Skip to navigationSkip to main contentSkip to footer
The Crown Estate logo

Visitors

I'm a visitor to Windsor Great Park, one of your commercial premises or retail centres.

This notice covers how we may process your personal information when you visit one of our retail destinations including our regional retail parks and shopping centres, Regent Street and St James’s. It also covers our visitor destinations at Windsor.

Privacy and cookies policy

This Fair Processing Notice (or Privacy Notice) was last updated on 01 February 2020. It may vary from time to time so please check it regularly.

This Notice describes the types of information collected, how that information is used and disclosed, and how you can access, modify, or delete your information.

The Crown Estate is the ‘data controller’ for the personal data we collect. We are registered with the Information Commissioner’s Office with registration number Z6390151.

Wi-fi in our retail parks and shopping centres

Wi-fi at the Savill Garden visitors centre is owned and operated by The Crown Estate. We only collect the information we require to log you onto our free wi-fi, and we do not use that information to send you direct marketing, nor do we share that information with anyone else.

Wi-fi at our regional retail parks and shopping centres is provided by a range of providers and further details are available at the dedicated websites for each regional site.

Marketing

How do we collect information about you? 

  • Entering into a competition or promotion hosted by ourselves or our third parties: You may provide us with personal data when you subscribe to these services either online or through a physical form. You will be provided with the terms and conditions for each competition or promotion you enter which will tell you how we process the information you give us.

  • Feedback: Providing feedback to us through our email, online and face-to-face surveys where you may be given the opportunity to provide your contact details and opt in to receive direct marketing. You can also provide us feedback through writing to us or one of our retail centres with you complaints, comments and suggestions at the address provided on each of the websites dedicated to a particular site.

  • Website usage: We may also collect information from you automatically when you access and use our websites, including the time and duration of your visit, the referring URL, your Internet Protocol (IP) or MAC address, the type of device you use and its operating system. As with most websites, we also operate cookies on our sites and further details can be found in the section on cookies below. Each of our websites carries a privacy notice and cookies notice detailing the cookies in use on that site.

  • Enrolling for an event: We may collect your name and contact details if you wish to participate in an event. This data may be captured on a third party booking system. 

  • Promotional photography: We may take photographs of you when you attend one of our events. Signs will be on display during the even to advise you when photographs are being taken, and if you have concerns or do not wish to be photographed please raise these with a member of our staff at the event. 

  • Interaction with social media: Depending on the privacy setting you have applied in your social media accounts, and based on the content that you choose to share, when you interact with our social media presence we will have access to your user generated content, such as posts, comments, pages, profiles and images. Also depending on the privacy setting you have applied in your social media accounts, and based on the content that you choose to share, we may have access to contact details, personal information (such as age, gender, employer, education, location and habits and preferences).

  • Car parking: We may collect your vehicle registration number using automatic number plate recognition (ANPR) to administrate our car parking fees and manage our car parks.

In all cases, we will only provide you with email marketing where you have consented and you can withdraw this consent at any time by clicking the unsubscribe link within the emails you have been sent. Where we send you information electronically, we review whether the communication has been opened and whether you have clicked on any links in the communication. This is because we want to make sure that our communications are useful for you. 

We also use third party marketing agencies who may have access to your personal details to manage email marketing campaigns, to provide customer insight through the analysis of data and to collect personal data on our behalf. We store your information in a secure marketing database hosted by a third party which we use to also generate our email marketing campaigns. Some of our email marketing is conducted by ourselves and marketing agencies using an email management service based in the US, so your data will be transferred securely and legally outside of the UK.

For what purpose is it collected?

The personal information gathered through wi-fi and marketing opt-in is required to: 

  • Tailor our online services to you so the content you see is relevant to you. We may use third parties to carry out profiling on our behalf so we can better understand our customers; and

  • Collect data obtained through our interaction with customers for research, analysis, testing, monitoring, risk management and administrative purposes including the optimisation of service delivery at our properties and to improve the customer experience.

  • Promote our destinations externally. 

  • We frequently ask for post code during our customer interactions to help us better understand our customers. We share this data with third parties without any personal identifiers to assist with our insight and analysis.

For car parking, wi-fi service and competitions and promotions, the legal basis is also to form a contract with you to provide these services and promotions. 

Data minimisation and retention

We will only collect the minimum amount of personal information necessary and will only keep your information for as long as you remain engaged with our marketing campaigns. Where you indicate that you no longer wish to receive direct marketing, we will take steps to remove your information from our marketing database.

Where you have provided your details in relation a completion, we will delete your personal data when the competition has finished (unless you have consented to your information being used for marketing purposes). 

Security

How do we collect information from you?

As part of security operations at our sites, The Crown Estate or our managing agents will also be collecting personal images relating to visitors and customers to its properties from CCTV, body mounted video (BMV) and ANPR (Automatic Number Plate Recognition) systems. Our managing agents appoint third party service providers to provide security services, and The Crown Estate wardens manage security within the Windsor Great Park.

The Crown Estate also captures personal data within access control systems which provide access to the premises we occupy. Personal data is also collected from visitors to our properties with the access control data and visitor management data held by our managing agents on third party systems. 

In relation to access control and visitor data at the sites we occupy and where the data relates to The Crown Estate’s employees, contractors or visitors, The Crown Estate considers itself to be the data controller. However, for access control and visitor data within our tenanted premises relating to our tenants’ staff, contractors and employees, we consider our tenants to be the data controller. 

For what purpose is it collected?

CCTV, BMV, visitor and access control data is collated to pursue our legitimate interests to protect the property in question, to protect the vital interests of our visitors, tenants and customers and to assist with the prevention and detection of crime. 

ANPR is collected to fulfil a contract between ourselves and our users of our parking facilities, including enforcement action. 

Data minimisation and retention

For CCTV, BMV and ANPR, generally this data will not be held for longer than 30 days unless an incident or suspected incident has occurred. 

Accident and incident reporting

How do we collect information from you?

When an incident occurs at one of our properties, The Crown Estate is required to document the particulars of an incident which may include witness statements, CCTV footage, photographs and written reports. This information may include special categories of data depending on the nature of the incident. A third-party system is used to log details relating to these incidents, physical paperwork may also be stored on site. In the Windsor Great Park, our wardens manage the park in accordance with The Windsor Great Park Regulations 1972 – Statutory Instrument 1973:No.1113 (the ‘bylaws’).

The data may be shared with third parties such as insurance providers and legal advisors in order to defend a claim, government organisations to which we are required to report on incidents by law or the police to investigate a crime. 

For what purpose is it collected?

This information is collected to ensure that The Crown Estate complies with its legal responsibilities in relation to Health and Safety investigation and reporting, and also for defending future legal claims. The information can also be used to prevent and detect crime, or to protect the vital interests of individuals. Where health information is collected we may also need this for our substantial public interest for insurance processing.

Data minimisation and retention

All personal data (CCTV, witness statements, photographs and incident reports) relating to the incident to be recorded for six years, unless there are reasons to retain it for longer, such as ongoing HSE investigation, a suspected pattern of fraud, or because an injury has been sustained by a child. 

Retail data analytics:

We also undertake analysis of how our retail venues are being used. This may include:

  • movement and footfall detection and analysis to understand customer numbers and how our customers move around our sites;

  • analysis to understand how far customers travel to our sites or how often they visit us;

  • analysis of shopping trends and customer preferences.

We conduct this analysis using interviews, questionnaires and electronic detection techniques. Whenever we are undertaking such studies we will always avoid processing personal data where we can and perform the analysis anonymously. Furthermore, we will always inform our customers and visitors of the surveys taking place at any time.

Other third-party transfers not detailed previously:

We may also pass on or allow access to your information:

  • to our suppliers, contractors and professional advisors where this is necessary for them to provide services and facilities to us or on our behalf; 

  • to any purchaser of all or part of our business or any of our properties to which the relevant service relates;

  • to sell, make ready for sale or dispose of our business in whole or in part including to any potential buyer or their advisers;

  • where we are required to do so by law, court order or other legal process;

  • where, acting in good faith, we believe disclosure is necessary to assist in the investigation or reporting of suspected illegal or other wrongful activity. This may include exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction;

  • to protect and defend our rights or property;

  • to deal with any misuse of any of our services; or

  • in order to enforce or apply our terms and conditions and other agreements with third parties.

We may disclose your personal data to our joint venture partners and affiliates or third-party data processers who may process data on our behalf to enable us to carry out our usual business practices.

Protection of your information

We have in place administrative, technical and physical measures designed to guard against and minimise the risk of loss, misuse or unauthorised processing or disclosure of the personal information that we hold, which includes an Information Security Management System certified to ISO27001. We place similar obligations on our third parties and risk assess their security based on the sensitivity of the personal data that they hold.

If we transfer your personal information outside of the EEA, it will continue to be subject to one or more appropriate safeguards set out in law. These might be the use of model contracts in a form approved by regulators, or having our suppliers sign up to an independent privacy scheme approved by regulators.

Links to other websites

This notice only applies to the websites provided by us. If you link to another service and/or website from here, you should remember to read and understand that service and/or website’s privacy and cookies policy as well. We are not responsible for any use of your information that is made by other services and/or websites. Links or advertisements do not imply that we endorse or have reviewed such third parties or their privacy practices.

Your rights

Whilst we will always require you to opt-in to direct marketing before we sent it to you, you always have the right to withdraw your consent to receiving marketing at any time. If our processing of personal data is based on your consent, you have the right to withdraw consent for future processing at any time by contacting us. Please note, however, that we may still be entitled to process your personal data if we have another legitimate reason (other than consent) for doing so;

You have the right to obtain information regarding the processing of your personal data and access to the personal data which we hold about you;

In some circumstances, the right to receive some personal data in a structured, commonly used and machine-readable format and/or request that we transmit those data to a third party where this is technically feasible. Please note that this right only applies to personal data which you have provided to us;

You have the right to request that we correct your personal data if it is inaccurate or incomplete;

You have the right to request that we erase your personal data in certain circumstances. Please note that there may be circumstances where you ask us to erase your personal data but we are legally entitled to retain it;

You have the right to object and/or request that we restrict our processing of your personal data in certain circumstances. Again, there may be circumstances where you ask us to restrict our processing of your personal data but we are legally entitled to refuse that request; and

You can also contact the Information Commissioner's Office via https://ico.org.uk/ for information, advice or to make a complaint.

If you wish to opt out of the marketing we send you, please contact:

If you wish for further information, or wish to exercise any other right, please contact the data protection officer at enquiries@thecrownestate.co.uk.

We will respond to your request (including providing information on whether the rights apply in the particular circumstances) within the applicable statutory time period. If we are not sure of your identity, we may require you to provide further information in order for us to confirm who you are.

Changes to the Privacy & cookies policy

This Privacy Notice was last updated on 01 February 2020. If it is necessary for us to alter the terms of the Privacy Notice, we will post the revised Privacy Notice here. We encourage you to frequently review the Privacy Notice for the latest information on our privacy practices.

How you can contact us

If you have any questions about this Privacy Notice, please contact us at enquiries@thecrownestate.co.uk.