GDPR | Mall of America®

GDPR NOTICE OF RIGHTS

Last updated: September 21, 2020

MOAC Mall Holdings LLC, MOA Entertainment Company LLC, and North Pad Development, LLC (“MOA” shall mean any of the foregoing entities and their subsidiaries, including any entity that controls MOA®, is controlled by MOA or is under common control with MOA (each an “Affiliate”), are committed to protecting your privacy and demonstrating care and respect with regard to our treatment of any ‎Personal Information that we may obtain from you. This GDPR Notice of Rights (“Notice”) is applicable for any personal information obtained from a citizen of the European Union (“EU”) and is intended to provide transparency into our privacy practices and to provide a notice of the rights held by citizens of the EU regarding our use of your personal information. This Notice applies where we are acting as a data controller with respect to the personal information of our customers, purchasers, visitors to our Sites, users of our Apps, visitors to our locations, and users of our any of our services where we determine the purposes and means of the processing of their personal information. We are dedicated to treating your Personal Information with care and respect.

Disclosures to Third-Party Information Processors
We also provide your personal information to third-party data processors as necessary to provide the Services, such as companies which host servers, provide secure communications, or process your payment for Services or purchases. These third-party data processors are generally located in the United States and may have sites outside the United States. MOA may provide your personal information to its consultants, professional advisors, and other third parties to provide services such as hosting, data analytics, advertising, and other services. MOA may provide your personal information to these third parties only to provide those services, and the third parties are not authorized to use or disclose your personal information for any other purpose. Our third-party data processors will not use your personal information for any purpose other than those identified within our Privacy Policy and to enable MOA to provide you with the requested information, services, or products.

When Disclosures to Other Third Parties May Be Made
Except for our third party data processors, we will not voluntarily share your personal information with a third party without your prior authorization, except (a) to enforce our privacy policy, to comply with law, regulation, or other legal processes, or to protect the rights, property, or safety of us or others; (b) to a government regulator, law enforcement agency, or other public authorities, including to meet national security standards; (c) in emergency situations; (d) to protect against misuse or unauthorized use of MOA services; (e) to detect or prevent criminal activity or fraud; or (f) in the event that MOA or substantially all of its assets are acquired by one or more third parties as a result of an acquisition, merger, sale, reorganization, consolidation, or liquidation, in which case personal information may be one of the transferred assets.

Our Use of Your App and Site Usage Information
We use the information that we collect through your use of the Sites and Apps to analyze, measure, evaluate, and improve or change the features and functionality of the Sites and Apps. We may also use this information for product marketing, promotion, and sales purposes in our business discretion. We may share this usage information with third parties for marketing, advertising, or other similar uses. Your usage information will not include any personal information which identifies or can be attributed to you unless we first notify you and obtain your consent.

We may process your personal information that has been provided through your purchases or the use of our services. When you use MOA’s services, including our e-commerce services, we require that you provide your informed consent for our use of your personal information. The personal information you provide in relation to your use of MOA services is processed for the purposes of providing MOA services, communicating with you, your designated legal guardian, operating our Sites and Apps, ensuring the security of our Sites, Apps and services and maintaining back-ups of our databases. The legal basis for this processing is your Informed Consent OR our legitimate interests and business through provision of our services, Apps and Sites.

The Legal Basis for the Processing of Your Personal Information
Our legitimate business interest for collecting our visitors’ and customers’ personal information is to operate the Sites, Apps, and services for the benefit of our customers in return for payment for the used services. We use the fee derived from our provision of services to pay our business expenses and operate MOA, which is a for-profit business.

Your Rights Regarding Your Personal Information
As a resident of the European Union and under the terms of the GDPR, you have specific rights you may exercise regarding your personal information. We have summarized your rights in this Notice. Some of the rights are complex, and you should read the relevant laws and guidance from the regulatory authorities for a full explanation of these rights. To exercise any of the below rights contact MOA in writing at privacy@MOA.net and state the right you are seeking to exercise. To protect your privacy and security, MOA will need to verify your identity before granting you the right to access, review, or make corrections to your personal information.

Please be advised that certain personal information may not be corrected or deleted if we must by law retain such information as submitted. In addition, applicable law may require or permit us to decline your request. If we decline your request, we will tell you why, subject to legal restrictions. If you would like to submit a complaint about our use of your personal information or our response to your requests regarding your personal information, you may contact us or submit a complaint to the data protection regulator in your jurisdiction. You can find your data protection regulator here.

Right to Access and Data Portability
You have the right to confirmation regarding if we process your personal information and, if we do process your personal information, you have the right to access such personal information. In addition, if we process your personal information you also have the right to be informed of the purposes of the processing, the categories of personal information concerned and the recipients of that personal information. In case we are processing your personal information in an automated manner as part of a service to you, or based on your consent, you also have the right to request a copy of your information in a structured, commonly used and machine-readable format. The first copy will be provided free of charge, but additional copies may be subject to a reasonable fee.

Right to Restriction on Processing
In some circumstances you have the right to restrict the processing of your personal information. You have this right in circumstances where: you contest the accuracy of the personal information; processing is unlawful but you oppose erasure; we no longer need the personal information for the purposes of our processing, but you require personal information for the establishment, exercise, or defense of legal claims; and you have objected to processing, pending the verification of that objection. Where processing has been restricted on this basis, we may continue to store your personal information; however, we will only otherwise process it with your consent; for the establishment, exercise or defense of legal claims; for the protection of the rights of another natural or legal person; or for reasons of important public interest.

Right to Object to Processing
You have the right to object to our processing of your personal information on grounds relating to your particular situation, but only to the extent that the legal basis for the processing is that the processing is necessary for: the performance of a task carried out in the public interest or in the exercise of any official authority vested in us. If you make an objection to our processing of your personal information, we will cease to process the personal information unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or the processing is for the establishment, exercise or defense of legal claims.

Right to Correction or Modification
You have the right to have any inaccurate personal information about you rectified and to have any incomplete personal information about you completed.

Right to Erasure
In some circumstances, you have the right to the erasure of your personal information without undue delay. Examples of such circumstances include: when your personal information is no longer necessary in relation to the purposes for which it was collected or otherwise processed; you withdraw consent to consent-based processing; you object to the processing under certain rules of applicable data protection law; the processing is for direct marketing purposes; or the personal information has been unlawfully processed. You may not have a right to erasure where the processing of your personal information is necessary for exercising the right of freedom of expression and information; for compliance with a legal obligation; or for the establishment, exercise, or defense of legal claims.

Right to Withdraw Consent
To the extent that the legal basis for our processing of your personal information is consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal. We may need to retain some of your personal information and customer content for limited periods for our legitimate business or legal purposes. Contact us for more information about our data retention periods and how long it takes us to delete your information.

Disclosure of Information
We reserve the right to disclose your personal information as required by law and when we believe that disclosure is necessary to protect our rights and/or comply with a judicial proceeding, court order or legal process.

It is also possible that MOA would sell its business (by merger, acquisition, or otherwise) or sell all or substantially all of its assets. In any transaction of this kind, customer, purchase, visitor, and user information, including your personal information, may be among the assets that are transferred. If we decide to so transfer your personal information, you will be notiﬁed by an email sent to the last know email address in our ﬁles or by notice posted on the Sites and the Apps.

Retention of Personal Information:
We will only retain your personal information for as long as necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.

When we no longer require the personal information we have otherwise collected about you, we will dissociate any identifying information from the personal information to the extent possible while retaining such information only so long as needed to comply with business, legal or regulatory obligations and requirements. In some circumstances we may anonymize your personal information (so that it can no longer be associated with you), in which case we may use this information indefinitely without further notice to you.

Data Transfers Outside the EU:
For our customers, visitors and users of our services residing in the EU, we may transfer your personal information to other jurisdictions for processing. Whenever we transfer your personal information to other countries not deemed by the European Commission to provide an adequate level of personal data protection, the transfer will be made: Pursuant to the recipient’s compliance with standard contractual clauses or Binding Corporate Rules; pursuant to the consent of the individual to whom the Personal Information pertains; or as otherwise permitted by European law.
Requests

At any time, you may exercise your right to access, rectify and, if applicable, erase, any personal information relating to you, or restrict the processing of your personal information, in compliance with applicable laws.

You also have the right at any time to object, based on your particular situation, to any use or processing of your personal information which we have based on our legitimate interests.

Such requests should be sent, in writing to privacy@moa.net or by mail to:

Mall of America
Attn: Privacy Office
2131 Lindau Lane
Bloomington, MN 55425

Please note that we may ask you to provide proof of identity (such as a copy of your ID card or passport) before we can comply with your request.

You may also at any time, free of charge and without having to provide any justification, opt-out of any direct marketing campaigns and request to no longer receive any promotional material as described above.

Right to Complain to a Supervisory Authority.
Our Data Protection Officer may be contacted by email at privacy@moa.net. In case you are not satisfied with our handling of your request, you may contact the applicable Data Protection Authority in your jurisdiction.