Your data protection is important to the Olav Thon Group and we are committed to protecting the integrity, availability and confidentiality of your personal information. All processing of personal data by the Olav Thon Group shall comply with the data protection regulations at any given time, including the GDPR and the Personal Data Act. This personal data protection declaration provides in-depth information about what personal data is collected, how data is collected, and what rights you have if personal data about you is registered with us.
Olav Thon Gruppen AS determines the purpose of the processing of personal data and the means to be used for the different companies where the Olav Thon Gruppen AS has a 50% or more holding (collectively referred to below as the Olav Thon Group). In our assessment therefore, Olav Thon Gruppen AS is to be considered as data controller for the personal data that is processed by the Olav Thon Group, cf. summary below. The administrative and operational responsibility for compliance with data protection in the Olav Thon group has been delegated to Thon Holding AS. Responsibility for the daily follow-up of our compliance with the data protection regulations has been delegated to the data protection coordinator of the Olav Thon Group.
The Olav Thon Group processes personal data for the following main purposes:
To be able to operate our shopping centres it is necessary to process personal data relating to tenants, including names and contact information for contact persons at the tenants and the names of employees who are registered in the IT systems for registration of daily sales, as well as personal data that is processed as part of our control measures, such as security services.
In connection with the leasing of commercial property, it is necessary for us to process personal data such as name and contact information of contact persons at tenants.
To be able to enter into and comply with agreements for the rental or sale of homes, it is necessary for us to process names, contact information, personal ID numbers, credit checks (for rental), family relationships/marital status etc.
In order to administer hotel bookings, course and conference bookings and offer accommodation to our guests, it is necessary for us and our partners to process names, addresses, date of birth, details of the accommodation (name of hotel, room number, room rate, payment method, number of days, number of guests etc.), passport number (only for guests with a registered address abroad) and employer (for overnight stays covered by a company agreement).
In order to manage table reservations at some of our restaurants, it is necessary for us to process information such as name, contact information, telephone number, e-mail address and comments regarding the reservation. The personal information is primarily used to provide customer service. If you have consented, we will also use the information to provide you with relevant information and great offers from the restaurant. Communication will take place via e-mail and / or SMS.
To be able to enter into and comply with hotel agreements, it is necessary to process personal data such as names and contact information of contact persons at customers in both public and private sectors. In order to maintain the hotel agreement, we need to keep personal data of contact persons at customers for agreements that last from 1 to 5 years.
Thon Discovery is Thon Hotels’ loyalty program rewarding our members with such benefits as discounts on accommodation, discounts on selected Oslo bars and restaurants, and bonus points on stays. As a member you are automatically a part of “Discovery”, a worldwide hotel alliance (Global Hotel Alliance), providing you with the same benefits at 650 hotels worldwide, and allowing you to put your earned bonus points towards local experiences. For more information, go to:https://www.thonhotels.no/thon-discovery/betingelser/medlemskap/In order to comply with this agreement, it is necessary for us to process personal data such as, but not limited to, name, contact information, language, currency, accommodation history (see above) as well as any information you have provided us with regarding your personal preferences.
Each of our shopping centers have a customer club where members receive offers and newsletters sent via SMS and / or e-mail. In order to fulfill this agreement, it is necessary to process, among other things, name, address, postal code, telephone number, e-mail address, gender and date of birth. We use auto-lookups from Link Mobility AS, through Eniro AS, and from Boostcom, through Bisnode, to make registration easier. In addition, members may choose to register interests, number of children and age of children, as well as consent to the processing of behavioral data collected / processed. All marketing is done according to the information we receive and the consent given.
To avoid storing information about inactive members, we keep track of your activity. After two years of inactivity, we will send a request if you still want to be a member, via SMS and email. In the absence of a reply or message that you do not wish to be a member, all personal information about you will be deleted. Definition of inactive member: Did not open SMS link, newsletter or app in 2 years.
We are in process of changing provider of the technical system for the customer club and will, for a transitional period, move your personal data to the new system. Changing the technical system will not affect your privacy.
When using the “Min Shopping” app, we will process personal information about you for the following purposes:
Especially about the use of location data
We want to use location data for the reasons mentioned above. Some of our shopping centers have installed transmitters that are used for visitor registration. This is so that we can gain better insight into the use of our shopping centers and have a good data basis for further development. We only process data at an aggregate level and do not have the opportunity to acquire information about an individual, all processing of personal data will only take place on your phone.
We enter into data processor agreements with all companies that process personal data on our behalf. Our data processors may not process your personal information in any way other than as agreed with us and described in this privacy statement. The data is stored within the EU / EEA. Beyond this, the personal information is not transferred to other third parties.
Personal information collected through the “Min Shopping” app can be deleted at any time via your profile under "my settings" in the app. Note that if you delete your information, you will also be opted out from your loyalty clubs. In the same way, your data is deleted when you opt out of your customer clubs.
As a user of the app, you have rights under the Personal Data Act. You can access, correct or delete your information in the app at any time under "my settings". Would you prefer to get in touch with us regarding your rights, you can use the form at the bottom of this page.
We offer free WiFi at our chopping centres and hotels. For you to be able to use this service, it is necessary for us to process IP address, MAC address and phone number, among other things.
Upon use of the Thon Flex App, information about the location of your mobile device, will be registered only when:
We will also ask for consent to access push functionality on your mobile device – this in order to be able to send you messages from the app. Consenting to this will allow the app to gather data about your mobile device and its network connection, for instance your operating system, device manufacturer or network-Id.
When you drive into and out of our parking facilities, we take a photograph of the number plate of your vehicle. We use the photographs and information about the time and place they were taken to calculate parking charges. If there is no charge payable when driving out, the photographs are deleted after you drive out. If there is a charge to pay, the photographs are deleted after the charge is paid or the claim is otherwise withdrawn. The camera does not photograph people inside the vehicle. You can find car parking close to wherever you are on the internet. To provide this service we need information about your location. We also use an online complaint form. If you complain about a calculated parking fee or penalty, we will process the personal data that you provide in the complaint. This is typically the name and address of the driver. There may also be further information about the driver and other persons in your reasons for the complaint and in any documents that you may attach. Time Park will collect details of who owns the vehicle from the Motor Vehicle Register.
To prevent, detect and investigate criminal offenses, our properties are equipped with ITV equipment. Photos and video are stored for 7 days and then deleted. Information obtained from photos and / or video can be shared with the police in connection with criminal cases. Places where ITV equipment is used are marked and information on use can be found on site.
In the payment solution to DittGavekort.no, we work with Nets, Evry and Microlog, and we need personal data about you in order to be able to deliver this service. We use your personal data to provide the service and to support the product after it is delivered. The information we obtain when you purchase an SMS gift voucher is your name and e-mail address, so that we can send you a purchase receipt. We will also store the recipients phone number, so we are able to send an access code. Purchasing physical gift vouchers to be delivered by post, requires us to obtain the buyers address so we can send a purchase receipt as well as the recipients or the buyers name, address and phone number for delivery and activation of the gift voucher.
We register information about you when you are a guest with us. The purpose of this is to be able to assist local health authorities when there is a need for contact tracing in the fight against Covid-19. Our basis for processing in this case is a legitimate interest. It is of great interest to us to be able to run our establishments in a safe way for guests and employees, and to be able to assist health authorities in this important work for the industry and the community at large. We collect your name, mobile number, and time and place of visit. Registration is voluntary. The information you share with us may only be shared with local health authorities and only if there is a need for contact tracing. Deletion is done automatically after 14 days.
Like most other businesses, we have a legitimate interest in marketing our services. If we have an existing customer/member relationship with you, we will send you relevant information relating to our services. For example, this could be sending invitations to events, information on current promotions, newsletters, members’ magazines etc. You can make a reservation against receiving this type of material at any time by sending an e-mail to email@example.com.
Any marketing beyond this will be based on your consent.
In order to market our services, it is necessary for us to process names and contact information. You can also update your member profile yourself with your interests and preferences.
We wish to offer stable, safe and easy-to-use IT systems. It is also important that IT systems contain the correct data. For this reason, we test and develop our IT systems so as to be able to pursue this justifiable interest. We endeavour to have anonymous test environments, but in some cases it may be necessary for us to use real personal data for testing purposes. In such cases, we will provide adequate information security, including access control, deletion and possibly pseudonymity.
We use a number of forms on our websites. In some cases, information is stored in the CMS, but otherwise it is relayed to our CRM system or the relevant contact person. Each form should be clearly marked with what the information is used for and we will not use personal data for other marketing unless an opportunity is provided and consent obtained.
The Olav Thon Group stores data on which search terms users use in our CMS and in Google Analytics. The purpose of storing this data is to improve our information provision. It is only the search words that are stored and these cannot be linked to other information about users, such as IP addresses.
Our mobile applications use tools to track user behavior and app navigation. This information is used only to improve the user experience, and is not traceable to any individual user. We also gather information on use and individual units in order to follow up on error messages. Any other access to information requires permission settings, which is under user control.
Personal data will not be stored any longer than is necessary in order to fulfil the purpose of the processing or statutory obligations; for example the Bookkeeping Act requires that we keep detailed purchasing history for five years.
VWe will also delete personal data about you if you ask us to, unless we have a legal basis or statutory obligation to keep your personal data further.
We will only share your personal data with other companies in the Olav Thon Group to the extent necessary to ensure day-to-day operations. Since Thon Holding is responsible for administrative work in the Olav Thon Group, this means that personal data processed by Thon Hotels, including Thon Discovery, and Thon Property and the customer clubs, as well as Time Park will be shared with Thon Holding. In addition to this, personal data about hotel operations and Thon Discovery will be shared with the companies that are subsidiary to Thon Hotels. The legal grounds for this is justified interest, in that we wish to streamline operations and provide the best possible service.
Unpaid claims will be sent to debt collection companies. We will also share your personal data with public authorities to the extent necessary to comply with our legal obligations.
Beyond this, we will not share your personal data with other organisations unless you consent to this.
We take data security seriously and we have established suitable security measures to protect the integrity and accessibility of your personal data. Access to your personal data is limited to employees who have a need of such access in their work. We will provide training to employees and third parties where relevant, to further awareness of the Olav Thon Group's guidelines and routines for personal data protection.
We use other companies, consultants or contractors to perform services on our behalf. This helps us to offer our services to you. For example, we may engage data processors:
The Olav Thon Group enters into data processor agreements with all organisations that process personal data on our behalf. Our data processors cannot process your personal data in any way other than those agreed upon by us and described in this data protection declaration.
Personal data that is processed by the Olav Thon Group is essentially stored on servers in Norway and Europe. We do not store personal data in countries outside the EU/EEA. Personal data that is processed in connection with Thon Discovery is stored at on the supplier’s servers in Frankfurt.
You have the right to access, correct or delete personal data or restrict the processing of personal data that applies to you. Under certain conditions you also have the right to protest against processing, as well as the right to data portability. You can also withdraw any consent you have given to the processing of your personal data at any time.
You also have the right not to be subject to any decision that is solely based on automated processing that has a legal effect for you or that significantly affects you in a corresponding way.
Any questions or requests to inspect information registered about you can be directed to firstname.lastname@example.org or by post to Thon Holding AS, PB 489 Sentrum, 0105 Oslo.
If you believe that we are processing personal data in contravention of the law, you have the right to complain to the Norwegian Data Protection Authority email@example.com.
The Olav Thon Group has appointed its own data protection officer to assist with guidance to ensure that personal data is treated properly and in line with the regulations.
If you have any questions about or objections to Olav Thon Group's personal data processing, e-mail the data protection officer at: firstname.lastname@example.org.
If we make changes to this data protection declaration, the changes will be published on this website 14 days before they come into effect.