content may be modified)

We use geolocation tracking information through the use of cookies from users’ IP address and, depending on location, ICSC website content may be modified to be most relevant to you. We would not be able to offer the best curated content to users without this data.

Personal data related to members, prospective members, subscribers, and individuals attending events that are used for any marketing or promotion purposes;

It is in our legitimate interest to carry out marketing and promotion campaigns of ICSC products and services.

Personal data related to members, to be shared with other members

Access to contact information of other ICSC members and event attendees is a key benefit of ICSC membership. As a benefit to members, personal data related to members and event attendees may be shared with other members and event attendees via the ICSC website. We would not be able to offer this benefit to members and event attendees without this information.

Processing of personal data (sensitive & non-sensitive), for litigation or legal advice, when the processing is not necessary to comply with a legal obligation or to comply with a contract between ICSC and the persons whose data is processed.

To the extent that it is necessary in order to protect our rights.

Special category of personal data voluntarily made manifestly public by you (see "Data manifestly made public")

  • to provide world-class customer service to that person (for example, if we know that person has a disability and requires an accommodation at an event; or if we know the person has a religious observation that requires a certain dietary restriction or other limitation on his/her activities);
  • to engage with you on our policy issues of relevance;
  • to assess and promote diversity within the industry and our volunteer leadership (for example, ICSC may keep a record of categories of diversity (ethnicity, gender, sexual orientation, age, disability, etc.) represented in its members or volunteers);

You can object to processing that we carry out on the grounds of legitimate interests. See the section headed "Your Rights" to find out how.

Contract

ICSC may process your data to the extent it is necessary for our performance of the contract you have agreed to enter with us. If you do not provide your personal data to us, we will not be able to carry out our obligations under the terms of your contract.

Legal obligation

We are subject to legal obligations to process your personal data for the purposes of complying with applicable regulatory, accounting and financial rules, health and safety and to make mandatory disclosures to government bodies and law enforcement.

Consent

Sometimes we want to use your personal data in a way that is entirely optional for you. On these occasions, we will ask for your consent to use your information. You can withdraw this consent at any time.

Special categories of data

We are allowed to process your special categories of personal data for the following reasons and on the following legal bases:

Data manifestly made public

Although this sounds like your data is "in the public domain", it does not mean any such thing. When you voluntarily provide ICSC with data related to you (or related to third parties for which you are authorized to submit) in order for us to deal with any special requirements you may have, for example when attending one of our events, you are providing this information to those employees/members of our organisation who need to deal with your request or preference (as opposed to sharing this information in a private environment). If you do so, it is considered that you are making this data sufficiently public in a way that you allow us to use it for the purposes you request or expect us to do. Of course we will keep this data secure and it will only be processed on a need-to-know basis.

Legal claims

We need to process your personal data if we are required to do so to defend or establish a legal claim.

Consent

You have given your explicit consent for us to process it.

WHO WILL HAVE ACCESS TO YOUR PERSONAL DATA?

ICSC may utilize the services of third party vendors in connection with the provision of its products and services. Depending on the services provided, these vendors may act as our processors who will have access to your personal data. If you would like to know the names of our service providers that qualify as processors of personal data, please contact us using the details at the start of this Privacy Policy. In addition, we share your personal data with certain third party vendors who act as separate controllers of your personal data. We may provide them with your name and contact details so that they can contact you separately in order to arrange services/benefits directly with you. If you would like to know the names of our service providers that qualify as controllers of personal data, please contact us using the details at the start of this Privacy Policy. We will also share your personal data with the police, other law enforcement or regulators where we are required by law to do so.

Information you directly provide to third parties under Co-Branded relationships

Our Web Sites may offer content which is co-branded with third parties (the "Co-Branded Content"). By virtue of these relationships, the third parties will obtain the personal data you voluntarily submit in order to use the Co-Branded Content. We have no control over third party use of this information.

Transfers of your personal data outside the EEA

As ICSC is a global organization with offices and events held around the world, we may need to transfer your personal data to the US or other countries located outside the European Economic Area, for the purpose of ICSC operations, including:

  • sharing central systems across ICSC affiliates; and for
  • marketing purposes.

Any transfer of your data will be carried out in accordance with the law to safeguard your privacy rights and give you remedies in the unlikely event of a security breach or to any other similar approved mechanisms. If you want to know more about how data is transferred, please contact us using the details in the section above.

How we keep your personal data secure

We strive to implement appropriate technical and organisational measures in order to protect your personal data against accidental or unlawful destruction, accidental loss or alteration, unauthorised disclosure or access and any other unlawful forms of processing. We aim to ensure that the level of security and the measures adopted to protect your personal data are appropriate for the risks presented by the nature and use of your personal data. We follow recognised industry practices for protecting our IT environment and physical facilities.

Employees, agents and contractors of ICSC who have access to personally identifiable information are required to protect this information in a manner that is consistent with this Privacy Notice by, for example, not using the information for any purpose other than to carry out the services they are performing for ICSC. ICSC members and non-members who have access to personally identifiable information of members and other individuals through the use of the ICSC website are also required to protect this information in a manner that is consistent with this Privacy Notice, and are required to use such information strictly for business related purposes.

Although we take appropriate measures to safeguard against unauthorized disclosures of information, we cannot assure you that personally identifiable information that we collect will never be disclosed in a manner that is inconsistent with this Privacy Notice or as otherwise permitted by law.

Our Web Site may contain links to other sites whose information practices may be different from ours. Users should consult the other sites' privacy notices as ICSC has no control over information that is submitted to, or collected by, these third parties.

WHEN WILL WE DELETE YOUR DATA?

ICSC will not keep your data for longer than we need to in order to meet all the purposes we included in the section "Why do we process your personal data?".

For example, if you are a member, we will keep your data for the duration of your membership and then, we will keep that data if we need it to comply with a legal obligation (including ICSC’s document retention policy), or for research or statistics purposes, but if we do not need all the data you provided at first instance, we will delete the remaining data. For most of the purposes and legal obligations we have stated a retention period of 6 years.

YOUR RIGHTS

As a data subject, you have the following rights under the Data Protection Laws:

  • the right to object to processing of your personal data;
  • the right of access to personal data relating to you (known as data subject access request);
  • the right to correct any mistakes in your information;
  • the right to ask us to stop contacting you with direct marketing;
  • the right to prevent your personal data being processed;
  • the right to have your personal data ported to another controller;
  • the right to withdraw your consent;
  • the right to erasure; and
  • rights in relation to automated decision making.

These rights are explained in more detail below. If you want to exercise any of your rights, please contact us (please see "How to contact us").

We will respond to any rights that you exercise within a month of receiving your request, unless the request is particularly complex, in which case we will respond within three months.

Please be aware that there are exceptions and exemptions that apply to some of the rights which we will apply in accordance with the Data Protection Laws.

Right to object to processing of your personal data

You may object to us processing your personal data where we rely on a legitimate interest as our legal grounds for processing.

If you object to us processing your personal data we must demonstrate compelling grounds for continuing to do so. We believe we have demonstrated compelling grounds in the section headed "How is processing your personal data lawful".

Right to access personal data relating to you

You may ask to see what personal data we hold about you and be provided with:

  • a copy of the personal data;
  • details of the purpose for which the personal data is being or is to be processed;
  • details of the recipients or classes of recipients to whom the personal data is or may be disclosed, including if they are overseas and what protections are used for those overseas transfers;
  • the period for which the personal data is held (or the criteria we use to determine how long it is held);
  • any information available about the source of that data; and
  • whether we carry out automated decision-making or profiling and, where we do, information about the logic involved and the envisaged outcome or consequences of that decision or profiling.

To help us find the information easily, please provide us with as much information as possible about the type of information you would like to see.

Right to correct any mistakes in your information

You can require us to correct any mistakes in your information which we hold. If you would like to do this, please let us know what information is incorrect and what it should be replaced with.

Right to restrict processing of personal data

You may request that we stop processing your personal data temporarily if:

  • you do not think that your data is accurate. We will start processing again once we have checked whether or not it is accurate;
  • the processing is unlawful but you do not want us to erase your data;
  • we no longer need the personal data for our processing, but you need the data to establish, exercise or defend legal claims; or
  • you have objected to processing because you believe that your interests should override our legitimate interests.

Right to data portability

You may ask for an electronic copy of your personal data which we hold electronically and which we process when we have entered into a contract with you. You can also ask us to provide this directly to another party.

Right to withdraw consent

You may withdraw any consent that you have given us to process your personal data at any time. This means that we will not be able to carry out any processing which required use of that personal data.

Right to erasure

You can ask us to erase your personal data where:

  • you do not believe that we need your data in order to process it for the purposes set out in this Privacy Policy;
  • if you had given us consent to process your data, you withdraw that consent and we cannot otherwise legally process your data;
  • you object to our processing and we do not have any legitimate interests that mean we can continue to process your data; or
  • your data has been processed unlawfully or has not been erased when it should have been.

Rights in relation to automated decision making

You have the right to have any decision that has been made by automated means and which has a significant effect on you reviewed by a member of staff and we will consider any objections you have to the decision that was reached.

What will happen if your rights are breached?

You may be entitled to compensation for damage caused by contravention of the Data Protection Laws.

Complaints to the regulator

It is important that you ensure you have read this Privacy Policy - and if you do not think that we have processed your data in accordance with this notice - you should let us know as soon as possible. You may also complain to the ICO. Information about how to do this is available on its website at www.ico.org.uk.

May 2018