Citycon Oyj and its subsidiaries and other affiliates (later referred to as “Citycon”) respect the privacy of its investors, customers, suppliers and other stakeholders. This privacy notice (later referred to as “Privacy Notice”) describes how Citycon collects and processes personal data of its shareholders, other investors and analysts and how Citycon ensures the privacy and security of information collected and processed by it.

In this Privacy Notice “personal data” means any information that can identify you as an individual either submitted by you and/or obtained through alternative channels.

Data Controller

In respect of each data subject’s personal data, the data controller is regarded to be the Citycon group company which has a contractual relationship or other co-operation relationship with the data subject or with the organisation the data subject is representing. The data controller may, thus, be either Citycon Oyj (business ID 0699505-3) or any of its subsidiaries or other affiliates. In this Privacy Notice “we” or “Citycon” shall refer to any Citycon group company acting as the data controller in each individual case.

Customers and tenants

Purposes and legal basis for processing

We process customer and tenant information for creating, managing, maintaining and developing the  customer and tenant relationship, security related issues and communicating on these, providing services, customer and tenant communication, sending newsletters, organizing events, evaluating customer experience, compiling statistics, identification of the customer's users, payments and their controlling, developing business and customer service, handling complaints and claims, defending against claims and for accounting and other legal obligations. In addition, personal data is used for the direct marketing of the controller and its group companies (including electronic newsletters), for the targeting and profiling of online advertising and for the development and planning of the controller's products and services.

We process our customers' data to fulfil our legitimate interests arising from the contract and co-operation relationship we have with the person or the represented company. We may also process personal data of our potential customers and tenants or their representatives with whom we have not yet entered into an agreement or customer relationship, or with whom we have previously had an agreement or customer relationship. In that case, the processing of the data is based on our legitimate interest to investigate and understand potential customers or tenants, to communicate with them and to develop our customer and market insight. Based on our legitimate interest and, if required, consent, we may use personal data for marketing, direct marketing, enquiries and market research and other addressed mailing.

Categories of personal data we collect

Customers and tenants of business premises:

  • contact information, such as name, address, phone number, email address, title
  • information on the company the data subject is representing as well as its location
  • information on the companies the data subject has previously represented and his/her previous titles, if the data subject has changed company/position after his/her data has been collected for the first time in our systems
  • information on marketing prohibitions and consents
  • information provided by the data subject through registration forms in connection with Citycon events or campaigns
  • username and password for electronic services

Tenants of residential premises:

  • contact information, such as name, address, personal identification number, phone number, email address
  • other information, such as bank account number, tax decision, start date of the customer relationship, number and names of persons living in the same household;
  • information on employment, duration and nature of employment, income and assets, credit information, debt restructuring and collection information, information on the need for housing, information on the lease, information on rental deposit and termination of the lease, information on potential guardian; 
  • in the case of a minor tenant, guardian’s identification information, complaints, feedback and other information and communications related to customer relationship and material communications, direct marketing permissions and prohibitions 

Where we collect the personal data from

Our regular source of information is the information provided during the preparation and entering into the agreement as well as during the customer and tenancy relationship.

We collect information for our register directly from our customers, tenants or their representatives, from lease agreements and Citycon Portal. Information may also be collected, for example when you participate in our campaigns and events.

We update your information based on your notices and developments during the tenancy, for example. A notice may also be given by a third party, whereupon we pursue to duly ensure the validity of the information.

We may check the validity of personal data of our residential tenants from civil registry in connection with entering into a lease agreement. From the same registry we may also check the resident information of our apartments. We may collect and update your personal data also based on information received from our partners as well as authorities and companies providing personal data services.

We may collect and update credit and payment information as well as sanctions lists from Suomen Asiakastieto Oy or corresponding company providing company and credit worthiness information.

Information collected for the user management of our data systems, such as Citycon Portal, we receive from you or a representative of your company and our employees create and manage the login information.

Logging information is automatically stored when using information systems.

Disclosure of personal data and categories of recipients of the data

We may disclose personal data within Citycon group companies and also to authorities under a legal obligation.

We may also transfer information to our service providers that process data on our behalf and in accordance with our instructions (for example, for managing and developing the customer relationship or services, leasing, divestment of apartments or business premises, real estate management services, constructions and repairs and their supervision, security related issues and communicating on these, complementing customer information, debt collection and developing and maintaining data system and data security).

In the case of renting residential premises, personal data is disclosed only to the partners required for the management of the customer/lease relationship. These partners include the maintenance company for checking the residents' information (name and contact information), the lock shop for handing over keys (name, personal identification number and contact information) and the collection agency for collecting claims (name, personal identification number, amount of debt and contact information). 

When Citycon divest an asset, the information relating to the existing lease agreements may be transferred to the buyer of the asset. 

Transfer of personal data outside EU/EEA

Personal data may be transferred outside the EU/EEA in accordance with the applicable data privacy laws  and regulations and subject to the restrictions set in said laws and regulations.

When personal data is transferred outside the EU/EEA to a country, which does not guarantee adequate level of data protection, we will use appropriate safeguards, such as EU Commission’s standard contractual clauses and when necessary, apply additional safety measures, in accordance with applicable data privacy laws and regulations.

The personal data of tenants of residential premises is not transferred outside the EU/EEA area. 

Retention period of personal data

We retain customer and tenant data for the duration of the customer and tenant relationship or until you no longer represent our customer. Upon termination of the customer or lease relationship, we will retain the data for as long as the personal data is necessary to fulfill Citycon's needs or to comply with Citycon's legal obligations or, in the absence of such obligations, for a maximum period of 24 months.

We retain information about our potential customers and tenants and their representatives for as long as the information is necessary for Citycon and in accordance with Citycon's legal obligations or, in the absence of such obligations, for a maximum period of 24 months. 

The data concerning the tenants of residential premises shall be kept in the register only for as long as the processing is based on the grounds specified in the General Data Protection Regulation. 

Shareholders, other investors and analysts

Purposes and legal basis for processing

We process personal data of shareholders and their representatives to maintain a shareholders’ register, to arrange and administer shareholder meetings, to identify shareholders’ identity and right to participate in general meetings, to communicate with them and to pay dividend and to make other equity transactions.

We process personal data of other investors and analysts to fulfil our legitimate interests and to communicate with them.

We need to process personal data of shareholders and their representatives, other investors and analysts to be able to provide information to the public as a company listed on Nasdaq Helsinki Ltd.

We process shareholders’, other investors’ and analysts’ personal data to fulfil our legal obligations. We may also process the data in order to fulfil our legitimate interests to disclose information to the public and to communicate with and to maintain good relationships with our shareholders, investors and analysts. In addition, we may process data when we send invitations to our events, send newsletters, send information on our business and other marketing communications.

Categories of personal data we collect

Shareholders

  • contact information, such as name, address, phone number, email address
  • other information, such as personal identity number or other identifying information, nationality, number of shares and voting rights, book-entry account number
  • other information concerning shareholders’ participation in the general meetings (including information on power of attorneys)

Shareholders’ proxy representatives and assistants

  • name of representatives and personal identity number when the representative represents shareholders in shareholder meetings
  • name of We also collect personal data of proxy representatives and of assistants representing / assisting shareholders in general meetings

Other investors and analysts

  • contact information, such as name, address, phone number, email address

Where we collect the personal data from

We collect personal data from:

  • Shareholders. We receive information provided to us in notifications of major shareholdings (flagging notifications).
  • Euroclear Finland Oy (national central securities depository). Euroclear Finland Oy maintains Citycon’s shareholder register and it is the technical provider of the database that we use to manage the shareholder information.
  • Other investors and analysts or companies they represent.

Disclosure of personal data and categories of recipients of the data

Information regarding major shareholders, flagging notifications and list of analysts following Citycon can be found on our website www.citycon.com.

We are required to disclose the list of shareholders to anyone requesting based on applicable laws and regulations (publicity of shareholders’ register).

We may disclose certain data to authorities where we have a legal obligation to do so.

We may also transfer data to our service providers, who process the data on our behalf and in accordance with our instructions.

Transfer of personal data outside EU/EEA

In some cases, personal data can be transferred outside the EU/EEA (e.g. in case of service providers) in accordance with applicable data privacy laws and regulations and subject to the restrictions set in said laws and regulations.

Retention time

Data will be retained as long as needed under Citycon’s legal obligations as a company listed on Nasdaq Helsinki Ltd. In addition, data can be retained as long as it is necessary for Citycon’s genuine interests and needs or purposes of processing.

Business partners and other stakeholders

Purposes and legal basis for processing

We process our business partner and other stakeholder data for fulfilling contracts, co-operation and business relationship management, developing our business, organizing and developing our business functions, communications and collaboration, sending newsletters, organizing events, payments and their supervision, accounting and other legal obligations.

We process data of our supplier and stakeholder representatives to fulfil our legitimate interests arising from the contract and co-operation relationship we have with the company the person is representing. We may also process data of our potential business partners and other stakeholders with whom we have not yet signed an agreement or with whom we have not yet a client relationship. In this case the processing is based on our legitimate interest to research and understand our potential partners and stakeholders, to communicate with them and to develop our knowledge on clients and marketing.

Categories of personal data we collect

We collect contact information, such as name, phone number, email address and title, information on the company the data subject is representing, and the data subject’s area of responsibility and information related to managing the co-operation as described above (e.g. arranged meetings).

Where we collect the personal data from

We collect personal data from the business partner and stakeholder representatives.

Disclosure of personal data and categories of recipients of the data

We may disclose business partner and stakeholder data within Citycon group companies and, where we have a legal obligation to do so, to authorities.

We may also transfer data to our service providers, who process the data on our behalf and in accordance with our instructions.

Transfer of personal data outside EU/EEA

Personal data can be transferred outside the EU/EEA in accordance with applicable data privacy laws and regulations and subject to the restrictions set in said laws and regulations.

Some of Citycon’s service providers may also be located outside the EU/EEA, including the United States.

When personal data is transferred outside the EU/EEA to a country, which does not guarantee adequate level of data protection, we will use appropriate safeguards, such as EU Commission’s standard contractual clauses and when necessary, apply additional safety measures, in accordance with applicable data privacy laws and regulations.

Retention time

We retain the personal data for the duration of the co-operation relationship. After the co-operation relationship has ended, we retain the data as long as the personal data is necessary for Citycon’s genuine needs and legal and regulatory requirements Citycon is subject to, or in the absence of applicable regulatory requirements for a maximum of 24 months.

 

Data protection

Citycon has taken appropriate technical and organizational measures to restrict access to the personal data it holds and to protect it against loss, accidental destruction, misuse, and unlawful alteration. Access to personal data is restricted on a need-to-know basis to individuals (Citycon’s employees and service providers) who need to access the data for the purposes it was collected for.

If personal data is transferred outside the EU/EEA to a country, which does not guarantee adequate level of data protection, we will use appropriate safeguards, such as EU Commission’s standard contractual clauses and when necessary, apply additional security measures, in accordance with applicable data privacy laws and regulations.

What are your rights

Right to object

You have the right based on your situation to object to profiling and other processing in situations where we process your personal data based on our legitimate interests. These situations can relate to, for example, sending a newsletter or invitation to our events that we assume you are interested in, for example, based on your company's field of operation.
 

Direct marketing

You have the right at any time to object direct marketing free of charge. You may do this by contacting Citycon.

Right of access to data

You are entitled to have information concerning your personal data that is processed as well as a copy of such data.

Right to request rectification, erasure or restriction of processing of personal data

You have the right to request that we rectify erroneous data on you. You can also request that we erase certain data on you or request that processing be restricted on the grounds provided by law.

Right to withdraw consent

When processing is based on consent, for a consent to be valid, it needs to be withdrawable, and you have the right for such withdrawal at any time.

Right to data portability

To the extent that you have provided data to us that is processed based on your consent, you are entitled to obtain such data primarily in a machine-readable format and are entitled to transfer such data to another data controller.

Right to lodge a complaint with a supervisory authority

You are entitled to lodge a complaint with the competent supervisory authority if you are of the opinion that we have not complied with the data protection regulations applicable to our operations.

How you can contact us and exercise your rights

If you have any questions concerning protection of your personal data in our data processing activities or you wish to exercise your rights, please contact us at privacy@citycon.com.

Citycon’s Data Protection, Eero Nurmilaukas, Piispansilta 9 A, 02230 Espoo, Finland, +358 20 766 4529, eero.nurmilaukas@citycon.com.

Changes to Privacy Notice

We may update this Privacy Notice from time to time to reflect changes in our operations and/or applicable law. Any changes will be posted here.