Last updated November 2023
Last updated: 28 November 2023 (Version 2.0)
1 Who we are
Braehead Glasgow Limited, registered with the Information Commissioner’s Office with registration number ZA822983, is the controller of your personal data.
We collect, use and are responsible for certain personal data about you. When we do so we are regulated under data protection legislation and we are responsible as ‘controller’ of that personal data for the purposes of those laws.
“Personal data” is information about you from which we can identify you (either on its own, or by piecing it together with other information). Personal data does not include aggregated data where you cannot be identified (e.g. statistics about usage in general or in categories).
The types of personal data we collect about you are:
Preferences & Profile data
Technical / Usage data
We may use your personal data to:
We will only retain your personal data for as long as is necessary to fulfil the purposes for which it was collected (including for the period of any contract/agreement we have with you, and for a period of time after in the event of any potential issue), unless we are required by law to retain your personal data for a longer period (e.g. where you make a rights request, and we maintain records to demonstrate how we comply with such requests).
To deliver services to you, it is sometimes necessary for us to share your personal data outside the UK with our service providers located outside the UK;
Under data protection law, we can only transfer your personal data to a country or international organisation outside the UK
These are explained below.
6.1 Adequacy decision
We may transfer your personal data to certain countries, on the basis of an adequacy decision. These include:
The list of countries that benefit from adequacy decisions will change from time to time. We will always seek to rely on an adequacy decision, where one exists.
6.2 Transfers with appropriate safeguards
Where there is no adequacy decision, we may transfer your personal data to another country if we are satisfied the transfer complies with data protection law, appropriate safeguards are in place, and enforceable rights and effective legal remedies are available for data subjects.
The safeguards will usually include using legally approved standard data protection contract clauses, which have been approved by the UK data protection regulator.
To obtain a copy of the standard data protection contract clauses and further information about relevant safeguards please contact us (see ‘How to contact us’ below).
6.3 Transfers under an exception
In the absence of an adequacy decision or appropriate safeguards, we may transfer personal data to a third country or international organisation where an exception applies under relevant data protection law, eg:
We may also transfer information for the purpose of our compelling legitimate interests, so long as those interests are not overridden by your interests, rights and freedoms. Specific conditions apply to such transfers and we will provide relevant information if and when we seek to transfer your personal data on this ground.
We have set out below, in a table format, a broad summary of the ways we use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.
Note that we may process your personal data on more than one lawful ground if we are processing the same information for more than one specific purpose.
|Purpose/activity||Type of data||Lawful basis for processing including basis of legitimate interest|
|To manage our relationship with you which will include:
b) Asking you to leave a review or take a survey
c) Responding to your requests
Preferences & Profile
|a) Performance of a contract with you in relation to any updates to our terms. Necessary to comply with a legal obligation to inform you about how we use your personal data.
b) Necessary for our legitimate interests to keep our records updated and to study how customers use our products/services
c) Necessary for our legitimate interests to provide customers with a good service
|To administer and protect our business (including protecting our centre, visitors and staff) and our Sites (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data), this may include data collected from on-site visits to the centre||Contact
Preferences & Profile
Technical / Usage
|a) Necessary for our legitimate interests, for running our business, provision of administration and IT services, network security, to prevent crime and fraud in our Centre and on our Sites, to prevent and manage Health & Safety issues in our Centre, and in the context of a business reorganisation or group restructuring exercise, and in the event that we need to commence and manage any legal proceedings.
b) Necessary to comply with a legal obligation. e.g. to comply with health and safety legislation.
|To use data analytics to improve our websites, products/services, marketing, customer relationships and experiences||Technical / Usage||Necessary for our legitimate interests (to define types of customers for our products and services, to keep our Sites updated and relevant, to develop our business and to inform our marketing strategy)|
|To send marketing communications, including suggestions and recommendations to you about services that may be of interest to you, and to provide you with updates about us and our Centre (which may be personalised).||Contact
Preferences & Profile
Technical / Usage
|a) Necessary for our legitimate interests (to develop our products/services and grow our business)
b) In certain circumstances, with your consent (see also Direct marketing – how to opt out)
|To manage and administer any of our promotions and competitions which you enter.||Contact
Preferences & Profile
|a) Performance of a contract with you e.g. in order send you a prize which you have won from a competition you have entered into.
c) Necessary for our legitimate interests (to develop our products/services and grow our business) e.g. in order establish what products you are interested in so we can target marketing and promotional material which we feel may be most relevant to you.
|To provide a service to you||Contact
Preferences & Profile
Technical / Usage
|a) Performance of a contract with you
b) Consent to push notifications, via your device settings
We have a number of measures to keep your data safe and secure:
We may disclose your personal data to any of the following to the extent necessary to fulfil the purpose for which your data was collected:
We may also share information or statistics with third parties in an aggregated or anonymised form that does not directly identify you, e.g. we may share aggregated information about your interests and geographic preferences and/or location (if given) with advertisers and third party deal sites for marketing purposes.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law and subject to appropriate contractual terms. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
When you post in any profile, comments, forums and other interactive features of the Sites, or share personal data with individuals through the Sites or social media platforms, this personal data will be available to other users and in some cases may be publicly available outside of the Sites (e.g. on social media platforms).
If you interact with us on social media platforms, (for example, if you ‘Like’ our Facebook Page or post on our Facebook timeline, or if you follow us or mention us in a tweet on Twitter) we can interact with you and send you information via these platforms.
The personal data we have access to through social media platforms will depend on your personal settings on these platforms. We will have access to all public information on these platforms. We may also be able to access personal data that others share about you (because they control how that is shared, not you).
We may collect any data that is accessible to us or that you provide through social media platforms, including but not limited to your Facebook and/or Twitter profile picture, gender, and usernames. We will interact with you through social media platforms in accordance with each platform’s rules but we are not responsible for how the platform owners collect and handle your data. We are not responsible for what third parties post on our social media accounts.
You have rights under data protection laws in relation to your personal data, as listed below, to:
If you wish to exercise any of the rights set out above, please contact us at firstname.lastname@example.org; or write to [Management Suite, Braehead Shopping Centre, Renfrew, G51 4BN.
When writing to us to obtain a copy of your personal data or to update our records, please quote your name and address and provide brief details of the personal data of which you would like a copy of, or which you would like to be corrected, because this will help us more easily locate your personal data.
What we may need from you when you exercise your legal rights
When exercising your legal rights, we may need to request specific information from you to help us confirm your identity. This is a security measure to ensure that requests are made by the individual themselves and that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request.
Fees and refusal to comply with requests
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, if your request is clearly unfounded, repetitive or excessive we may charge a reasonable fee and/or refuse to comply with your request.
Time limit to respond
We will respond to all legitimate requests within one month. If your request is particularly complex or you have made a number of requests and it is likely to take us longer than a month to respond, we will notify you of that and keep you updated as to progress.
Your right to make a complaint
In addition to your legal rights set out above, you also have the right to make a complaint at any time to your local data protection authority, (see http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.html). The Information Commissioner’s Office (ICO) is the UK supervisory authority for data protection issues (www.ico.org.uk). We are committed to protecting your personal data and would appreciate the opportunity to address any concerns or complaints you may have before you approach the ICO so that we can remedy them. Any concerns or complaints should be raised with the Data Protection Officer in the first instance.
Automated decision-making takes place when an electronic system uses personal data to make a decision without human intervention. You have the right not to be subject to automated decisions that will create legal effects or have a similar significant impact on you, unless you have given us your consent, it is necessary for a contract between you and us or is otherwise permitted by law. You also have certain rights to challenge decisions made about you. We do not make any automated decisions about you.
You have the opportunity to opt-out of receiving marketing communications from us at any time. You can do this by clicking on the unsubscribe link on any communications from us updating your preferences in our preference centre [https://www.braehead.co.uk/] or by emailing email@example.com.
We take your online privacy seriously, so if you need any assistance in unsubscribing to future communications please contact us. We will promptly take action to ensure that you are “opted-out” from receiving any further mailing or other information. Although we will remove your name from our e-mail list as quickly as possible, there may be a period of time after you unsubscribe during which you may still receive e-mails from us. Additionally, in order to ensure you do not continue to receive correspondence from us, we may retain your Personal Data on a suspension list.