Privacy Notice

Citycon Oyj and its subsidiaries and other affiliates (later referred to as “Citycon”) respect the privacy of its investors, customers, suppliers and other stakeholders. This privacy notice (later referred to as “Privacy Notice”) describes how Citycon collects and processes personal data of its shareholders, other investors and analysts and how Citycon ensures the privacy and security of information collected and processed by it.

In this Privacy Notice “personal data” means any information that can identify you as an individual either submitted by you and/or obtained through alternative channels.

Data Controller

In respect of each data subject’s personal data, the data controller is regarded to be the Citycon group company which has a contractual relationship or other co-operation relationship with the data subject or with the organisation the data subject is representing. The data controller may, thus, be either Citycon Oyj (business ID 0699505-3) or any of its subsidiaries or other affiliates. In this Privacy Notice “we” or “Citycon” shall refer to any Citycon group company acting as the data controller in each individual case.

Customers and tenants

Purposes and legal basis for processing

We process customer and tenant information for creating, managing, developing and maintaining the customer and tenant relationship, security related issues and communicating on these, providing services, customer and tenant communication, sending newsletters, organizing events, evaluating customer experience, compiling statistics, identification of the customer’s and tenant’s users, user management, troubleshooting of electronic services, payments and their controlling, developing business and customer service, handling complaints and claims, defending against claims and for accounting and other legal obligations. In addition, personal data is used for direct marketing by the controller and its group companies (including electronic newsletters), targeting and profiling of online advertising, and for designing and development of the controller’s products and services.

We process data of customers and tenants to fulfil our legitimate interests arising from the contract and co-operation relationship we have with the company the person is representing. In some cases, we may also process personal data of the representatives of our potential customers with whom we have not yet concluded a contract or established a customer relationship. The processing of said data is based on our legitimate interest to explore and understand potential customers, to communicate with them and to develop our customer and market intelligence. Based on our legitimate interest and, if required, consent, we may use personal data to marketing, direct marketing, enquiries, market research and other addressed mailing.

 

Categories of personal data we collect

Customers and tenants of business premises:

  • contact information, such as name, address, phone number, email address, title
  • information on the company the data subject is representing as well as its location
  • information on marketing prohibitions and consents
  • information submitted by the data subject in sign-up forms for Citycon’s events or campaigns
  • Electronic services username and password

Tenants of residential premises:

  • contact information, such as name, address, phone number, email address
  • other information, such as social security number, credit information

 

Where we collect the personal data from

Our regular sources of information are the information given during the preparation and entering into the agreement as well as during the customer and tenancy relationship.

We collect information to our register directly from our customers and tenants or their representatives, from lease agreements and Citycon Portal. Information may be collected from example when you participate in campaigns and events organized by us.

We update your information based on your notices and developments during the relationship. A notice may also be given by a third party, whereupon we pursue to duly ensure the validity of the information.

We may check the validity of personal data of our residential tenants from civil registry in connection with entering into a lease agreement. From the same registry we may also check the resident information of our apartments. We may collect and update your personal data also based on information received from our partners as well as authorities and companies providing personal data services.

We may collect and update credit and payment information as well as sanctions lists from Suomen Asiakastieto Oy or corresponding company providing company and credit worthiness information.

Information collected for the user management of our data systems, such as Citycon Portal, we receive from you or a representative of your company and our employees create and manage the login information.

Logging information are automatically saved in connection with the use of the data system.

 

Disclosure of personal data and categories of recipients of the data

We may disclose customer data within Citycon group companies and, where we have a legal obligation to do so, to authorities.

We may also transfer data to our service providers, who process the data on our behalf and in accordance with our instructions (for example for managing and developing the customer relationship or services, leasing, divestment of apartments or business premises, real estate management services, constructions and repairs and their supervision, security related issues and communicating on these, complementing customer information, debt collection and developing and maintaining data system and data security).

When Citycon divest an asset, the information relating to existing lease agreements may be transferred to the buyer of the asset.

 

Transfer of personal data outside EU/EEA

Personal data can be transferred outside the EU/EEA in accordance with applicable data privacy laws and regulations and subject to the restrictions set in said laws and regulations.

When personal data is transferred outside the EU/EEA to a country, which does not guarantee adequate level of data protection, we will use appropriate safeguards, such as EU Commission’s standard contractual clauses or Privacy Shield Framework, in accordance with applicable data privacy laws and regulations.

 

Retention time

We retain customer data for the duration of the customer relationship. After the customer relationship has ended, we retain the data for as long as the personal data is necessary for Citycon’s genuine needs and legal and regulatory requirements Citycon is subject to or in the absence of applicable regulatory requirements for a maximum of 24 months.

We retain customer data of potential customers and tenants for as long as the personal data is necessary for Citycon’s genuine needs and legal and regulatory requirements Citycon is subject to or in the absence of applicable regulatory requirements for a maximum of 24 months.

Shareholders, other investors and analysts

Purposes and legal basis for processing

We process personal data of shareholders and their representatives to maintain a shareholders’ register, to arrange and administer shareholder meetings, to identify shareholders’ identity and right to participate in general meetings, to communicate with them and to pay dividend and to make other equity transactions.

We process personal data of other investors and analysts to fulfil our legitimate interests and to communicate with them.

We need to process personal data of shareholders and their representatives, other investors and analysts to be able to provide information to the public as a company listed on Nasdaq Helsinki Ltd.

We process shareholders’, other investors’ and analysts’ personal data to fulfil our legal obligations. We may also process the data in order to fulfil our legitimate interests to disclose information to the public and to communicate with and to maintain good relationships with our shareholders, investors and analysts. In addition, we may process data when we send invitations to our events, send newsletters, send information on our business and other marketing communications.

 

Categories of personal data we collect

Shareholders

  • contact information, such as name, address, phone number, email address
  • other information, such as personal identity number or other identifying information, nationality, number of shares and voting rights, book-entry account number
  • other information concerning shareholders’ participation in the general meetings (including information on power of attorneys)

Shareholders’ proxy representatives and assistants

  • name of representatives and personal identity number when the representative represents shareholders in shareholder meetings
  • name of We also collect personal data of proxy representatives and of assistants representing / assisting shareholders in general meetings

Other investors and analysts

  • contact information, such as name, address, phone number, email address

 

Where we collect the personal data from

We collect personal data from:

  • Shareholders. We receive information provided to us in notifications of major shareholdings (flagging notifications).
  • Euroclear Finland Oy (national central securities depository). Euroclear Finland Oy maintains Citycon’s shareholder register and it is the technical provider of the database that we use to manage the shareholder information.
  • Other investors and analysts or companies they represent.

 

Disclosure of personal data and categories of recipients of the data

Information regarding major shareholders, flagging notifications and list of analysts following Citycon can be found on our website www.citycon.com.

We are required to disclose the list of shareholders to anyone requesting based on applicable laws and regulations (publicity of shareholders’ register).

We may disclose certain data to authorities where we have a legal obligation to do so.

We may also transfer data to our service providers, who process the data on our behalf and in accordance with our instructions.

 

Transfer of personal data outside EU/EEA

In some cases, personal data can be transferred outside the EU/EEA (e.g. in case of service providers) in accordance with applicable data privacy laws and regulations and subject to the restrictions set in said laws and regulations.

 

Retention time

Data will be retained as long as needed under Citycon’s legal obligations as a company listed on Nasdaq Helsinki Ltd. In addition, data can be retained as long as it is necessary for Citycon’s genuine interests and needs or purposes of processing.

Business partners and other stakeholders

Purposes and legal basis for processing

We process our business partner and other stakeholder data for fulfilling contracts, co-operation and business relationship management, developing our business, organizing and developing our business functions, communications and collaboration, sending newsletters, organizing events, payments and their supervision, accounting and other legal obligations.

We process data of our supplier and stakeholder representatives to fulfil our legitimate interests arising from the contract and co-operation relationship we have with the company the person is representing. We may also process data of our potential business partners and other stakeholders with whom we have not yet signed an agreement or with whom we have not yet a client relationship. In this case the processing is based on our legitimate interest to research and understand our potential partners and stakeholders, to communicate with them and to develop our knowledge on clients and marketing.

 

Categories of personal data we collect

We collect contact information, such as name, phone number, email address and title, information on the company the data subject is representing, and the data subject’s area of responsibility and information related to managing the co-operation as described above (e.g. arranged meetings).

 

Where we collect the personal data from

We collect personal data from the business partner and stakeholder representatives.

 

Disclosure of personal data and categories of recipients of the data

We may disclose business partner and stakeholder data within Citycon group companies and, where we have a legal obligation to do so, to authorities.

We may also transfer data to our service providers, who process the data on our behalf and in accordance with our instructions.

 

Transfer of personal data outside EU/EEA

Personal data can be transferred outside the EU/EEA in accordance with applicable data privacy laws and regulations and subject to the restrictions set in said laws and regulations.

Some of Citycon’s service providers may also be located outside the EU/EEA, including the United States.

When personal data is transferred outside the EU/EEA to a country, which does not guarantee adequate level of data protection, we will use appropriate safeguards, such as EU Commission’s standard contractual clauses or Privacy Shield Framework, in accordance with applicable data privacy laws and regulations.

 

Retention time

We retain the personal data for the duration of the co-operation relationship. After the co-operation relationship has ended, we retain the data as long as the personal data is necessary for Citycon’s genuine needs and legal and regulatory requirements Citycon is subject to, or in the absence of applicable regulatory requirements for a maximum of 24 months.

Data protection

Citycon has taken appropriate technical and organizational measures to restrict access to the personal data it holds and to protect it against loss, accidental destruction, misuse, and unlawful alteration. Access to personal data is restricted on a need-to-know basis to individuals (Citycon’s employees and service providers) who need to access the data for the purposes it was collected for.

If personal data is transferred outside the EU/EEA to a country, which does not guarantee adequate level of data protection, we will use appropriate safeguards, such as EU Commission’s standard contractual clauses, in accordance with applicable data privacy laws and regulations and when necessary, apply additional security measures.

What are your rights

Right to object
  • You have the right based on your situation to object to profiling and other processing in situations where we process your personal data based on our legitimate interests. These situations can relate to, for example, sending a newsletter or invitation to our events that we assume you are interested in, for example, based on your company's field of operation.
     
Direct marketing
  • You have the right at any time to object direct marketing free of charge. You may do this by contacting Citycon.
Right of access to data
  • You are entitled to have information concerning your personal data that is processed as well as a copy of such data.
Right to request rectification, erasure or restriction of processing of personal data
  • You have the right to request that we rectify erroneous data on you. You can also request that we erase certain data on you or request that processing be restricted on the grounds provided by law.
Right to withdraw consent
  • When processing is based on consent, for a consent to be valid, it needs to be withdrawable, and you have the right for such withdrawal at any time.
Right to data portability
  • To the extent that you have provided data to us that is processed based on your consent, you are entitled to obtain such data primarily in a machine-readable format and are entitled to transfer such data to another data controller.
Right to lodge a complaint with a supervisory authority
  • You are entitled to lodge a complaint with the competent supervisory authority if you are of the opinion that we have not complied with the data protection regulations applicable to our operations.

How you can contact us and exercise your rights

If you have any questions concerning protection of your personal data in our data processing activities or you wish to exercise your rights, please contact us at privacy@citycon.com.

Data Protection Officer Leena Rentola, Piispansilta 9 A, 02230 Espoo, Finland, tel 020 766 4528, email leena.rentola@citycon.com.

Changes to Privacy Notice

We may update this Privacy Notice from time to time to reflect changes in our operations and/or applicable law. Any changes will be posted here.